8 Replies Latest reply on Jul 3, 2018 3:31 AM by Sean Berry

    Is it possible to force the patch download portion of a patching job to run on a specific server?

    Christopher Dale

      I have a secure network with servers that can only be scanned by BSA app servers in the same network. These app servers do not have direct access to download patches from the internet.

      I know I can run a scan job and wait for the download job to fail... then create a patch download job manually that gets routed to a specified app server using job execution rules...

      I can't figure out a rule that will send all download jobs to the specified app servers that have internet access.

      I am asking: is this the only way, and if so, how can I write the correct rule? Or is there some other configuration that I can set to make this work?

      Thanks,

      Chris Dale

        • 1. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
          Bill Robinson

          Patching jobs are like batch jobs: they contain child analysis, download and remediation jobs. So if there's a routing rule for the parent (the patching job), the children should follow suit.

          So you have a few options:

          - Get all your app servers (job) outbound internet access. I mean, why is only one approved for outbound access? Why only one?

          - Run all your patching jobs on the same app server with a job routing rule.

          - Script something up that will run patching, create a separate download job and have a rule for that, and then run remediation.

          - Use the 'download from vendor' option in the catalog, which will have the CUJ download all the patches for the catalog, and use a routing rule on the CUJ.

          • 2. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
            Christopher Dale

            That is what I thought... the only viable option is to write a script to run the analysis, then have the script create the patch download job with a name I can route to the correct app servers...

            I have 4 app servers that can access the internet in my normal network. It is just one subnet that is secure, which the app servers that have internet access are not allowed to reach directly... so I have job execution rules set up to allow us to run jobs from app servers on that secure subnet. Right now it is not often an issue, as we run patching on servers in our normal environment first, but every once in a while the secure zone will need something not required by servers in the normal network.

            I would love to see a patch configuration option to limit the servers that need firewall rules to a minimum. Security always wants as few servers as possible to have direct access to external sites, and having to get new rules set up for a long list of servers when a vendor changes download URLs is a pain.

            Chris

            • 3. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
              Bill Robinson

              These app servers are all part of the same BSA install? What do you gain by having one app server that can access the secure env? Can it talk to the other app servers in the env? What security are you gaining by this setup?

              • 4. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
                Christopher Dale

                The idea is to limit ingress points into a secure zone to the bare minimum, and to have the servers inside the zone under tighter internet-facing rules to prevent direct risk from malicious sites.

                All the app servers are part of the same BSA environment and can access the same DB and file server. But only app servers in the zone can talk to agents on port 4750, and the jobs run there based on job rules.

                The app servers have the specific ports open for normal bidirectional app-server-to-app-server communication, but there is no wildcard rule for direct access to 4750 from the normal environment to the secure zone.

                • 5. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
                  Bill Robinson

                  "The idea is to limit ingress points into a secure zone to the bare minimum."

                  I mean, I guess, but that limits your capacity and makes things more difficult to work with, like you are finding here. You can use RBAC to limit who can access the 'secure' env and let all the app servers talk to all your targets.

                  "And to have the servers inside the zone under tighter internet-facing rules to prevent direct risk from malicious sites."

                  But it's not 'internet facing'; there is no incoming traffic to the app servers. The app servers (or patch helper, depending on the catalog OS) need outbound access to a list of certain vendor sites, which can be restricted by a firewall or proxy to just those sites. If the 'normal' app servers can possibly contact the malicious sites and be compromised, then since they can talk to (and therefore possibly compromise) the 'secure' app server, I don't see what benefit the 'secure' app server gets you. If you want it to be really 'secure', then you have two separate BSA envs (two databases), the 'secure' env is air-gapped, and you sneakernet patches and other content between the two after scanning it for malicious payloads.

                  "But only app servers in the zone can talk to agents on port 4750, and the jobs run there based on job rules."

                  Jobs can contain targets from anywhere. So do you also restrict the roles that can run these 'secure' jobs so they can only see the 'secure' servers? Can the 'secure' app server also talk to the normal targets?

                  • 6. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
                    Christopher Dale

                    Bill,

                    Bill Robinson wrote:

                    "The idea is to limit ingress points into a secure zone to the bare minimum."

                    "I mean, I guess, but that limits your capacity and makes things more difficult to work with, like you are finding here. You can use RBAC to limit who can access the 'secure' env and let all the app servers talk to all your targets."

                    The reason is not who has access through the tool; that is being handled through RBAC. It has to do with regulations: the "secured" subnet is not allowed any direct access to the Internet at all, inbound or outbound. Also, allowing app servers that sit in a non-secure zone ("Corporate") to have direct access through the firewall is not allowed. I had the choice of standing up two completely separate environments, having an offline patch catalog in Corporate and going through the process of replicating the data into the secure zone through a two-step process that involved submitting the files to security for scanning during each patch cycle, or... setting up two app servers inside the secure environment with access opened for application-only communication to my corporate app servers, file server, and database, to limit connections to a minimum that could be monitored by security.

                    "And to have the servers inside the zone under tighter internet-facing rules to prevent direct risk from malicious sites."

                    "But it's not 'internet facing'; there is no incoming traffic to the app servers. The app servers (or patch helper, depending on the catalog OS) need outbound access to a list of certain vendor sites, which can be restricted by a firewall or proxy to just those sites. If the 'normal' app servers can possibly contact the malicious sites and be compromised, then since they can talk to (and therefore possibly compromise) the 'secure' app server, I don't see what benefit the 'secure' app server gets you. If you want it to be really 'secure', then you have two separate BSA envs (two databases), the 'secure' env is air-gapped, and you sneakernet patches and other content between the two after scanning it for malicious payloads."

                    I understand your point that the two sets of app servers could still be compromised... but the hope is that multiple hops and RBAC security in the application would limit the exposure by allowing more intense scrutiny of what kinds of traffic were being seen between the Corp and secure app servers.

                    Bill Robinson wrote:

                    "But only app servers in the zone can talk to agents on port 4750, and the jobs run there based on job rules."

                    "Jobs can contain targets from anywhere. So do you also restrict the roles that can run these 'secure' jobs so they can only see the 'secure' servers? Can the 'secure' app server also talk to the normal targets?"

                    Job routing rules based on name currently keep jobs meant for the secure zone running on the app servers in that zone, and "Corporate" jobs running on the remaining servers.

                    The "secure" jobs are locked down to a specific role, and that role can only see the "Secured" servers.

                    The secured app servers can only talk to the file server, database server and the app servers in "Corporate", and only on the specific ports that are required for each type of communication.

                    • 7. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
                      Bill Robinson

                      "Subnet is not allowed any direct access to the Internet at all, inbound or outbound."

                      So you have these 'secure' app servers in the same subnet as your 'secure' targets? And your other app servers can talk to these app servers? So what is to stop compromise of one of the 'corporate' app servers from then allowing a compromise of one of the 'secure' app servers?

                      "Also, allowing app servers that sit in a non-secure zone ("Corporate") to have direct access through the firewall is not allowed."

                      This is what HTTP proxies are for, right?

                      "I had the choice of standing up two completely separate environments, having an offline patch catalog in Corporate and going through the process of replicating the data into the secure zone through a two-step process that involved submitting the files to security for scanning during each patch cycle, or..."

                      Which would be the most secure option here.

                      The right way to do this is:

                      - Use an HTTP/HTTPS proxy. Do the payload scanning there.

                      - Allow only outbound access from the app servers through the proxy to the list of patch sites noted above.

                      - Allow all your app servers to connect to all the targets, 'secure' or not, via 4750/tcp through whatever firewalls.

                      - Set up RBAC so only the 'secure' roles can see the 'secure' targets.

                      - Set up the agent ACLs so they only take connections from the app servers and from the 'secure' roles.

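The first two points of Bill's recommended design (all outbound patch traffic goes through a proxy, and the proxy only permits the vendor patch sites) as a worked proxy configuration. This is an added example and is not part of the original thread, BMC's documentation, or any configuration the posters ran; it uses Squid's ACL syntax. The app-server subnet, the proxy port and the two vendor domains are placeholders chosen for illustration (the thread does not list the actual patch sites), so substitute the hosts your catalog and patch helper really fetch from.

```conf
# Added example: Squid allowlist for BSA app-server patch downloads.
# 10.10.20.0/24, port 3128 and the vendor domains are assumed placeholders.

http_port 3128

# Weak setting, shown for contrast and left commented out: any client may
# fetch any site through the proxy, which gives up the whole point.
# http_access allow all

# Only the BSA app servers (assumed subnet) may use this proxy at all.
acl bsa_appservers src 10.10.20.0/24

# Vendor patch sites the catalog and patch helper need (placeholder names).
# A leading dot matches the domain itself and every subdomain beneath it,
# so a vendor moving downloads to a new CDN hostname under the same domain
# needs no rule change; a new domain is a one-line edit here, not a firewall
# change on every app server.
acl patch_sites dstdomain .example-vendor-updates.com .example-patch-mirror.net

# Plain HTTP on 80, HTTPS via CONNECT on 443, nothing else.
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Both conditions must hold: the client is an app server AND the
# destination is an allowlisted vendor domain.
http_access allow bsa_appservers patch_sites

# Everything else, from anyone, is refused. Denied requests still appear in
# access.log, which is the audit trail the security team asked for.
http_access deny all
access_log /var/log/squid/access.log squid
```

With this in place the firewall needs only two rules: app servers to the proxy on 3128/tcp, and the proxy to the vendor sites on 80 and 443. For HTTPS the `dstdomain` check is made on the hostname in the CONNECT request, so the allowlist works without decrypting traffic; the payload scanning Bill also puts at the proxy does need more than this fragment, either TLS interception or an ICAP-attached scanner, and that is a separate decision for the security team.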
                      • 8. Re: Is it possible to force the patch download portion of a patching job to run on a specific server?
                        Sean Berry

                        Set up a web proxy on the one server allowed internet access, or use a proxy from all servers, and route all web traffic through the proxy?