Hybrid Dome9 Host Based Security, Cloud Security Groups and Network ACLs

A Dome9 agent may be installed within an AWS VPC Instance. In such a case multiple levels of security are provided and may include Network ACLs, VPC Security Groups, Azure NSGs and Dome9 Security Groups.

In order for the agent to work correctly, the following rules must be configured.

The Dome9 Agent for Windows and Linux connects back to the following services on the Dome9 Central Cloud Service in order to operate normally.

Agent Service

The agent service is used by the Dome9 Agents to get policy changes from Dome9 central and to report health and their network attachment. Dome9 Agents connect to the agent service every 180 seconds.
Destination: agents.dome9.com
Protocol: HTTPS (TCP), port 443

Notification Service

The notification service is used to notify agents that there is a policy change and that they should contact the main agent service immediately. The notification service uses long-polling, which allows central to notify the agents without requiring the agents to listen on any port and without putting any strain on the agent resources.
Destination: notifications.dome9.com
Protocol: HTTPS (TCP), port 443

OSSEC Service (FIM)

The hosted OSSEC service is used to accept traffic from the OSSEC module in the Dome9 agent.
This service is only required for customers utilizing the FIM functionality.
Protocol: UDP, port 1514

Dome9 has a Magic IP called 'Dome9 Service' that contains all of these IP addresses.
If you wish to restrict egress traffic from your servers, you can use this object to allow egress HTTPS traffic to the Dome9 servers (also allow UDP 1514 if OSSEC/FIM is enabled).

If you are on AWS VPC and restricting traffic via a NACL, then because NACLs are stateless, make sure to allow the return path as well (the responses from the Dome9 service).
In the FIM use case, either allow all UDP traffic from the Dome9 OSSEC service IP address, *or* open all ephemeral ports to inbound traffic (at the NACL level) and then restrict it further (to only allow traffic from Dome9 servers) using dedicated SG rules (utilizing Dome9's Magic IP).
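As an added example (not Dome9's own code), the following derives the stateful security-group egress rules and the stateless NACL rule pairs described above, and checks that every egress flow has its return path covered. The CIDR is a constructed placeholder standing in for whatever the 'Dome9 Service' Magic IP resolves to; the Rule shape and function names are this example's own.

```python
from dataclasses import dataclass

# Ports required by the page: HTTPS to the agent and notification services,
# UDP 1514 to the hosted OSSEC service only when FIM is enabled.
HTTPS_PORT = 443
OSSEC_UDP_PORT = 1514
EPHEMERAL = (1024, 65535)  # return-path range a stateless NACL must admit

# Constructed placeholder (TEST-NET-3); substitute the real Magic IP contents.
DOME9_SERVICE_CIDRS = ["203.0.113.0/24"]


@dataclass(frozen=True)
class Rule:
    direction: str   # "egress" or "ingress"
    protocol: str    # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"


def security_group_rules(dome9_cidrs, fim_enabled=False):
    """Stateful SG: egress only; responses are tracked automatically."""
    rules = [Rule("egress", "tcp", HTTPS_PORT, HTTPS_PORT, c) for c in dome9_cidrs]
    if fim_enabled:
        rules += [Rule("egress", "udp", OSSEC_UDP_PORT, OSSEC_UDP_PORT, c) for c in dome9_cidrs]
    return rules


def nacl_rules(dome9_cidrs, fim_enabled=False):
    """Stateless NACL: each egress entry needs a matching inbound return-path entry."""
    rules = []
    for c in dome9_cidrs:
        rules.append(Rule("egress", "tcp", HTTPS_PORT, HTTPS_PORT, c))
        rules.append(Rule("ingress", "tcp", *EPHEMERAL, c))      # HTTPS replies
        if fim_enabled:
            rules.append(Rule("egress", "udp", OSSEC_UDP_PORT, OSSEC_UDP_PORT, c))
            rules.append(Rule("ingress", "udp", *EPHEMERAL, c))  # OSSEC replies from the Dome9 IP
    return rules


def return_path_covered(rules, protocol, cidr):
    """True if an inbound allow from cidr spans the whole ephemeral range."""
    return any(r.direction == "ingress" and r.protocol == protocol and r.cidr == cidr
               and r.action == "allow"
               and r.from_port <= EPHEMERAL[0] and r.to_port >= EPHEMERAL[1]
               for r in rules)


if __name__ == "__main__":
    for r in nacl_rules(DOME9_SERVICE_CIDRS, fim_enabled=True):
        print(r)
```

Forgetting the ingress half of a NACL pair is the failure the page warns about: `return_path_covered` returns False for the bare egress list, which is exactly the state in which the agent's HTTPS or UDP 1514 replies are dropped.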