A firewall is a security tool that restricts the number of ports on your machine that traffic can be sent to and received from other computers. When you use a firewall to restrict communication to a small number of ports, you can limit how your machines are accessible and ensure that only the programs you specify can be contacted by people outside of your organization. For example, it is common to allow only web traffic to go through to a web server and prevent all other types of traffic. Firewalls can be implemented through hardware, software, or a combination of both.
Firewalls help to prevent some attacks, such as worms and some Trojan horses. These attacks enter or leave your system through open ports that are exposed by programs running on your machine but are not intended to be exposed to the open internet. Firewalls do not protect you from viruses attached to emails or from threats inside your network. Therefore, although firewalls are important, they should not be the only component of your overall security strategy. Antivirus software and solid authentication and authorization techniques are examples of other security measures that should be deployed in conjunction with firewalls.
Firewalls that work by limiting open ports are different from web application firewalls, which actively work to analyze incoming web traffic and can block suspicious content. Web application firewalls can be beneficial tools in your overall security strategy but are not the focus of this topic.
It's a security best practice to implement a perimeter network, also known as a demilitarized zone (DMZ) or screened subnetwork, to prevent external users from directly accessing ArcGIS Monitor. A perimeter network functions as the only exposed point in your network that is accessible to external users. It adds a layer of security to your organization's network.
The following sections provide information on using firewalls to protect a Monitor deployment.
Protecting Monitor with firewalls
There are several appropriate strategies that you can take to protect Monitor with firewalls. The following strategies use firewalls to separate your internal network (in which security is regulated) from the external network (in which security cannot be guaranteed).
Integrating an existing reverse proxy
If your organization already uses a reverse proxy, you can configure it to route requests to Monitor on your secure internal network.
A less secure option uses a single firewall to restrict traffic to Monitor. In this configuration, Monitor resides behind the firewall in the secure internal network and usually, only port 30443 is left open.
For robust network security, place multiple layers of defense between external clients and your internal network. If a single firewall is the only layer of defense, a breach of that layer opens your secure network up to potential malicious activity. For this reason, this type of security configuration is not recommended.
Firewalls between Monitor machines
When deployed across multiple network environments, firewalls may exist between Monitor Server and Monitor Agent machines. To allow network communication between Monitor machines, you must open the ports used by Monitor.