This page contains trueITOptimizebranding security details.

trueITOptimizebranding functionality

There are two conditions which cause trueITOptimizebranding to reach out to a server. They are discovery and polling.  

During discovery, for WMI, SSH, and VMware protocols, trueITObranding performs a logon to the target server, and pulls a series of information from the host including server make and model, IP, serial number, OS type, CPU details  (make/model, cache, speed,...), Memory details (make/model, size, type,  ...). SNMP discovery is similar, except no physical logon to the host is required. After initial discovery, a discovery of a Windows or Linux server only needs to occur if the physical hardware changes. Often running discoveries less than once a month is enough but must be based on server changes done in the data center.   

Polling occurs when trueITObrandingcontacts the target server to pull CPU utilization information. In this case, only previously discovered servers are polled. By default,  polls occur every five minutes. This value can be configured using the trueDCObranding GUI to occur as infrequently as every 30 minutes. So having 1000 discovered hosts, you can expect approximately 100k of polling data to be read from servers every 5 minutes. Overall load on the target servers is low. In our labs, we have a large set of trueITObrandingconfigurations discovering and poling a set of live servers. They are all polling and discovering the same servers 24x365. The average CPU utilization of our idle lab servers (so only trueITObrandingdiscover and polling is occurring on them) is approximately 3%.

 

Network protocol and ports

Protocol

Transfer protocol

Port(s)

NetworkCredentials/AccessEncryptionCommands

WMI

TCP

Request: 135

Response: 1024-65535

Discovery queries between 3K and 10K of data (on average) per discovered asset.

Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.

WMI connections between hosts require valid user credentials on the remote system.

The credentials should be encrypted on Linux (using j-Interop) as well as Windows (using the  native Windows libraries).

trueITOptimizebranding polls Windows server WMI namespace. The specified user account must have local administrator access to query disk related details from the namespace.

Credential information is always encrypted using NTLM  and/or Kerberos encryption. 

SNMP

TCP/UDP

161, 162

Discovery queries between 3K and 10K of data (on average) per discovered asset.

Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.

trueITOptimizebranding uses a read-only community string to pull values from a set of server OIDs or Blade Chassis OIDs

No encryption is used for SNMP communication

Both SNMP v1 and v2 are supported.

VMware vSphere Web Service

TCP

80, 443

Discovery queries between 3K and 10K of data (on average) per discovered asset.

Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.

Connections are made on port 443 by default

SSL connections to VMware web services api's to pull ESX server and guest utilization information

Password authentication is used, no keys are stored on the trueITObrandingserver.

VMware protocol discoveries require a local user account on each ESX host. The account must belong to at least the readonly role. It does NOT require access to the ESX shell.

Encrypted connection (SSL) to the default https port (443) key length is determined by server

SSH

TCP

22

Discovery queries between 3K and 10K of data (on average) per discovered asset.

Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.

Discovery commands require root level access. "sudo" may be used to complete this task a guide can be found . Polling of Linux and Unix clients is completed using SNMP.

 

Server determine cipher type and key length.

SSH v2 is supported, v1 is not supported.

TCP ECHO

TCP

7

Echo functionality to make sure discovered device is alive---

ICMP ECHO

IP

N/A

Ping/Echo functionality to make sure discovered device is alive---

IPMI

UDP

623

Discovery queries between 3K and 10K of data (on average) per discovered asset.

Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.

IPMI connections between hosts require valid user credentials on the remote system.

Depending on configuration and BMC interface 
PostgresUDP3306Localhost only - internal ITO database connectionHandled by ITO systemYes-
HTTPTCP8090Management Console interface for ITOHandled by DCO/ITO integration interface--

HTTPs

TCP

8643

Management Console interface for Intel DCM

Localhost only--

HTTP

UDP

8688

Management Console interface for Intel DCM Localhost only--

Postgres

UDP

6443

Localhost only - internal Intel DCM database connectionLocalhost only--
Server Access - related protocols
VNCRFB5900 (default)Bandwidth usage is very depended on screen activity and usageMore info can be found  The encryption is depended on the OS and the installed VNC application-
SSHTCP22Since text only is transferred the bandwidth requirement is very limited.More info can be found  Server determine cipher type and key length-
RDPTCP3389 (default)Bandwidth usage is very depended on screen activity and usageMore info can be found  The encryption is depended on the OS and the installed application. Default 128-bit encryption, using the RC4 encryption algorithm-


A 1024-bit RSA key is generated and used for SSL communication. The key is self- signed and will generally require the user to trust the signing authority. When connecting to an trueITObrandingserver, trueDCObrandingpresents a dialog asking the user to trust the certificate. The keystore where the RSA key is stored is password protected.

Packages being used in trueITOptimizebranding server

Packages and their version numbers being used in trueITOptimizebranding server can be found .

Firewall configuration

trueITOptimizebranding does not contain any firewall in the installation. The firewall must be allowing ports as needed from the above table of ports and protocols.

Software Vulnerability, Scan(s) and Certifications

Status in terms of general known vulnerabilities can be found .

A software scanning tool is run against every release of the product. The results are investigated and needed action in terms of security updates etc. taken. The scanning tool used is named Nessus.
Nessus is a network vulnerability scan utility. It scans the server as a network device and not just a webserver. Please contact us for details.

Antivirus

Antivirus tools are not provided with the trueITOptimizebrandingserver installation. Antivirus is allowed on the trueITOptimizebrandingserver and target client. It is recommended to exclude the data folders for the databases to maintain performance and reduce problems when installing and upgrading ITO software.

Logging

Log files can be found in the .log folder in the installation directory of the trueITOptimizebranding server

Database architecture

trueITOptimizebrandingdatabase technology is MariaDB version 5.2.14 and cannot be exchanged with any other database type or technology.


See also