Lookout

Can a server process be assigned a fixed (Logos) port?

Hi, this question relates to protecting Logos traffic between a web client and a server process. We have a number of internet users accessing their own server processes on a single server machine. We would like to set up multiple VPNs, one for each server process, so that users cannot interact with others' server processes. However, because each server process is dynamically assigned a port by Logos at startup, we cannot do this. Does anyone know if it is possible to set a predetermined port for each process via Logos, or are there any other alternatives to secure the traffic? Thanks
Message 1 of 4
(3,079 Views)
TRL,

LOGOS runs on UDP port 2343 and, when the connection with a client is established, opens a second UDP port (dynamically assigned by the OS) between 1024 and 65535.

Therefore, you cannot know in advance which port is going to be opened. However, there is not a major risk in keeping those ports open, since you probably don't have any harmful applications listening on the UDP ports greater than 1023.

For further information, search for "Networking Lookout or the LabVIEW DSC Module Across Firewalls" (http://zone.ni.com/devzone/conceptd.nsf/webmain/7D0E7F20B1A7C8E486256A39005747F2?opendocument)

Even though this link is for LabVIEW, it may be useful since LabVIEW uses Logos too. (http://digital.ni.com/public.nsf/3efedde4322fef19862567740067f3cc/f0de7a1a88d92d6d86256d710049fb40?OpenDocument)

Good luck
JSS
Message 2 of 4
JSS, thanks for the response. I understand how the Logos classified ads service works on UDP 2343 and dynamically assigns a port for server processes. I am not worried about harmful applications listening on ports greater than 1023; rather, I am worried about harmful 'Lookout' clients (or spoofed clients) attempting to control any processes running on the server. Currently, anyone can connect to the classified ads service to find out exactly what server processes are running and then connect to those services and control the hardware remotely. Hence another security layer is required. Using IPSec connections on all UDP traffic above port 1023 would partially work. All Logos traffic would then be authenticated and encrypted. However, 2 legitimate clients could still control and connect to each other's processes. That is the problem I am trying to solve. I was hoping each server process could be tied to a particular port and then each port protected separately.
Message 3 of 4
TRL,

OK...I missed that part ;).

Lookout does implement a "network security layer" that provides access privileges to each process, object and subfolder. Its drawback is the "lookout.sec" file: you have to copy it manually (or get it copied) to each client computer.

Also, there are some default settings you should change in order to get it working.

First: create a good lookout.sec file.
Give the Administrator account a password (by default it doesn't have one) and be sure it is not the default login user.
Create as many users (or groups of users) as you need (maybe one per process) using the User Manager. After doing that you can distribute "lookout.sec".

Second: set network security properties for each process.

Open the "Network Security Properties" window by right-clicking (in the object explorer) on the process you want to restrict access to and left-clicking "Configure Network Security". Push the "Permission..." button and select the user you want to allow or restrict access for.

Refer to Chapter 10, Security, for more information about the available options.

Hope it works for you

JSS
Message 4 of 4