Compliance audits might identify open ports on QRadar xSeries appliances due to Intergated Management Modules (IMM) that have listeners open for remotely managing xSeries Hardware. These ports might be identified during a port scan.
Scan report returned by IBM or third-party scanners might return results during a security audit that the following ports are listening on IBM Security QRadar xSeries Appliances:
- UDP 427
- TCP 443
- TCP 3389
- TCP 3900
- TCP 5900
The root cause is scanner products that locate open ports required by the IBM Integrated Management Module (IMM) for managing IBM xSeries appliances. The following products have identified the IMM port values as open listening ports: QRadar Vulnerability Manager, Nessus, and Nmap scanners.
Diagnosing The Problem
Investigations can show port 427, 443, 3389, 3900 and 5900 as open when the QRadar appliance is scanned during routine security audits.
Resolving The Problem
During a security audit, an administrator requested information on ports UDP 427, TCP 443, TCP 3389, TCP 3900, and TCP 5900 that were identified as open ports during a scan. The ports identified during the scan belonged to the Integrated Management Module (IMM).
The ports required for IMM are listed at the following website:
TCP/IP ports on the CMM and IMM2 management processors
- UDP port 427: Required for Service Location Protocol (SLP) connections.
This port enables a client to dynamically locate a TN3270 and TN5250 service, then attach to the least-loaded server. UDP port 427 is a default port, but it can be reassigned to a different value.
For information on the default port assignments for UDP 427 & TCP 3900, see http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_mmportassignpage.html
For information about SLP, see the following link: https://www.ibm.com/docs/en/spectrum-control/5.3.2?topic=standards-service-location-protocol
- TCP Port 443: This port allows SSL connections. This must remain open to allow a secure connection to the browser connecting to the IMM2.
- TCP port 3389: Ethernet over USB support.
This port is enabled when Ethernet over USB is configured or enabled on the appliance or when the operating system is Windows and Windows supports RDP. This port can initiate a session to the server over the management network. This means that the default port 3389 must be open as long as commands over the USB interface is allowed. Administrators can disable TCP port 3389 by disabling "Allow commands on the USB interface".
For information on how to disable Ethernet over USB refer to: Enabling and disabling the LAN over USB interface.sonas.doc/imm_users_guide_60y1465.pdf
- TCP port 3900: Remote Presence.
This port is used for remote disk, storage, and KVM operations. TCP port 3900 is a default port, but it can be reassigned to a different value. Port 3900 is also required for RDP, HTML5 and, Java connections.
For information on the default port assignments for UDP 427 & TCP 3900, see TCP/IP ports on the XCC, IMM2, and CMM management processors
- TCP port 5900: Remote Console video redirect.
Port 5900 is required in addition to 3900 when using RDP or Java connections.
Was this topic helpful?
27 October 2021