Page 1

OPS-17: Utilizing Firewalls - In the Reign of Fire

Sasha Kraljevic, Principal TS Engineer

Page 2

Agenda

Firewalls Intro
• Short history
• Firewall types

What will be covered (and what not)

OpenEdge® Environment
• Database connectivity
• AppServer™
• WebSpeed®
• Adapters
• DataServers

Page 3

Firewalls Intro

A firewall is the first line of defense for basic network security.

It separates the untrusted network (the Internet) from the trusted network (the Intranet).

There is usually a third network called the DMZ (demilitarized zone). This network is separate from both the others, but it can communicate with both.

Usually it employs NAT (network address translation) and/or port mapping.

"Responsible" for the vast majority of calls logged with Technical Support.

Page 4

Firewalls Intro

[Diagram: a single Firewall Device joining three networks: Internet, DMZ and Intranet]

Page 5

Firewalls Intro

[Diagram: two firewall devices in series: Internet, Firewall Device #1, DMZ, Firewall Device #2, Intranet]

Page 6

Firewalls Intro

Short history…

A firewall is a system or group of systems that enforces an access control policy between two networks.

• Late 80’s – 1st Gen. – packet filters
• 2nd Gen. – stateful filters
• Early 90’s – 3rd Gen. – application layer
• Next Gen. – convergence of firewalls and IPS

Page 7

Firewalls Intro

Firewall types…

• Network layer firewalls
• Application layer firewalls
• Hybrid firewalls

Page 8

Agenda (as on Page 2)

Page 9

What will be covered (and what not)

We will talk about:
• Network layer firewalls
• OpenEdge products

…but not about:
• Application layer firewalls
• NAT, proxies, VPN, IDS & IPS
• Non-OpenEdge products

Page 10

Agenda (as on Page 2)

Page 11

OpenEdge Environment

Database connectivity

[Diagram: Database Broker with Remote Server 1, Remote Server 2 … Remote Server n, all attached to Shared memory]

Page 12

OpenEdge Environment

Database connectivity

[Diagram: as on Page 11; the client sends its connect request ("Connect rq >") to the Database Broker, which answers with a Remote Server port ("< Remote Srv port")]

Page 13

OpenEdge Environment

Database connectivity

[Diagram: as on Page 11, continuing the connection sequence]

Page 14

OpenEdge Environment

Database connectivity and firewall configuration

DB Broker: Open all TCP ports from the ABL/ODBC/JDBC client to the DB broker port (-S)

Remote Srv: Open all TCP ports from the ABL/ODBC/JDBC client to the remote servers port range

DB Remote Servers port range is defined with the -minport & -maxport parameters

Don’t forget -PendConnTime!
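As an added example (not code from the slides or from Progress), the following Python turns the three parameters named above into the two client-to-database flows a firewall has to permit, and flags the configurations that cannot be scoped: a broker without -minport/-maxport puts its remote servers on OS-assigned ports, which is exactly the case that ends up as a support call. The proserve line, addresses and port values are constructed; the iptables rendering is one way to express the rules and assumes a stateful firewall in front of the database host.

```python
"""Added example: derive firewall flows from OpenEdge DB broker startup parameters."""
from dataclasses import dataclass

# Constructed sample start line (not from the slides); all values are made up.
SAMPLE_START_LINE = "proserve sports2000 -S 20931 -minport 20100 -maxport 20120 -PendConnTime 60"


@dataclass(frozen=True)
class Flow:
    proto: str
    dport_lo: int
    dport_hi: int
    purpose: str


def parse_start_params(line: str) -> dict:
    """Collect '-name value' pairs from a proserve-style command line."""
    tokens = line.split()
    params = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            params[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return params


def required_db_flows(params: dict):
    """Return (flows, warnings): the client -> database flows a firewall must permit,
    plus the configuration gaps that make those flows impossible to scope."""
    flows, warnings = [], []
    broker = params.get("-S")
    if broker is None:
        warnings.append("no -S: the broker accepts no remote (TCP) clients")
        return flows, warnings
    if not broker.isdigit():
        warnings.append(f"-S {broker} is a service name; resolve it via /etc/services first")
        return flows, warnings
    flows.append(Flow("tcp", int(broker), int(broker), "client -> DB broker (-S)"))
    lo, hi = params.get("-minport"), params.get("-maxport")
    if lo is None or hi is None:
        warnings.append("no -minport/-maxport: remote servers listen on OS-assigned ports, "
                        "so the client -> remote server flow cannot be limited to a range")
    elif int(lo) > int(hi):
        warnings.append("-minport is greater than -maxport")
    else:
        flows.append(Flow("tcp", int(lo), int(hi), "client -> DB remote servers (-minport:-maxport)"))
    if "-PendConnTime" not in params:
        # The slide only says not to forget it; the reminder is reproduced, not interpreted.
        warnings.append("-PendConnTime not set (slide's reminder)")
    return flows, warnings


def iptables_rules(flows, client_cidr: str, db_host: str):
    """Render the flows as iptables FORWARD rules for a stateful firewall
    (only the initiating direction is needed; replies ride on conntrack)."""
    rules = []
    for f in flows:
        dport = str(f.dport_lo) if f.dport_lo == f.dport_hi else f"{f.dport_lo}:{f.dport_hi}"
        rules.append(f"iptables -A FORWARD -p {f.proto} -s {client_cidr} -d {db_host} "
                     f"--dport {dport} -m conntrack --ctstate NEW -j ACCEPT  # {f.purpose}")
    return rules


if __name__ == "__main__":
    flows, warnings = required_db_flows(parse_start_params(SAMPLE_START_LINE))
    for w in warnings:
        print("WARNING:", w)
    for r in iptables_rules(flows, "10.0.0.0/24", "192.0.2.10"):
        print(r)
```

Run it against the real start line of a broker and compare the emitted rules with what the firewall team actually configured; a warning about a missing port range means the second rule cannot be written at all, and the symptom on the client side is a connection that reaches the broker and then hangs.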

Page 15

OpenEdge Environment

AppServer

And the Server was without the form and void… Admin said “Let there be light” and there was AdminServer. And it started the NameServer… And the Database Server was started…

[Diagram: NameServer/5162, AppServer Broker, AppServer Server(s) (Agents); the broker’s UDP registration message carries its uuid, the name asbroker1, its hostname and its port, 3090]

AdminServer and NameServer are started. User/Admin starts the AppServer broker:

# asbman -i asbroker1 -start

AdminServer sets the broker’s environment and then starts the Java™ process, which takes its properties from the ubroker.properties file.

Broker opens its listening port and starts the predetermined number of servers.

When all servers are started, the broker sends a UDP message to the controlling NameServer to register with it.

Servers (_proapsv) start using the DB connection and other startup parameters passed by the broker.

Broker keeps sending UDP KeepAlive messages to the NameServer until it is shut down.

Page 16

OpenEdge Environment

Overview – AppServer round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

End user initiates the connection from the 4GL: AppServer://host:5162/asbroker1

UDP to 5162: asbroker1 ?

NameServer checks for the broker registered with AppService name asbroker1 and sends the message back to the client (UDP) with the broker’s registered host name (or IP address) and the port where it listens.

UDP from 5162: asbroker1, host, port

Page 17

OpenEdge Environment

Overview – Stateless AppServer round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer… and then it executes the RUN … ON statement.

RUN…

Broker checks its pool of available agents and allocates one of them, passing the RUN request.

RUN…

_proapsv gets the request and starts executing it….

Page 18

OpenEdge Environment

Overview – Stateless AppServer round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

_proapsv gets the request and starts executing it….

After the procedure is executed, the agent returns the output parameters (if any) and signals to the broker that it has finished.

OUTPUT…END

Broker returns the OUTPUT params (if any) and signals the end of the RUN request to the 4GL client.

OUTPUT…END

Client accepts the OUTPUT params (if any) and continues on with processing – now calling another RUN, or disconnecting from the AppServer.

Page 19

OpenEdge Environment

Overview – State-reset & State-aware AS round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer.

Broker checks its pool of available agents and returns the port number of one of them back to the client.

Page 20

OpenEdge Environment

Overview – State-reset & State-aware AS round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

Client disconnects from the AppServer broker and connects to the agent.

Client executes the RUN … ON statement.

RUN..ON

_proapsv gets the request and starts executing it….

Page 21

OpenEdge Environment

Overview – State-reset & State-aware AS round trip

[Diagram: NameServer/5162, AS Broker, AS Agent]

After it is finished, the agent returns the params (if any) and signals the end to the client.

OUTPUT..END

4GL client accepts the OUTPUT params (if any) and is now ready to make a new RUN, or to disconnect from the AppServer.

Note that the 4GL client sends the AppServer DISCONNECT to the agent, which then signals to the broker that it is ready to accept another client connection.

“I’m available again!”

Page 22

OpenEdge Environment

AppServer and Firewall Configuration

NameServer: Open all UDP ports from the client to the NameServer’s UDP port (5162)

NameServer: Open UDP from the NameServer port (5162) to all UDP ports on the client

AS Broker: Open all TCP ports from the client to the AppServer Broker listening port (3090)

Stateless: the rules above are all that is needed.

State-aware & State-reset: additionally,

AS Agents: Open all TCP ports from the client to the AppServer’s servers port range (2002:2202)

AppServer’s servers port range is defined with the srvrMinPort & srvrMaxPort properties

Page 23

OpenEdge Environment

WebSpeed

[Diagram: Web server, NameServer, WS Broker, WS Agent]

End user initiates the request from the web browser: http://host/scripts/cgiip.exe/WService=wsbroker1/order.w

Page 24

OpenEdge Environment

WebSpeed

[Diagram: Web server, NameServer, WS Broker, WS Agent]

Request path at the web server: scripts/cgiip.exe /WService=wsbroker1/order.w

Page 25

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

/WService=wsbroker1/order.w

Messenger reads ubroker.properties and, using controllingNameServer, locates the host and port to which it sends the UDP message to the NS. It can use minNSclientPort and maxNSclientPort to specify the UDP port range on which it gets back the response from the NS – used for firewalls.

Page 26

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

wsbroker1 ?

NameServer checks for the broker registered with AppService name wsbroker1 and sends the message back to the Messenger (UDP) with the broker’s registered host name (or IP address) and the port where it listens.

Page 27

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

Messenger connects to the broker… which then checks its pool of available agents and sends the message (TCP) back to the Messenger with the port number of the chosen available agent to process the request.

Page 28

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

Messenger connects (TCP) to the WS agent and passes the name of the web object to execute along with the list of parameters (if any): /order.w?custnum=1

Page 29

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

WS agent executes the web object and…

Page 30

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

…it returns the HTML in the web output stream…

Page 31

OpenEdge Environment

WebSpeed

[Diagram: Web server, Messenger, NameServer, WS Broker, WS Agent]

…that is returned to the end user’s browser.

Page 32

OpenEdge Environment

WebSpeed

[Diagram: deployment across three zones, Internet / Untrusted Zone, Demilitarized Zone (DMZ) and Intranet / Trusted Zone, containing: the Internet Web Server; the Internet Production Server (Internet NameServer, Internet WebSpeed Server, Internet Database); the Intranet Production Server (Intranet NameServer, Intranet WebSpeed Server, Intranet Database) with its Intranet Web Server and Users; and the Development Test Server (Dev/Test NameServer, Dev/Test WebSpeed Server, Dev/Test Database) with its Dev/Test Web Server and Developers & Testers]

Page 33

OpenEdge Environment

WebSpeed

[Diagram: variant of the layout on Page 32 with the same three zones, containing: the Internet Web Server; the Internet Production Server (Internet NameServer, Internet WebSpeed Server, Internet Database); the Intranet Server (Intranet WebSpeed Server, Intranet Database, Intranet NameServer) with its Intranet Web Server and Users; and the Development Test Server (Dev/Test WebSpeed Server, Dev/Test Database) with Developers & Testers]

Page 34

OpenEdge Environment

WebSpeed

NameServer: Open all UDP ports from the WS Messenger to the NameServer’s UDP port (5162)

NameServer: Open UDP from the NameServer port (5162) to minNSclientPort : maxNSclientPort on the Messenger

WS Broker: Open all TCP ports from the WS Messenger to the WebSpeed Broker listening port (3090)

WS Agents: Open all TCP ports from the WS Messenger to the WebSpeed’s servers port range (2002:2202)

WebSpeed’s servers port range is defined with the srvrMinPort & srvrMaxPort properties
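The AppServer table (Page 22) and the WebSpeed table above describe one and the same check: enumerate every leg of the round trip and confirm a rule permits it. The following Python is an added example, not code from the slides or from Progress. It derives the legs from a constructed ubroker.properties fragment and reports the ones a rule set leaves blocked, including the difference between a Stateless broker (client talks to the broker only) and a State-aware/State-reset one (client also connects to the agent range). The srvrMinPort/srvrMaxPort, minNSclientPort/maxNSclientPort and controllingNameServer keys are the ones named on the slides; the section names and the portNumber/operatingMode keys follow the usual layout of that file but are assumptions here, as are all port values and the rule set. An AIA or WSA host can be checked with the same function by passing it as the client.

```python
"""Added example: enumerate AppServer/WebSpeed round-trip legs and check them against firewall rules."""
import configparser
from dataclasses import dataclass

ANY = (1, 65535)  # "all ports" on the slides

# Constructed ubroker.properties fragment: key names from the slides, section names
# and the portNumber/operatingMode keys assumed, all port values made up.
UBROKER_PROPERTIES = """
[NameServer.NS1]
portNumber=5162
[UBroker.AS.asbroker1]
controllingNameServer=NS1
portNumber=3090
srvrMinPort=2002
srvrMaxPort=2202
operatingMode=State-aware
[UBroker.WS.wsbroker1]
controllingNameServer=NS1
portNumber=3055
srvrMinPort=3000
srvrMaxPort=3010
[WebSpeed.Messengers.CGIIP]
minNSclientPort=6000
maxNSclientPort=6010
"""

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str       # zone labels: client, messenger, nameserver, appserver, webspeed
    dst: str
    sport: tuple   # (low, high) source port range
    dport: tuple   # (low, high) destination port range
    purpose: str = ""  # empty for firewall rules, descriptive for required legs

def load_properties(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep srvrMinPort etc. case-sensitive
    cp.read_string(text)
    return cp

def _range(section, lo_key, hi_key):
    return (int(section[lo_key]), int(section[hi_key]))

def _ns_port(cp, section):
    return int(cp["NameServer." + section["controllingNameServer"]]["portNumber"])

def appserver_flows(cp, broker_section, client="client"):
    """Pages 16-22: UDP lookup and reply, TCP to the broker, and only for
    State-aware/State-reset a TCP connection into the agent port range."""
    b = cp[broker_section]
    ns, port = _ns_port(cp, b), int(b["portNumber"])
    flows = [
        Flow("udp", client, "nameserver", ANY, (ns, ns), "client -> NameServer lookup"),
        Flow("udp", "nameserver", client, (ns, ns), ANY, "NameServer -> client reply"),
        Flow("tcp", client, "appserver", ANY, (port, port), "client -> AS broker"),
    ]
    if b.get("operatingMode", "Stateless").lower() != "stateless":
        flows.append(Flow("tcp", client, "appserver", ANY, _range(b, "srvrMinPort", "srvrMaxPort"),
                          "client -> AS agent (State-aware/State-reset only)"))
    return flows

def webspeed_flows(cp, broker_section, messenger_section):
    """Pages 25-34: the Messenger is the client; the NameServer reply lands in
    minNSclientPort:maxNSclientPort, and the Messenger always connects to the agent."""
    b, m = cp[broker_section], cp[messenger_section]
    ns, port = _ns_port(cp, b), int(b["portNumber"])
    reply = _range(m, "minNSclientPort", "maxNSclientPort")
    return [
        Flow("udp", "messenger", "nameserver", reply, (ns, ns), "Messenger -> NameServer lookup"),
        Flow("udp", "nameserver", "messenger", (ns, ns), reply, "NameServer -> Messenger reply"),
        Flow("tcp", "messenger", "webspeed", ANY, (port, port), "Messenger -> WS broker"),
        Flow("tcp", "messenger", "webspeed", ANY, _range(b, "srvrMinPort", "srvrMaxPort"),
             "Messenger -> WS agent"),
    ]

def _covers(rule_range, flow_range):
    return rule_range[0] <= flow_range[0] and flow_range[1] <= rule_range[1]

def missing_flows(flows, rules):
    """Legs no rule permits: same proto and zones, rule ranges covering the leg's ranges."""
    return [f for f in flows if not any(
        r.proto == f.proto and r.src == f.src and r.dst == f.dst
        and _covers(r.sport, f.sport) and _covers(r.dport, f.dport) for r in rules)]

# Constructed rule set with a common gap: the AS broker port is open, the agent range is not.
RULES = [
    Flow("udp", "client", "nameserver", ANY, (5162, 5162)),
    Flow("udp", "nameserver", "client", (5162, 5162), ANY),
    Flow("tcp", "client", "appserver", ANY, (3090, 3090)),
    Flow("udp", "messenger", "nameserver", ANY, (5162, 5162)),
    Flow("udp", "nameserver", "messenger", (5162, 5162), (6000, 6010)),
    Flow("tcp", "messenger", "webspeed", ANY, (3055, 3055)),
    Flow("tcp", "messenger", "webspeed", ANY, (3000, 3010)),
]

def audit(text=UBROKER_PROPERTIES, rules=RULES):
    """Return the purposes of the round-trip legs the rule set fails to permit."""
    cp = load_properties(text)
    flows = (appserver_flows(cp, "UBroker.AS.asbroker1")
             + webspeed_flows(cp, "UBroker.WS.wsbroker1", "WebSpeed.Messengers.CGIIP"))
    return [f.purpose for f in missing_flows(flows, rules)]
```

With the constructed values, audit() reports only the client-to-agent leg, which is the classic symptom behind "it works in Stateless mode but hangs in State-aware"; switching operatingMode to Stateless makes the same rule set complete. The NameServer reply is listed as its own leg, as the slides do, so the check stays valid on firewalls that do not track UDP state.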

Page 35

OpenEdge Environment

OpenEdge Adapters - AIA

[Diagram: ABL/OpenClient proxy, HTTP, AIA]

Client creates the message for the AppServer… Wraps it up in the HTTP packet…

Page 36

OpenEdge Environment

OpenEdge Adapters - AIA

[Diagram: ABL/OpenClient proxy, HTTP, AIA]

And sends it to the AIA…

AIA receives the HTTP packet…

Page 37

OpenEdge Environment

OpenEdge Adapters - AIA

[Diagram: ABL/OpenClient proxy, HTTP, AIA]

Unwraps and extracts the message…

Page 38

OpenEdge Environment

OpenEdge Adapters - AIA

[Diagram: ABL/OpenClient proxy, HTTP, AIA]

And it sends it to the AppServer.

Page 39

OpenEdge Environment

OpenEdge Adapters - AIA

[Diagram: ABL/OpenClient proxy, JSE/AIA, AppServer]

Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443

Open all ports following the client-to-AppServer rules

AIA to NameServer: minNSClientPort - maxNSClientPort

Page 40

OpenEdge Environment

OpenEdge Adapters - WSA

[Diagram: WebService client, JSE/WSA, AppServer]

Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443

Open all ports following the client-to-AppServer rules

WSA to NameServer: nsMinClientPort - nsMaxClientPort

Page 41

OpenEdge Environment

OpenEdge DataServers

Foreign database connection configuration

Configuration:
- schema holder location
- foreign db location
- connecting through DataServer broker (standard/unified)

NB: DataServer servers cannot specify a port range!

Page 42

In Summary

• Firewalls are not a panacea!
• Understand the round trip!
• Double-check the rules!

Page 43

For More Information, go to…

PSDN
• http://www.psdn.com/library/entry.jspa?externalID=1433
• http://www.psdn.com/library/entry.jspa?externalID=163

Documentation:
• Core Business Services
• Application and Integration Services

Page 44

Relevant Exchange Sessions

OPS-19: What is IPv6 and Why Should I Care?

Page 45

Questions?

Page 46

Thank You

Page 47