Cybersecurity Awareness Month may be behind us, but that doesn’t mean we should stop thinking about security, because security is a continuous process. So it’s high time to continue our series on hardening your DataMiner System. Previously, we looked at the security of the client applications. Now we will focus on the firewall.
The firewall acts as a “gatekeeper”, blocking and monitoring unauthorized requests to a network, server, or application. It is crucial to close any “gate” (better known as a port) that is not actively being used.
DataMiner Firewall Rules
On DataMiner versions installed using the 10.0 installer (or older), the DataMiner installation opens the following (inbound) ports and rules in the Windows firewall:
- TCP 23: Telnet (disabled by default)
- TCP 80: HTTP
- TCP 8004: Remoting (client-server & inter-DMS communication)*
- TCP 9004: Web Services (end of life)
- TCP 7000: Cassandra (inter-node communication)¹
- TCP 9042: Cassandra (client-server communication)¹
- TCP 9200: Elasticsearch (client-server communication)²
- TCP 9300: Elasticsearch (inter-node communication)²
- TCP 4222, 6222, 8222: NATS (inter-process communication)
- TCP 9090: NATS Account Server
- UDP 161, 162, 362: SNMP (disabled by default)
- Allow Remote Administration
- Allow ICMP: Ping
¹: These rules only apply when the DataMiner System uses a Cassandra database (locally).
²: These rules only apply when the DataMiner System uses an Elasticsearch database (locally).
*: We are working hard on removing DataMiner’s dependency on .NET Remoting (port 8004). In a future version, DataMiner will use gRPC by default instead. This will mean port 8004 can be closed as well.
From the DataMiner 10.1 installer onwards, the ports in orange will no longer be opened by default during DataMiner installation.
However, to avoid breaking changes, the ports are not closed when you upgrade an existing DataMiner System to version 10.1 or higher. We therefore recommend that you verify if any of these ports can be closed manually:
- TCP port 23 can be closed if the DataMiner Telnet feature is disabled. For more information, see DataMiner.xml – Telnet.
- TCP port 80 can be closed if IIS is configured to require HTTPS connections. We highly recommend enabling HTTPS on your DataMiner System. Note that TCP port 443 needs to be open for HTTPS connections. For more information, see Setting up HTTPS on a DMA.
- TCP port 9004 can always be closed from DataMiner 10.0.11 CU0 and 10.0.0 CU6 onwards.
- TCP port 8222 can always be closed. This will be the default from 10.1.12 CU0 and 10.2.0 CU0 onwards.
- The ports for NATS communication (4222, 6222, 9090) can be closed when the DMA is not part of a cluster.
- UDP ports 161 and 362 can be closed if the DataMiner SNMP Agent feature is disabled, which is the case by default from DataMiner 9.6.11.0 onwards. However, if a DMA was installed prior to DataMiner 9.6.11 and is upgraded to DataMiner 9.6.11 or higher, this functionality will remain enabled until it is manually disabled. For more information, see DataMiner SNMP agent functionality.
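The checks above are easy to get wrong by hand on an upgraded DMA, because the installer-created rules keep their old names and the conditions (Telnet disabled, HTTPS enforced, not in a cluster, SNMP agent off) have to be verified before anything is closed. The following PowerShell is an added example, not part of the DataMiner installer or documentation: it lists every enabled inbound Allow rule in the Windows firewall that matches one of the ports discussed above, reports whether a local process is still listening on that port (a sign the feature behind it is still active), and only then disables the rule. It assumes an elevated session on the DMA itself, a Windows version that ships the NetSecurity and NetTCPIP modules, and that rules are matched by protocol and port rather than by the installer's rule names; the "CloseWhen" text is simply the condition from the list above.

```powershell
# Added example, not from the DataMiner installer or documentation.
# Assumes: elevated PowerShell on the DMA; Get-NetFirewallRule, Get-NetFirewallPortFilter,
# Get-NetTCPConnection and Get-NetUDPEndpoint are available (Windows Server 2012 R2+).
# Rules are matched on protocol + port only, never on rule name.

# Ports the article says can be closed, with the condition under which that holds.
$script:CandidatePorts = @(
    [pscustomobject]@{ Protocol = 'TCP'; Port = 23;   Condition = 'DataMiner Telnet feature disabled (DataMiner.xml)' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 80;   Condition = 'IIS requires HTTPS (TCP 443 stays open)' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 9004; Condition = 'always, from 10.0.11 CU0 / 10.0.0 CU6 onwards' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 8222; Condition = 'always' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 4222; Condition = 'DMA is not part of a cluster' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 6222; Condition = 'DMA is not part of a cluster' }
    [pscustomobject]@{ Protocol = 'TCP'; Port = 9090; Condition = 'DMA is not part of a cluster' }
    [pscustomobject]@{ Protocol = 'UDP'; Port = 161;  Condition = 'DataMiner SNMP agent feature disabled' }
    [pscustomobject]@{ Protocol = 'UDP'; Port = 362;  Condition = 'DataMiner SNMP agent feature disabled' }
)

function Test-PortListening {
    # True when a local process is bound to the port. A listener means the feature
    # behind the port is still active and should be turned off before the rule is.
    param([string]$Protocol, [int]$Port)
    if ($Protocol -eq 'TCP') {
        return [bool](Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    }
    return [bool](Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
}

function Get-CandidateFirewallRules {
    # Emits one object per (enabled inbound Allow rule, candidate port) match.
    # Only exact single-port filters are matched; a rule whose LocalPort is a
    # range ("4000-5000") or "Any" is deliberately not treated as a match.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        $ports  = @($filter.LocalPort)
        foreach ($c in $script:CandidatePorts) {
            if ($filter.Protocol -ne $c.Protocol) { continue }
            if ($ports -contains "$($c.Port)") {
                [pscustomobject]@{
                    RuleName    = $rule.Name          # stable ID used by Disable-NetFirewallRule
                    DisplayName = $rule.DisplayName
                    Protocol    = $c.Protocol
                    Port        = $c.Port
                    CloseWhen   = $c.Condition
                    Listening   = Test-PortListening -Protocol $c.Protocol -Port $c.Port
                }
            }
        }
    }
}

function Disable-CandidateFirewallRules {
    # Disables (does not delete) matching rules so the change is trivially reversible
    # with Enable-NetFirewallRule. Rules whose port still has a listener are skipped
    # unless -Force is given, so a live feature is not cut off by accident.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Force)
    foreach ($m in Get-CandidateFirewallRules) {
        if ($m.Listening -and -not $Force) {
            Write-Warning "Skipping '$($m.DisplayName)': a process still listens on $($m.Protocol)/$($m.Port). Close only when: $($m.CloseWhen)."
            continue
        }
        if ($PSCmdlet.ShouldProcess($m.DisplayName, "Disable inbound rule for $($m.Protocol)/$($m.Port)")) {
            Disable-NetFirewallRule -Name $m.RuleName
        }
    }
}

# Usage: review the report, dry-run, then apply once the conditions are met.
Get-CandidateFirewallRules | Format-Table RuleName, DisplayName, Protocol, Port, Listening, CloseWhen -AutoSize
Disable-CandidateFirewallRules -WhatIf
# Disable-CandidateFirewallRules            # apply
```

The script disables rather than deletes rules on purpose: an upgraded system may have a dependency nobody documented, and re-enabling a rule is a one-liner whereas recreating the installer's rule with the right scope and profile is not. Run the report on every DMA in a cluster, since the NATS ports (4222, 6222, 9090) are only candidates on a standalone agent.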
The Remote Administration rule must be enabled when the DataMiner server is monitored by a remote element using the Microsoft Platform protocol. For example, when 2 DataMiner Agents are in Failover, and both servers are monitored through the Microsoft Platform driver.
ICMP is only required when Failover heartbeats are active or the pingCount attribute in the DMS tag of the file C:\Skyline DataMiner\DMS.xml is set to a value greater than 0. For more information, see Attributes of the DMS tag. Allowing ICMP is also useful to debug connectivity issues.
For more detailed information, refer to our overview of IP ports used in a DMS.
In our next article, we’ll dive into securing the database powering your DataMiner System.