Title: OPS-17: Utilizing Firewalls - In the Reign of Fire
OPS-17: Utilizing Firewalls - In the Reign of Fire
Sasha Kraljevic
Principal TS Engineer
Agenda
- Firewalls Intro
  - Short history
  - Firewall types
  - What will be covered (and what not)
- OpenEdge Environment
  - Database connectivity
  - AppServer
  - WebSpeed
  - Adapters
  - DataServers
Firewalls Intro
- A firewall is the first line of defense for basic network security.
- It separates the untrusted network (the Internet) from the trusted network (the intranet).
- There is usually a third network called the DMZ, or demilitarized zone. This network is separate from both of the others, but it can communicate with both, subject to the firewall's rules.
- Usually it employs NAT (network address translation) and/or port mapping.
- "Responsible" for the vast majority of calls logged with technical support.
Firewalls Intro
[Diagram: a single firewall with the Internet on one side and the DMZ on another.]
[Diagram: two firewall devices, Firewall Device 1 between the Internet and the DMZ, Firewall Device 2 on the far side of the DMZ.]
Firewalls Intro: Short history
- A firewall is a system or group of systems that enforces an access control policy between two networks.
- Late 80s: 1st generation, packet filters
- 2nd generation: stateful filters
- Early 90s: 3rd generation, application layer
- Next generation: convergence of firewalls and IPS
Firewalls Intro: Firewall types
- Network layer firewalls
- Application layer firewalls
- Hybrid firewalls
What will be covered (and what not)
We will talk about
- Network layer firewalls
- OpenEdge products
but not about
- Application layer firewalls
- NAT, proxies, VPN, IDS/IPS
- Non-OpenEdge products
OpenEdge Environment: Database connectivity
[Diagram sequence: the database broker and remote servers 1..n all attach to the database's shared memory. A remote client sends its connect request to the database broker; the broker answers with the port of a remote server; the client then connects to that remote server.]
OpenEdge Environment: Database connectivity and firewall configuration
- Open TCP from the ABL/ODBC/JDBC client to the broker port (-S), and open all TCP ports from the client to the remote servers' port range: the broker only tells the client which remote server port to use, and the data connection goes to that remote server.
- The DB remote servers' port range is defined with the -minport and -maxport parameters.
- Don't forget -PendConnTime! It bounds how long a remote server keeps a connection reserved for a client that has been given its port but never arrives, which is exactly what happens when the firewall drops that second connection.
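The database rules above, as an added shell example that is not part of the presentation or of Progress's own tooling: it prints the iptables commands for the two hops (client to broker, client to the remote server range) and the proserve line that matches them. The client subnet 10.0.1.0/24, database host 10.0.2.10, broker port 20000, port range 1025-2000, the 30-second -PendConnTime and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the presentation or from Progress.  Emits the
# firewall rules an OpenEdge database needs for remote clients, from the
# same numbers that go on the proserve command line.  Nothing is applied:
# the iptables commands are printed for review (pipe them to sh on the
# firewall host).  Addresses and ports are hypothetical.

# gen_db_rules CLIENT_CIDR DB_HOST BROKER_PORT MINPORT MAXPORT
gen_db_rules() {
    client=$1; dbhost=$2; broker=$3; minport=$4; maxport=$5
    [ "$minport" -le "$maxport" ] || { echo "minport $minport > maxport $maxport" >&2; return 1; }
    # Hop 1: client -> broker (-S).  The broker only answers with a remote
    # server port; it never carries record data itself.
    echo "iptables -A FORWARD -p tcp -s $client -d $dbhost --dport $broker -m conntrack --ctstate NEW -j ACCEPT"
    # Hop 2: client -> the remote server (_mprosrv) it was told about.  Any
    # port in -minport..-maxport may be handed out, so the whole range opens.
    echo "iptables -A FORWARD -p tcp -s $client -d $dbhost --dport $minport:$maxport -m conntrack --ctstate NEW -j ACCEPT"
    # Replies for both hops ride on connection state.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# proserve_line DB BROKER_PORT MINPORT MAXPORT PENDCONNTIME -> the server
# start line that matches those rules.  -PendConnTime (seconds) releases a
# remote server's reserved connection when the client never completes hop 2,
# which is what a blocked firewall path looks like from the server's side.
# Assumption of this example: a positive value is required; check the
# startup parameter reference for your release's default behaviour.
proserve_line() {
    [ "$5" -gt 0 ] || { echo "-PendConnTime must be > 0 to time out clients stuck behind a firewall" >&2; return 1; }
    echo "proserve $1 -S $2 -minport $3 -maxport $4 -PendConnTime $5"
}

gen_db_rules 10.0.1.0/24 10.0.2.10 20000 1025 2000
proserve_line sports 20000 1025 2000 30
```

Keep the -minport/-maxport range as narrow as the number of remote servers (-Mn) needs; every port in the range is reachable from the client subnet whether or not a server is listening on it.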
OpenEdge Environment: AppServer
- And the Server was without form, and void. Admin said "Let there be light", and there was AdminServer. And it started the NameServer (NameServer/5162). And the Database Server was started.
- AdminServer and NameServer are started. User/Admin starts the AppServer broker: asbman -i asbroker1 -start
- AdminServer sets the broker's environment and then starts the Java process, which takes its properties from the ubroker.properties file.
- Broker opens its listening port and starts the predetermined number of servers.
- Servers (_proapsv) start using the DB connection and other startup parameters passed by the broker.
- When all servers are started, the broker sends a UDP message to the controlling NameServer to register with it. UDP message: uuid, asbroker1, hostname, 3090.
- Broker keeps sending UDP KeepAlive messages to the NameServer until it is shut down.
OpenEdge Environment: Overview AppServer round trip
- End user initiates the connection from the 4GL: AppServer://host:5162/asbroker1
- Client sends a UDP message to the NameServer on port 5162: "asbroker1?"
- NameServer checks for the broker registered with AppService name asbroker1 and sends the message back to the client (UDP, from port 5162) with the broker's registered host name (or IP address) and the port where it listens: asbroker1, host, port.
OpenEdge Environment: Overview Stateless AppServer round trip
- Client connects to the AppServer broker using TCP/IP, with the host name and port number provided by the NameServer, and then executes the RUN ... ON statement. In stateless mode this connection to the broker is the only one the client ever holds.
- Broker checks its pool of available agents, allocates one of them and passes it the RUN request.
- _proapsv gets the request and starts executing it.
- After the procedure is executed, the agent returns the output parameters (if any) and signals to the broker that it has finished (OUTPUT, END).
- Broker returns the OUTPUT params (if any) and signals the end of the RUN request to the 4GL client (OUTPUT, END).
- Client accepts the OUTPUT params (if any) and continues on with processing, now calling another RUN or disconnecting from the AppServer.
OpenEdge Environment: Overview State-reset / State-aware AS round trip
- Client connects to the AppServer broker using TCP/IP, with the host name and port number provided by the NameServer.
- Broker checks its pool of available agents and returns the port number of one of them to the client.
- Client disconnects from the AppServer broker and connects to the agent.
- Client executes the RUN ... ON statement; _proapsv gets the request and starts executing it.
- After it is finished, the agent returns the params (if any) and signals the end to the client (OUTPUT, END).
- 4GL client accepts the OUTPUT params (if any) and is now ready to make a new RUN, or to disconnect from the AppServer.
- Note that the 4GL client sends the AppServer DISCONNECT to the agent, which then signals to the broker that it is ready to accept another client connection ("I'm available again!").
OpenEdge Environment: AppServer and Firewall Configuration
- Stateless: the client holds a single TCP connection to the broker's port, so that port is all the firewall has to open from the client.
- State-reset and State-aware: the broker redirects the client to an agent, so open all TCP ports from the client to the AppServer's servers port range (2002-2202).
- In every mode the client also needs UDP to the NameServer (5162) to find the broker.
- The AppServer's servers port range is defined with the srvrMinPort and srvrMaxPort properties.
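The stateless and state-reset/state-aware round trips above, and the firewall configuration that follows from them, as an added shell example that is not part of the presentation or of Progress's tooling: it reads a constructed ubroker.properties fragment and emits only the hops that operatingMode requires, so a stateless broker never gets its agent range opened by habit. The client subnet 10.0.1.0/24, the AppServer and NameServer host 10.0.2.20, the prop helper and the gen_as_rules function are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the presentation or from Progress: derive a client's
# firewall rules for one AppServer from its ubroker.properties section.
# Which hops the client needs depends on operatingMode: a stateless client
# talks only to the broker, while state-reset and state-aware clients are
# redirected to an agent (_proapsv) port inside srvrMinPort-srvrMaxPort.
# Every client that finds the broker through the NameServer also needs UDP
# to the NameServer port.  Nothing is applied: the iptables commands are
# printed for review.  Hosts and addresses below are hypothetical.

# Constructed ubroker.properties fragment (not a real site file).
AS_PROPS='[UBroker.AS.asbroker1]
    operatingMode=State-aware
    portNumber=3090
    srvrMinPort=2002
    srvrMaxPort=2202
    controllingNameServer=NS1
'

# prop SECTION KEY  (properties text on stdin) -> value of KEY inside [SECTION]
prop() {
    sed -n "/^\[$1\]/,/^\[/s/^[[:space:]]*$2=//p"
}

# gen_as_rules CLIENT_CIDR AS_HOST NS_HOST NS_PORT BROKER_NAME  (properties on stdin)
gen_as_rules() {
    client=$1; ashost=$2; nshost=$3; nsport=$4; name=$5
    props=$(cat)
    mode=$(printf '%s\n' "$props" | prop "UBroker.AS.$name" operatingMode)
    bport=$(printf '%s\n' "$props" | prop "UBroker.AS.$name" portNumber)
    smin=$(printf '%s\n' "$props" | prop "UBroker.AS.$name" srvrMinPort)
    smax=$(printf '%s\n' "$props" | prop "UBroker.AS.$name" srvrMaxPort)
    [ -n "$mode" ] && [ -n "$bport" ] || { echo "$name: missing operatingMode or portNumber" >&2; return 1; }

    # Hop 1: UDP lookup "asbroker1?" to the NameServer; the reply comes back on
    # the same 5-tuple, so conntrack's ESTABLISHED state covers it.
    echo "iptables -A FORWARD -p udp -s $client -d $nshost --dport $nsport -m conntrack --ctstate NEW -j ACCEPT"
    # Hop 2: TCP to the broker port the NameServer handed back.
    echo "iptables -A FORWARD -p tcp -s $client -d $ashost --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
    # Hop 3 exists only when the broker redirects the client to an agent.
    case $(printf '%s' "$mode" | tr 'A-Z' 'a-z') in
        stateless)
            # The broker relays RUN requests to its agents itself; no client-to-agent hop.
            ;;
        state-reset|state-aware)
            [ -n "$smin" ] && [ -n "$smax" ] || { echo "$name: $mode needs srvrMinPort/srvrMaxPort" >&2; return 1; }
            echo "iptables -A FORWARD -p tcp -s $client -d $ashost --dport $smin:$smax -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        *)
            echo "$name: unknown operatingMode '$mode'" >&2; return 1
            ;;
    esac
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

printf '%s' "$AS_PROPS" | gen_as_rules 10.0.1.0/24 10.0.2.20 10.0.2.20 5162 asbroker1
```

The script covers the client's view only. In stateless mode the broker still connects to its agents on srvrMinPort-srvrMaxPort, so a host firewall on the AppServer machine has to allow that locally even though the network firewall does not.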
OpenEdge Environment: WebSpeed round trip
- End user initiates the request from the web browser: http://host/scripts/cgiip.exe/WService=wsbroker1/order.w
- The web server hands /WService=wsbroker1/order.w to the Messenger (scripts/cgiip.exe).
- Messenger reads ubroker.properties and, using controllingNameServer, locates the host and port where it sends the UDP message to the NameServer ("wsbroker1?"). It can use minNSClientPort and maxNSClientPort to specify the UDP port range on which it gets the response back from the NameServer; that range is what the firewall rule is written against.
- NameServer checks for the broker registered with AppService name wsbroker1 and sends the message back to the Messenger (UDP) with the broker's registered host name (or IP address) and the port where it listens.
- Messenger connects to the broker (TCP), which checks its pool of available agents and sends the message back (TCP) to the Messenger with the port number of the chosen available agent to process the request.
- Messenger connects (TCP) to the WS agent and passes the name of the web object to execute along with the list of parameters (if any): /order.w?custnum=1
- WS agent executes the web object and returns the HTML in the web output stream, which is returned to the end user's browser.
OpenEdge Environment: WebSpeed deployment zones
[Diagram: three zones, Internet / untrusted zone, demilitarized zone (DMZ) and intranet / trusted zone, with an Internet web server and an Internet production server.]
[Diagram, fuller layout across the same three zones: Internet-facing, an Internet web server and an Internet production server running an Internet NameServer, an Internet database and an Internet WebSpeed server; on the intranet, an intranet web server and an intranet server running an intranet NameServer, an intranet database and an intranet WebSpeed server, used by intranet users; a development/test server with a dev/test WebSpeed server, used by developers and testers.]
OpenEdge Environment: WebSpeed and Firewall Configuration
- Open all TCP ports from the WS Messenger to the WebSpeed's servers port range (2002-2202). The Messenger also needs TCP to the broker's port and UDP to the NameServer, with the NameServer's reply coming back on minNSClientPort-maxNSClientPort if those are set.
- WebSpeed's servers port range is defined with the srvrMinPort and srvrMaxPort properties.
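The DMZ layout and the Messenger's three hops above, as an added shell example that is not the presentation's or Progress's code: the Messenger on a DMZ web server is allowed to reach the NameServer, the broker and the agent range in the trusted zone, and nothing else, with the NameServer's UDP reply handled explicitly when minNSClientPort/maxNSClientPort are set and by connection tracking when they are not. The constructed ubroker.properties fragment, the addresses (web server 10.0.3.5, NameServer 10.0.2.30, WebSpeed host 10.0.2.20, DMZ 10.0.3.0/24, intranet 10.0.2.0/24) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation or from Progress: firewall rules for
# the DMZ-to-intranet leg of the WebSpeed round trip, derived from the
# Messenger's and the broker's ubroker.properties sections.  The Messenger
# (cgiip.exe on the web server in the DMZ) needs three hops into the intranet:
# UDP to the NameServer, TCP to the broker port, and TCP to the agent range
# srvrMinPort-srvrMaxPort.  If minNSClientPort/maxNSClientPort are set, the
# NameServer's UDP reply can be allowed by explicit port rules; if they are
# left at 0 the Messenger uses an ephemeral port and only a stateful
# (conntrack) rule can let the reply through.  Nothing is applied: the
# iptables commands are printed.  Addresses are hypothetical.

# Constructed ubroker.properties fragment (not a real site file).
WS_PROPS='[NameServer.NS1]
    hostName=10.0.2.30
    portNumber=5162

[WebSpeed.Messengers.CGIIP]
    controllingNameServer=NS1
    minNSClientPort=6000
    maxNSClientPort=6010

[UBroker.WS.wsbroker1]
    portNumber=3055
    srvrMinPort=2002
    srvrMaxPort=2202
'

# prop SECTION KEY  (properties text on stdin) -> value of KEY inside [SECTION]
prop() {
    sed -n "/^\[$1\]/,/^\[/s/^[[:space:]]*$2=//p"
}

# gen_ws_rules WEB_HOST WS_HOST BROKER_NAME DMZ_CIDR INTRANET_CIDR  (properties on stdin)
gen_ws_rules() {
    web=$1; wshost=$2; name=$3; dmz=$4; intranet=$5
    props=$(cat)
    ns=$(printf '%s\n' "$props" | prop WebSpeed.Messengers.CGIIP controllingNameServer)
    nshost=$(printf '%s\n' "$props" | prop "NameServer.$ns" hostName)
    nsport=$(printf '%s\n' "$props" | prop "NameServer.$ns" portNumber)
    cmin=$(printf '%s\n' "$props" | prop WebSpeed.Messengers.CGIIP minNSClientPort)
    cmax=$(printf '%s\n' "$props" | prop WebSpeed.Messengers.CGIIP maxNSClientPort)
    bport=$(printf '%s\n' "$props" | prop "UBroker.WS.$name" portNumber)
    smin=$(printf '%s\n' "$props" | prop "UBroker.WS.$name" srvrMinPort)
    smax=$(printf '%s\n' "$props" | prop "UBroker.WS.$name" srvrMaxPort)
    [ -n "$nshost" ] && [ -n "$nsport" ] && [ -n "$bport" ] && [ -n "$smin" ] && [ -n "$smax" ] \
        || { echo "incomplete properties for $name / $ns" >&2; return 1; }

    if [ "${cmin:-0}" -gt 0 ] && [ "${cmax:-0}" -ge "$cmin" ]; then
        # Hop 1, pinned ports: the lookup leaves from the client range and the
        # reply must come back to that same range from the NameServer port.
        echo "iptables -A FORWARD -p udp -s $web --sport $cmin:$cmax -d $nshost --dport $nsport -j ACCEPT"
        echo "iptables -A FORWARD -p udp -s $nshost --sport $nsport -d $web --dport $cmin:$cmax -j ACCEPT"
    else
        echo "warning: minNSClientPort/maxNSClientPort not set; relying on UDP conntrack for the NameServer reply" >&2
        echo "iptables -A FORWARD -p udp -s $web -d $nshost --dport $nsport -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A FORWARD -p udp -s $nshost --sport $nsport -d $web -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi
    # Hop 2: Messenger -> broker, which answers with an agent port.
    echo "iptables -A FORWARD -p tcp -s $web -d $wshost --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
    # Hop 3: Messenger -> the chosen agent, anywhere in the agent range.
    echo "iptables -A FORWARD -p tcp -s $web -d $wshost --dport $smin:$smax -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Everything else from the DMZ into the trusted zone is dropped, so a
    # compromised web server gets exactly the three hops above and nothing more.
    echo "iptables -A FORWARD -s $dmz -d $intranet -j DROP"
}

printf '%s' "$WS_PROPS" | gen_ws_rules 10.0.3.5 10.0.2.20 wsbroker1 10.0.3.0/24 10.0.2.0/24
```

The closing DROP is the point of the DMZ: the web server is the machine most likely to be compromised, and these rules let it reach only the three services the round trip needs, not the database, the AdminServer or anything else in the trusted zone.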
OpenEdge Environment: OpenEdge Adapters - AIA
Path: ABL/OpenClient proxy -> AIA -> AppServer
- Client creates the message for the AppServer, wraps it up in an HTTP packet and sends it to the AIA.
- AIA receives the HTTP packet, unwraps and extracts the message, and sends it to the AppServer.
OpenEdge Environment: OpenEdge Adapters - AIA and firewall configuration
Path: ABL/OpenClient proxy -> JSE/AIA -> AppServer
- Open TCP port(s) to the JSE listener: 80 or 8080, and/or 443.
- Between the AIA and the AppServer, open all ports following the client-to-AppServer rules; the AIA is the AppServer's client here.
- AIA to NameServer: minNSClientPort - maxNSClientPort.
OpenEdge Environment: OpenEdge Adapters - WSA and firewall configuration
Path: WebService client -> JSE/WSA -> AppServer
- Open TCP port(s) to the JSE listener: 80 or 8080, and/or 443.
- Between the WSA and the AppServer, open all ports following the client-to-AppServer rules; the WSA is the AppServer's client here.
- WSA to NameServer: nsMinClientPort - nsMaxClientPort.
OpenEdge Environment: OpenEdge DataServers
- Configuration: schema holder location, foreign DB location, connecting through the DataServer broker (standard/unified)
- Foreign database connection configuration
- NB: DataServer servers cannot specify a port range!
In Summary
- Firewalls are not a panacea!
- Understand the round trip!
- Double-check the rules!
For More Information, go to
- PSDN
  - http://www.psdn.com/library/entry.jspa?externalID=1433
  - http://www.psdn.com/library/entry.jspa?externalID=163
- Documentation
  - Core Business Services
  - Application and Integration Services
Relevant Exchange Sessions
- OPS-19 What is IPv6 and Why Should I Care?
Questions?
Thank You