370
Chapter 9
An Overview of ITO Processes
Secure Networking
or RPCD always runs on UDP 135, a reserved port which must be
accessible even through a firewall. Once it has the port number of the
RPC server, the RPC client can initiate the RPC call.
Processes and Ports
In addition to the checks and controls that a DCE environment supplies
for authentication and data integrity, both before and during
connections between processes, ITO lets you counter security
breaches more effectively by restricting the port numbers that processes
may use to a specific range that you define in the GUI. ITO then
assigns port numbers from this range dynamically to the processes that
are granted an RPC connection. The port numbers are configurable and are
checked against the defined range each time an RPC server registers
itself or an RPC client requests a connection.
If a request for a port number within the range specified in the
GUI is refused because no port in that range is available, the process
starts anyway, and ITO assigns a port number outside the permitted range.
A possible consequence of this is that the newly assigned port is not
available either; in this case, ITO generates an error message. For more
information on how to set port ranges and on the consequences of incorrect
port assignment, see the HP ITO Administrator’s Guide to Online
Information.
Dynamic Port Assignment through a Firewall: Example Scenario
If the security precautions of a given environment require that a
restriction be applied to the nodes, ports, or protocols that are allowed to
pass a packet-filtering firewall, the administrator might, for example,
configure the firewall to enable the port range 1050 to 1300 on the
managed nodes and ports 1200 to 1500 on the server for ITO traffic. The
administrator does this by “switching off” all port numbers outside the
specified range for traffic in the direction specified. The only exception
to this is port 135, which is used for access to the RPCD/LLBD and must not
be blocked. All ITO-specific traffic then has to go through the designated
ports. The scenario described below would be the consequence of such a
configuration:
❏ The Control Agent on a managed node registers TCP/UDP port 1050
in its unique RPCD/LLBD and listens there for ITO traffic.
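The following added example (not ITO's own code) models the two mechanisms described above: range-restricted dynamic port assignment with fallback outside the range, and the packet filter from the scenario that passes only the enabled range plus port 135. The lowest-free-port choice and the single fallback attempt at the first port above the range are assumptions made for the model; the port numbers are constructed.

```python
"""Model of ITO-style dynamic port assignment plus a packet-filter check.

Illustrative model only: the lowest-free-port choice and the single fallback
attempt outside the range are assumptions, not documented ITO behaviour.
"""
from dataclasses import dataclass, field

RPCD_PORT = 135  # RPCD/LLBD endpoint port: must never be blocked by the firewall


@dataclass
class PortAllocator:
    low: int                       # permitted range as set in the GUI
    high: int
    in_use: set = field(default_factory=set)

    def assign(self):
        """Return (port, status); status is 'in-range', 'out-of-range' or 'error'."""
        for port in range(self.low, self.high + 1):
            if port not in self.in_use:
                self.in_use.add(port)
                return port, "in-range"
        # No port free in the permitted range: the process starts anyway on a
        # port outside the range (assumed here to be the first port above it).
        fallback = self.high + 1
        if fallback in self.in_use:
            return None, "error"   # the fallback port is not available either
        self.in_use.add(fallback)
        return fallback, "out-of-range"


def firewall_permits(port, allowed):
    """Packet filter from the scenario: only the enabled range and port 135 pass."""
    return port == RPCD_PORT or allowed[0] <= port <= allowed[1]


def audit(allocator, fw_range, requests):
    """Serve `requests` port requests and flag any that the firewall would drop."""
    report = []
    for _ in range(requests):
        port, status = allocator.assign()
        blocked = port is not None and not firewall_permits(port, fw_range)
        report.append((port, status, blocked))
    return report


if __name__ == "__main__":
    # Constructed scenario: a tiny managed-node range 1050-1052, two ports busy.
    alloc = PortAllocator(1050, 1052, in_use={1050, 1051})
    for port, status, blocked in audit(alloc, (1050, 1052), 3):
        print(f"port={port} status={status} firewall_blocks={blocked}")
```

The third request shows the failure mode the text describes: the range is exhausted, the fallback port is taken too, and the allocator reports an error; the second shows why an out-of-range assignment matters behind a packet filter.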