Product Security

Support to Restrict Application Service Ports

Feature Summary and Revision History

Table 1. Summary Data

| Applicable Product(s) or Functional Area | CPS |
| Applicable Platform(s) | Not Applicable |
| Default Setting | Enabled - Always-on |
| Related Changes in This Release | Not Applicable |
| Related Documentation | Not Applicable |

Table 2. Revision History

| Revision Details | Release |
| First introduced | 21.1.0 |

Feature Description

Previous Behavior: In CPS 21.1.0 and earlier releases:

  • Policy Director (LB) VMs accepted Rsyslog requests on both internal and external interfaces (ports 5544 and 6514).

  • The Whisper server default port 9213 and the Zookeeper port 2181 listened on all interfaces, which exposed the system to attacks on these services.

New Behavior: In CPS 21.2.0 and later releases, CPS restricts application service ports to the internal network only.

  • Access through external interfaces is restricted for Rsyslog requests.

  • The Whisper service is bound to the internal interface, thus restricting external access.

  • Rsyslog, Whisper, and Zookeeper allow only one bind address. Either an IPv4 or an IPv6 address is supported as the bind address.

Rsyslog and Whisper are now deployed using the internal interfaces. Port connectivity works only through the internal IP address, which you can verify using the telnet command:

telnet <internalIP> 5544    # rsyslog
telnet <internalIP> 6514    # rsyslog
telnet <internalIP> 9213    # whisper
telnet <internalIP> 2181    # zookeeper
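
The telnet check confirms that the internal address answers. The listener table shows the other half: that none of the four ports is still bound to a wildcard or external address. The script below is an added example, not part of the CPS documentation or tooling; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the four CPS service ports listen only on the internal IP.
# Reads `ss -ltn` output on stdin; $1 is the VM's internal IP (supplied by you).
PORTS="5544 6514 9213 2181"   # rsyslog, rsyslog, whisper, zookeeper (from the page)

check_binds() {
    awk -v internal="$1" -v ports="$PORTS" '
    BEGIN { bad = 0; n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
        port = substr($4, RSTART + 1)
        addr = substr($4, 1, RSTART - 1)
        gsub(/^\[|\]$/, "", addr)      # [::] -> ::
        sub(/%.*$/, "", addr)          # drop a %interface scope suffix
        sub(/^::ffff:/, "", addr)      # IPv4-mapped form used by dual-stack sockets
        if (!(port in want)) next
        seen[port] = 1
        if (addr == internal) printf "OK %s bound to %s\n", port, addr
        else { printf "EXPOSED %s listens on %s\n", port, addr; bad = 1 }
    }
    END {
        # Informational only: a given VM may not host every service (assumption).
        for (i = 1; i <= n; i++)
            if (!(p[i] in seen)) printf "ABSENT %s has no TCP listener\n", p[i]
        exit bad
    }'
}

# Constructed sample of `ss -ltn` output (documentation addresses, not real hosts).
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    192.0.2.10:5544     0.0.0.0:*
LISTEN 0      128    0.0.0.0:6514        0.0.0.0:*
LISTEN 0      50     *:9213              *:*
LISTEN 0      50     [::ffff:192.0.2.10]:2181  *:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
EOF
}

# Demo on the sample; on a VM use: ss -ltn | check_binds "<internalIP>"
sample_listeners | check_binds 192.0.2.10 || echo "some service ports are not restricted to the internal IP"
```

A non-zero exit status means at least one of the four ports is bound to something other than the internal address, which is the pre-21.2.0 behavior described above.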