Auditor Help: Ecora Auditor Professional in a DMZ

Using Auditor Professional in a DMZ is challenging because most (if not all) ports needed for Auditor operation are locked down due to security concerns. There are a variety of methods to consider; the implementation choice is dependent upon DMZ configuration and the company's business goals.

In general, Ecora Auditor Professional performs three functions:

  • Collecting configuration data from targets; the configuration data is stored in an intermediate form in a file called repo.dat.bz2
  • Storing the configuration in a database (the data stored in the repo.dat.bz2 file is imported into the database)
  • Generating configuration reports from information in the database

For each function, consider the requirements and the impact on the DMZ. One extreme is installing Auditor on each target to gather and report on the configuration settings of that individual machine. The other end of the spectrum is opening the ports. Normally, neither option is a reasonable solution for a DMZ, so consider solutions between the two extremes.

Collecting configuration data from targets within the DMZ

In this case, the Ecora Auditor console and database are installed on a workstation within the DMZ. When collecting information from target machines, IPSEC channels between the Auditor console and the target machines can be used to provide host-to-host authentication and encryption.

Resources  See also the port usage in Auditor.

Storing data in the database and generating reports

There are a couple of options depending upon the business goals. If all report generation can occur on the machine within the DMZ, the simplest and most secure option is to import the data directly into the database on the Auditor console machine. This is the default mode when doing data collections with the database enabled. Reports can be generated on a scheduled basis and provided for viewing via standard methods for sharing reports (share, IIS server, etc.).

Resources  See also Publishing Auditor Reports.

If the goal is to collect information from inside the DMZ but generate the reports outside it, the collected data must be transferred out of the DMZ; reports can then be generated from one central server.
A few possibilities to consider:

  • Connect to a database outside the DMZ to write configuration data during the import process (this requires a port to be open for communication with SQL). If you write to SQL through the firewall, the port can be one other than 1433, it can be opened only for the time the import requires, and that window can be staggered if necessary.
  • Use a secure file copy tool to copy repo.dat.bz2 files to a machine outside the DMZ (the data is then imported into an Ecora database server outside the DMZ on a scheduled basis). This requires a port to be open for file copying on a regular basis.
  • Use standard IIS tools to provide access to the configuration files. A machine outside the DMZ running Auditor file archiving would copy them and import them into the database on a scheduled basis.
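For the secure file copy option, the machine outside the DMZ should check each copied repo.dat.bz2 before the scheduled import touches it. The following is an added example, not Ecora's own code: it assumes the copy job drops each archive with a .sha256 sidecar into an inbox directory, and only archives that pass every check are moved into the import directory (the directory layout, the sidecar convention and the size ceiling are all assumptions).

```python
import bz2
import hashlib
import shutil
from pathlib import Path

BZ2_MAGIC = b"BZh"
MAX_DECOMPRESSED = 512 * 1024 * 1024  # assumed ceiling on the inflated size


def check_archive(path: Path) -> list:
    """Return the problems found; an empty list means the archive may be imported."""
    problems = []
    if not path.name.endswith("repo.dat.bz2"):
        problems.append("unexpected file name")
    data = path.read_bytes()
    # The copy job is assumed to ship a <name>.sha256 sidecar written on the DMZ side.
    sidecar = path.with_name(path.name + ".sha256")
    expected = sidecar.read_text().split() if sidecar.exists() else []
    if not expected:
        problems.append("missing or empty .sha256 sidecar")
    elif expected[0].lower() != hashlib.sha256(data).hexdigest():
        problems.append("sha256 mismatch")
    if data[:3] != BZ2_MAGIC:
        return problems + ["not a bzip2 stream"]
    # Inflate in bounded pieces: corrupt data raises, and an archive that grows
    # past the ceiling is rejected before it reaches the import job.
    total = 0
    try:
        with bz2.open(path, "rb") as f:
            for block in iter(lambda: f.read(1 << 20), b""):
                total += len(block)
                if total > MAX_DECOMPRESSED:
                    problems.append("decompressed size exceeds limit")
                    break
    except (OSError, EOFError):
        problems.append("corrupt bzip2 stream")
    return problems


def stage(inbox: Path, import_dir: Path) -> dict:
    """Move valid archives into import_dir; return {file name: problems} for rejects."""
    rejected = {}
    for archive in sorted(inbox.glob("*repo.dat.bz2")):
        problems = check_archive(archive)
        if problems:
            rejected[archive.name] = problems
            continue
        shutil.move(str(archive), str(import_dir / archive.name))
        archive.with_name(archive.name + ".sha256").unlink(missing_ok=True)
    return rejected
```

Running stage() from the scheduled task just before the import, and logging the returned rejects, gives a record of every archive that crossed the DMZ boundary and was refused.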