GatherDB in DMZ?

Hello,

We are wondering what people are doing in situations where you can’t let the TEM server connect out to the world but you have a DMZ available.

We are thinking of attempting to script the airgap tool unless someone else has any other ideas?

We have to deal with strict regulatory compliance and completely understand the dubious security benefit that moving the gather to the DMZ represents…

Thanks!

I guess I’m not understanding the question. Are you saying your TEM server doesn’t connect to the internet at all?

We currently use TEM in our general enterprise environment but we have a sub-environment with enhanced regulatory compliance requirements.

We are looking to create another TEM instance in that new environment.

The new TEM instance won’t be able to access the outside world – it will have all egress blocked. We have a DMZ we can use and still be in compliance, and as long as the TEM server itself doesn’t contact the internet – only the server in the DMZ, we are fine for compliance.

@strawgate is there a reason you can’t open port 52311 from your general/enterprise environment to this new environment? You can always leverage the AirGap tool, but opening 52311 will be easier to administer and maintain.

What would opening 52311 between general and the new environment allow us to do? Won’t the IBM Endpoint Manager Server (A separate instance) in the new environment have to talk to IBM/Adobe/Google/Mozilla/Apple/Microsoft directly for patches?

@strawgate Why do you need a 2nd environment? You could leverage your existing environment and put one or more relays in the sub-environments to manage those endpoints. In this case opening 52311 between the two environments would be necessary. If you have to have a second environment, then you’ll need to use the Airgap tool to update license and content. There’s OK documentation on Airgap on the IEM wiki.

For regulatory compliance our general environment cannot be connected to the satellite environments (think General Office vs Health Records or Credit Card processing)

The airgap tool and the besdownloadcacher tool can accomplish this.

What you’ll lose is that copying any custom fixlets, analyses, and baselines are up to you; and export/import baselines lose the relationship between baseline components and the source fixlets (so you can’t switch a component from Action1 to Action2, or tell when the baseline is out of sync with source components).

You also have the problem that the download cacher will download every patch, not just what’s relevant in your environment; and you’ll have to tune the cache on your isolated server so that downloads do not get aged out of the sha1 folder. Plan on a terabyte of storage at least.

In short, you can totally do what you’re asking, it’s a pain to manage, and you should probably engage IBM Professional Services for a week or so to help you get it set up.

Looking at your original statement - are you sure your lawyers have the right idea on isolation/compliance?

If you’re allowed to use the DMZ, you have a textbook configuration: put the BES server in the secure environment, and configure it to use an HTTP proxy in the DMZ for content downloads.


Jason,

That might work! I’ll follow up with our auditor and see if this setup would be allowed. I don’t know why the HTTP proxy didn’t cross our mind.

If the proxy doesn’t work we’ll script the airgap and besdownloadcacher and waste a terabyte of space in the process.

Thanks for your help


Technically a web proxy will definitely work as long as your IEM server can reach it.

During installation of 9.2 versions you’re prompted for the proxy address and port as well as other typical proxy configuration. The installer will also test the proxy for you.
You could try out Squid.

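As an added illustration of the DMZ proxy setup described above (the BES server in the secure enclave, a forward proxy in the DMZ, Squid as the suggested proxy), here is a minimal squid.conf for the DMZ host. This is example configuration written for this thread, not code from the original posts or from the BigFix or Squid projects; the client address, the external domain list path and the cache sizes are placeholders. The point of the ACLs is that the proxy only serves the one BES server and only reaches the vendor download hosts you list, so the auditor can see the egress path is narrow and fully logged.

```conf
# Added example: Squid forward proxy in the DMZ, used only by the isolated
# BES/IEM server for Fixlet content downloads. Addresses and paths are
# placeholders to replace with your own values.

http_port 3128

# Only the BES server in the secure enclave may use this proxy
# (placeholder address).
acl bes_server src 10.10.20.5/32

# Destinations limited to vendor download hosts, one domain per line in an
# external list (placeholder path). Populate it from the download URLs of
# the Fixlets you actually deploy rather than allowing the whole internet.
acl patch_sites dstdomain "/etc/squid/patch_sites.txt"

# Plain HTTP on 80 and CONNECT tunnels only to 443.
acl safe_ports port 80 443
acl ssl_ports port 443
acl CONNECT method CONNECT

http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow bes_server patch_sites
http_access deny all

# The BES server keeps its own sha1 download cache, so the proxy cache can
# stay modest; raise maximum_object_size so large patch bundles are not
# refused (sizes are placeholders).
cache_dir ufs /var/spool/squid 20000 16 256
maximum_object_size 2 GB

# Log every request so the audit trail shows exactly what left the enclave.
access_log /var/log/squid/access.log squid
```

Run `squid -k parse` on the DMZ host to syntax-check the file before reloading. On the BES side, the 9.2 installer prompt mentioned above takes the proxy address and port (here the DMZ host and 3128) and tests the connection for you; any download to a host missing from patch_sites.txt will show up as a denied entry in access.log, which is the quickest way to find domains you still need to add.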