This page contains ITOptimize security details.

ITOptimize functionality

There are two conditions which cause ITOptimize to reach out to a server: discovery and polling.

During discovery, for the WMI, SSH, and VMware protocols, ITO performs a logon to the target server and pulls a set of information from the host, including server make and model, IP, serial number, OS type, CPU details (make/model, cache, speed, ...) and memory details (make/model, size, type, ...). SNMP discovery is similar, except no physical logon to the host is required. After initial discovery, a discovery of a Windows or Linux server only needs to occur if the physical hardware changes. Running discoveries less than once a month is often enough, but the frequency must be based on the server changes made in the data center.

Polling occurs when ITO contacts the target server to pull CPU utilization information. In this case, only previously discovered servers are polled. By default, polls occur every five minutes. This value can be configured using the DCO GUI to occur as infrequently as every 30 minutes. With 1000 discovered hosts, you can expect approximately 100k of polling data to be read from servers every 5 minutes. Overall load on the target servers is low. In our labs, we have a large set of ITO configurations discovering and polling a set of live servers. They are all polling and discovering the same servers 24x365. The average CPU utilization of our idle lab servers (so only ITO discovery and polling is occurring on them) is approximately 3%.

 

Network protocol and ports

Each entry below lists the table columns in order: Protocol, Transfer protocol, Port(s), Network, Credentials/Access, Encryption, Commands.

Protocol: WMI
Transfer protocol: TCP
Port(s): Request: 135. Response: 1024-65535.
Network: Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.
Credentials/Access: WMI connections between hosts require valid user credentials on the remote system. The credentials should be encrypted on Linux (using j-Interop) as well as Windows (using the native Windows libraries). ITOptimize polls the Windows server WMI namespace. The specified user account must have local administrator access to query disk-related details from the namespace.
Encryption: Credential information is always encrypted using NTLM and/or Kerberos encryption.

Protocol: SNMP
Transfer protocol: TCP/UDP
Port(s): 161, 162
Network: Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.
Credentials/Access: ITOptimize uses a read-only community string to pull values from a set of server OIDs or Blade Chassis OIDs.
Encryption: No encryption is used for SNMP communication. Both SNMP v1 and v2 are supported.

Protocol: VMware vSphere Web Service
Transfer protocol: TCP
Port(s): 80, 443
Network: Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.
Credentials/Access: Connections are made on port 443 by default. SSL connections are made to the VMware web services APIs to pull ESX server and guest utilization information. Password authentication is used; no keys are stored on the ITO server. VMware protocol discoveries require a local user account on each ESX host. The account must belong to at least the readonly role. It does NOT require access to the ESX shell.
Encryption: Encrypted connection (SSL) to the default HTTPS port (443); key length is determined by the server.

Protocol: SSH
Transfer protocol: TCP
Port(s): 22
Network: Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.
Credentials/Access: Discovery commands require root level access. "sudo" may be used to complete this task; a guide can be found . Polling of Linux and Unix clients is completed using SNMP.
Encryption: The server determines cipher type and key length. SSH v2 is supported, v1 is not supported.

Protocol: TCP ECHO
Transfer protocol: TCP
Port(s): 7
Network: Echo functionality to make sure the discovered device is alive
Credentials/Access: -
Encryption: -
Commands: -

Protocol: ICMP ECHO
Transfer protocol: IP
Port(s): N/A
Network: Ping/Echo functionality to make sure the discovered device is alive
Credentials/Access: -
Encryption: -
Commands: -

Protocol: IPMI
Transfer protocol: UDP
Port(s): 623
Network: Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration.
Credentials/Access: IPMI connections between hosts require valid user credentials on the remote system.
Encryption: Depending on configuration and BMC interface

Protocol: Postgres
Transfer protocol: UDP
Port(s): 3306
Network: Localhost only - internal ITO database connection
Credentials/Access: Handled by ITO system
Encryption: Yes
Commands: -

Protocol: HTTP
Transfer protocol: TCP
Port(s): 8090
Network: Management Console interface for ITO
Credentials/Access: Handled by DCO/ITO integration interface
Encryption: -
Commands: -

Protocol: HTTPS
Transfer protocol: TCP
Port(s): 8643
Network: Management Console interface for Intel DCM
Credentials/Access: Localhost only
Encryption: -
Commands: -

Protocol: HTTP
Transfer protocol: UDP
Port(s): 8688
Network: Management Console interface for Intel DCM
Credentials/Access: Localhost only
Encryption: -
Commands: -

Protocol: Postgres
Transfer protocol: UDP
Port(s): 6443
Network: Localhost only - internal Intel DCM database connection
Credentials/Access: Localhost only
Encryption: -
Commands: -

Server Access - related protocols

Protocol: VNC
Transfer protocol: RFB
Port(s): 5900 (default)
Network: Bandwidth usage is very dependent on screen activity and usage.
Credentials/Access: More info can be found
Encryption: The encryption is dependent on the OS and the installed VNC application.
Commands: -

Protocol: SSH
Transfer protocol: TCP
Port(s): 22
Network: Since only text is transferred, the bandwidth requirement is very limited.
Credentials/Access: More info can be found
Encryption: The server determines cipher type and key length.
Commands: -

Protocol: RDP
Transfer protocol: TCP
Port(s): 3389 (default)
Network: Bandwidth usage is very dependent on screen activity and usage.
Credentials/Access: More info can be found
Encryption: The encryption is dependent on the OS and the installed application. Default 128-bit encryption, using the RC4 encryption algorithm.
Commands: -
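
The table marks ports 3306, 8643, 8688 and 6443 as localhost only. The following is an added example, not part of the product or its documentation, that checks this on a Linux server by parsing the output of `ss -H -tuln`; the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Ports the table above marks "Localhost only". The listed transports are not
# relied on here: TCP and UDP sockets are both checked.
LOCALHOST_ONLY = {
    3306: "internal ITO database",
    8643: "Intel DCM management console (HTTPS)",
    8688: "Intel DCM management console (HTTP)",
    6443: "internal Intel DCM database",
}

def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.strip("[]").split("%")[0]      # drop IPv6 brackets and %iface
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                          # "*" wildcard or unparsable
        return False
    if ip.version == 6 and ip.ipv4_mapped:      # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_loopback

def exposed_listeners(ss_output):
    """Return (netid, bind address, port, service) for each localhost-only
    port that is bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[4].rpartition(":")
        if port.isdigit() and int(port) in LOCALHOST_ONLY and not is_loopback(host):
            findings.append((fields[0], host, int(port), LOCALHOST_ONLY[int(port)]))
    return findings

# Constructed sample of `ss -H -tuln` output, not taken from a real server.
SAMPLE = """\
tcp   LISTEN 0 80   127.0.0.1:3306           0.0.0.0:*
tcp   LISTEN 0 50   *:8090                   *:*
tcp   LISTEN 0 50   [::ffff:127.0.0.1]:8643  *:*
udp   UNCONN 0 0    0.0.0.0:8688             0.0.0.0:*
tcp   LISTEN 0 128  *:6443                   *:*
tcp   LISTEN 0 128  [::]:22                  [::]:*
"""

if __name__ == "__main__":
    for netid, host, port, service in exposed_listeners(SAMPLE):
        print(f"{netid}/{port} ({service}) is bound to {host}, expected loopback only")
```

Port 8090 is not flagged because the table does not list it as localhost only.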


A 1024-bit RSA key is generated and used for SSL communication. The key is self-signed and will generally require the user to trust the signing authority. When connecting to an ITO server, DCO presents a dialog asking the user to trust the certificate. The keystore where the RSA key is stored is password protected.

Packages being used in ITOptimize server

Packages and their version numbers being used in ITOptimize server can be found .

Firewall configuration

ITOptimize does not contain any firewall in the installation. The firewall must allow the ports needed from the table of ports and protocols above.
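
As an added example (not part of the product), the discovery and polling ports from the table can be turned into an allowlist that admits only the ITO server and only the protocols actually in use. It assumes a Linux nftables router between the ITO server and the managed network, with an existing `inet filter` table whose `forward` chain drops by default and already accepts established traffic; the function name and addresses are constructed.

```python
import ipaddress

# Discovery/polling ports as listed in the table above (ITO server -> managed hosts).
PORTS = {
    "wmi":      ["tcp dport 135", "tcp dport 1024-65535"],  # request port + response range
    "snmp":     ["tcp dport { 161, 162 }", "udp dport { 161, 162 }"],
    "vmware":   ["tcp dport { 80, 443 }"],
    "ssh":      ["tcp dport 22"],
    "tcp-echo": ["tcp dport 7"],
    "ipmi":     ["udp dport 623"],
}

def forward_rules(ito_server, managed_net, enabled, ping=True):
    """Return nftables 'add rule' lines that let only ito_server reach
    managed_net, and only on the ports of the enabled protocols."""
    src = ipaddress.ip_address(ito_server)      # ValueError on malformed input
    dst = ipaddress.ip_network(managed_net)
    if src.version != dst.version:
        raise ValueError("server and managed network must use the same IP version")
    fam = "ip" if src.version == 4 else "ip6"
    prefix = f"add rule inet filter forward {fam} saddr {src} {fam} daddr {dst}"
    # An unknown protocol name raises KeyError instead of silently opening nothing.
    rules = [f"{prefix} {match} accept" for proto in enabled for match in PORTS[proto]]
    if ping:                                    # ICMP ECHO liveness check from the table
        icmp = "icmp" if src.version == 4 else "icmpv6"
        rules.append(f"{prefix} {icmp} type echo-request accept")
    return rules

if __name__ == "__main__":
    # Constructed addresses; only SSH and SNMP discovery are in use here.
    for rule in forward_rules("192.0.2.10", "10.20.0.0/24", ["ssh", "snmp"]):
        print(rule)
```

Enabling `wmi` admits the whole 1024-65535 TCP range listed in the table, so the source restriction to the single ITO server address is what keeps that rule narrow.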

Software Vulnerability, Scan(s) and Certifications

Status in terms of general known vulnerabilities can be found  .

A software scanning tool is run against every release of the product. The results are investigated and any needed action, such as security updates, is taken. The scanning tool used is Nessus.
Nessus is a network vulnerability scan utility. It scans the server as a network device and not just as a web server. Please contact us for details.

Antivirus

Antivirus tools are not provided with the ITOptimize server installation. Antivirus is allowed on the ITOptimize server and target client. It is recommended to exclude the data folders for the databases to maintain performance and reduce problems when installing and upgrading ITO software.

Logging

Log files can be found in the .log folder in the installation directory of the ITOptimize server.

Database architecture

ITOptimize database technology is MariaDB version 5.2.14 and cannot be exchanged with any other database type or technology.

