Target Systems Network Security
For EPAS to function properly, several communication ports need to be open so that it can communicate with the audited targets and extract account profile information (including password hashes) from them.
Although the communication ports can be different from the ones listed in the table below, EPAS requires outgoing access to the following network communication ports, depending on the service audited.
| Module | EPAS Component | Communication Type | Security / Integrity | Default ports | Description |
|---|---|---|---|---|---|
| Audit | Active Directory | WMI / SMB | Yes / Yes | TCP: 135,139,445 TCP: 1025-5000 TCP: 49152-65535 UDP: 137, 138 TCP/UDP: 88 (Optional - only when Protected Users are used) | EPAS can use the highest level of security supported by the target, unless the operator chooses a lower security setting. Secure protocols: WMI through DCOM/RPC for actions; SMB for data transfer. WMI / DCOM RPC supported security: Integrity (Packet Integrity); Confidentiality/Encryption (Packet Privacy). SMB supported security: SMBv3 Confidentiality/Encryption |
| Audit | Windows Local Accounts | WMI / SMB | Yes / Yes | TCP: 135,139,445 TCP: 1025-5000 TCP: 49152-65535 UDP: 137, 138 TCP/UDP: 88 (Optional - only when Protected Users are used) | EPAS can use the highest level of security supported by the target, unless the operator chooses a lower security setting. Secure protocols: WMI through DCOM/RPC for actions; SMB for data transfer. WMI / DCOM RPC supported security: Integrity (Packet Integrity); Confidentiality/Encryption (Packet Privacy). SMB supported security: SMBv3 Confidentiality/Encryption |
| Audit | IBM System i - iSeries - AS/400 | FTP / FTP-SSL | Yes / Yes | TCP: 21 | Secure protocols: FTP-SSL. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | IBM System p - pSeries - RS/6000 AIX | SCP / SFTP / SSH / FTP / FTP-SSL | Yes / Yes | TCP: 21,22 | Secure protocols: SCP, SFTP, SSH and FTP-SSL. SSH, SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | IBM System z - zSeries - z/OS RACF | FTP / FTP-SSL / IND$FILE / IND$FILE-SSL / IND$FILE-TLS | Yes / Yes | TCP: 21,23,1023 | Secure protocols: FTP-SSL, IND$FILE-SSL and IND$FILE-TLS. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | IBM System z - zSeries - z/VM RACF | IND$FILE / IND$FILE-SSL / IND$FILE-TLS | Yes / Yes | TCP: 23,1023 | Secure protocols: FTP-SSL, IND$FILE-SSL and IND$FILE-TLS. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | IBM Lotus Domino Application Server | LDAP / LDAPS / HTTP / HTTPS | Yes / Yes | TCP: 389,636,80,443 | Secure protocols: LDAPS and HTTPS. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | BSD Operating System | SCP / SFTP / SSH / FTP / FTP-SSL | Yes / Yes | TCP: 21,22 | Secure protocols: SCP, SFTP, SSH and FTP-SSL. SSH, SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Linux OS | SCP / SFTP / SSH / FTP / FTP-SSL | Yes / Yes | TCP: 21,22 | Secure protocols: SCP, SFTP, SSH and FTP-SSL. SSH, SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | MacOS System Accounts | SSH | Yes | TCP: 22 | Secure protocols: SSH. SSH supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Sun Solaris - SunOS | SCP / SFTP / SSH / FTP / FTP-SSL | Yes / Yes | TCP: 21,22 | Secure protocols: SCP, SFTP, SSH and FTP-SSL. SSH, SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Apache Basic - htpasswd | SCP / SFTP / SSH / FTP / FTP-SSL | Yes / Yes | TCP: 21,22 | Secure protocols: SCP, SFTP, SSH and FTP-SSL. SSH, SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | SAP NetWeaver - ABAP AS | SAP R/3 RFC | No / No | TCP: 330-3399 | The SAP-RFC connection type uses the proprietary SAP-RFC protocol. Authentication and data transfer are performed unencrypted. |
| Audit | LDAP | LDAP / LDAP-SSL / LDAP-TLS | Yes / Yes | TCP: 389-636 | Secure protocols: LDAP-SSL, LDAP-TLS. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Cisco ISE, ASA, IOS, NX-OS | TELNET (IOS) / SSH (ALL) | No / Yes | TCP: 23/22 | Secure protocols: SSH. SSH supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | MSSQL System Accounts | Microsoft SQL Server / MSSQL-TLS | Yes / Yes | TCP: 1433 | Secure protocols: MSSQL-TLS. MSSQL-TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | MySQL System Accounts | MySQL / MySQL-TLS | Yes / Yes | TCP: 3306 | Secure protocols: MySQL-TLS. MySQL-TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Oracle System Accounts | Oracle / Oracle-SSL/TLS | Yes / Yes | TCP: 1521 | Secure protocols: Oracle over SSL-TLS. Oracle over SSL-TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Postgres System Accounts | Postgres / Postgres-SSL/TLS | Yes / Yes | TCP: 5432 | Secure protocols: Postgres over SSL-TLS. Postgres over SSL-TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Sybase ASE System Accounts | Sybase / Sybase-SSL/TLS | Yes / Yes | TCP: 5000 | Secure protocols: Sybase over SSL-TLS. Sybase over SSL-TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | MongoDB System Accounts | MongoDB / MongoDB TLS / MongoDB TLS X509 | Yes / Yes | TCP: 27017 | Secure protocols: MongoDB-TLS and MongoDB-TLS X509. MongoDB-TLS & MongoDB-TLS X509 supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | Database Custom Application | MSSQL/MySQL/Oracle/Postgres/Sybase/DB2/MaxDB/Informix | Yes / Yes | TCP: 1433 TCP: 3306 TCP: 1521 TCP: 5432 TCP: 5000 TCP: 27017 | Secure protocols: MSSQL-TLS, MySQL-TLS, Oracle-SSL/TLS, Postgres-SSL/TLS, Sybase-SSL/TLS, MongoDB-TLS and MongoDB-TLS X509. Supported security for these protocols: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | EPAS Worker | SSH / SCP / RSYNC | Yes / Yes | TCP: 22 | EPAS uses the highest level of security for communication and authentication with the EPAS Worker. Secure protocols: SSH and key-based authentication. SSH and key-based authentication supported security: Confidentiality / Encryption and Integrity; Industry standard level for key size and supported ciphers |
| Audit | EPAS Agent | SSH / SCP / RSYNC | Yes / Yes | TCP: 22 | EPAS uses the highest level of security for communication and authentication with the EPAS Agent. Secure protocols: SSH and key-based authentication. SSH and key-based authentication supported security: Confidentiality / Encryption and Integrity; Industry standard level for key size and supported ciphers |
| Audit | EPAS External Authentication Source | LDAP / LDAP-TLS / LDAP-SSL / RADIUS | Yes / Yes | TCP: 389,636,1812 | EPAS uses the highest level of security for communication and authentication with external authentication sources. Secure protocols: LDAP-TLS, LDAP-SSL, RADIUS. LDAP-TLS and LDAP-SSL supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target. RADIUS supported security: Confidentiality / Encryption and Integrity by using a strong shared secret |
| Audit | EPAS Integration - CyberArk | HTTPS / SSL | Yes / Yes | TCP: 443,1858 | EPAS can be integrated with CyberArk Enterprise Password Vaults and CyberArk Credential Provider, using the highest level of security supported by the customer-defined CyberArk deployment. Secure protocols: SSL and TLS. SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | EPAS Integration - Mail Gateway | SMTP / SMTP with SSL / TLS | Yes / Yes | TCP: 25,465,587 | Secure protocols: SMTP with SSL & TLS. SMTP with SSL & TLS supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Audit | EPAS Online Backups | SMB / SFTP / SCP | Yes / Yes | TCP: 22,135,139,445 | Secure protocols: SSH and SMB. SMB supported security: SMBv3 Confidentiality / Encryption. SSH supported security: Confidentiality / Encryption and Integrity; Highest protocol level and key size supported by target |
| Enforcer | EPAS Agent - Enforcer Service | HTTPS | Yes / Yes | TCP: 10443 | Secure protocols: HTTPS and authentication with client certificate. HTTPS & authentication with client certificate supported security: Confidentiality / Encryption and Integrity; Industry standard level for key size and supported ciphers |
| Enforcer | EPAS Master - Enforcer Service | HTTPS | Yes / Yes | TCP: 10443 | Secure protocols: HTTPS and authentication with client certificate. HTTPS & authentication with client certificate supported security: Confidentiality / Encryption and Integrity; Industry standard level for key size and supported ciphers |
| Enforcer | EPAS Master - EPAS Agent | SSH / RSYNC | Yes / Yes | TCP: 22 | EPAS Master uses SSH for synchronising the Enforcer data with the participating EPAS Agents. Secure protocols: SSH and key-based authentication. SSH & key-based authentication supported security: Confidentiality / Encryption and Integrity; Industry standard level for key size and supported ciphers |
| Enforcer | Deployment - Microsoft AD / Local | WMI / SMB | Yes / Yes | TCP: 135,139,445 TCP: 1025-5000 TCP: 49152-65535 UDP: 137,138 TCP/UDP: 88 (Optional - only when Protected Users are used) | EPAS can use the highest level of security supported by the target AD, unless the operator chooses a lower security setting. Secure protocols: WMI through DCOM/RPC for actions; SMB for data transfer. WMI / DCOM RPC supported security: Integrity (Packet Integrity); Confidentiality/Encryption (Packet Privacy). SMB supported security: SMBv3 Confidentiality/Encryption |
| Enforcer | Deployment - Linux | SSH | Yes / Yes | TCP: 22 | Secure protocols: SSH. SSH supported security: Confidentiality/Encryption and Integrity; Highest protocol level and key size supported by target |
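As an added example that is not part of the EPAS documentation or product, the following Python script parses the "Default ports" notation used in the table above, reports which required ports an existing egress policy fails to cover, and renders a least-privilege nftables allow-list for one target. The sample port string is the Active Directory row above; the target address 192.0.2.10, the sample policy and the nftables rule form are assumptions.

```python
# Added example for this page (not EPAS code): parse the table's port notation.
import re
from typing import List, NamedTuple

class PortRule(NamedTuple):
    proto: str      # "tcp" or "udp"
    first: int      # first port of the range (equals last for a single port)
    last: int
    optional: bool  # True for the group the table marks "(Optional ...)"

# Sample input copied from the Active Directory row of the table above.
AD_PORTS = ("TCP: 135,139,445 TCP: 1025-5000 TCP: 49152-65535 UDP: 137, 138 "
            "TCP/UDP: 88 (Optional - only when Protected Users are used)")

def parse_port_spec(spec: str) -> List[PortRule]:
    """Turn 'PROTO: p1,p2 PROTO: lo-hi ... (Optional ...)' into PortRule entries."""
    body, _, note = spec.partition("(")      # split off the "(Optional ...)" note
    groups = list(re.finditer(r"(TCP/UDP|TCP|UDP):\s*([\d,\s-]+)", body))
    rules = []
    for i, m in enumerate(groups):
        # the note applies only to the port group written directly before it
        optional = note.startswith("Optional") and i == len(groups) - 1
        for proto in m.group(1).lower().split("/"):   # "TCP/UDP" -> both
            for item in filter(None, map(str.strip, m.group(2).split(","))):
                lo, _, hi = item.partition("-")
                rules.append(PortRule(proto, int(lo), int(hi or lo), optional))
    return rules

def uncovered(required: List[PortRule], allowed: List[PortRule]) -> List[PortRule]:
    """Required rules that no single allowed range fully contains (policy gaps)."""
    return [r for r in required
            if not any(a.proto == r.proto and a.first <= r.first <= r.last <= a.last
                       for a in allowed)]

def nft_egress_rules(target: str, rules: List[PortRule]) -> List[str]:
    """Render a least-privilege nftables allow-list for outbound traffic to target."""
    out = []
    for proto in ("tcp", "udp"):
        ports = [str(r.first) if r.first == r.last else f"{r.first}-{r.last}"
                 for r in rules if r.proto == proto]
        if ports:
            out.append(f"ip daddr {target} {proto} dport {{ {', '.join(ports)} }} accept")
    return out

if __name__ == "__main__":
    required = parse_port_spec(AD_PORTS)
    # Constructed sample of an existing egress policy missing the RPC dynamic ranges.
    policy = [PortRule("tcp", 135, 445, False), PortRule("udp", 137, 138, False)]
    print("not allowed by policy:", uncovered(required, policy))
    print("\n".join(nft_egress_rules("192.0.2.10", required)))   # assumed target IP
```

Rules flagged as optional (Kerberos on 88 for Protected Users) can be dropped from the allow-list when that feature is not in use.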
Additionally, if NTP synchronization, SMTP relays, LDAP / RADIUS external authentication or external logging via SYSLOG are enabled in the EPAS Systems menu, the following communication ports need to be open between the EPAS Master and the server hosting that service:
| Protocol / Service | Default Ports |
|---|---|
| SMTP, SMTP / TLS | TCP: 25 |
| SMTP / SSL | TCP: 465 |
| NTP | UDP: 123 |
| LDAP | TCP: 389 |
| LDAP / SSL | TCP: 636 |
| RADIUS | UDP: 1812 |
| SYSLOG | UDP: 514 |
For incoming communication, the following ports / services are used, by default, by the EPAS Master:
| Protocol / Service | Default Ports |
|---|---|
| Admin / Reporter HTTP | TCP: 80 |
| Admin / Reporter HTTPS | TCP: 443 |
| PQA HTTP | TCP: 8080 |
| PQA HTTPS | TCP: 443 |
Communication between the EPAS Master and the EPAS Worker is not subject to customer network security / firewall rules, as the connection between the two components is direct and does not pass through any customer network.
Communication between the EPAS Master and the EPAS Agent is done via an encrypted protocol, by default enabled on port 22. Only the EPAS Master communicates with the EPAS Agent. All communication from the EPAS Agent to the target network is subject to the outgoing communication routes mentioned above.