IBM Analytics Ideas


Ability to limit open ports in Watson Explorer Content Analytics

Description:

System: Watson Explorer Content Analytics

Actor: User security enhancement – ability to limit the number of open ports for listening in a distributed system.

Currently, ports 49152 to 65535 are required to be open for listening when using Watson Explorer Content Analytics in a distributed format. Best practice in securing an environment is to have all ports closed, then open only the ports that are required to run the application. Given this, the ability to select a port range for Watson Explorer to listen on would solve this problem. Other IBM products that have a large range of ports open provide the capability to limit their port range in this manner.

Description: There is a requirement from our customer for Watson Explorer to limit the range of open ports for listening, so as to better secure the application in this and other environments.

Use Case:

System: Watson Explorer Content Analytics

Actor: Security

Use case for the system:

WebSphere, IHS, WebSphere Plug-in, and Watson Explorer Content Analytics have been installed on a system.

Watson Explorer is configured to limit its port range.

The server firewall is configured to open corresponding ports to match the port range defined in Watson Explorer.

The distributed Watson Explorer applications communicate to one another through the configured port ranges that have been opened through the firewall ports.

Business Justification:

The WEX product should adhere to industry security practices, which require that only a limited number of ports be used to run an application and that only those ports that are necessary be opened and configured. Watson Explorer is requiring that 16,410 ports be opened and listening in a distributed environment. Having this many ports open exposes those ports on a system to nefarious exploits, which is frowned upon for software supporting an enterprise solution. This range is too broad in a secure environment and can lead to problems in getting the application approved for use in those environments. This security vulnerability can prevent IBM from offering this product to businesses as an enterprise solution and furthermore expose their customers to an inherent exploit within the product.

  • Scott Rakow
  • Aug 4 2017
  • Planned
  • Role Summary: User security enhancement required (PMR 76344,082,000) for Watson Explorer
  • Idea Priority: High
  • Owning Tribe: Advanced Analytics & Data Science
  • Owning Segment: Analytics Platform
  • Admin
    YUTAKA MORIYA commented
    September 1, 2017 06:12

    I think your concern comes from this page.

    https://www.ibm.com/support/knowledgecenter/en/SS8NLW_11.0.2/com.ibm.discovery.es.ad.doc/iiysatcpport.htm

    Anonymous or dynamic ports for CCL, file transfers (ESFTP), and index copy | 49152 to 65535 | On all servers

     

    Actually, those ports are used for the communications among WEX nodes only.

    Thus, you do not need to open the ports externally.

    For example, you can put all servers inside the firewall and configure the firewall to close these ports externally.

     

    I think this is a simple solution and hope this makes sense.

     

    Regards

  • Scott Rakow commented
    September 1, 2017 14:40

    You are correct in that that is where I am referencing this from. However, being behind a firewall is not a good enough reason in some environments to have that many ports open. Firewalls can be breached, and in security scans, showing that many ports open (even behind a firewall) is frowned upon unless a very strong justification can be shown. That is an extremely large number of ports to have open.

  • Admin
    YUTAKA MORIYA commented
    September 4, 2017 06:26

    WEX uses available ports randomly from 49152 to 65535; not all ports are opened.

    Mark as "Planned" to improve the documentation.
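
Added example, not part of the original thread and not IBM tooling: a short Python check that counts which ports in the 49152 to 65535 range actually have listeners on a node, and which of those are bound to all interfaces rather than to one node address. The `ss -Htln` sample text and every function name are constructed for illustration.

```python
import ipaddress

# Dynamic port range quoted on the page for CCL, ESFTP and index copy.
DYN_LOW, DYN_HIGH = 49152, 65535

# Constructed sample in the layout of `ss -Htln` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 10.0.0.11:49317 0.0.0.0:*
LISTEN 0 50 *:51022 *:*
LISTEN 0 50 [::]:60110 [::]:*
LISTEN 0 128 127.0.0.1:8390 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, '*', or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def is_wildcard(addr):
    """True when the socket is bound to every interface."""
    if addr == "*":
        return True
    return ipaddress.ip_address(addr).is_unspecified

def dynamic_listeners(ss_output):
    """Return (addr, port, wildcard) for each listener inside the dynamic range."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or non-listening rows
        addr, port = split_endpoint(fields[3])
        if DYN_LOW <= port <= DYN_HIGH:
            found.append((addr, port, is_wildcard(addr)))
    return found

def summarize(ss_output):
    """Compare what is listening with the size of the documented range."""
    hits = dynamic_listeners(ss_output)
    return {
        "range_size": DYN_HIGH - DYN_LOW + 1,
        "listening": len(hits),
        "wildcard_bound": sorted(p for _, p, w in hits if w),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_SS))
```

Listeners reported under `wildcard_bound` are the ones a host firewall rule needs to scope to the other nodes' addresses.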
