Insight Remote Security
1748180 Members
4341 Online
108759 Solutions
New Discussion

ISEE + SPOP in the DMZ

 
Mark Kovarski
New Member

ISEE + SPOP in the DMZ

A few questions to such a configuration.

- Why is ftp required? ftp is unsecure and the whole thing about ISEE it is suppose to be secure. Is it due to the fact that HP does not supply an SSH server (Openssh for windows)? Is such a config supported if we load an external ssh server thus not requiring ftp server to be setup?

- When setting up rules for the Internal Firewall and the SPOP + VPN router are in the DMZ, which IP needs access to the Internal network? Is it SPOP or the VPN router?

- We need some clarification on the document at http://h61001.www6.hp.com/isee_training/hp.ac.gsg.pdf . Netmeeting/Telnet/PC Anywhere/ Terminal services. What are these exactly used for. Can someone explain and future manuals can they include this info? From a security point of view we would like to understand.

- Same link as above, on page 24, what do th >1023 ports means? Does it mean you have to open all the ports greater than 1023 and what is that for exactly?

- Can the manual include a troubleshooting guide?

- Most corporate accounts used Checkpoint Firewall. Can sample rules be included as examples for the various config scenarios?
1 REPLY 1
Frauke Denker_2
Esteemed Contributor

Re: ISEE + SPOP in the DMZ

Hello Mark,
you are right, ftp is not secure and that is why t is remove. In an updated version of that document the ftp port/service will no more be listed. As ssh is supported for HPUX I don´t see any reason, why it shouldn´t be supported.
For the firewall ports: For the SPOP it depends very much on the applications you use on the SPOP as the NST tools for example need more than 10 port on the internal firewall.
For the VPN: This depends on the service you want HP to use. You do not need to open all the ports mentioned. If you want HP only to access the CAS via ssh just open port 22.

Concerning the Port >1023: This is only for the "establish back" connection. The tewo systems talking to one another agree on a port for the further communication and this will be a port >1023.
By now there is no external Troubleshooting guide for the SPOP and the VPN and I do not know if this is planned for the future.
regards
Fr