Notification
Risk classification
Informational
Subcategories for Informational notifications
Troubleshooting & Fixes
Affected Domain
Any TSSC or IMC installing the Firewall patch or upgrading to code level v9.1.11 or above.
Abstract
Important changes to TSSC/IMC firewall dependencies with TSSC/IMC Firewall patch and TSSC/IMC v9.1.11 or above.
Description
The TSSC/IMC internal firewall used to be more lenient in that only those TCP/UDP ports that were specifically prohibited were blocked.
To tighten security a change was implemented such that all TCP/UDP ports, both inbound and outbound, are blocked unless specifically permitted.
This change was initially provided via TSSC/IMC patch and has also been added to TSSC/IMC code level v9.1.11 and above.
As a result of this security change, it is important that all ports required by services configured on TSSC/IMC not already explicitly allowed via standard firewall rules get added through custom rules.
TSSC/IMC Firewall Settings allow defined services and their respective ports to be Accepted or Dropped separately for the External and Grid/AOTM interfaces, and separately for INbound and OUTbound traffic on each.
In this example only HTTPS via port 443 is allowed INbound, which is required for access to the TSSC/IMC Web UI.
For any service not handled via predefined firewall settings, or where a client may use a non-standard port, a custom rule is required:
Here is an example of how port 7777 may be added as an accepted OUTbound port on the External interface.
User defined rules are shown once added:
Examples where such custom defined rules may be required are:
- LDAP
- RSysLog
- ECC Call Home, AOS and remote support center when a client-provided proxy is used
Note: TSSC/IMC code level v9.1.11 and above improved the firewall configuration page by adding predefined rules for RSYSLOG, LDAP, LDAPTLS, LDAPSAS, and NTP on their default ports. Custom rules may still be needed when non-standard ports are used, as well as on prior code levels.
In addition, when TSSC is configured in same-subnet mode (TS7700 only), the same firewall rules must be enabled on both the External and Grid/AOTM interfaces.
Recommended Action
Ensure that the TSSC/IMC configuration is reviewed and the firewall rules are configured appropriately when planning to install the TSSC/IMC firewall patch, or when installing a TSSC/IMC code level that includes the same security change (i.e. v9.1.11 and above).
In many cases the firewall changes can be applied after the installation.
However, there are at least two exceptions: in the case of LDAP, applying the rules afterwards may cause a loss of access to the TSSC/IMC web UI for both the client and IBM support, and in the case of AOS and the remote support center, a loss of remote access by IBM support.
Therefore, it is recommended to add the required custom firewall rules prior to installing the patch or the later TSSC/IMC code level, as those rules will be honored during the code update process.
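To make that pre-install review concrete, here is an added example (not IBM's tool, and not any TSSC/IMC API) that models the block-by-default policy described above: every TCP/UDP flow is dropped unless a predefined service rule or a custom rule accepts it, per interface and direction. The predefined service port numbers are assumed IANA defaults, since the notification names the services but not their ports; same-subnet mode is modelled as requiring matching Accept rules on both interfaces.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Flow:
    interface: str  # "External" or "Grid/AOTM"
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    port: int

DEFAULT_DENY_LEVEL = (9, 1, 11)  # first code level that blocks by default
INTERFACES = ("External", "Grid/AOTM")

# Services with predefined Accept rules. Port numbers are assumed IANA
# defaults: the notification names the services but does not list ports.
PREDEFINED_ALL = {"HTTPS": ("in", "tcp", 443)}          # Web UI access
PREDEFINED_9111 = {"LDAP": ("out", "tcp", 389), "LDAPTLS": ("out", "tcp", 636),
                   "RSYSLOG": ("out", "udp", 514), "NTP": ("out", "udp", 123)}

def parse_level(level):
    """'v9.1.11' -> (9, 1, 11) so code levels compare numerically."""
    return tuple(int(p) for p in level.lstrip("v").split("."))

def predefined_flows(level):
    """Flows the predefined rules can accept, on either interface, at this level."""
    services = dict(PREDEFINED_ALL)
    if parse_level(level) >= DEFAULT_DENY_LEVEL:
        services.update(PREDEFINED_9111)
    return {Flow(i, d, p, port) for i in INTERFACES for d, p, port in services.values()}

def review(level, needed, custom, same_subnet=False):
    """needed: flows used by services configured on the TSSC/IMC.
    custom: user-defined Accept rules already present.
    Returns (flows that still need a custom rule, same-subnet mismatches)."""
    accepted = predefined_flows(level) | set(custom)
    missing = sorted(f for f in needed if f not in accepted)
    mismatched = []
    if same_subnet:  # TS7700 only: both interfaces must carry the same rules
        for f in sorted(accepted):
            other = INTERFACES[1] if f.interface == INTERFACES[0] else INTERFACES[0]
            twin = Flow(other, f.direction, f.proto, f.port)
            if twin not in accepted:
                mismatched.append(twin)
    return missing, mismatched

if __name__ == "__main__":
    # Constructed scenario: LDAP and rsyslog on default ports plus a client
    # proxy on port 7777 (the port from the notification's example).
    needed = {Flow("External", "out", "tcp", 389), Flow("External", "out", "udp", 514),
              Flow("External", "out", "tcp", 7777)}
    custom = {Flow("External", "out", "tcp", 7777)}
    for level in ("v9.1.10", "v9.1.11"):
        print(level, review(level, needed, custom, same_subnet=True))
```

On v9.1.10 the LDAP and rsyslog flows are reported as needing custom rules; on v9.1.11 the predefined rules cover them, while the proxy rule added only on External is flagged as a same-subnet mismatch in both cases.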
Date first published
28 July 2021
Document Information
Modified date:
28 July 2021
UID
ibm16476570