Firewall: port assignment, Port security – HP-UX B6941-90001 User Manual

Chapter 10

443

Tuning, Troubleshooting, Security, and Maintenance

ITO Security

example, if the ITO management server ‘garlic.spices.com’ and the
managed node ‘basil.herbs.com’ are configured to run with
authenticated RPCs, the following principals will be created:

    opc/opc-mgr/garlic.spices.com
    opc/opc-agt/basil.herbs.com

In DCE, a name or principal (garlic.spices.com) belongs to a group
(opc-mgr), which in turn belongs to an organization (opc). The only
exception to this rule in ITO is the principal opc-agt-adm: opc-agt-adm
is a member of the group and organization none; it is a special
principal that is primarily used in the administration of accounts and
passwords.
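The org/group/name hierarchy above can be checked mechanically. The following is an added example, not code from the manual or from HP: it parses principal names in the form shown on this page, builds the set ITO is expected to create for one management server and its managed nodes, and reports registry entries that do not fit. Writing opc-agt-adm as none/none/opc-agt-adm, and the host rogue.example.com, are this example's own constructed assumptions.

```python
"""Audit DCE principal names in the org/group/name form ITO creates.
Added example, not HP's code; the hostnames and registry entries below
are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    org: str
    group: str
    name: str

    def __str__(self) -> str:
        return f"{self.org}/{self.group}/{self.name}"

# Rule from the page: ITO principals sit in group opc-mgr (management server)
# or opc-agt (managed node) inside organization opc.  The one exception is
# opc-agt-adm, whose group and organization are both 'none'; writing it in
# the same org/group/name form is this example's assumption.
ITO_GROUPS = {"opc-mgr", "opc-agt"}
ADMIN_PRINCIPAL = Principal("none", "none", "opc-agt-adm")

def parse_principal(text: str) -> Principal:
    """Split 'org/group/name'; reject anything not exactly three parts."""
    parts = text.strip().split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not an org/group/name principal: {text!r}")
    return Principal(*parts)

def expected_principals(mgmt_server, managed_nodes):
    """Principals ITO creates for one server and its nodes, plus opc-agt-adm."""
    out = [Principal("opc", "opc-mgr", mgmt_server)]
    out += [Principal("opc", "opc-agt", node) for node in managed_nodes]
    return out + [ADMIN_PRINCIPAL]

def is_valid_ito_principal(p: Principal) -> bool:
    return p == ADMIN_PRINCIPAL or (p.org == "opc" and p.group in ITO_GROUPS)

def audit_registry(entries, mgmt_server, managed_nodes):
    """Return (unexpected, missing) principal names, each list sorted."""
    found = {parse_principal(e) for e in entries}
    expected = set(expected_principals(mgmt_server, managed_nodes))
    unexpected = sorted(str(p) for p in found
                        if not is_valid_ito_principal(p) or p not in expected)
    missing = sorted(str(p) for p in expected - found)
    return unexpected, missing

if __name__ == "__main__":
    registry = ["opc/opc-mgr/garlic.spices.com", "opc/opc-agt/basil.herbs.com",
                "none/none/opc-agt-adm", "opc/opc-agt/rogue.example.com"]
    print(audit_registry(registry, "garlic.spices.com", ["basil.herbs.com"]))
```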

In addition, ITO allows you to select and configure the security level your
particular environment requires for an individual managed node: the
value is stored in the given managed node’s nodeinfo file and on the
management server in the relevant entry in the database. In this way,
security on a given managed node may be changed to handle, for
example, the addition of sensitive connections.

ITO may be configured in such a way as to be able to overcome a
situation where, owing to the temporary unavailability or poor
configuration of the security service, a process is required to run in
unauthenticated mode or fail. For example, if a management server
process such as the request sender receives an authentication failure
when calling a control agent on a managed node, an error message is
generated, which appears in the Message Browser window. The
administrator is then able to take immediate corrective action, for
example, by temporarily changing the security level on the managed
node in question to allow the retransmitted request to succeed. However,
care should be taken in situations such as this, since an error in the
connection could in certain circumstances indicate that the system is
under “attack”.

Port Security

One simple but effective way of limiting access to a network, and
consequently improving the network’s inherent security, is to restrict
all connections between processes to a specific range of ports. This
applies to all network traffic and not just RPCs. In the context of ITO,
you can do this on two distinct levels: