Network Controls
dbWatch Control Center implements several layers of network-level control to protect communication, ensure identity verification, and allow deployment into secured or segmented environments.
These controls are designed to:
- Enforce secure authentication between clients, nodes, and servers
- Limit and regulate network access by IP, domain, and certificate authority
- Provide flexibility for network design and port exposure
1. Certificate-Based Node Authentication
All nodes in a dbWatch domain—including the central server, monitor nodes, and UI clients—must authenticate using certificates issued by the domain’s internal Certificate Authority (CA).
- Each node is provisioned a node certificate, TLS keypair, and identity context
- Communications over port 7100/tcp are TLS-wrapped and use mutual certificate validation
- Clients that do not present valid certificates signed by the domain CA will be rejected
Because both ends of every connection must present a certificate chaining to the domain CA, a host that can reach port 7100 but holds no domain-issued certificate cannot complete a handshake, let alone exchange data. That is what makes this a zero-trust foundation for internal communication: network reachability alone grants nothing.
Read more in:
Certificate Infrastructure
Crypto Catalog
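The acceptance check a practitioner would run against such a listener, written here as an added example rather than taken from dbWatch: it builds a throwaway domain CA and a second, unrelated CA with the openssl command-line tool, starts a loopback listener that requires a client certificate chaining to the domain CA, and records what happens to a domain-signed node, a peer with no certificate, and a peer whose certificate is well-formed but issued by the other CA (the foreign-domain case that the built-in firewall section also addresses). The CA and node names, the ephemeral loopback port in place of 7100, and the disabled hostname check for the SAN-less demo certificates are all assumptions of the example, not Control Center behaviour.

```python
"""Mutual-TLS acceptance check for a certificate-gated listener.

Added illustration, not dbWatch code. Names such as "domain-ca" and "node1"
are assumptions; the openssl CLI must be on PATH, and the listener uses an
ephemeral loopback port rather than 7100.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

WORK = tempfile.mkdtemp(prefix="mtls-demo-")

def _openssl(*args):
    subprocess.run(["openssl", *args], cwd=WORK, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def _path(name):
    return os.path.join(WORK, name)

def make_ca(name):
    """Self-signed CA: <name>.pem and <name>.key in WORK."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={name}", "-keyout", f"{name}.key", "-out", f"{name}.pem")

def issue(ca, name):
    """Leaf certificate <name>.pem signed by <ca>, private key in <name>.key."""
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
             "-keyout", f"{name}.key", "-out", f"{name}.csr")
    _openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", f"{ca}.pem",
             "-CAkey", f"{ca}.key", "-CAcreateserial", "-out", f"{name}.pem")

def serve_once(listener, ca, cert):
    """Accept one connection. True only if the peer presented a certificate
    chaining to `ca`; any other peer gets a TLS alert instead of a session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the control under test
    ctx.load_verify_locations(_path(f"{ca}.pem"))
    ctx.load_cert_chain(_path(f"{cert}.pem"), _path(f"{cert}.key"))
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"ok")
            return True
    except ssl.SSLError:
        return False
    finally:
        conn.close()

def connect(port, ca, cert=None):
    """Handshake as a client. True only if the server completed the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # demo certs carry no SAN; keep it True in production
    ctx.load_verify_locations(_path(f"{ca}.pem"))
    if cert:
        ctx.load_cert_chain(_path(f"{cert}.pem"), _path(f"{cert}.key"))
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
            with ctx.wrap_socket(sock) as tls:
                # Under TLS 1.3 the client finishes its side before the server
                # has checked the client certificate, so wait for the server's
                # verdict: "ok" on success, an alert or close on rejection.
                return tls.recv(2) == b"ok"
    except OSError:  # ssl.SSLError and connection errors are OSError subclasses
        return False

def run_demo():
    """Return {scenario: (server_accepted, client_got_session)}."""
    make_ca("domain-ca")
    make_ca("foreign-ca")
    issue("domain-ca", "server")
    issue("domain-ca", "node1")      # legitimate node of this domain
    issue("foreign-ca", "intruder")  # well-formed cert, wrong CA (another domain)
    scenarios = {"domain-signed": "node1", "no-certificate": None, "foreign-ca": "intruder"}
    results = {}
    for label, client_cert in scenarios.items():
        listener = socket.socket()
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        verdict = []
        worker = threading.Thread(
            target=lambda: verdict.append(serve_once(listener, "domain-ca", "server")))
        worker.start()
        client_ok = connect(port, "domain-ca", client_cert)
        worker.join()
        listener.close()
        results[label] = (verdict[0], client_ok)
    return results

if __name__ == "__main__":
    for label, (server_ok, client_ok) in run_demo().items():
        print(f"{label:14} server accepted: {server_ok}  client session: {client_ok}")
```

Only the first scenario yields a session; the other two end in a TLS alert on the server side and no application data on the client side. Against a real node the same three probes with openssl s_client (domain certificate, no certificate, certificate from another CA) should show the same pattern, and a listener that accepts either of the last two is misconfigured.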
2. Built-in Firewall – IP Filtering and Domain Isolation
Control Center includes an internal firewall that adds fine-grained access controls beyond standard OS-level firewalls:
- Supports IP-based filtering to allow or block incoming connections by address or range
- Enforces domain-bound routing to ensure that nodes from foreign or untrusted domains cannot initiate or receive connections
- Can be centrally managed via the Control Center UI or through configuration files
- Acts as a first layer of network boundary enforcement, independent of system firewalls
This firewall is optional but strongly recommended for multi-node or DMZ-style deployments. Because it is enforced by Control Center itself rather than by the operating system, use it alongside host and network firewalls rather than instead of them.
Read more in:
Internal Control Center Firewall
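The allow/deny logic behind IP filtering by address or range, as an added example for this page rather than dbWatch's firewall implementation; the rule lists and inbound attempts are a constructed sample, not Control Center's configuration syntax. It shows two details that matter in practice: deny rules must win over allow rules, and IPv4 peers arriving on a dual-stack socket appear as IPv4-mapped IPv6 addresses and must be unmapped before an IPv4 rule can match them.

```python
"""Inbound-peer filtering by address or CIDR range, deny overriding allow.

Added illustration; not dbWatch's firewall code. The policy and the
attempts below are constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple


class PeerFilter:
    """Deny rules win; anything not covered by an allow rule is refused."""

    def __init__(self, allow: Iterable[str], deny: Iterable[str] = ()):
        # ip_network() is strict by default: a rule such as 10.1.2.3/24 has
        # host bits set and raises ValueError. A filter should refuse an
        # ambiguous rule rather than silently widen it to the whole /24.
        self.allow = [ipaddress.ip_network(rule) for rule in allow]
        self.deny = [ipaddress.ip_network(rule) for rule in deny]

    @staticmethod
    def _normalise(addr: str):
        ip = ipaddress.ip_address(addr)
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d. Unmap
        # them so IPv4 rules still match and cannot be dodged via the mapped form.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        return ip

    def decide(self, addr: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one peer address.

        Membership tests across IP versions are simply False, so a v6 peer
        never matches a v4 rule and vice versa.
        """
        ip = self._normalise(addr)
        for net in self.deny:
            if ip in net:
                return False, f"denied by {net}"
        for net in self.allow:
            if ip in net:
                return True, f"allowed by {net}"
        return False, "no allow rule matched (default deny)"


def triage(peer_filter: PeerFilter, attempts: Iterable[Tuple[str, str]]) -> List[dict]:
    """Evaluate (peer_address, note) pairs and return one verdict per attempt."""
    verdicts = []
    for addr, note in attempts:
        permitted, reason = peer_filter.decide(addr)
        verdicts.append({"peer": addr, "note": note, "permitted": permitted, "reason": reason})
    return verdicts


# Constructed sample policy: a monitor-node subnet, one UI workstation, an
# IPv6 prefix, and a single host inside the subnet that must stay blocked.
DOMAIN_FILTER = PeerFilter(
    allow=["10.20.0.0/24", "10.20.1.15/32", "2001:db8:10::/48"],
    deny=["10.20.0.66/32"],
)

# Constructed inbound attempts as a listener might report them.
SAMPLE_ATTEMPTS = [
    ("10.20.0.7", "monitor node inside the allowed subnet"),
    ("10.20.0.66", "inside the allowed subnet but explicitly denied"),
    ("10.20.1.15", "UI client allowed as a single address"),
    ("10.20.1.16", "neighbour of the UI client, never listed"),
    ("::ffff:10.20.0.8", "IPv4 node seen through a dual-stack socket"),
    ("2001:db8:10::1", "IPv6 node inside the allowed prefix"),
    ("203.0.113.9", "Internet address, falls to default deny"),
]


if __name__ == "__main__":
    for v in triage(DOMAIN_FILTER, SAMPLE_ATTEMPTS):
        state = "ALLOW" if v["permitted"] else "BLOCK"
        print(f"{state} {v['peer']:18} {v['reason']}  ({v['note']})")
```

The same evaluation order (deny, then allow, then default deny) is what to look for when reviewing any allow-list configuration: an allow rule that is checked before the deny list turns every broad allow range into a hole that the deny list can no longer close.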
3. Port Listening and Connection Direction
dbWatch Control Center is flexible in how it listens for and initiates network traffic:
- Default listening port is 7100/tcp for all inter-node and client-node communication
- Optionally, web-based dashboards may be exposed via port 8080 if explicitly enabled
- Nodes can be configured to only initiate connections (useful in restricted firewall zones) or to accept inbound connections (typical for servers)
- Listening behavior is configured via the `node.connections` file and domain topology
This flexibility allows dbWatch to be deployed in restrictive environments such as:
- Environments with no inbound ports allowed (outbound-only)
- Air-gapped or split-network DMZ architectures
- Cross-region or multi-cloud topologies with explicit NAT traversal
Read more in:
Network and Communications
Web Dashboards and Ports
Recommendations
- Restrict incoming connections using both the Control Center firewall and external firewall rules
- Use certificate-based access exclusively—do not bypass or disable authentication controls
- Change the default ports where local security policy requires it; a non-default port is hygiene, not a substitute for the firewall and certificate controls above
- Disable the web server (port 8080) unless actively used
- Regularly audit the `node.connections` file for unknown peers or unintended exposure
Related Topics
For help configuring port restrictions, secure firewall policies, or multi-node authentication, contact:
support@dbwatch.com