58 IBM Tivoli Remote Control Across Firewalls
2.1 Design
In this section we address design considerations for the implementation of IBM
Tivoli Remote Control in a secure environment. We assume that the Tivoli
environment is already deployed within the enterprise, so this section provides
no information on planning for the IBM Tivoli Management Framework or the
Tivoli Firewall Security Toolbox. For more information about the IBM Tivoli
Management Framework architecture, refer to the Tivoli Management Framework
Planning for Deployment Guide, GC32-0803, and for more information about the
Tivoli Firewall Security Toolbox architecture, refer to the Firewall Security
Toolbox User’s Guide, GC23-4826.
Furthermore, as the main topic of this book is to describe IBM Tivoli Remote
Control in a firewall environment, this section focuses more on the IBM Tivoli
Remote Control Proxy planning considerations than on the whole picture of IBM
Tivoli Remote Control planning. You can get more information about architecture
considerations and configuration for a standard IBM Tivoli Remote Control
environment in the IBM Tivoli Remote Control User’s Guide, SC23-4842.
We should also point out that we will not cover planning for the Remote Control
component, as the Remote Control Proxies provide a better technology and are
more flexible in responding to all security constraints an enterprise may have.
2.1.1 Logical design
In order to force the RC Controller to use an RC Target Proxy, some specific
Remote Control policies need to be configured. This means that a new logical
structure must be defined for each secure environment served by a different RC
Target-Controller Proxy architecture.
In order to satisfy this requirement, and because the Remote Control object is a
Tivoli managed resource, a new Policy Region must be created to host the new
Remote Control Tool (RC Tool) object. This RC Tool will manage the list of
Targets for a specific secure zone served by the same RC Target Proxy. All RC
Tools created in this Policy Region are subject to the same set of RC policies,
because the policies apply to a Policy Region and not to a specific RC Object.
You should create as many Policy Regions as RC Target-Controller Proxy
architectures you plan to have.
The main RC policies that need to be reviewed for a secure environment are:
rc_def_proxy: Defines whether to use Remote Control Proxies or not.
rc_def_ports: Defines the ports to use for Controller-Target communications.
rc_def_encryption: Defines data encryption using the DES method.