The Tivoli Decision Support application provides comprehensive functions and tools for the analysis of performance and status network management data. The NetView network management server in the subordinate network collects all required performance and status data via SNMP requests to the appropriate MIB entries of the controlled network devices. The collected SNMP data can be stored in relational database management systems (RDBMS), such as DB2, Oracle, or Sybase, as shown in Figure 54 on page 117. NetView’s trap daemon can also store all detected network traps, messages, and events in the database systems for analysis with the TDS system.
Note
If future management projects require Tivoli region communication, you can interconnect the service provider’s TMR server with the TMR servers in the customer’s NetView. This allows the transfer of regional data, for example, inventory data, from the NetView region to the service provider’s Tivoli management region. See the redbook Tivoli Enterprise Management Across Firewalls, SG24-5510, for a detailed discussion of the communication requirements.
Figure 54. NetView database integration in TDS analysis
The TDS system queries the database system for the needed performance and event data. The database transfers the requested data to the TDS server for further processing and for the generation of comprehensive network performance and status analysis. Furthermore, the utilization and performance data and analysis are used for the documentation of service level agreements.
As shown in Figure 53 on page 115, there is an efficient central database server in the service provider network for managing all the customers’ performance and service level management data. All NetView performance and event data of the different customers will be stored on this database server for further processing. The different database sessions will be handled on this server.
The database connection of NetView for UNIX is based on the Tivoli Framework functions. NetView uses a RIM object for communication with the database. The RIM object will be created on the TMR server. If the NetView management server is integrated in a Tivoli Management Region that spans across the firewall (an example is shown in Section 4.3.1, “NetView in service provider TMR” on page 107), you do not need to open database communication ports. The database communication will be handled from the TMR server, which is, in this case, also located in the same secure network as the database server. In this case, NetView will be installed on managed nodes.
Note
For a more in-depth introduction to database handling and configuration of RIM objects, see the Tivoli Management Framework Planning for Deployment Guide Version 3.7.1, found on the IBM Redbooks CD-ROM collection LK3T-5826.
In the firewall configuration we need to implement a rule (shown in Table 16) for permitting the data communication from NetView in the unsecure network to the database server in the secure network. This includes opening the required database TCP ports for necessary communication between the network management server NetView and database server.
Table 16. Firewall rule for NetView connection to database server
Function   Source   Destination   Protocol   Src-Port
a. The port or port range depends on the database system used. See Section 4.4.1, “Sample firewall configuration rule - Oracle database connection” on page 118 for an example database configuration with Oracle.
The following section shows a sample implementation with an Oracle database server and shows in detail which configuration conditions through the firewall are to be implemented for the servers. The basic configuration and security concepts of the other possible database systems are similar and will not be described further. See the appropriate database administration guides for the required information.
4.4.1 Sample firewall configuration rule - Oracle database connection
For our test environment, we used Oracle Database Version 8.1.5 installed on a server running AIX Version 4.3.3. The database server is located in the secure network. It is implemented as the database server for the TEC application as well as for the different NetView servers processing events, trap data, and SNMP collected data. Figure 55 on page 119 describes our test lab.
Figure 55. NetView database connection through firewall
We configured three different databases as shown in Table 17. We used the Oracle database assistant (dbassist) as the default method for the creation of the different databases.
Table 17. Oracle databases
Table 17. Oracle databases
Database   Description                                                      Database server
TEC        TEC Database (secure network)                                    itso7
NETVIEW1   Database for NetView Server in secure network 10.69.14.0         itso7
NETVIEW2   Database for NetView Server in unsecure network 192.168.104.0    itso7
The SQL network database interface of Oracle 8.x will be implemented through the Oracle Net8 application. Net8 performs complex network manipulations that depend on the server and client configuration. By default, Oracle provides the database network access with its TNS (Transparent Network Substrate) listener server, as part of the Net8 concept. The server is started by default and listens on port 1521 for network connections to the database. The database client tries to establish a database connection to this port by default. The TNS listener service requires the firewall to be opened to allow Oracle database access from the unsecure network into the secure network. Table 18 shows the required firewall communication rule.
Table 18. Firewall rule for NetView connection to Oracle database
Function                      Source                   Destination                     Protocol   Src-Port   Dest-Port
Database query and transfer   NetView in Network A+B   Database server in SP network   TCP        >1023      1521a
a. This is the default port configuration for the TNS listener. You can set it to any port number that suits your requirements.
Figure 56 on page 121 shows our SecureWay firewall configuration rule for the database connection from NetView in the unsecure network to the database server in the secure network.
Figure 56. Oracle database connection rule
You can test the connection with the database client program “sqlplus” from the required Oracle client installation. The following screen is an example.
$ sqlplus netview/netview@NETVIEW1
SQL*Plus: Release 8.1.5.0.0 - Production on Tue Feb 6 19:07:09 2001
(c) Copyright 1999 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.5.0.0 - Production
SQL>
The Oracle listener daemon is administered in the configuration file $ORACLE_HOME/network/admin/listener.ora. You can choose a different port configuration, if required.
See the following screen for our default TNS listener configuration, which was generated through the database creation with the Oracle database assistant.
> more $ORACLE_HOME/network/admin/listener.ora
# LISTENER.ORA Configuration File:/u01/app/oracle/product/8.1.5/network/admin/listener.ora
# Generated by Oracle Net8 Assistant
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = loopback)(PORT = 1521))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = loopback)(PORT = 2481))
      )
    )
  )
In the listener field, you can configure different listener ports for connecting clients to the Oracle database server. After configuration of the TNS listener file, you have to restart the listener daemon with the following command:
lsnrctl reload
Note
To prevent communication port redirection between the Oracle server and the database client, configure the same listener port for all defined database instances. This makes the firewall rule configuration more specific, as shown in Table 18 on page 120.
After editing the listener file, you need to configure the Oracle names service file $ORACLE_HOME/network/admin/tnsnames.ora to adapt to the new connection ports. Then you have to reconfigure all database client configuration files that connect to the appropriate database instance. The configuration is implemented in the $ORACLE_HOME/network/admin/tnsnames.ora file of the database clients. The following screen shows the file.
Edit the listener port field for the new database connection port and test the database connection with the Oracle SQL*Plus® program.
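The firewall rule in Table 18 permits exactly one destination port, so every listener endpoint and every client connect descriptor has to agree on it, which is what the note about port redirection is driving at. The following Python script is an added example, not part of the redbook and not an Oracle or Tivoli tool: it parses the TCP ADDRESS clauses of a listener.ora and a tnsnames.ora, models the Table 18 rule, and reports for each alias whether the listener actually serves that port and whether the rule would let the connection through from a NetView server in the unsecure network. Both files are constructed samples (the listener publishes 1521 and 2481 like the generated file above); the /24 masks on the two networks of Table 17, the host name itso7 as the rule destination, and the ephemeral source port 40000 are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample files (not the redbook's listings). The listener publishes
# two TCP endpoints, 1521 and 2481; the tnsnames.ora is the client-side file on a
# NetView server in the unsecure network (192.168.104.0/24, mask assumed).
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = itso7)(PORT = 1521)))
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = itso7)(PORT = 2481)))
    )
  )
"""

TNSNAMES_ORA = """
NETVIEW1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = itso7)(PORT = 1521))
                 (CONNECT_DATA = (SID = NETVIEW1)))
NETVIEW2 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = itso7)(PORT = 2481))
                 (CONNECT_DATA = (SID = NETVIEW2)))
TEC =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = itso7)(PORT = 1526))
                 (CONNECT_DATA = (SID = TEC)))
"""

# One TCP ADDRESS clause in Oracle Net syntax: (ADDRESS = (PROTOCOL = TCP)(HOST = h)(PORT = p))
ADDRESS_RE = re.compile(
    r"\(ADDRESS\s*=\s*\(PROTOCOL\s*=\s*TCP\s*\)\s*"
    r"\(HOST\s*=\s*([^)\s]+)\s*\)\s*\(PORT\s*=\s*(\d+)\s*\)\s*\)", re.IGNORECASE)


def tcp_endpoints(net_text):
    """Every (host, port) TCP endpoint in listener.ora or tnsnames.ora text."""
    return [(host.lower(), int(port)) for host, port in ADDRESS_RE.findall(net_text)]


def listener_ports(listener_text):
    """Set of TCP ports the listener accepts connections on."""
    return {port for _, port in tcp_endpoints(listener_text)}


def uses_single_port(listener_text):
    """True when all instances share one listener port, as the redbook recommends."""
    return len(listener_ports(listener_text)) == 1


def connect_descriptors(tnsnames_text):
    """Map each tnsnames.ora alias (an unindented 'NAME =' line) to its TCP endpoints."""
    result = {}
    for chunk in re.split(r"^(?=\w)", tnsnames_text, flags=re.M):
        if "=" not in chunk:
            continue
        result[chunk.split("=", 1)[0].strip().upper()] = tcp_endpoints(chunk)
    return result


@dataclass(frozen=True)
class FirewallRule:
    """Table 18: TCP from the NetView networks, source port >1023, to the listener port."""
    source_nets: tuple
    dest_host: str
    dest_port: int
    min_src_port: int = 1024

    def permits(self, src_ip, src_port, dst_host, dst_port, proto="TCP"):
        ip = ipaddress.ip_address(src_ip)
        return (proto.upper() == "TCP"
                and any(ip in net for net in self.source_nets)
                and dst_host.lower() == self.dest_host.lower()
                and src_port >= self.min_src_port
                and dst_port == self.dest_port)


# Networks A and B from Table 17; the /24 masks and itso7 as rule target are assumptions.
NETVIEW_TO_DB = FirewallRule(
    source_nets=(ipaddress.ip_network("10.69.14.0/24"), ipaddress.ip_network("192.168.104.0/24")),
    dest_host="itso7", dest_port=1521)


def check_client_config(listener_text, tnsnames_text, rule, client_ip):
    """Per alias: does the listener serve its endpoint, and does the rule admit it
    from client_ip? Source port 40000 stands in for any ephemeral port."""
    listening = set(tcp_endpoints(listener_text))
    verdicts = {}
    for alias, endpoints in connect_descriptors(tnsnames_text).items():
        if not endpoints:
            verdicts[alias] = "no TCP address"
        for host, port in endpoints:
            if (host, port) not in listening:
                verdicts[alias] = "no listener on %s:%d" % (host, port)
            elif not rule.permits(client_ip, 40000, host, port):
                verdicts[alias] = "firewall blocks %s:%d" % (host, port)
            else:
                verdicts[alias] = "ok"
    return verdicts


if __name__ == "__main__":
    print("listener ports:", sorted(listener_ports(LISTENER_ORA)), "single:", uses_single_port(LISTENER_ORA))
    for alias, verdict in check_client_config(LISTENER_ORA, TNSNAMES_ORA, NETVIEW_TO_DB, "192.168.104.10").items():
        print("%-9s %s" % (alias, verdict))
```

Run against the samples, NETVIEW1 passes, NETVIEW2 is reachable at the listener but blocked by the rule because 2481 is not the permitted port, and TEC points at a port no listener serves. Running such a check after every listener.ora or tnsnames.ora edit catches the mismatch before a client attempts the connection through the firewall.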
The book Building Internet Firewalls by Elizabeth Zwicky et al. describes different security implications of Oracle database implementations. Additional database communication security can be implemented with SSH tunneling (see Section 4.6.2, “Secure Shell (SSH) access to network management system” on page 146) and VPN connections (see Chapter 5, “Network management through the VPN” on page 163).
See http://technet.oracle.com for further discussion of Oracle database connections in firewall environments, as well as of other security aspects of Oracle database configuration and of Oracle databases in secured environments.