1KHW028766 Unem Firewall An
APPLICATION NOTE
Copyright and confidentiality
Copyright in this document vests in Hitachi Power Grids.
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. The contents of the manual may not be disclosed by the recipient to any third party without the prior written agreement of Hitachi Power Grids.
An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD applies.
This document may not be used for any purposes except those specifically authorized by contract or otherwise in writing by Hitachi Power Grids.
Contents
1 Purpose and Scope . . . . 4
1.1 General . . . . 4
1.2 UNEM Components . . . . 4
1.2.1 UNEM Core component . . . . 4
1.2.2 UNEM Element Agent (EA) . . . . 4
1.2.3 UNEM Client . . . . 5
1.3 Inter-Process Communication between UNEM Components . . . . 5
1.3.1 Internal Behavior . . . . 5
1.4 Fixed TCP Ports . . . . 7
1.5 UNEM Server - XMC20 Communication . . . . 7
1.6 DIRAC to XMC20 Encryption Unit Communication . . . . 7
1.7 UNEM Server - DIRAC Communication . . . . 7
1.8 UNEM Server - UMUX Communication . . . . 7
1.9 UNEM Main - Standby Server Communication . . . . 7
2 UNEM Firewall Configuration File: firewall.conf . . . . 8
2.1 firewall.conf . . . . 8
2.1.1 GUI Client Ranges . . . . 8
2.2 Linux Settings . . . . 9
2.2.1 Firewall Settings . . . . 9
2.2.2 Firewalld Setup . . . . 9
3 Summary . . . . 11
4 Annex . . . . 13
4.1 List of Open Ports on UNEM Server . . . . 13
5 Document history . . . . 16
1.1 General
The UNEM system can be deployed in a firewalled environment. This feature was introduced with release UNEM R9B.
The UNEM components (Client, Core) can be deployed on different nodes, which in turn can be separated by firewalls.
These firewalls should be configured to allow communication between the UNEM components. The security risk is minimized by opening only restricted port ranges.
This Application Note provides the information a firewall administrator needs to configure the firewalls in the following deployments:
• firewall between UNEM Core and UNEM Client,
• firewall between UNEM Core and XMC20 network.
Deploying the UNEM system in a firewalled environment raises the question of which listening TCP/UDP ports are used by the applications on both sides of the firewall.
To answer this question, the following major topics are covered:
• Overview of the communication between the UNEM components, focusing on the core/client processes and the corresponding port ranges to be opened in the firewall.
• Factors to consider when estimating the number of ports to be opened for your specific UNEM implementation.
Please note:
• The actual firewall configuration procedures are beyond the scope of this document. It is up to the firewall administrator to use the UNEM-specific information provided in this document to configure the network firewalls accordingly.
• The current implementation of UNEM restricts destination ports and some of the source ports.
• SELinux requires some specific settings; see section 2.2 Linux Settings (on page 9).
It acts as a proxy, talking to the NEs in their specific manner and to the Core in a uniform protocol.
A single EA may serve hundreds of NEs, but only one Core. Several EAs may work for the same Core.
Please note:
When a UNEM client is closed, the TCP connections on the client go into the state “Waiting”. If the client is restarted immediately, it recognizes the “Waiting” ports as occupied and takes the next free ports. If the firewall is enabled, the ea_server_range is limited and there might not be enough free ports left. The starting client may then report that the connection to the server has been lost. Waiting 75 seconds before starting the UNEM client again avoids this connection loss.
3 The UNEM Client obtains references through port 2809 to Core services in the range specified by the parameter core_server_range. This range comprises TCP listening ports on the Server.
Note:
In steps 2 and 3 the source TCP ports are controlled by the following configuration parameters:
− nemdesktop_client_range
− cst_client_range
4 The UNEM Client connects to the UNEM Server services. This requires several TCP connections from the NEM Desktop to the UNEM Core Server.
5 The UNEM Client actively listens for notifications and callbacks from the UNEM Server on any available TCP port; by default no restriction is applied.
Note:
As a basic configuration, the UNEM firewall configuration file proposes the port range 55000-55200, controlled by the following parameters:
− nemdesktop_server_range
− cst_server_range
− hwview_server_range
− ucst_server_range
6 Whenever the UNEM administrator opens a new client application, e.g. the NEM Network Browser, a new TCP connection is established between the two systems.
All these TCP ports or port ranges must be opened in the firewall in order to establish communication between the UNEM Client and UNEM Server components.
2.1 firewall.conf
To fit the UNEM processes into a firewalled deployment, the port ranges of the UNEM processes can be defined and activated in:
− UNEM core:
/opt/nem/etc/firewall.conf
− UNEM Windows client:
C:\Program Files (x86)\UNEM_UI_R14A\etc\firewall.conf
Note:
To activate entries, remove the comment (hash) symbol at the beginning of the line when editing the firewall.conf file. The UNEM processes need to be restarted (nemstart) for the changes to take effect.
The proposed basic configuration values are shown below:
# for the GUI clients that connect to the core, the ORB
# will use the ports in the defined ranges; as each
# process of the core has its own ORB, the GUI client
# uses as many ports as ORBs it connects to.
# No definition means any ports.
# ---------------------------------------
nemdesktop_client_range 48000-48020
Note:
Increase the “nemdesktop_client_range” by 10 ports per additional user; e.g. for 5 concurrent users set the range to 48000-48060.
It is possible to define the port range per client application to limit the number of instances an individual application can run simultaneously, e.g. setting “nemdesktop_server_range” to 55000-55010 limits the NEM Desktop clients that can simultaneously connect to the UNEM Core to 10. Likewise, setting “ucst_server_range” to 55061-55080 allows a maximum of 20 UCST GUIs to be opened simultaneously.
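As an added example (not Hitachi tooling), a small Python checker for firewall.conf entries of the kind shown above: it parses the active `name lower-upper` lines, applies the 10-ports-per-additional-user rule for nemdesktop_client_range, and flags collisions between the configured ranges and the fixed UNEM ports this note lists (2809, 4800, 40000-40099). The sample configuration and the fixed-port table are constructed from this document.

```python
"""Checker for UNEM firewall.conf port ranges (added example, not Hitachi tooling).
Parses `name lower-upper` lines (a leading '#' marks an inactive entry), applies the
note's sizing rule and flags collisions with the fixed UNEM ports the note lists."""
import re
# Constructed sample in the format of the firewall.conf excerpt shown in the note.
SAMPLE_CONF = """\
# No definition means any ports.
nemdesktop_client_range 48000-48020
#cst_client_range 48100-48120
nemdesktop_server_range 55000-55010
ucst_server_range 55061-55080
"""
# Fixed listening ports taken from the note (name server, procwatch, CORBA range).
FIXED_PORTS = {"ns_port": (2809, 2809), "procwatch_ctl_port": (4800, 4800),
               "corba_range": (40000, 40099)}
RANGE_RE = re.compile(r"^(#?)\s*(\w+_range)\s+(\d+)\s*-\s*(\d+)$")

def parse_conf(text):
    """Return {name: (lo, hi)} for active entries; commented-out lines are skipped."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if not m or m.group(1) == "#":
            continue
        lo, hi = int(m.group(3)), int(m.group(4))
        if lo > hi or hi > 65535:
            raise ValueError(f"bad range: {line!r}")
        ranges[m.group(2)] = (lo, hi)
    return ranges

def required_client_range(users, base=(48000, 48020), per_user=10):
    """nemdesktop_client_range needed for N concurrent users, per the note's rule."""
    return (base[0], base[1] + per_user * (users - 1))

def overlaps(a, b): return a[0] <= b[1] and b[0] <= a[1]

def check(ranges, users):
    """Return findings as strings; an empty list means the ranges are consistent."""
    findings, need = [], required_client_range(users)
    have = ranges.get("nemdesktop_client_range")
    if have is None:
        findings.append("nemdesktop_client_range inactive: clients may use any source port")
    elif have[0] > need[0] or have[1] < need[1]:
        findings.append(f"nemdesktop_client_range {have} too small for {users} users, need {need}")
    names = sorted(ranges)
    for i, n in enumerate(names):
        findings += [f"{n} collides with fixed {f} {r}" for f, r in FIXED_PORTS.items()
                     if overlaps(ranges[n], r)]
        findings += [f"{n} overlaps {m}" for m in names[i + 1:] if overlaps(ranges[n], ranges[m])]
    return findings
```

Run check() against the real /opt/nem/etc/firewall.conf contents before restarting the UNEM processes; any non-empty result means a range is missing, too small for the planned number of users, or collides with a fixed port.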
# Make it persistent
firewall-cmd --zone=public --permanent --add-service=nem
# Exclude UMUX network e.g. eth1 (avoid problems with ftp protocol)
firewall-cmd --zone=trusted --change-interface=eth1
3 Summary
The following tables summarize the proposed firewall concept.
1. Expand the range by 10 ports per additional user; e.g. for 5 users set it to 48000-48060.
1. Not required if UNEM Server and DIRAC run on the same machine, which is the recommended setup.
4 Annex
4.1 List of Open Ports on UNEM Server
Process | Port(s) | ON/OFF | Package | Impl. | Configuration / remarks
nem-base
nem-prwd.service | 4800 | OFF | nem-base | C++ | procwatch_ctl_port tcpport
nem-omni-names.service | 2809/tcp | ON | nem-base | C++ | /opt/nem/etc/NMS.properties:ns_port
nem-omni-event.service | CORBA range 40000-40099 | | nem-base | C++ |
nem-bp-eventchannel.service | | | nem-base | C++ |
nem-bp-cred.service | | | nem-base | C++ |
nem-bp-rmqvh.service | 5671/tcp | OFF | | | /etc/rabbitmq/rabbitmq.conf, local
nem-bp-rmqvh.service | 5672/tcp | ON | | |
nem-bp-rmqvh.service | 15671 | OFF | | |
nem-bp-securitymgrd.service | CORBA range 40000-40099 | | | C++ |
nem-bp-securitymgrd.service | 9192 | | | | local REST communication (available only from 127.0.0.1)
Agents
XMC agent | CORBA range 40000-40099 | | | C++ |
XMC agent | one port per agent, range from 20736/udp | | | | KOAP notification receiver
UMUX agent | CORBA range 40000-40099 | | | C++ |
UMUX agent | one port per agent, range from 20736/udp | | | |
UMUX agent | 21/ftp | ON | | FTP | ftp_port
UMUX agent | 23/telnet | ON | | TELNET | telnet_port
SNMP agent | CORBA range 40000-40099 | | | C++ |
SNMP agent | default 162/udp, one port per agent | | | | SNMP trap receiver
OMS agent | CORBA range 40000-40099 | | | C++ |
OMS agent | range from 20736/udp, one port per agent | | | | SNMP trap receiver
Voyager Java processes
nem-bp-discovery.service | | | nem-base | java |
5 Document history
Table 9: Document history
Document ID | UNEM Release | Rev. | Date | Changes since previous version
1KHW028766 | R14A | A | 2020-07-31 | First revision for this product release.
1KHW028766 | R14A | B | 2020-09-04 | Extended CORBA / EA port range to 40099. Added list of open ports per process in section 4.1.
1KHW028766 | R14B | A | 2020-12-02 | Updated for latest product release.
www.hitachi-powergrids.com/communication-networks