106 Endpoint Security and Compliance Management Design Guide Using IBM Tivoli Endpoint Manager
• Relevance
Relevance clauses are written into this part in sections to make the
Relevance easier to read. Statements are often separated, because each
statement must return the value of true for the next action to run.
• Action
Based on the endpoint returning true for all Relevance clauses that it
evaluates, the Action script is then run, if needed, to implement the
remediation. An Action script is another proprietary language that is used to
execute the required Actions at the endpoint. The goal for the Action script is
to ensure that the next time that the Relevance evaluates the clauses, they all
return false.
• Comments
Operators can insert comments for Fixlets.
Exporting a Fixlet and examining its content reveals additional metadata that
other components of the Tivoli Endpoint Manager system use.
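The Relevance-then-Action cycle described above (all clauses true, run the Action, re-evaluate) is easy to get wrong in an Action script that does not actually change what the Relevance inspects. The following is an added example, not product code or Relevance language: the endpoint is a plain dict standing in for the Agent's inspectors, the clauses are Python callables, and both Fixlets and the host states are constructed for illustration.

```python
"""Toy model of the Fixlet cycle: ANDed Relevance clauses, an Action that runs
only on relevant endpoints, and a re-evaluation that decides success.

Added example; the endpoint dict, Fixlet definitions and fleet are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Endpoint = Dict[str, object]
Clause = Callable[[Endpoint], bool]


@dataclass
class Fixlet:
    name: str
    relevance: List[Clause]              # every clause must return True for the Fixlet to apply
    action: Callable[[Endpoint], None]   # stands in for the Action script


def is_relevant(fixlet: Fixlet, endpoint: Endpoint) -> bool:
    # Clauses are evaluated in order and the first False stops evaluation,
    # which is why cheap guard clauses (platform, product installed) come first.
    return all(clause(endpoint) for clause in fixlet.relevance)


def run_fixlet(fixlet: Fixlet, endpoint: Endpoint) -> str:
    """Return 'not relevant', 'fixed' or 'failed' for one endpoint."""
    if not is_relevant(fixlet, endpoint):
        return "not relevant"
    fixlet.action(endpoint)
    # Re-evaluate: the Action succeeded only if the Fixlet no longer applies,
    # that is, its ANDed clauses no longer all evaluate true.
    return "fixed" if not is_relevant(fixlet, endpoint) else "failed"


# Constructed Fixlet: stop and disable a service that should not be running.
def _disable_service(endpoint: Endpoint) -> None:
    endpoint["service_state"] = "stopped"
    endpoint["service_startup"] = "disabled"


DISABLE_SERVICE = Fixlet(
    name="Disable unwanted service",
    relevance=[
        lambda e: e.get("os") == "windows",
        lambda e: e.get("service_installed") is True,
        lambda e: e.get("service_state") == "running" or e.get("service_startup") != "disabled",
    ],
    action=_disable_service,
)

# Constructed Fixlet whose Action does not address what the Relevance checks;
# the endpoint is still relevant afterwards, so it is reported as failed.
BROKEN = Fixlet(
    name="Broken remediation",
    relevance=[lambda e: e.get("os") == "windows", lambda e: e.get("patch_kb") is None],
    action=lambda e: e.update(last_action="ran"),  # never sets patch_kb
)


def demo() -> Dict[tuple, str]:
    """Run both Fixlets over a constructed fleet; return status per (fixlet, host)."""
    fleet = {
        "win-host-1": {"os": "windows", "service_installed": True,
                       "service_state": "running", "service_startup": "automatic"},
        "win-host-2": {"os": "windows", "service_installed": False},
        "lnx-host-1": {"os": "linux", "service_installed": True, "service_state": "running"},
    }
    results = {}
    for host, state in fleet.items():
        for fixlet in (DISABLE_SERVICE, BROKEN):
            results[(fixlet.name, host)] = run_fixlet(fixlet, state)
    return results


if __name__ == "__main__":
    for (fixlet_name, host), status in demo().items():
        print(f"{fixlet_name:<26} {host:<12} {status}")
```

The "failed" status is the case worth watching in reports: the Action ran, but the Relevance still evaluates true, so the remediation did not take effect and the Fixlet stays relevant.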
Process: After the Action finishes processing, the Relevance clauses are
evaluated again. If they all return false, the action is successful and the Fixlet
completes what it intended to remediate.
3.3 Network communications and usage
Next, we identify the network flows between the various identified components,
and entities external to the components, such as users, identified in 3.1, “Logical
component overview” on page 64. Later sections help to provide suggestions
about security zones. This section enables architects and solution designers to
understand the implications of placing specific components in various network
segments. Figure 3-17 on page 107 illustrates the components and their network
interactions, and the limitations of the components managed by the organization.
Chapter 3. IBM Tivoli Endpoint Manager component structure 107
Figure 3-17 Component network flows overview
The diagram shows the major network flows between components in the Tivoli
Endpoint Manager system. Each network flow is marked with a flow number that
is described in Table 3-2 on page 108, which also provides the port and protocol
information. We explain each flow and the volume and frequency of the traffic
that uses that port. We rate this traffic as “High”, “Medium”, or “Low”. The
definition of each term changes with the size of the organization and is
subjective, but the three levels serve as reference points relative to each other.
For additional material, see the IBM Wiki page:
https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/Network%20Traffic%20Guide
This section helps you to place a component in a particular network zone and
understand the expected traffic between it and other components.
3.3.1 Intercomponent traffic
The Tivoli Endpoint Manager platform requires few ports. Interactions among the
Agent, Relay, and Server connect by using a single port, 52311, and Internet
Control Message Protocol (ICMP). Database communications all use a single
port, TCP 1433. Only minor changes are required for the infrastructure of the
organization to accommodate Tivoli Endpoint Manager. Fewer changes to the
security configuration of the network enable organizations to maintain a secure
stance. Table 3-2 provides a breakdown of each numbered flow identified in
Figure 3-17 on page 107 and identifies the major uses of that flow.
Table 3-2 Traffic flows

Number  From               To                Protocol/port       Description
1       Agent              Relay, Server     TCP:52311           Gather, Download, Post Report, Register.
                                                                 Primarily Agent to Relay, so that Agent to
                                                                 Server can be avoided
        Agent              Relay, Server     ICMP Echo Request   Relay Discovery, Relay Distance.
                                                                 Primarily Agent to Relay, so that Agent to
                                                                 Server can be avoided
2       Relay, Server      Agent             UDP:52311           Notification
3       Relay              Relay, Server     TCP:52311           Gather, Download, Post Report, Register
4       Relay, Server      Relay             TCP:52311           Notification
5       Server, Analytics  TEM DB            TCP:1433            SQL
        Analytics          WRS DB, TEMA DB   TCP:1433            SQL
        TEM WRS            WRS DB            TCP:1433            SQL
6       Console, TEM WRS   Server            TCP:52311           Login
        Console, TEM WRS   Server            TCP:52383 SSL       Login, TEM Query
7       Report Users       TEMA, TEM WRS     TCP:80, TCP:443     Web browser
8*      Server             Repositories      TCP:80, TCP:443,    Downloads
                                             TCP:21
9*      Server             Directories       Various             Authentication

* External to the Tivoli Endpoint Manager system.

Table 3-2 on page 108 and Figure 3-17 on page 107 can be used together to
identify the Tivoli Endpoint Manager traffic that occurs at a certain point in the
organizational network. Flows 8 and 9 are external to the Tivoli Endpoint
Manager system. Next, we look at the individual flows to describe them in more
detail.
Traffic flow 1: Agent to parent Relay/Server
Traffic flow 1 (Figure 3-18) is the connection that is initiated from the Agent to the
Relay or Server.
Figure 3-18 Traffic flow 1 in context
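Section 3.3.1 makes the point that the platform needs few ports, and that Table 3-2 together with Figure 3-17 lets you work out which openings a given placement of components requires. The following added example (not from the book or the product) encodes the flows of Table 3-2 as data and derives the cross-zone firewall rules for a proposed placement; the flow numbers, components and ports are taken from the table, while the zone names and the placement itself are constructed.

```python
"""Derive the cross-zone firewall openings that a proposed zone placement of
Tivoli Endpoint Manager components requires, from the flows of Table 3-2.

Added example: flows, ports and components follow Table 3-2; zone names and the
placement are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One entry per (source, destination, protocol, port) pair listed in Table 3-2.
# Flows 8 and 9 are external to the Tivoli Endpoint Manager system.
# port None means the protocol has no port (ICMP) or the table says "Various".
FLOWS: List[Tuple[int, str, str, str, object, str]] = [
    (1, "Agent", "Relay", "TCP", 52311, "Gather, Download, Post Report, Register"),
    (1, "Agent", "Server", "TCP", 52311, "Gather, Download, Post Report, Register (avoid when a Relay exists)"),
    (1, "Agent", "Relay", "ICMP", None, "Relay Discovery, Relay Distance"),
    (1, "Agent", "Server", "ICMP", None, "Relay Discovery, Relay Distance (avoid when a Relay exists)"),
    (2, "Relay", "Agent", "UDP", 52311, "Notification"),
    (2, "Server", "Agent", "UDP", 52311, "Notification"),
    (3, "Relay", "Relay", "TCP", 52311, "Gather, Download, Post Report, Register"),
    (3, "Relay", "Server", "TCP", 52311, "Gather, Download, Post Report, Register"),
    (4, "Relay", "Relay", "TCP", 52311, "Notification"),
    (4, "Server", "Relay", "TCP", 52311, "Notification"),
    (5, "Server", "TEM DB", "TCP", 1433, "SQL"),
    (5, "Analytics", "TEM DB", "TCP", 1433, "SQL"),
    (5, "Analytics", "WRS DB", "TCP", 1433, "SQL"),
    (5, "Analytics", "TEMA DB", "TCP", 1433, "SQL"),
    (5, "TEM WRS", "WRS DB", "TCP", 1433, "SQL"),
    (6, "Console", "Server", "TCP", 52311, "Login"),
    (6, "TEM WRS", "Server", "TCP", 52311, "Login"),
    (6, "Console", "Server", "TCP", 52383, "SSL Login, TEM Query"),
    (6, "TEM WRS", "Server", "TCP", 52383, "SSL Login, TEM Query"),
    (7, "Report Users", "TEMA", "TCP", 80, "Web browser"),
    (7, "Report Users", "TEMA", "TCP", 443, "Web browser"),
    (7, "Report Users", "TEM WRS", "TCP", 80, "Web browser"),
    (7, "Report Users", "TEM WRS", "TCP", 443, "Web browser"),
    (8, "Server", "Repositories", "TCP", 80, "Downloads"),
    (8, "Server", "Repositories", "TCP", 443, "Downloads"),
    (8, "Server", "Repositories", "TCP", 21, "Downloads"),
    (9, "Server", "Directories", "Various", None, "Authentication"),
]

Rule = Tuple[str, str, str, object]  # (source zone, destination zone, protocol, port)

# Constructed placement: the network zone each component lives in.
PLACEMENT: Dict[str, str] = {
    "Agent": "client", "Console": "client", "Report Users": "client",
    "Relay": "dmz",
    "Server": "server", "Analytics": "server", "TEM WRS": "server", "TEMA": "server",
    "TEM DB": "data", "WRS DB": "data", "TEMA DB": "data",
    "Repositories": "internet",
    "Directories": "identity",
}


def required_rules(placement: Dict[str, str]) -> Dict[Rule, List[int]]:
    """Map each cross-zone opening to the Table 3-2 flow numbers that need it.
    Flows whose endpoints share a zone never cross a boundary and are dropped."""
    rules: Dict[Rule, List[int]] = defaultdict(list)
    for number, src, dst, proto, port, _ in FLOWS:
        src_zone, dst_zone = placement[src], placement[dst]
        if src_zone == dst_zone:
            continue
        rule = (src_zone, dst_zone, proto, port)
        if number not in rules[rule]:
            rules[rule].append(number)
    return dict(rules)


def blocked_flows(placement: Dict[str, str], allowed: Set[Rule]) -> List[tuple]:
    """Return the Table 3-2 flows that a policy (set of allowed rules) would break."""
    blocked = []
    for flow in FLOWS:
        _, src, dst, proto, port, _ = flow
        src_zone, dst_zone = placement[src], placement[dst]
        if src_zone != dst_zone and (src_zone, dst_zone, proto, port) not in allowed:
            blocked.append(flow)
    return blocked


def distinct_ports(placement: Dict[str, str]) -> List[Tuple[str, str]]:
    """The (protocol, port) pairs that must be open across some boundary."""
    return sorted({(r[2], str(r[3])) for r in required_rules(placement)})


if __name__ == "__main__":
    for rule, numbers in sorted(required_rules(PLACEMENT).items(), key=str):
        print(f"{rule[0]:>8} -> {rule[1]:<8} {rule[2]}:{rule[3]}  flows {numbers}")
    # Leaving out the database opening silently breaks every flow-5 connection.
    policy = set(required_rules(PLACEMENT)) - {("server", "data", "TCP", 1433)}
    for flow in blocked_flows(PLACEMENT, policy):
        print("BLOCKED:", flow)
```

Changing PLACEMENT (for example, moving the Relay into the client zone) changes the rule set immediately, which is the check to run before committing to a zone design; the rules that carry flow 1 Agent-to-Server traffic are the ones the book says to avoid by routing Agents through a Relay.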