OPS-17: Utilizing Firewalls - In the Reign of Fire
Sasha Kraljevic, Principal TS Engineer
© 2008 Progress Software Corporation
Agenda
• Firewalls Intro
  • Short history
  • Firewall types
• What will be covered (and what not)
• OpenEdge® Environment
  • Database connectivity
  • AppServer™
  • WebSpeed®
  • Adapters
  • DataServers
Firewalls Intro
A firewall is the first line of defense for basic network security.
It separates the untrusted network (the Internet) and the trusted network (the Intranet).
There is usually a third network called the DMZ or Demilitarized zone. This network is separate from both the others, but it can communicate with both.
Usually it employs NAT (network address translation) and/or port mapping.
"Responsible" for the vast majority of calls logged with technical support.
Firewalls Intro
[Diagram: a single Firewall Device separating the Internet, the DMZ and the Intranet]
Firewalls Intro
[Diagram: Firewall Device #1 and Firewall Device #2 separating the Internet, the DMZ and the Intranet]
Firewalls Intro
A firewall is a system or group of systems that enforces an access control policy between two networks.
Short history…
• Late 80’s – 1st Gen. – packet filters
• 2nd Gen. – stateful filters
• Early 90’s – 3rd Gen. – application layer
• Next Gen. – convergence of Firewalls and IPS
Firewalls Intro
Firewall types…
• Network layer firewalls
• Application layer firewalls
• Hybrid firewalls
What will be covered (and what not)
We will talk about:
• Network layer firewalls
• OpenEdge products
…but not about:
• Application layer firewalls
• NAT, proxies, VPN, IDS & IPS
• Non-OpenEdge products
OpenEdge Environment
Database connectivity
[Diagram: Database Broker and Remote Server 1, Remote Server 2 … Remote Server n, all attached to the database’s shared memory. The client sends its connect request (“Connect rq >”) to the broker, and the broker answers with the port of a remote server (“< Remote Srv port”).]
OpenEdge Environment
Database connectivity and firewall configuration
• DB Broker: open all TCP ports from the ABL/ODBC/JDBC client to the DB broker port (-S)
• DB Remote Servers: open all TCP ports from the ABL/ODBC/JDBC client to the remote servers port range
• The remote servers port range is defined with the -minport & -maxport parameters
• Don’t forget -PendConnTime!
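The two rules above are easy to get half right: the broker port (-S) gets opened, the connect request succeeds, and the redirect to a remote server port is then blocked. As an added example that is not code from the presentation or from Progress, the following script models the flows a remote database client needs and checks a proposed allow-list against them before it is deployed. The zone names, host labels and port numbers are constructed samples.

```python
# Added example; it is not code from the presentation or from Progress.
# It models the flows a remote OpenEdge database client needs (broker port -S,
# then the remote servers range -minport..-maxport) and checks a proposed
# firewall allow-list against them. Hosts, zones and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One allowed or required flow: any source port from src to dst:lo-hi."""
    src: str    # source zone, e.g. "client-lan"
    dst: str    # destination host label
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port (inclusive)
    hi: int     # last destination port (inclusive)

    def covers(self, needed: "Flow") -> bool:
        """True if this allow rule fully contains the needed flow."""
        return (self.src == needed.src and self.dst == needed.dst
                and self.proto == needed.proto
                and self.lo <= needed.lo and needed.hi <= self.hi)


def db_required_flows(client_zone: str, db_host: str,
                      broker_port: int, minport: int, maxport: int) -> list:
    """Flows an ABL/ODBC/JDBC client needs, per the slide: the broker port (-S)
    and the whole remote servers range (-minport/-maxport), both TCP."""
    if not (0 < broker_port < 65536 and 0 < minport <= maxport < 65536):
        raise ValueError("port values out of range")
    return [
        Flow(client_zone, db_host, "tcp", broker_port, broker_port),
        Flow(client_zone, db_host, "tcp", minport, maxport),
    ]


def missing_flows(required: list, allowed: list) -> list:
    """Required flows that no single allow rule fully covers.

    A rule covering only part of the range (say the first five of ten ports)
    is reported as missing: a client handed one of the uncovered ports would
    fail at the redirect, after the connect to the broker already succeeded."""
    return [need for need in required
            if not any(rule.covers(need) for rule in allowed)]


if __name__ == "__main__":
    # Constructed sample: database started with -S 20000 -minport 20001 -maxport 20010
    required = db_required_flows("client-lan", "dbhost", 20000, 20001, 20010)
    # Typical mistake: only the broker port is opened.
    only_broker = [Flow("client-lan", "dbhost", "tcp", 20000, 20000)]
    for gap in missing_flows(required, only_broker):
        print(f"missing: {gap.proto} {gap.src} -> {gap.dst}:{gap.lo}-{gap.hi}")
    # Corrected rule set: one rule may span broker port and range when contiguous.
    fixed = [Flow("client-lan", "dbhost", "tcp", 20000, 20010)]
    print("gaps after fix:", missing_flows(required, fixed))
```

Run it as a script to see the gap report; the same `missing_flows` check applies unchanged to the AppServer and WebSpeed rule sets later in the deck once their UDP and TCP flows are expressed as `Flow` values.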
OpenEdge Environment
AppServer
And the Server was without form and void… Admin said “Let there be light” and there was AdminServer. And it started the NameServer…
And the Database Server was started…
[Diagram: NameServer (UDP 5162), AppServer Broker, AppServer Server(s) (Agents)]
• AdminServer and NameServer are started. User/Admin starts the AppServer broker:
  # asbman -i asbroker1 -start
• AdminServer sets the broker’s environment and then starts the Java™ process, which takes its properties from the ubroker.properties file.
• Broker opens its listening port and starts the predetermined number of servers.
• When all servers are started, the broker sends a UDP message to the controlling NameServer to register with it (the message carries the broker’s uuid, the AppService name asbroker1, its hostname and its port, 3090).
• Servers (_proapsv) start using the db connection and other startup parameters passed by the broker.
• Broker keeps sending UDP KeepAlive messages to the NameServer until it is shut down.
OpenEdge Environment
Overview – AppServer round trip
[Diagram: NameServer (UDP 5162), AS Broker, AS Agent]
• End user initiates the connection from the 4GL: AppServer://host:5162/asbroker1
• UDP to 5162: asbroker1 ?
• NameServer checks for the broker registered with AppService name asbroker1 and sends the message back to the client (UDP) with the broker’s registered host name (or IP address) and the port where it listens
• UDP from 5162: asbroker1, host, port
OpenEdge Environment
Overview – Stateless AppServer round trip
[Diagram: NameServer (UDP 5162), AS Broker, AS Agent]
• Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer… and then it executes the RUN … ON statement (RUN…)
• Broker checks its pool of available agents and allocates one of them, passing the RUN request (RUN…)
• _proapsv gets the request and starts executing it….
• After the procedure is executed, the agent returns the output parameters (if any) and signals to the broker that it has finished (OUTPUT…END)
• Broker returns the OUTPUT params (if any) and signals the end of the RUN request to the 4GL client (OUTPUT…END)
• Client accepts the OUTPUT params (if any) and continues on with processing – now calling another RUN, or disconnecting from the AppServer.
OpenEdge Environment
Overview – State-reset & State-aware AS round trip
[Diagram: NameServer (UDP 5162), AS Broker, AS Agent]
• Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer
• Broker checks its pool of available agents and returns the port number of one of them back to the client.
• Client disconnects from the AppServer broker and connects to the agent
• Client executes the RUN … ON statement (RUN..ON)
• _proapsv gets the request and starts executing it….
• After it is finished, the agent returns the params (if any) and signals the end to the client (OUTPUT..END)
• 4GL client accepts the OUTPUT params (if any) and is now ready to make a new RUN, or to disconnect from the AppServer.
• Note that the 4GL client sends the AppServer DISCONNECT to the agent, which then signals to the broker that it is ready to accept another client connection (“I’m available again!”).
OpenEdge Environment
AppServer and Firewall Configuration
• NameServer: open all UDP ports from the client to the NameServer’s UDP port (5162)
• NameServer: open UDP from the NameServer port (5162) to all UDP ports on the client
• AS Broker (Stateless): open all TCP ports from the client to the AppServer Broker listening port (3090)
• AS Agents (State-reset & State-aware): open all TCP ports from the client to the AppServer’s servers port range (2002:2202)
• AppServer’s servers port range is defined with the srvrMinPort & srvrMaxPort properties
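Which of those rules a given installation needs follows directly from the round trip of its operating mode, which is the “understand the round trip” point the deck closes on. As an added example that is not code from the presentation or from Progress, the script below walks the round trip for each mode and derives the distinct openings from the steps themselves. The port numbers 5162, 3090 and 2002-2202 and the step order come from the slides; the step wording and the client / nameserver / broker / agent labels are mine.

```python
# Added example, not from the presentation or from Progress: enumerate the
# AppServer round trip per operating mode and derive the firewall openings a
# client-side firewall needs. Ports follow the slides; labels are assumptions.
NS_PORT = 5162                 # NameServer UDP port
BROKER_PORT = 3090             # AppServer broker listening port
AGENT_PORTS = (2002, 2202)     # srvrMinPort .. srvrMaxPort
EPHEMERAL = (1024, 65535)      # any unprivileged port the client's UDP socket may pick

MODES = ("stateless", "state-reset", "state-aware")


def appserver_round_trip(mode):
    """Ordered network steps of one RUN ... ON round trip.

    Each step is (proto, src, dst, (lo, hi), what). A step that reuses an
    already open TCP connection carries the same 4-tuple as the step that
    opened it, so it adds no firewall opening."""
    if mode not in MODES:
        raise ValueError(f"unknown AppServer mode {mode!r}")
    steps = [
        ("udp", "client", "nameserver", (NS_PORT, NS_PORT), "asbroker1 ?"),
        ("udp", "nameserver", "client", EPHEMERAL, "asbroker1, host, port"),
    ]
    if mode == "stateless":
        steps += [
            ("tcp", "client", "broker", (BROKER_PORT, BROKER_PORT), "connect, RUN ... ON"),
            ("tcp", "client", "broker", (BROKER_PORT, BROKER_PORT), "OUTPUT params, END"),
        ]
    else:  # state-reset and state-aware: the broker hands out an agent port
        steps += [
            ("tcp", "client", "broker", (BROKER_PORT, BROKER_PORT), "connect, receive agent port"),
            ("tcp", "client", "agent", AGENT_PORTS, "connect, RUN ... ON"),
            ("tcp", "client", "agent", AGENT_PORTS, "OUTPUT params, END"),
            ("tcp", "client", "agent", AGENT_PORTS, "DISCONNECT"),
        ]
    return steps


def required_openings(mode):
    """Distinct (proto, src, dst, (lo, hi)) openings, in first-use order."""
    seen = []
    for proto, src, dst, ports, _ in appserver_round_trip(mode):
        key = (proto, src, dst, ports)
        if key not in seen:
            seen.append(key)
    return seen


def agent_range_needed(mode):
    """True when the firewall must also open srvrMinPort..srvrMaxPort."""
    return any(dst == "agent" for _, _, dst, _ in required_openings(mode))


if __name__ == "__main__":
    for mode in MODES:
        print(mode)
        for proto, src, dst, (lo, hi) in required_openings(mode):
            rng = f"{lo}" if lo == hi else f"{lo}-{hi}"
            print(f"  allow {proto} {src} -> {dst}:{rng}")
```

The output makes the slide’s split visible: stateless needs only the UDP pair and the broker port, while state-reset and state-aware also need the whole agent range, and the NameServer reply is a separate UDP opening from server port 5162 back to whatever port the client’s socket picked.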
OpenEdge Environment
WebSpeed
[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]
• End user initiates the request from the web browser: http://host/scripts/cgiip.exe/WService=wsbroker1/order.w
• The web server hands scripts/cgiip.exe /WService=wsbroker1/order.w to the Messenger
• Messenger reads ubroker.properties and, using controllingNameServer, locates the host and port where it sends the UDP message to the NS. It can use minNSclientPort and maxNSclientPort to specify the UDP port range for getting back the response from the NS – used for firewalls.
• NameServer checks for the broker registered with AppService name wsbroker1 (“wsbroker1 ?”) and sends the message back to the Messenger (UDP) with the broker’s registered host name (or IP address) and the port where it listens
• Messenger connects to the broker… which then checks its pool of available agents and sends the message (TCP) back to the Messenger with the port number of the chosen available agent to process the request
• Messenger connects (TCP) to the WS agent and passes the name of the web object to execute along with the list of parameters (if any): /order.w?custnum=1
• WS agent executes the web object and… it returns the HTML in the web output stream… that is returned to the end user’s browser.
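The request URL carries the AppService name the Messenger asks the NameServer for and the web object it finally asks the agent to run. As an added example that is neither the Messenger’s own code nor anything from the presentation, the parser below splits a URL of the form shown on the slide into those parts and refuses service names that are not in a site-maintained registry, so that only known brokers are ever looked up. The registry contents and the URLs it is tried on are constructed samples.

```python
# Added example, not from the presentation or from the WebSpeed Messenger:
# parse http://host/scripts/cgiip.exe/WService=<name>/<object>?<params> into
# the AppService name, web object and parameters, rejecting unknown services.
# The registry and the sample URLs are constructed.
from urllib.parse import urlsplit, parse_qs

MESSENGER = "cgiip.exe"   # the Messenger executable in the slide's URL


def parse_webspeed_url(url, registered_services):
    """Return {"service", "web_object", "params"} or raise ValueError."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if MESSENGER not in segments:
        raise ValueError("not a WebSpeed Messenger URL")
    after = segments[segments.index(MESSENGER) + 1:]
    if not after or not after[0].startswith("WService="):
        raise ValueError("missing WService=<name> after the Messenger")
    service = after[0][len("WService="):]
    if service not in registered_services:
        # Defender's check: only hand requests to brokers this site knows about.
        raise ValueError(f"unknown AppService {service!r}")
    if len(after) < 2:
        raise ValueError("no web object named")
    web_object = "/" + "/".join(after[1:])
    params = {k: v[0] if len(v) == 1 else v
              for k, v in parse_qs(parts.query).items()}
    return {"service": service, "web_object": web_object, "params": params}


if __name__ == "__main__":
    registry = {"wsbroker1"}   # constructed: brokers registered at this site
    url = "http://host/scripts/cgiip.exe/WService=wsbroker1/order.w?custnum=1"
    print(parse_webspeed_url(url, registry))
    try:
        parse_webspeed_url("http://host/scripts/cgiip.exe/WService=other/x.w", registry)
    except ValueError as err:
        print("rejected:", err)
```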
OpenEdge Environment
WebSpeed
[Diagram: WebSpeed deployment across the Internet / Untrusted Zone, the Demilitarized Zone (DMZ) and the Intranet / Trusted Zone. Components shown: Internet Web Server; Internet Production Server with Internet NameServer, Internet WebSpeed Server and Internet Database; Intranet Web Server; Intranet Production Server with Intranet NameServer, Intranet WebSpeed Server and Intranet Database, used by Users; Development Test Server with Dev/Test NameServer, Dev/Test WebSpeed Server, Dev/Test Database and Dev/Test Web Server, used by Developers & Testers.]
[Diagram: second variant of the same deployment, showing an Intranet Server in place of the Intranet Production Server and no separate Dev/Test NameServer or Dev/Test Web Server.]
OpenEdge Environment
WebSpeed
• NameServer: open all UDP ports from the WS Messenger to the NameServer’s UDP port (5162)
• NameServer: open UDP from the NameServer port (5162) to minNSclientPort : maxNSclientPort on the Messenger
• WS Broker: open all TCP ports from the WS Messenger to the WebSpeed Broker listening port (3090)
• WS Agents: open all TCP ports from the WS Messenger to the WebSpeed’s servers port range (2002:2202)
• WebSpeed’s servers port range is defined with the srvrMinPort & srvrMaxPort properties
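The second rule is narrower than its AppServer counterpart only because the Messenger can pin the socket it waits on to minNSclientPort : maxNSclientPort instead of letting the OS pick any ephemeral port. As an added example that is not the Messenger’s or NameServer’s code, the script below does the same thing in Python: it binds the UDP query socket to the first free port in a configured range, sends the lookup, and receives the reply on that pinned port, against a constructed stand-in NameServer on localhost. The registry contents, the reply format (“host:port” or “UNKNOWN”) and the port range are assumptions for the demonstration.

```python
# Added example, not from the presentation or from Progress: pin the UDP
# socket used for a NameServer lookup to a configured port range, the idea
# behind minNSclientPort/maxNSclientPort. The stand-in NameServer, its reply
# format and the port numbers are constructed for the demonstration.
import socket
import threading


def bind_udp_in_range(minport, maxport, host="127.0.0.1"):
    """Return a UDP socket bound to the first free port in [minport, maxport]."""
    if not (0 < minport <= maxport < 65536):
        raise ValueError("bad port range")
    for port in range(minport, maxport + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind((host, port))
            return sock
        except OSError:          # port busy: try the next one in the range
            sock.close()
    raise OSError(f"no free UDP port in {minport}-{maxport}")


def ns_lookup_pinned(ns_host, ns_port, service, minport, maxport, timeout=2.0):
    """Send a service lookup to the NameServer and wait for the reply on a
    socket bound inside [minport, maxport]. Returns (reply_bytes, local_port).
    Because the local port is in the range, the firewall rule for the reply
    can be 'UDP from ns_port to minport:maxport' instead of 'to all ports'."""
    sock = bind_udp_in_range(minport, maxport)
    try:
        sock.settimeout(timeout)
        sock.sendto(service.encode(), (ns_host, ns_port))
        data, _ = sock.recvfrom(4096)
        return data, sock.getsockname()[1]
    finally:
        sock.close()


def start_fake_nameserver(registry):
    """Constructed stand-in for a NameServer: answers a service name with the
    registry's 'host:port' string, or 'UNKNOWN'. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, addr = srv.recvfrom(4096)
            except socket.timeout:
                continue
            answer = registry.get(data.decode(errors="replace"), "UNKNOWN")
            srv.sendto(answer.encode(), addr)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop_fn():
        stop.set()
        worker.join()

    return srv.getsockname()[1], stop_fn


if __name__ == "__main__":
    ns_port, stop = start_fake_nameserver({"wsbroker1": "wshost:3090"})
    try:
        reply, local = ns_lookup_pinned("127.0.0.1", ns_port, "wsbroker1", 47620, 47629)
        print(f"reply {reply!r} arrived on local UDP port {local} (range 47620-47629)")
    finally:
        stop()
```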
OpenEdge Environment
OpenEdge Adapters - AIA
[Diagram: ABL/OpenClient proxy → HTTP → AIA]
• Client creates the message for the AppServer… wraps it up in the HTTP packet… and sends it to the AIA…
• AIA receives the HTTP packet… unwraps and extracts the message… and sends it to the AppServer.
OpenEdge Environment
OpenEdge Adapters - AIA
[Diagram: ABL/OpenClient proxy → JSE/AIA → AppServer]
• Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443
• Open all ports following the client-to-AppServer rules
• AIA to NameServer: minNSClientPort - maxNSClientPort
OpenEdge Environment
OpenEdge Adapters - WSA
[Diagram: WebService client → JSE/WSA → AppServer]
• Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443
• Open all ports following the client-to-AppServer rules
• WSA to NameServer: nsMinClientPort - nsMaxClientPort
OpenEdge Environment
OpenEdge DataServers
Foreign database connection configuration
• Configuration: schema holder location, foreign db location, connecting through the DataServer broker (standard/unified)
• NB: DataServer servers cannot specify a port range!
In Summary
• Firewalls are not a panacea!
• Understand the round trip!
• Double-check the rules!
For More Information, go to…
PSDN:
• http://www.psdn.com/library/entry.jspa?externalID=1433
• http://www.psdn.com/library/entry.jspa?externalID=163
Documentation:
• Core Business Services
• Application and Integration Services
Relevant Exchange Sessions
OPS-19: What is IPv6 and Why Should I Care?
Questions?
Thank You