    Clarification on use of SSH between appliances (DOC-4284)




      From the latest version of DOC-4284, I am trying to break out the exact communications between components, as it does not make it terribly clear.  At present we have the following listed (there are more, but focusing on these two at present):



      Application   Direction   Port   Protocol   Destination / Description
      SSH           in/out      22     tcp/udp    All McAfee appliances and to access command line


      Application   Direction   Port   Protocol   Destination / Description
      SSH           in/out      22     tcp/udp    To/From ESM, ELM and to access command line


      Question 1: Does the ERC ever initiate an SSH connection to the ETM?  The above is unclear as in the first instance, the 'in' direction could be related only to the command line access from operators.  In the second instance (ERC), the 'in' direction could be from the ESM, and the 'out' to the ELM.  Likewise for the ERC - does the ELM ever initiate an SSH connection with the ERC?

      Question 2: Is UDP really used?  I am aware (not in great detail) of the uses of tunneling, and also aware that 22/udp is indeed assigned (IANA) to SSH.  RFC4251 doesn't seem to list UDP, interestingly.  I ask this as in an enterprise environment, we need to open up certain ports through firewalls, and we don't really want to open up ports that are not going to be used!


      It would be greatly appreciated if the below could be reviewed in conjunction with the above, and feedback given with regards to a) if there is anything missing (note again, for now I am only focusing on ERM and ERC), and b) if the below format of providing firewall rules is more handy and usable.  It certainly is for me, and I come from a networking background - but appreciate that different people have different perspectives!  The below only focuses on my interpretation of the above two lines of DOC-4284:


      Source        Destination   Port/Protocol   Description
      <operators>   ETM           22/tcp (SSH)    Operator access to ETM CLI
      ETM           ERC           22/tcp (SSH)    ETM to ERC communication channel
      ERC           ELM           22/tcp (SSH)    ERC to ELM communication channel


      If there are indeed more connections (such as ERC *does* sometimes initiate connections to ETM), could a) this be made explicit and b) further details be provided as to the nature of the comms in each direction?


      Many thanks,

          Just to assist anybody who may have the same questions - after conversations with McAfee contacts, I have the following:


          - (Question 1): The ERC does not initiate connections to the ETM.  The ETM initiates all connections to the ERC via SSH.

          - (Question 2): <not currently answered>

          - The ERC pushes all events to the ELM via SSH.  Although not explicit, I am interpreting this answer as advising that the ELM does not initiate connections to ERC.

          - Users can initiate connections to the ETM, ERC and ELM via SSH