DTN ProphetX™

Firewall Configuration Using Restricted Ports

©2005-2006 DTN. All rights reserved.

DTN ProphetX is a trademark and the property of DTN.


Abstract

This paper describes how DTN ProphetX works with an organization’s existing firewall security. You will learn about DTN ProphetX requirements for Transmission Control Protocol (TCP) connections and the Internet Protocol (IP) ports needed to establish a Quote Server™ connection.

Contents

Components of a Secured System
Establishing a DTN ProphetX Connection with a Firewall
Firewall Limitations
Security and Policy Concerns

Copyright

Copyright (c) 2005-2006, DTN. This document and the software it describes are copyrighted with all rights reserved. Neither this document nor the software may be copied in whole or in part without the prior written consent of the copyright owner. Printed in the United States of America.

Components of a Secured System

A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of routers, proxy servers, host computers, gateways, and networks with the appropriate security software. A number of newer commercial firewalls, such as Microsoft’s Proxy Server 2.0, are attempting to put all of the components in a single box. The following diagram shows a firewall configuration.

For most organizations, an Internet connection is part of the firewall. The firewall identifies itself to the outside network as a number of IP addresses, or as capable of routing to a number of IP addresses, all associated with domain name service (DNS) entries. The firewall might respond as all of these hosts (a virtual machine) or pass on packets bound for these hosts to assigned computers.

Establishing a DTN ProphetX Connection with a Firewall

When you use DTN ProphetX to connect to a DTN Quote Server over the Internet, certain IP ports are required to establish the connection. If you use a firewall to connect to the Internet, it must be configured such that the following outbound IP ports are not blocked.

Firewall Ports / Uses
20001-20004 / DTN Connection Control Protocol: initial primary TCP connection to DTN ProphetX server ports 1-4

DNS Server Names / IP Address / ProphetX Ports
ProphetX1.DTN.COM / 66.112.149.33 / 1 - 4
ProphetX2.DTN.COM / 66.112.149.39 / 1 - 4
ProphetX3.DTN.COM / 66.112.146.201 / 1 - 4
ProphetX4.DTN.COM / 66.112.146.205 / 1 - 4
ProphetX5.DTN.COM / 66.112.149.45 / 1 - 4
ProphetX6.DTN.COM / 66.112.149.51 / 1 - 4
ProphetX7.DTN.COM / 66.112.146.194 / 1 - 4
ProphetX8.DTN.COM / 66.112.146.198 / 1 - 4
ProphetX9.DTN.COM / 66.112.146.189 / 1 - 4
ProphetX10.DTN.COM / 66.112.146.191 / 1 - 4

Microsoft Proxy Server – Example

The following steps describe how to set up the Microsoft Proxy Server to enable the necessary ports for DTN ProphetX connections. Use this example as a guideline for configuring your proxy server for DTN ProphetX.

  1. Start the Microsoft Internet Service Manager, and then click Winsock Proxy Service properties.
  2. Click the Protocols tab, and click Add.
  3. Add each primary (initial) port required for DTN ProphetX (listed under “Establishing a DTN ProphetX Connection with a Firewall”) by typing or selecting values for the following fields:

     Protocol Name
     Port
     Type
     Direction

     For example, if you want to add port 20004, you would enter the following:

     Protocol Name: DTN ProphetX1.DTN.COM
     Port: 20004
     Type: TCP (default)
     Direction: Outbound

  4. Click OK to add the protocol definition.

Firewall Limitations

Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection handling mechanism, you will not be able to use DTN ProphetX through the firewall.

Security and Policy Concerns

Some organizations might have security or policy concerns that require them to limit how fully they support DTN ProphetX in their firewall configuration. These concerns might be based on network capacity planning or low confidence in the firewall technology being used. You may wish to restrict inbound and outbound traffic on these open ports (20001-20004) to specific IP addresses of our servers – thus preventing casual hackers from exploiting your open ports. For specific IP addresses, please contact DTN Market Access technical support.
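The restriction described above can be verified against outbound firewall logs. The following is an added example, not DTN's code: it flags TCP flows on ports 20001-20004 whose destination is not one of the server addresses listed in the table in this paper. The log layout and the sample records are constructed for illustration, and the address list should be confirmed with DTN support as the text says.

```python
import ipaddress
import re

# Server addresses copied from the table in this paper; confirm current values with DTN support.
PROPHETX_SERVERS = frozenset(ipaddress.ip_address(a) for a in (
    "66.112.149.33", "66.112.149.39", "66.112.146.201", "66.112.146.205",
    "66.112.149.45", "66.112.149.51", "66.112.146.194", "66.112.146.198",
    "66.112.146.189", "66.112.146.191",
))
PORTS = range(20001, 20005)  # 20001-20004, DTN Connection Control Protocol

# Hypothetical log layout: "<time> OUT <proto> <src>:<sport> -> <dst>:<dport>"
FLOW = re.compile(r"^\S+ OUT (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def classify(proto, dst, dport):
    """'allow' = listed server on a ProphetX port, 'violation' = same ports, unlisted host."""
    if proto.lower() != "tcp" or int(dport) not in PORTS:
        return "other"  # outside this policy; governed by the rest of the rule set
    return "allow" if ipaddress.ip_address(dst) in PROPHETX_SERVERS else "violation"


def audit(lines):
    """Return (source, destination, port) for every flow that breaks the restriction."""
    hits = []
    for line in lines:
        m = FLOW.match(line.strip())
        if not m:
            continue  # skip lines that are not outbound flow records
        proto, src, _sport, dst, dport = m.groups()
        if classify(proto, dst, dport) == "violation":
            hits.append((src, dst, int(dport)))
    return hits


# Constructed sample records, not taken from a real firewall.
SAMPLE_LOG = [
    "2006-03-01T09:00:01 OUT tcp 10.0.0.15:51234 -> 66.112.149.33:20001",
    "2006-03-01T09:00:07 OUT tcp 10.0.0.15:51240 -> 66.112.146.191:20004",
    "2006-03-01T09:02:13 OUT tcp 10.0.0.22:40112 -> 203.0.113.9:20003",
    "2006-03-01T09:02:30 OUT udp 10.0.0.22:40113 -> 203.0.113.9:20003",
    "2006-03-01T09:03:02 OUT tcp 10.0.0.15:51301 -> 198.51.100.4:80",
]

if __name__ == "__main__":
    for src, dst, port in audit(SAMPLE_LOG):
        print(f"unlisted destination on ProphetX port: {src} -> {dst}:{port}")
```

A hit means the firewall let one of the ProphetX ports through to a host outside the list, so the rule is broader than the restriction this section recommends.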

A useful reference for firewall design, including policy and security considerations, is:

Building Internet Firewalls (D. Brent Chapman and Elizabeth D. Zwicky, O’Reilly & Associates, Inc., 1995).

DTN ProphetX Web Services

DTN ProphetX uses Web Services connectivity to perform dynamic symbol searches. The requirements for the symbol search drilldown follow:

The DTN ProphetX client must be able to access:

Port 80 - HTTP
