Configuring a firewall

BMC PATROL for Amazon Web Services (BMC PATROL for AWS) connects directly to your production databases. Therefore, BMC recommends that communication between tiers of a product, especially if any tier lies outside your internal network, be handled through virtual private networking (VPN) connections for the strongest security. This section provides information about setting up those communications in your environment as discussed in the following topics.

Benefits of VPNs

A VPN allows two or more private networks (protected by various security mechanisms such as encryption and authentication) to be connected over a publicly accessed network such as the Internet. While a VPN can support the same intranet and extranet services as a Wide Area Network (WAN), VPNs can also support secure remote access services. Employees working remotely can then call into a local service provider to access their company’s internal intranet.

BMC PATROL provides some VPN functionality within the product by providing the capability of configuring the Security Socket Layer (SSL) protocol for connections between clients and servers. SSL uses several network security techniques including public and private cryptographic keys and trusted authority certificates. See the PATROL Security User Guide for a further discussion of the security techniques that BMC PATROL uses.

Protocols, port numbers, and blocking

If your environment requires communication between product tiers through a firewall or port-forwarding device, the following list describes some basic considerations. If you require more detailed assistance, contact BMC Customer Support.

• BMC PATROL uses both UDP and TCP/IP communications protocols. See your firewall documentation for detailed information about using the firewall with the TCP/IP and UDP protocols.
• Port numbers enable multiple processes to use TCP/IP or UDP services on the same host. A server makes its services available to the network by using numbered ports. Each port is specified for a particular service (for example, port 80 can be used for a Web server and port 21 can be used for an FTP server). Well-known ports are port numbers that the industry has agreed to reserve for specific services such as telnet, FTP, and SMTP. Well-known ports are numbered 1 through 49,151. Ports greater than 49,151 are considered dynamic ports because they are not associated with any specific service.
• In general, a firewall administrator sets up a firewall by first blocking all incoming and outgoing traffic and then selecting what types of traffic to allow. If the server computer accepts inbound connections on a port from the outside world and a firewall is not protecting the port, anyone can connect to the port and use its services. If a port is generally known to be used by other applications, opening this port allows your application to work, but also allows other applications to use the port. For example, if you choose port 2049 for a BMC application, this may inadvertently open up NFS to an attack from outside the firewall on other computers. Therefore, it is important to choose a port for a new application that is not already used for something else by another application.

Configuring a firewall for BMC PATROL for AWS

While it is common to have both the PATROL Agent and BMC PATROL for AWS components on the database server host, the PATROL console can reside on a client host for system administrator tasks. In this scenario, the PATROL console could reside outside the firewall (yet protected by another firewall) while the PATROL Agents are behind the firewall. After a database connection has been established between the PATROL console and the PATROL Agent, all port requirements have been met (unless you want to deploy the product to other servers).

To deploy Knowledge Modules (KMs), ensure that the following ports are open:

• Port 8160 for TCP/IP, which is the only communication protocol used
  For Windows only, both computers must be members of the same domain
• For UNIX only, port 21 for FTP
• For UNIX only, port 23 for Telnet

For details about configuring a firewall for communication between the PATROL Agents and the PATROL console, see the PATROL Installation Utility Reference Manual.

The following table lists the protocols, ports, and connection directions required for each major feature. Note that day-to-day operations involving only Distribution Manager and executing distributions require only one connection protocol and port: HTTP:80 or HTTPS:443, depending on the security level.