OPS-17: Utilizing Firewalls - In the Reign of Fire - PowerPoint PPT Presentation

About This Presentation

Title: OPS-17: Utilizing Firewalls - In the Reign of Fire

Description: Database connectivity and firewall configuration. Don't forget -PendConnTime! ... to the WS agent and it passes the name of the web object to execute along ... - PowerPoint PPT presentation

Number of Views: 104
Avg rating: 3.0/5.0
Slides: 48
Provided by: skra9

Transcript and Presenter's Notes

1
OPS-17: Utilizing Firewalls - In the Reign of Fire
Sasha Kraljevic
Principal TS Engineer
2
Agenda
  • Firewalls Intro
  • Short history
  • Firewall types
  • What will be covered (and what not)
  • OpenEdge Environment
  • Database connectivity
  • AppServer
  • WebSpeed
  • Adapters
  • DataServers

3
Firewalls Intro
  • A firewall is the first line of defense for basic
    network security.
  • It separates the untrusted network (the Internet)
    and the trusted network (the Intranet).
  • There is usually a third network called the DMZ
    or Demilitarized zone. This network is separate
    from both the others, but it can communicate with
    both.
  • Usually it employs NAT (network address
    translation) and/or port mapping
  • "Responsible" for the vast majority of calls logged
    with technical support

4
Firewalls Intro
(Diagram labels: Internet, DMZ)
5
Firewalls Intro
(Diagram labels: Firewall Device 1, Internet, DMZ, Firewall Device 2)
6
Firewalls Intro
Short history
  • A firewall is a system or group of systems that
    enforces an access control policy between two
    networks.
  • Late 80s: 1st Gen. packet filters
  • 2nd Gen.: stateful filters
  • Early 90s: 3rd Gen. application layer
  • Next Gen.: convergence of Firewalls and IPS

7
Firewalls Intro
Firewall types
  • Network layer firewalls
  • Application layer firewalls
  • Hybrid firewalls

8
Agenda
  • Firewalls Intro
  • Short history
  • Firewall types
  • What will be covered (and what not)
  • OpenEdge Environment
  • Database connectivity
  • AppServer
  • WebSpeed
  • Adapters
  • DataServers

9
What will be covered (and what not)
We will talk about
  • Network layer firewalls
  • OpenEdge products

but not about
  • Application layer firewalls
  • NAT, proxies, VPN, IDS IPS
  • Non-OpenEdge products

10
Agenda
  • Firewalls Intro
  • Short history
  • Firewall types
  • What will be covered (and what not)
  • OpenEdge Environment
  • Database connectivity
  • AppServer
  • WebSpeed
  • Adapters
  • DataServers

11
OpenEdge Environment
Database connectivity
(Diagram labels: Database Broker, Remote Server 1, Remote Server 2, Remote Server n, Shared memory)
12
OpenEdge Environment
Database connectivity
Connect rq >
Database Broker
< Remote Srv port
(Diagram labels: Remote Server 1, Remote Server 2, Remote Server n, Shared memory)
13
OpenEdge Environment
Database connectivity
(Diagram labels: Database Broker, Remote Server 1, Remote Server 2, Remote Server n, Shared memory)
14
OpenEdge Environment
Database connectivity and firewall configuration
Open all TCP ports from the ABL/ODBC/JDBC client to the remote servers' port range.
The DB remote servers' port range is defined with the -minport and -maxport parameters.
Remote Srv
Don't forget -PendConnTime!
15
OpenEdge Environment
AppServer
And the Server was without form, and void. Admin said "Let there be light", and there was AdminServer. And it started the NameServer.
NameServer/5162
AdminServer and NameServer are started. User/Admin starts the AppServer broker: asbman -i asbroker1 -start
AdminServer sets the broker's environment and then it starts the Java process, which takes the properties from the ubroker.properties file.
Broker opens its listening port and starts a predetermined number of servers.
AppServer Broker
AppServer Server(s) (Agents)
Servers (_proapsv) start using db connection and other startup parameters passed by the broker.
And the Database Server was started.
When all servers are started, broker sends the UDP message to the controlling NameServer to register with it.
UDP message: uuid, asbroker1, hostname, 3090
Broker keeps sending UDP KeepAlive messages to the NameServer until it is shut down.
16
OpenEdge Environment
Overview: AppServer round trip
End user initiates the connection from the 4GL: AppServer://host:5162/asbroker1
UDP to 5162: "asbroker1 ?"
NameServer/5162
NameServer checks for the broker registered with AppService name asbroker1 and sends the message back to the client (UDP) with the broker's registered host name (or IP address) and the port where it listens.
UDP from 5162: asbroker1, host, port
AS Broker
AS Agent
17
OpenEdge Environment
Overview: Stateless AppServer round trip
NameServer/5162
Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer, and then it executes the RUN ... ON statement.
RUN
AS Broker
Broker checks its pool of available agents and allocates one of them, passing the RUN request.
RUN
AS Agent
_proapsv gets the request and it starts executing it.
18
OpenEdge Environment
Overview: Stateless AppServer round trip
NameServer/5162
AS Broker
AS Agent
_proapsv gets the request and it starts executing it.
After the procedure is executed, agent returns the output parameters (if any), and signals to broker that it has finished.
OUTPUT..END
Broker returns the OUTPUT params (if any) and signals the end of the RUN request to the 4GL client.
OUTPUT..END
Client accepts the OUTPUT params (if any) and continues on with processing: now calling another RUN, or disconnecting from AppServer.
19
OpenEdge Environment
Overview: State-reset / State-aware AS round trip
NameServer/5162
Client connects to the AppServer broker using TCP/IP, the hostname and the port number provided by the NameServer.
AS Broker
Broker checks its pool of available agents and returns the port number of one of them back to the client.
AS Agent
20
OpenEdge Environment
Overview: State-reset / State-aware AS round trip
NameServer/5162
AS Broker
Client disconnects from the AppServer broker and connects to the agent.
Client executes the RUN ... ON statement.
RUN..ON
AS Agent
_proapsv gets the request and it starts executing it.
21
OpenEdge Environment
Overview: State-reset / State-aware AS round trip
NameServer/5162
AS Broker
AS Agent
After it is finished, agent returns the params (if any) and signals the end to the client.
OUTPUT..END
4GL client accepts the OUTPUT params (if any) and it is now ready to make a new RUN, or to disconnect the AppServer.
Note that 4GL client sends the AppServer DISCONNECT to the agent, which then signals to broker that it is ready to accept another client connection.
"I'm available again!"
22
OpenEdge Environment
AppServer and Firewall Configuration
Stateless
State-reset / State-aware
Open all TCP ports from client to the AppServer's servers' port range (2002-2202).
AppServer's servers' port range is defined with the srvrMinPort / srvrMaxPort properties.
AS Agents
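To make "understand the round trip, double-check the rules" concrete for both the database slide (the -minport/-maxport range) and this AppServer slide (srvrMinPort/srvrMaxPort): an added Python model, not Progress code, that lists each outbound leg of a round trip and reports the ports a constructed sample policy leaves blocked. Zone names, port numbers and the policy are assumed sample values, and the NameServer's UDP reply is treated as stateful return traffic, so only outbound legs are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allow rule: src zone -> dst host, protocol, inclusive port range."""
    src: str
    dst: str
    proto: str
    lo: int
    hi: int

def round_trip(kind, ns_port=5162, broker_port=3090, srv_range=(2002, 2202)):
    """Legs of one client round trip as (src, dst, proto, lo, hi). Defaults are
    constructed: NameServer 5162, broker 3090, server range 2002-2202 (the
    -minport/-maxport or srvrMinPort/srvrMaxPort setting on the slides)."""
    if kind == "database":  # "Connect rq >" to the broker, "< Remote Srv port" back
        return [("client", "db", "tcp", broker_port, broker_port),
                ("client", "db", "tcp", *srv_range)]
    legs = [("client", "ns", "udp", ns_port, ns_port),          # "asbroker1 ?"
            ("client", "as", "tcp", broker_port, broker_port)]  # host/port from NS reply
    if kind in ("state-reset", "state-aware"):  # client is handed an agent's own port
        legs.append(("client", "as", "tcp", *srv_range))
    elif kind != "stateless":  # stateless: broker relays RUN, agent range stays closed
        raise ValueError(f"unknown AppServer mode: {kind}")
    return legs

def uncovered(leg, rules):
    """Ports of one leg that no rule permits, collapsed into (lo, hi) ranges."""
    src, dst, proto, lo, hi = leg
    holes, start = [], None
    for port in range(lo, hi + 2):  # one port past hi flushes a trailing gap
        permitted = port > hi or any((r.src, r.dst, r.proto) == (src, dst, proto)
                                     and r.lo <= port <= r.hi for r in rules)
        if not permitted and start is None:
            start = port
        elif permitted and start is not None:
            holes.append((start, port - 1))
            start = None
    return holes

def audit(kind, rules, **kw):
    """Every leg of the round trip that the policy leaves partly or fully blocked."""
    return [(leg, gaps) for leg in round_trip(kind, **kw) if (gaps := uncovered(leg, rules))]

# Constructed sample policy: broker port open, but the agent range was mistyped
# (2100 instead of 2202). Stateless clients never notice; state-aware/state-reset do.
POLICY = [Rule("client", "ns", "udp", 5162, 5162),
          Rule("client", "as", "tcp", 3090, 3090),
          Rule("client", "as", "tcp", 2002, 2100)]
```

audit("stateless", POLICY) returns an empty list while audit("state-aware", POLICY) reports the 2101-2202 gap on the agent leg, which is why the two operating modes need different firewall rules.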
23
OpenEdge Environment
WebSpeed
Web server
End user initiates the request from the web browser: http://host/scripts/cgiip.exe/WService=wsbroker1/order.w
NameServer
WS Broker
WS Agent
24
OpenEdge Environment
WebSpeed
Web server
scripts/cgiip.exe/WService=wsbroker1/order.w
NameServer
WS Broker
WS Agent
25
OpenEdge Environment
WebSpeed
Web server
Messenger reads ubroker.properties and, using controllingNameServer, locates the host and port where it sends the UDP message to the NS. It can use minNSClientPort and maxNSClientPort to specify the UDP port range for getting back the response from the NS (used for the firewall).
/WService=wsbroker1/order.w
Messenger
NameServer
WS Broker
WS Agent
26
OpenEdge Environment
WebSpeed
Web server
wsbroker1 ?
Messenger
NameServer
WS Broker
WS Agent
NameServer checks for the broker registered with AppService name wsbroker1 and sends the message back to the Messenger (UDP) with the broker's registered host name (or IP address) and the port where it listens.
27
OpenEdge Environment
WebSpeed
Web server
Messenger
NameServer
WS Broker
WS Agent
Messenger connects to the broker, which then checks its pool of available agents and sends the message (TCP) back to the messenger with the port number of the chosen available agent to process the request.
28
OpenEdge Environment
WebSpeed
Web server
Messenger connects (TCP) to the WS agent and it passes the name of the web object to execute along with the list of parameters (if any): /order.w?custnum=1
Messenger
NameServer
WS Broker
WS Agent
29
OpenEdge Environment
WebSpeed
Web server
Messenger
WS agent executes the web object and
NameServer
WS Broker
WS Agent
30
OpenEdge Environment
WebSpeed
Web server
Messenger
it returns the HTML in the web output stream
NameServer
WS Broker
WS Agent
31
OpenEdge Environment
WebSpeed
Web server
Messenger
that is returned to the end user's browser.
NameServer
WS Broker
WS Agent
32
OpenEdge Environment
WebSpeed
(Diagram labels: Internet Web Server, Internet Production Server; Internet / Untrusted Zone; Demilitarized Zone (DMZ); Intranet / Trusted Zone)
33
OpenEdge Environment
WebSpeed
(Diagram labels: Internet Web Server, Internet Production Server, Internet NameServer, Internet Database, Internet WebSpeed Server; Internet / Untrusted Zone; Demilitarized Zone (DMZ); Intranet / Trusted Zone; Intranet Database, Intranet WebSpeed Server, Intranet Server, Intranet NameServer, Development/Test Server, Intranet Web Server, Dev/Test WebSpeed Server, Developers/Testers, Users)
34
OpenEdge Environment
WebSpeed
Open all TCP ports from the WS Msngr to the WebSpeed's servers' port range (2002-2202).
WebSpeed's servers' port range is defined with the srvrMinPort / srvrMaxPort properties.
WS Agents
35
OpenEdge Environment
OpenEdge Adapters - AIA
ABL/OpenClient proxy
AIA
Client creates the message for the AppServer.
Wraps it up in the HTTP packet.
36
OpenEdge Environment
OpenEdge Adapters - AIA
ABL/OpenClient proxy
AIA
Client creates the message for the AppServer.
Wraps it up in the HTTP packet.
And sends it to the AIA.
AIA receives the HTTP packet.
37
OpenEdge Environment
OpenEdge Adapters - AIA
ABL/OpenClient proxy
AIA
HTTP
Client creates the message for the AppServer.
Wraps it up in the HTTP packet.
And sends it to the AIA.
AIA receives the HTTP packet.
Unwraps and extracts the message.
38
OpenEdge Environment
OpenEdge Adapters - AIA
ABL/OpenClient proxy
AIA
Client creates the message for the AppServer.
Wraps it up in the HTTP packet.
And sends it to the AIA.
AIA receives the HTTP packet.
Unwraps and extracts the message.
And it sends it to the AppServer.
39
OpenEdge Environment
OpenEdge Adapters - AIA
ABL/OpenClient proxy
JSE/AIA
AppServer
Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443.
Open all ports following the client-to-AppServer rules.
AIA to NameServer: minNSClientPort - maxNSClientPort
40
OpenEdge Environment
OpenEdge Adapters - WSA
WebService client
JSE/WSA
AppServer
Open TCP port(s) to the JSE listener: 80 or 8080 and/or 443.
Open all ports following the client-to-AppServer rules.
WSA to NameServer: nsMinClientPort - nsMaxClientPort
41
OpenEdge Environment
OpenEdge DataServers
  • Configuration
    - schema holder location
    - foreign db location
    - connecting through the DataServer broker (standard/unified)
  • Foreign database connection configuration

NB: DataServer servers cannot specify a port range!
42
In Summary
  • Firewalls are not a panacea!
  • Understand the roundtrip!
  • Double-check the rules!

43
For More Information, go to
  • PSDN
  • http://www.psdn.com/library/entry.jspa?externalID=1433
  • http://www.psdn.com/library/entry.jspa?externalID=163
  • Documentation
  • Core Business Services
  • Application and Integration Services

44
Relevant Exchange Sessions
  • OPS-19 What is IPv6 and Why Should I Care?

45
Questions?
46
Thank You