Network Architecture and Ports

Document created by RSA Information Design and Development on Jun 22, 2017

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your Security Analytics deployment to communicate with each other.

Security Analytics Network Architecture

The following diagram illustrates the Security Analytics network architecture with ports used for communications in Security Analytics 10.6.

Note: Security Analytics core hosts must be able to communicate with the Security Analytics Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.


Security Analytics Host and Service Ports

In versions prior to Security Analytics 10.4, an administrator used the native protocol for fast non-SSL communications such as aggregation, and the REST API for SSL communications between Security Analytics and the hosts. Since then, all communications from Security Analytics have moved from the REST API to the native Security Analytics Core ports. As a result, a second native Security Analytics Core port was added per host service so that administrators can enable secure (SSL) network communications while still being able to use non-secure (HTTP and native Security Analytics Core) connections between services on the same system. Administrators can toggle the ports on and off to support only SSL, only non-SSL, or both.

The following table lists the Security Analytics hosts and their respective service ports:

From Host | To Host | To Ports (Protocol) | Comments
--------- | ------- | ------------------- | --------
Any host | Security Analytics Server | 80 (TCP) | Yum/HTTP: All SA hosts receive RPM package updates from the Yum repository located on the Security Analytics Server over HTTP. This is a two-way communication from any host to the Security Analytics Server.
Any host | Security Analytics Server | 8140 (TCP) | Puppet master/HTTPS: All communication from any host to the Security Analytics Server (Puppet master) is over HTTPS.
Any host | Security Analytics Server | 61614 (STOMP/TCP) | rabbitmq-server (Mcollective/STOMP): All communication from any host to the Security Analytics Server (rabbitmq-server) is over Mcollective/STOMP.
Security Analytics Server | Any host | 5671 (AMQPS/TCP) | rabbitmq-server (RabbitMQ/AMQPS): All communication from the Security Analytics Server (rabbitmq-server) to any host is over RabbitMQ/AMQPS. Note: Port 5671 must be open both ways between the SA Server and the other hosts for version updates.
Security Analytics Server | Log Decoder | 56002 (SSL/TCP); 50002 (non-SSL/TCP); 50102 (REST/TCP) - for Security Analytics 10.3 and earlier only |
Security Analytics Server | Broker | 56003 (SSL/TCP); 50003 (non-SSL/TCP); 50103 (REST/TCP) - for Security Analytics 10.3 and earlier only |
Security Analytics Server | Concentrator | 56005 (SSL/TCP); 50005 (non-SSL/TCP); 50105 (REST/TCP) - for Security Analytics 10.3 and earlier only |
Security Analytics Server | Packet Decoder | 56004 (SSL/TCP); 50004 (non-SSL/TCP); 50104 (REST/TCP) |
Security Analytics Server | Log Collector (Local, Remote and Windows Legacy) | 56001 (SSL/TCP); 50001 (non-SSL/TCP); 50101 (REST/TCP) - for Security Analytics 10.3 and earlier only |
Security Analytics Server | Archiver | 56008 (SSL/TCP); 50008 (non-SSL/TCP); 50108 (REST/TCP) |
Security Analytics Server | ESA | 50030 (SSL/TCP); 27017 (SSL/TCP) (default) | 27017 is for one ESA host only.
Security Analytics Server | ESA - Context Hub | 50022 (SSL/TCP) |
Security Analytics Server | Malware (Malware co-located on Security Analytics Server) | 60007 (TCP) |
Security Analytics Server | Reporting Engine (rsa-re on Security Analytics Server) | 51113 (SSL/TCP) |
Security Analytics Server | Incident Management (rsa-im on Security Analytics Server) | 50040 (TCP) |
Security Analytics Server (IPDB Extractor) | enVision IPDB | 135, 138, 139, 445 (TCP/UDP) |
Security Analytics Server | IPDB Extractor | 56025 (SSL/TCP); 50025 (non-SSL/TCP); 50125 (REST/TCP) |
Security Analytics Server | Warehouse Connector (on Packet Decoder/Log Decoder) | 56020 (SSL); 50020 (non-SSL); 50120 (REST) |
Security Analytics Server | ECAT | 443 (TCP) |
Security Analytics Server | Host Service (Log Decoder, Packet Decoder, Concentrator, Broker, Warehouse Connector, Archiver) | 56006 (SSL/TCP); 50006 (non-SSL/TCP); 50106 (REST/TCP) - for Security Analytics 10.3 and earlier only |
Security Analytics Server | Workbench (Archiver) | 56007 (SSL/TCP); 50007 (non-SSL/TCP); 50107 (REST/TCP) |
Security Analytics Server | Audit Log Syslog Receiver (a third-party syslog receiver or a Log Decoder) | 514 (TCP/UDP) | Required only if SA audit logs are sent to a Log Decoder or third-party syslog receiver to be parsed.
Security Analytics Server | cms.netwitness.com | 443, 80 (TCP) | RSA LIVE content
Security Analytics Server | smcupdate.emc.com | 443 (TCP) | RSA Update Repo to Local Update Repo
Concentrator | Packet Decoder | 56004 |
Concentrator | Log Decoder | 56002 |
Broker | Concentrator | 56005 |
Broker | Archiver | 56008 |
Archiver | Log Decoder | 56002 |
ESA | Concentrator | 56005 |
ESA | RSA LIVE Whois Server | 443 |
Malware | Broker | 56003 |
Warehouse Connector | Warehouse | NFS (2049, 111); SFTP (TCP 22); WebHDFS (50070) |
Log Collector (on Log Decoder) | Virtual Log Collector; Windows Legacy Collector | 5671 (TCP) | In Pull mode.
Virtual Log Collector; Windows Legacy Collector | Log Collector (on Log Decoder) | 5671 (TCP) | In Push mode.
enVision Local Collector | Remote Collector (VM) | 514 (TCP) |
enVision Local Collector | Log Decoder | 514 (TCP) |
ECAT | Log Decoder | 514 (TCP/UDP) |
ECAT | Security Analytics Server | 5671 (TCP) | ECAT alerts are sent to SAIM on this port.
Security Analytics Server (RE alerts, ESA and Business Context Live Feeds) | Archer SecOps 1.3 | Security Analytics Server to UCF: syslog 1514 (TCP) / 514 (UDP) / 1515 (STCP); UCF to Archer SecOps: 80 / 443; Security Analytics Server to UCF: 9090 (HTTP) / 8443 (HTTPS) (Business Context Live Feeds) |
Security Analytics Server (IM alerts) | Archer SecOps 1.2/1.3 | SAIM Integration Service to Security Analytics Server: 5671; SAIM Integration Service to Archer SecOps: 80 / 443 | The SAIM Integration Service is present on UCF and integrates with SecOps 1.3 and 1.2.
Security Analytics Web Browser | Security Analytics Server UI | 443 (HTTPS) |
External | All hosts | 22 (TCP) | SSH provides shell access to the device for emergency host management. On hosts with the Log Collector installed, ssh provides sftp and scp support for devices that upload log files for consumption by Security Analytics.

Note: When you update to a new version, open firewall ports 8140 and 61614 from all non-Security Analytics Server hosts to Security Analytics Server so that the Security Analytics Server can discover all of your non-Security Analytics Server hosts and services.
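The following is an added example, not part of the RSA document: it encodes a subset of the 10.6 port rows above (the Core service SSL/non-SSL pairs and the Security Analytics Server management ports), derives the ports a firewall must pass for a given SSL-only or mixed configuration, and reports which required ports do not answer a TCP connect. Role names, the probe interface and the addresses are constructed for illustration; rows marked "10.3 and earlier only" are omitted.

```python
"""Port-matrix planner and TCP reachability audit for an SA 10.6 deployment."""
import socket

# (from_role, to_role) -> [(port, kind)], transcribed from the table above.
# kind: "ssl" (56xxx native SSL), "plain" (50xxx native non-SSL),
# "rest" (501xx REST, still listed for 10.6), "any" (always required).
PORT_MATRIX = {
    ("Any host", "SA Server"): [(80, "any"), (8140, "any"), (61614, "any")],
    ("SA Server", "Any host"): [(5671, "any")],
    ("SA Server", "Log Collector"): [(56001, "ssl"), (50001, "plain")],
    ("SA Server", "Log Decoder"): [(56002, "ssl"), (50002, "plain")],
    ("SA Server", "Broker"): [(56003, "ssl"), (50003, "plain")],
    ("SA Server", "Packet Decoder"): [(56004, "ssl"), (50004, "plain"), (50104, "rest")],
    ("SA Server", "Concentrator"): [(56005, "ssl"), (50005, "plain")],
    ("SA Server", "Archiver"): [(56008, "ssl"), (50008, "plain"), (50108, "rest")],
    ("Concentrator", "Packet Decoder"): [(56004, "ssl")],
    ("Concentrator", "Log Decoder"): [(56002, "ssl")],
    ("Broker", "Concentrator"): [(56005, "ssl")],
    ("Broker", "Archiver"): [(56008, "ssl")],
}


def required_ports(src, dst, ssl_only=True):
    """Ports that must be open from src to dst. With ssl_only=True the
    non-SSL native and REST ports are dropped (the 'SSL only' toggle);
    management ports of kind 'any' are required in every configuration."""
    keep = {"ssl", "any"} if ssl_only else {"ssl", "plain", "rest", "any"}
    return sorted(p for p, kind in PORT_MATRIX[(src, dst)] if kind in keep)


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(src, dst, dst_addr, ssl_only=True, probe=check_tcp):
    """Return the required ports toward dst_addr that the probe cannot reach."""
    return [p for p in required_ports(src, dst, ssl_only) if not probe(dst_addr, p)]


if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder; use the Concentrator's real address.
    print("blocked:", audit("SA Server", "Concentrator", "192.0.2.10"))
```

Run it from the Security Analytics Server toward each Core host; an empty list means every port the table requires for that direction accepted a connection.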
