B Secure Deployment Checklist
Use the following security checklist to help secure ELAP and its components:
- Change default passwords
- Configure ELAP firewall port assignments
- Enable HTTPS and disable HTTP
- Enforce strong password management
- Restrict admin functions to the required administrator groups
- Utilize the Authorized IP addresses feature
B.1 ELAP Firewall Port Assignments
If a firewall is installed in the provisioning network between the MPS systems or between the MPS system(s) and the provisioning system, it must be configured to allow selected traffic to pass. Firewall protocol filtering for the various interfaces is defined in this table (from the perspective of each MPS).
Note:
The information in the following table is used for both internal customer network configuration and VPN access for support.

Table B-1 Firewall Requirements
Server Interface | IP Address | TCP/IP Port | Inbound | Outbound | Use/Comments
---|---|---|---|---|---
ELAP Application Firewall Requirements: | | | | |
Port 1 | Provisioning IP or VIP configured on ELAP | 22 | Yes | Yes | SSH/SCP/SFTP
Port 1 | NTP server IP(s) configured on ELAP | 123 | Yes | Yes | NTP - Needed for time-sync.
Port 1 | Provisioning IP or VIP configured on ELAP | 80 | Yes | No | APACHE - Needed for ELAP Web-based GUI.
Port 1 | Provisioning IP or VIP configured on ELAP | 8473 | Yes | Yes | GUI server (process) - Needed by ELAP Web-based GUI.
Port 1 | Provisioning IP or VIP configured on ELAP | 9691 | Yes | Yes | Used for HSOPD watcher.
Port 1 | Provisioning IP or VIP configured on ELAP | 1030 | Yes | Yes | Used for bulk download between LSMS and ELAP.
Port 1 | Provisioning IP or VIP configured on ELAP | 7483 | Yes | No | Used to download the normal provisioning data from LSMS to ELAP.
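
One way to check a firewall ruleset against the rows of Table B-1 shown above, as an added example that is not part of the ELAP documentation or tooling. It compares port and direction only (addresses are not modeled), and the ruleset format, function names and sample rules are assumptions constructed for illustration.

```python
# Port, Inbound, Outbound and Use columns of the Table B-1 rows shown above.
TABLE_B1 = """\
22   | Yes | Yes | SSH/SCP/SFTP
123  | Yes | Yes | NTP time-sync
80   | Yes | No  | Apache, ELAP web GUI
8473 | Yes | Yes | GUI server process
9691 | Yes | Yes | HSOPD watcher
1030 | Yes | Yes | Bulk download between LSMS and ELAP
7483 | Yes | No  | Normal provisioning data from LSMS to ELAP
"""

def parse_policy(text):
    """Return {(port, direction): use} for every direction marked Yes."""
    policy = {}
    for line in text.strip().splitlines():
        port, inbound, outbound, use = [c.strip() for c in line.split("|")]
        for direction, flag in (("in", inbound), ("out", outbound)):
            if flag == "Yes":
                policy[(int(port), direction)] = use
    return policy

def audit(policy, rules):
    """Compare allow rules [(port, direction), ...] with the policy.

    Returns (unexpected, missing): rules that open something the table
    does not list, and table entries that no rule covers.
    """
    allowed, seen = set(policy), set(rules)
    return sorted(seen - allowed), sorted(allowed - seen)

# Constructed sample ruleset (hypothetical export, not from the page),
# directions given from the perspective of the MPS.
SAMPLE_RULES = [
    (22, "in"), (22, "out"), (123, "in"), (123, "out"),
    (80, "in"), (80, "out"),      # outbound 80 is "No" in Table B-1
    (8473, "in"), (8473, "out"),
    (9691, "in"), (9691, "out"),
    (1030, "in"),                 # outbound 1030 is required but absent
    (7483, "in"),
    (3306, "in"),                 # port not listed in Table B-1
]

if __name__ == "__main__":
    unexpected, missing = audit(parse_policy(TABLE_B1), SAMPLE_RULES)
    for port, direction in unexpected:
        print(f"UNEXPECTED allow: port {port} {direction}bound")
    for port, direction in missing:
        print(f"MISSING allow:    port {port} {direction}bound")
```

Unexpected entries are candidates for removal; missing entries would block traffic the table says the MPS needs.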