Can firewalld be enabled in a DX NetOps Data Repository cluster?


Article ID: 244962


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Can the DX NetOps Performance Management Data Repository cluster running a Vertica database have firewalld enabled for increased security?

A security scan recommended that firewalld be turned on on the Data Repository servers. Will this cause any issue on the DR?

OL07-00-040520 - The Oracle Linux operating system must enable an application firewall, if available - state
Check Name: OL07-00-040520 - The Oracle Linux operating system must enable an application firewall, if available - state
Information: Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232
Result: FAILED
Actual Value: The command '/usr/bin/firewall-cmd --state' returned:
not running
Policy Value: cmd: /usr/bin/firewall-cmd --state
expect: ^[\s]*running[\s]*$
system: Linux

Solution: Ensure the operating system's application firewall is enabled.
Install the 'firewalld' package, if it is not on the system, with the following command:
# yum install firewalld
Start the firewall via 'systemctl' with the following command:
# systemctl start firewalld

See Also: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_7_V2R2_STIG.zip

Reference Information: 800-171|3.13.1,800-53|SC-7(12),CAT|II,CCI|CCI-000366,ITSG-33|SC-7(12),NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,Rule-ID|SV-221868r603260_rule,STIG-ID|OL07-00-040520,STIG-Legacy|SV-108579,STIG-Legacy|V-99475,Vuln-ID|V-221868

Environment

All supported DX NetOps Performance Management releases

Cause

Security requirements are driving more restricted and hardened environments.

Resolution

Engineering has confirmed that firewalld can be enabled on the Data Repository cluster, provided it is set up properly to allow the required traffic through.

Vertica covers this in its Firewall Considerations documentation topic, and describes the specific node-to-node port and protocol requirements in its Ensure Ports Are Available documentation topic.

When setting up firewalls for the Data Repository cluster while keeping DX NetOps Performance Management functional, we need to ensure that:

  • Data Repository (DR) Vertica cluster node-to-node communication is properly maintained.
  • DR to Data Aggregator (DA) communication is properly maintained.

To accomplish those requirements we must ensure the required ports and protocols used between systems are open and allowed.

The ports are documented in the DX NetOps Performance Management Connectivity documentation topic. Some of the key information we see there:

  • The DA and all nodes in a DR cluster need to be able to communicate over port 5433.
    • This means every node in the cluster and the DA must be able to communicate over port 5433.
    • There is no option to specify one node as a 'lead' or primary.
  • The DR cluster bubble diagram in the NetOps Connectivity documentation topic shows multiple ports/protocols required for node-to-node communications.

Also note that during installs or upgrades, the firewalld service must be stopped and disabled. Once the install or upgrade has completed, it can be enabled again.
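As an added illustration (not code from this article, Broadcom or Vertica), the following script emits the firewalld rich rules for one DR node: port 5433/tcp is allowed only from the Data Aggregator address, and peer DR nodes are trusted for all traffic so the node-to-node ports listed in the Connectivity topic need not be enumerated here. The addresses and the trust-all-peers choice are assumptions made for the example; the state check mirrors the scanner's regex.

```shell
# Added example (not from the article, Broadcom or Vertica): print, or with APPLY=1 run,
# the firewalld commands for one Data Repository node. The DA address, the peer node
# addresses and the choice to trust peer nodes for all traffic are assumptions.

add_rich_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        firewall-cmd --permanent --add-rich-rule="$1"
    else
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$1"
    fi
}

reload_rules() {
    if [ "${APPLY:-0}" = "1" ]; then firewall-cmd --reload; else echo "firewall-cmd --reload"; fi
}

# dr_firewall_rules <da_ip> <peer_ip>...
dr_firewall_rules() {
    da_ip=$1; shift
    # The DA must reach every DR node on 5433 (there is no 'lead' node),
    # so allow 5433/tcp from the DA address only, not from anywhere.
    add_rich_rule "rule family=ipv4 source address=${da_ip} port port=5433 protocol=tcp accept"
    # Vertica node-to-node traffic spans several ports/protocols (see the Connectivity topic);
    # rather than enumerate them, this example trusts each peer node address for all traffic.
    for peer in "$@"; do
        add_rich_rule "rule family=ipv4 source address=${peer} accept"
    done
    reload_rules
}

# Mirror of the scanner's check: the firewall-cmd --state output must match ^[\s]*running[\s]*$.
state_is_running() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*running[[:space:]]*$'
}

# Example invocation (constructed addresses): one DA and two peer DR nodes.
dr_firewall_rules 10.0.0.10 10.0.0.21 10.0.0.22
```

Run it with APPLY=1 on each DR node once firewalld is installed; without APPLY the commands are only printed for review.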
