Lookout

cancel
Showing results for 
Search instead for 
Did you mean: 

Can a server process be assigned fixed (Logos) port?

Hi, This question relates to protecting logos traffic between a web client and a server process. We have a number of internet users accessing their own server processes on a single server machine. We would like to set up multiple VPNs for each server process so that users cannot interact with others server processes. However, because each server process is dynamically assiged a port by Logos at startup we cannot do this. Does anyone know if it is possible to set a predetermined port for each process via logos or are there any other alternatives to secure the traffic? Thanks
0 Kudos
Message 1 of 4
(2,295 Views)
TRL,

LOGOS runs in UDP2343 port and when the connection with a client is established opens a second UDP port (dynamically assigned by OS) between 1024 and 65535.

Therefore, you can not know previously what port is going to be opened. However, there is not a major risk on keeping those ports open since you probably don't have any harmful applications listening on the UDP ports greater than 1023.

For further information, search for "Networking Lookout or the LabVIEW DSC Module Across Firewalls" (http://zone.ni.com/devzone/conceptd.nsf/webmain/7D0E7F20B1A7C8E486256A39005747F2?opendocument)

Even though this link is for Labview, it may be useful since Labview uses Logos too.(http://digital.ni.com/public.nsf/3efedde4322fef19862567740067f3cc/f0de7a1a88d92d6d86256d710
049fb40?OpenDocument)

Good luck
JSS
0 Kudos
Message 2 of 4
(2,295 Views)
JSS, Thanks for the response. I understand how the Logos classified ads service works on UDP2343 and dynamically assigns a port for server processes. I am not worried about harmful applications listening on ports greater than 1023 rather, harmful 'lookout' clients (or spoofed clients) attempting to control any processes running on the server. Currently, anyone can connect to the classified ads service to find out exactly what server processes are running and then connect to those services and control the hardware remotely. Hence another security layer is required. Using IPSec connections on all UDP traffic above port 1023 would partially work. All Logos traffic would then be authenticated and encrypted. However, 2 legitimate clients could still control and conne
ct to each others processes. That is the problem I am trying to solve. I was hoping each server process could be tied to a particular port and then each port protected seperately.
0 Kudos
Message 3 of 4
(2,295 Views)
TRL,

OK...I missed that part ;).

Lookout does implement a "network security layer" that provides access privileges to each process, object and subfolders. Its drawback is the "lookout.sec" file, you have to copy it manually (or get it copied) to each client computer.

Also, there are some default settings you should change in order to get it working.

First: create a good lookout.sec file.
Give the Administrator account a password(by default it doesn't have one) and be sure it is not the default login user.
Create as many users (or groups of users) as you need (maybe one per process) using the User Manager. After doing that you can distribute "lookout.sec".

Second: Set network security properties to each process.

Open the "Network Securi
ty Properties" window by rigth clicking (in the object explorer) over the process you want to restrict access and left-click "Configure Network Security". Push "Permission..." button and select the user want to allow or restrict access.

Refer to chapter 10 Security to get more information about the available options.

Hope it works for you

JSS
0 Kudos
Message 4 of 4
(2,295 Views)