Benefits of the Firewall-Secure Option

This section describes the benefits of the Firewall-Secure option.

ACSLS Server-Side

With changes to just the server-side component, as provided within this Firewall-Secure solution, the benefits include:

  • Restricting incoming connections for ACSLS communications to a single TCP port for all registered program numbers (there are two registered program numbers for the ACSLS CSI, both of which are serviced by that single port).

  • Allowing users to specify the identity of that port, and configure their firewall in a corresponding fashion.

  • Allowing users to turn off ACSLS communications to UDP ports.

  • Allowing users to disable any communication by the ACSLS server to the client-side portmapper(s) (UDP/TCP port 111). The portmapper must still remain running on client platforms to preserve compatibility with client-side code. However, it will not be used for network communications initiated by the server, and therefore the clients' firewall(s) can be configured to disallow access to it.

  • Outgoing connections from the ACSLS server to the client(s) are unrestricted with respect to the server-side ports used, which preserves current performance. This follows widely accepted practice in the security community.

ACSLS Server Port Restriction

This firewall solution restricts the number of incoming ports through which an outside party can initiate network communication. The ports are limited to either one or three: the single customer-specified port for ACSLS incoming requests, plus, possibly, the two portmapper ports (TCP and UDP port 111).

Note:

To disallow client access to the ACSLS server portmapper (and thus disallow access to UDP and TCP port 111), changes must be made to the client software component. See the client-side discussion below.

The server-side of the solution, above, is implemented completely within ACSLS.

Client-Side (CSC)

The changes made to the CSC place identical restrictions on the client-side platform to those described above. This gives the CSC an identical capability to reside behind its own secure firewall. This solution provides the following benefits:

  • Restricts incoming connections for communications (response) to the CSC to a single TCP port for each registered program number. There is one registered program number for the ACSLS SSI.

  • End-users can specify the identity of the TCP port and configure their firewall similarly.

  • Turns off client-side communications to UDP ports.

  • Disables any communication by the client to the ACSLS server portmapper (UDP/TCP port 111). The portmapper must still remain running on the ACSLS platform to preserve compatibility with ACSLS code. However, client network communications are not initiated through the portmapper. Therefore, the ACSLS server firewall can be configured to disallow access to it.

  • Outgoing connections from the client to the ACSLS server are unrestricted with respect to the client-side ports used, which preserves current performance.

Client Port Restriction

This solution restricts the number of incoming ports through which an outside party can initiate network communication. The ports are limited to either one or three: the single customer-specified port for client incoming responses, and possibly the two portmapper ports (TCP and UDP port 111).

Note:

To disallow ACSLS server access to the client's portmapper (and thus disallow access to UDP and TCP ports 111), the changes must be made to the ACSLS server software component (see ACSLS server-side discussion above).
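The server-side and client-side port restrictions described above can be confirmed from what the platform's portmapper reports. The following added example (not Oracle's or the ACSLS product's code) runs that check over constructed `rpcinfo -p`-style output; the program numbers 300031/300032, the port 30031 and the service names are placeholders, not the real ACSLS CSI registrations.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify from rpcinfo-style output that the
# ACSLS CSI (or client SSI) program registrations are bound to one TCP port
# only, with no UDP registrations, as the Firewall-Secure option requires.
# The program numbers, port and service names below are constructed placeholders.

# Constructed sample in `rpcinfo -p` layout (program vers proto port service).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    300031    1   tcp  30031  csi_placeholder_a
    300032    1   tcp  30031  csi_placeholder_b'

# Same constructed sample with a UDP registration left enabled for one program.
SAMPLE_RPCINFO_UDP="$SAMPLE_RPCINFO
    300031    1   udp  30031  csi_placeholder_a"

# check_csi_ports PORT PROGRAM...   (rpcinfo text on stdin)
# Returns 0 when every listed program is registered only for TCP on PORT,
# 1 when a registration uses UDP or another port, or a program is missing.
check_csi_ports() {
    port="$1"; shift
    awk -v want="$port" -v progs="$*" '
        BEGIN {
            bad = 0
            n = split(progs, p, " ")
            for (i = 1; i <= n; i++) csi[p[i]] = 1
        }
        ($1 in csi) {
            seen[$1] = 1
            if ($3 != "tcp" || $4 != want) bad = 1
        }
        END {
            # A program that never appears is also a failure: it is not up.
            for (k in csi) if (!(k in seen)) bad = 1
            exit bad
        }'
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_RPCINFO" | check_csi_ports 30031 300031 300032; then
    echo "restriction OK: all CSI programs on one TCP port, no UDP"
fi
if ! printf '%s\n' "$SAMPLE_RPCINFO_UDP" | check_csi_ports 30031 300031 300032; then
    echo "restriction FAILED: a CSI program still listens on UDP"
fi
```

On a real host, pipe `rpcinfo -p` into `check_csi_ports` with the configured port and the actual CSI (or SSI) program numbers; the UDP case shows what an incomplete configuration looks like.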

This solution has a two-step implementation:

  • Oracle StorageTek has made the needed code changes to the CSC Developer's Toolkit 2.3 (or later) source code.

  • Clients of ACSLS wanting to provide this security for their client platform must integrate these changes into their client-side SSI code, rebuild the product, and recertify their Client System Component (CSC) with ACSLS.

Advantages

The client-side and server-side parts of the solution are independent. Therefore, if only one of the two sides is behind a firewall with respect to the other, the software changes need to be implemented only on that side. In addition, changing only one side maintains compatibility with all existing client and server implementations, and with other software components that use the CSI/SSI interface.

Note:

This includes compatibility with current Oracle StorageTek products.

This solution does not impact current performance for client/server communications.