System Security
The NetMRI appliance is configured to prevent all non-essential servers and ports, and all user accounts are disabled except for the admin account, which is used for administrative purposes (see below for more information).
Symptom: Unable to connect to Infoblox Technical Support server.
- Use the NetMRI ping/traceroute tool via the browser interface (Tools icon > Device > Ping/Traceroute), or the ping command via the NetMRI administrative shell, to verify that NetMRI can reach any server on the Internet.
- Use the NetMRI ping/traceroute tool via the browser interface, or the traceroute command via the administrative shell, to verify that NetMRI can reach techdata.infoblox.com on the Internet.
- Verify that your firewall rules allow NetMRI to make an outbound SSH connection (tcp port 22) to techdata.infoblox.com.
Technical Support monitors the CERT advisories for all components used in the appliance and evaluates all appropriate reports with regard to their usage in NetMRI. If a serious vulnerability is discovered, a custom patch is developed and provided to all existing customers via the NetMRI User Mailing list.
Network Connections
Service | Protocol | Port | Purpose |
---|---|---|---|
SSH | TCP | 22 | Administrative shell |
HTTP | TCP | 80 | Graphical user interface |
HTTPS | TCP | 443 | Secure graphical user interface |
Syslog | UDP | 514 | Real-time config change detection |
The SSH port can be accessed using the administrator password specified by the operator during configuration. All services on the SSH port are provided through the OpenSSH v3.5p1 public domain server. The only commands that can be executed via the SSH port are those provided by the NetMRI Administrative Shell, and the user can access only a restricted directory on the server.
All other ports are supported by a Java-based application server that is inherently resilient to buffer overflow attacks and other common network-based attacks. The HTTP, HTTPS and SNMP ports support standard processing for those protocols. The HTTP and HTTPS ports can be accessed only by authorized users using a valid password, as specified by the administrator.
Access Control Lists
NetMRI supports an Access Control List (ACL) via the NetMRI Administrator Shell that allows the operator to specify one or more CIDR blocks to restrict access to all the non-SNMP ports supported by the appliance. When combined with the existing authentication mechanisms, the ACL effectively safeguards the appliance against unauthorized access.
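A pre-check for a proposed ACL, as an added example (not Infoblox code, and not the Administrator Shell's ACL syntax): it parses the CIDR blocks, flags malformed or overly broad entries, and reports which required sources would lose access to a service from the Network Connections table. The addresses, the `max_hosts` threshold and the function names are assumptions, and the script assumes the ACL also covers UDP 514, as "all the non-SNMP ports" implies.

```python
import ipaddress

# Listening services from the Network Connections table (all non-SNMP).
ACL_PORTS = {("TCP", 22): "SSH", ("TCP", 80): "HTTP",
             ("TCP", 443): "HTTPS", ("UDP", 514): "Syslog"}

def parse_acl(blocks):
    """Parse CIDR strings strictly; entries with host bits set are errors."""
    nets, errors = [], []
    for block in blocks:
        try:
            nets.append(ipaddress.ip_network(block, strict=True))
        except ValueError as exc:
            errors.append(f"{block}: {exc}")
    return nets, errors

def audit_acl(blocks, required, max_hosts=65536):
    """Check a proposed ACL against the sources that must keep access.

    required: iterable of (label, source_ip, protocol, port).
    max_hosts: assumed threshold above which a block is reported as too broad.
    """
    nets, errors = parse_acl(blocks)
    too_broad = [str(n) for n in nets if n.num_addresses > max_hosts]
    locked_out = []
    for label, addr, proto, port in required:
        ip = ipaddress.ip_address(addr)
        service = ACL_PORTS[(proto, port)]
        # A source is permitted if any valid block of the same IP version contains it.
        if not any(ip.version == n.version and ip in n for n in nets):
            locked_out.append(f"{label} -> {service} ({proto}/{port})")
    return {"errors": errors, "too_broad": too_broad, "locked_out": locked_out}

# Constructed sample data, not taken from any real deployment.
SAMPLE_ACL = ["10.20.0.0/24", "192.0.2.10/32", "10.0.0.0/8", "10.30.1.5/24"]
SAMPLE_REQUIRED = [
    ("admin-workstation", "10.20.0.15", "TCP", 443),   # GUI user
    ("noc-jump-host", "192.0.2.10", "TCP", 22),        # administrative shell
    ("core-switch", "172.16.5.1", "UDP", 514),         # device sending syslog
]

if __name__ == "__main__":
    for key, values in audit_acl(SAMPLE_ACL, SAMPLE_REQUIRED).items():
        print(key, values)
```

Devices that send syslog to the appliance are easy to overlook here: if their source addresses fall outside the permitted blocks, real-time config change detection stops receiving events.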
Protocol Configuration
NetMRI allows system administrators to configure the HTTP, HTTPS, SNMP, and SSH protocols used to connect to the appliance via the Console GUI and Admin Shell, and the protocols used by the appliance to connect to network devices when collecting data. Protocol configurations can be defined on the Settings icon > General Settings > Security page, or by executing the configure command in the NetMRI administrative shell.