Firewall Requirements
Listed below are the ports required to release firewall rules in each senhasegura instance of the architecture:
Source or Destination:
- SSAPLPRD: senhasegura Production Appliance
- SSAPLMBR: senhasegura Secondary Members
Between senhasegura and management systems
| Permission | Protocol | Source | Source Port | Destination | Destination Port |
|---|---|---|---|---|---|
| ALLOW | UDP | SSAPLPRD | ANY | NTP server | 123 |
| ALLOW | UDP | SSAPLPRD | ANY | DNS server | 53 |
| ALLOW | TCP | SSAPLPRD | ANY | MAIL server | SMTP |
| ALLOW | TCP | SSAPLPRD | ANY | LDAP server | LDAP |
| ALLOW | TCP | SSAPLPRD | ANY | LDAP server | LDAPS |
| ALLOW | UDP | SSAPLPRD | ANY | RADIUS server | RADIUS |
| ALLOW | TCP | SSAPLPRD | ANY | TACACS server | TACACS |
| ALLOW | UDP | SSAPLPRD | ANY | TACACS server | TACACS |
| ALLOW | TCP | SSAPLPRD | ANY | LOG server | SYSLOG |
| ALLOW | UDP | SSAPLPRD | ANY | LOG server | SYSLOG |
| ALLOW | TCP | SSAPLPRD | ANY | BACKUP server | TFTP |
| ALLOW | TCP | SSAPLPRD | ANY | BACKUP server | SFTP |
| ALLOW | TCP | SSAPLPRD | ANY | BACKUP server | NFS |
| ALLOW | TCP | SSAPLPRD | ANY | BACKUP server | SMB |
Between management systems and senhasegura
| Permission | Protocol | Source | Source Port | Destination | Destination Port |
|---|---|---|---|---|---|
| ALLOW | TCP | BACKUP server | ANY | SSAPLPRD | TFTP |
| ALLOW | TCP | BACKUP server | ANY | SSAPLPRD | SFTP |
| ALLOW | TCP | BACKUP server | ANY | SSAPLPRD | NFS |
| ALLOW | TCP | BACKUP server | ANY | SSAPLPRD | SMB |
Between the users with senhasegura
| Permission | Protocol | Source | Source Port | Destination | Destination Port |
|---|---|---|---|---|---|
| ALLOW | TCP | it_users | ANY | SSAPLPRD | HTTPS |
| ALLOW | TCP | it_users | ANY | SSAPLPRD | HTTP |
| ALLOW | TCP | it_users | ANY | SSAPLPRD | SSH |
| ALLOW | TCP | it_users | ANY | SSAPLPRD | RDP |
Between senhasegura and managed devices
| Permission | Protocol | Source | Source Port | Destination | Destination Port |
|---|---|---|---|---|---|
| ALLOW | TCP | SSAPLPRD | ANY | target_device | SSH |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | TELNET |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | ORACLE |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | MS-SQL |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | POSTGRE |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | MySQL |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | RDP |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | RPC |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | RM |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | SMB |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | HTTP |
| ALLOW | TCP | SSAPLPRD | ANY | target_device | HTTPS |
Between senhasegura instances, if applicable
| Permission | Protocol | Source | Source Port | Destination | Destination Port |
|---|---|---|---|---|---|
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | SSH |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | MySQL |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | 9300 |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | 4567 |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | 4568 |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | 4444 |
| ALLOW | UDP | SSAPLPRD | ANY | SSAPLMBR | 4567 |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | HTTP |
| ALLOW | TCP | SSAPLPRD | ANY | SSAPLMBR | HTTPS |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | SSH |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | MySQL |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | 9300 |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | 4567 |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | 4568 |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | 4444 |
| ALLOW | UDP | SSAPLMBR | ANY | SSAPLPRD | 4567 |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | HTTP |
| ALLOW | TCP | SSAPLMBR | ANY | SSAPLPRD | HTTPS |