Security Considerations
The Cisco Network Applications Manager (NAM) product allows several customers to share the same Central Controller complex. This presents some possible security concerns in the following areas:
• Relationships between Windows NT domains
• Installing an Admin Workstation
• Preventing unauthorized access to real-time data
• Access to historical data
This chapter discusses these concerns and the means by which the NAM product addresses them.
Windows NT Domains
Components in this architecture are divided among several Windows NT domains. All NAMs and their associated Admin Workstations are in a single domain. Each CICM complex and its associated Admin Workstations is in a separate domain. Each instance's Admin Workstations are in a separate domain. Each CICM domain must have a two-way trust relationship with the NAM domain and a two-way trust relationship with each instance domain that it serves. Figure 6-1 illustrates the relationship between the Windows NT domains in the Network Applications Manager architecture.
Figure 6-1 Relationship Between Windows NT Domains
The CICM domains do not necessarily have trust relationships with each other. Therefore, an Admin Workstation in a CICM domain cannot necessarily view data on other CICM complexes. However, an Admin Workstation in the NAM domain can access all CICM domains.
Note
Service providers who have a class of customer that only accesses the ICM through WebView should have their WebView Server in a separate Windows NT domain. A single ICM instance can be shared by many customers of this type.
Running Node Manager on an Admin Workstation
When you install an Admin Workstation, you have the choice of running the Node Manager under one of two accounts:
• Under the System account
• Under a specific user account
If Node Manager runs under the System account, then the associated Central Controller must provide unrestricted access to the System account. For security reasons, you might not want to grant full access to the System account.
To minimize security risks, you should define a specific user account for the Node Manager in the Admin Workstation domain. You must grant that user account appropriate access to the Central Controller domain.
Validating Real-Time Clients
To prevent unauthorized access to real-time data, you can configure the ICM's Real-Time Server process to validate each connection. This ensures that only expected clients receive the real-time data.
To set up this validation, you must edit the Windows NT Registry on the CallRouter machine. Locate the customer's subtree under the registry tree HKEY_LOCAL_MACHINE\SOFTWARE\GeoTel\ICR. The customer's subtree contains either a RouterA or RouterB tree. Under that tree locate RealTimeServer\CurrentVersion\Clients.
Figure 6-2 Registry Editor on CallRouter
To allow access for a specific machine or subnet, you must specify an IP address (IP00, IP01, IP02, etc.) and a corresponding mask (IP00Mask, IP01Mask, IP02Mask, etc.). The IP address can be a complete or partial address. The mask indicates which part of the address must match. You can specify up to 30 addresses and associated masks.
For example, to allow access only to a machine with an address of 199.99.123.45, specify that value as IP00 and set IP00Mask to 255.255.255.255 (meaning to match all four octets of the address). To then allow access to any member of the 199.99.125 subnet, set IP01 to 199.99.125.0 and set IP01Mask to 255.255.255.0 (meaning to match only the first three octets of the address).
The IP mask 0.0.0.0 is a special value indicating that the associated IP address should be ignored. By default, all the masks are set to this value. If the ICM does not find any valid values, it allows any machine to connect.
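The following is an added illustration (not Cisco's code) of how the IPnn/IPnnMask rules above decide whether a real-time client is accepted, including the ignored 0.0.0.0 mask and the fail-open behaviour when no valid entry exists. The CLIENTS_KEY dictionary is a constructed stand-in for the registry key; padding a partial address with zero octets is an assumption, since the page does not say how partial addresses are completed.

```python
MAX_ENTRIES = 30  # the page allows up to 30 address/mask pairs (IP00..IP29)

# Constructed stand-in for RealTimeServer\CurrentVersion\Clients on the CallRouter.
CLIENTS_KEY = {
    "IP00": "199.99.123.45", "IP00Mask": "255.255.255.255",  # exactly one host
    "IP01": "199.99.125.0",  "IP01Mask": "255.255.255.0",    # whole 199.99.125 subnet
    "IP02": "10.0.0.0",      "IP02Mask": "0.0.0.0",          # default mask: entry ignored
}


def to_int(dotted):
    """Convert a complete or partial dotted address to a 32-bit integer.
    Assumption: missing trailing octets are treated as 0 (e.g. "199.99.125" -> 199.99.125.0)."""
    parts = dotted.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {dotted!r}")
    octets = [int(p) for p in parts] + [0] * (4 - len(parts))
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad octet in: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def active_rules(key):
    """Return the (address, mask) pairs that actually constrain clients.
    Entries with mask 0.0.0.0 or unparsable values are skipped as 'not valid'."""
    rules = []
    for n in range(MAX_ENTRIES):
        addr, mask = key.get(f"IP{n:02d}"), key.get(f"IP{n:02d}Mask")
        if addr is None or mask is None:
            continue
        try:
            addr_int, mask_int = to_int(addr), to_int(mask)
        except ValueError:
            continue
        if mask_int == 0:  # special value: ignore this address
            continue
        rules.append((addr_int, mask_int))
    return rules


def client_allowed(client_ip, key=CLIENTS_KEY):
    """True if the client may receive real-time data under the configured rules."""
    rules = active_rules(key)
    if not rules:
        # Caveat from the page: with no valid entries the Real-Time Server
        # accepts ANY client, so an all-default Clients key fails open.
        return True
    client = to_int(client_ip)
    # A rule matches when the masked-in bits of client and rule address agree.
    return any((client & mask) == (addr & mask) for addr, mask in rules)
```

Verify the key on a new CallRouter with active_rules before relying on it: an empty result means every client is admitted.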
Historical Data Server
In the standard ICM architecture, historical (half-hour) data is stored in the central database on the Logger. Users in this architecture access the Logger database directly for historical reports. However, this requires users to have access to the Logger's domain (the CICM domain in the Network Applications Manager environment). This is not recommended when multiple instances are running on a CICM.
As an alternative, you can set up the real-time distributor Admin Workstation at a site as a Historical Data Server (HDS). The ICM feeds historical records to the HDS machine through a secure mechanism. Other Admin Workstations at the site can read historical data from the HDS machine rather than from the Logger.
The Central Controller forwards historical records to the HDS for storage in a special local database. Other Admin Workstations at the local site can retrieve historical data from the HDS machine without having to access the central site.
Figure 6-3 Historical Data Server Architecture
To set up a Historical Data Server, you must configure the Logger to perform historical data replication. You must create an HDS database on the real-time distributor Admin Workstation and configure that Admin Workstation to be a Historical Data Server.
Information in the real-time feed tells each client Admin Workstation where to obtain historical data. If the real-time distributor is a Historical Data Server, then it instructs its clients to get historical data from it. Otherwise, it instructs its clients to get historical data from the Logger.
Note
For specific information on enabling historical data replication and setting up HDS machines, see the Cisco ICM Software Installation Guide.
Posted: Mon Nov 29 16:25:15 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.