IBM Verify


DMZ webSEAL in Cluster, do I need to worry about open ssh port 22?

  • 1.  DMZ webSEAL in Cluster, do I need to worry about open ssh port 22?

    Posted Thu August 20, 2020 12:59 PM
    Dear All,
    I am trying to join DMZ WebSEAL nodes to my existing policy server cluster. My network team is apprehensive of the dangers in opening up SSH port 22. Is that really that dangerous? What is the general practice around here? Do we not add DMZ WebSEALs to the cluster? Does joining those as restricted nodes not provide enough security? I feel keeping access to Policy Admin on those nodes is more of a security compromise than opening port 22. Appreciate your thoughts on this. Thank you!

    -Raj.

    ------------------------------
    Rajkumar
    ------------------------------


  • 2.  RE: DMZ webSEAL in Cluster, do I need to worry about open ssh port 22?

    Posted Fri August 21, 2020 02:10 AM
    Raj,

    It's not unusual for the security team to not want anything listening on port 22 on a DMZ machine - this is a common port for hackers to attack and this is why it is usually treated carefully.  If you are using a recent version of the appliance (maybe 9.0.6 and later) you have the ability to change the port on which the SSH daemon is listening.  Just go into the 'System -> Administrator Settings' on your appliance and change the 'SSH Daemon Port' setting.  Generally the security folk are OK with the SSH daemon listening on a different port.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------