
Securing dynamic UDP/TCP ports used by OM application (and not documented)

Hi,

IHAC that had a thorough review by security experts.

One of their findings was a list of ports being listened on with "*" source IP.

The ports are over TCP & UDP, and are dynamic - changing with every service restart.

The processes listening are "dfmmonitor" & "dfmeventd".

These ports are not documented.

I would like to know if it is possible to configure the application not to listen on these ports, or at least to open them on localhost only.

Thank you in advance,

Avishay Mano

Re: Securing dynamic UDP/TCP ports used by OM application (and not documented)

There is no way to do this today.

Please raise a request for enhancement for the same.

Regards

adai

Re: Securing dynamic UDP/TCP ports used by OM application (and not documented)

Avishay,

I am currently having the same problem at my customer with regard to use of dynamic UDP ports.  We can't even identify which services are using the ports.  In your case were "dfmmonitor" & "dfmeventd" listening on dynamic ports on the filer? Did you ever find an answer to how to secure the system from opening these dynamic ports?

Thank you in advance for any insight.  We are running up against some regulation issues and need to solve this security problem.

Best Regards,

Joyce

Re: Securing dynamic UDP/TCP ports used by OM application (and not documented)

Hi Joyce,

Looks like there is no way in the current product to make them listen on fixed ports. For a detailed list of ports used by DFM, please take a look at the FAQ link below.

https://library.netapp.com/ecmdocs/ECMM1278650/html/faq/index.shtml#_3.14

Regards

adai

Re: Securing dynamic UDP/TCP ports used by OM application (and not documented)

Thanks for the response.  I don't see any info on dynamic ports in use in the FAQ.  Can you tell me if DFM requires any dynamic ports to be open on the FAS system itself? 

Thanks,

Joyce

Re: Securing dynamic UDP/TCP ports used by OM application (and not documented)

No it doesn't - only the static ports listed in the document posted by Adai are used.
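
Because the ports change on every service restart, an audit has to key on the owning process rather than on port numbers. The following is an added example, not part of the original thread and not NetApp tooling: it parses `ss -H -lntup` output and reports sockets bound to all interfaces by the two processes named in the question. It assumes the DFM server runs on Linux; the sample output, ports and PIDs are constructed.

```python
import re

# Constructed sample of `ss -H -lntup` output; ports and PIDs are made up.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:47211      0.0.0.0:*    users:(("dfmeventd",pid=2211,fd=7))
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*    users:(("chronyd",pid=801,fd=5))
tcp   LISTEN 0      128          0.0.0.0:51873      0.0.0.0:*    users:(("dfmmonitor",pid=2190,fd=12))
tcp   LISTEN 0      128                *:38122            *:*    users:(("dfmeventd",pid=2211,fd=9))
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*    users:(("postgres",pid=950,fd=4))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=900,fd=3))
"""

# Spellings ss uses for "all interfaces" (IPv4, IPv6, dual-stack, older ss).
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]", "::"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def wildcard_listeners(ss_output, process_names):
    """Return sorted (proto, port, process, pid) tuples for sockets that are
    bound to all interfaces and owned by one of process_names."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # not a socket line
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        host = host.split("%")[0]  # drop an interface scope such as %eth0
        if host not in WILDCARD_HOSTS or not port.isdigit():
            continue  # bound to a specific address (e.g. loopback)
        # The process column is only populated when ss runs with privileges.
        for name, pid in PROC_RE.findall(" ".join(fields[6:])):
            if name in process_names:
                findings.add((proto, int(port), name, int(pid)))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, name, pid in wildcard_listeners(
            SAMPLE_SS_OUTPUT, {"dfmmonitor", "dfmeventd"}):
        print(f"{name} (pid {pid}) listens on all interfaces: {proto}/{port}")
```

On a live host, feed the function the output of `ss -H -lntup` run as root; without privileges the process column is empty and nothing is reported.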