Network Controls

dbWatch Control Center implements several layers of network-level control to protect communication, ensure identity verification, and allow deployment into secured or segmented environments.

These controls are designed to:

• Enforce secure authentication between clients, nodes, and servers
• Limit and regulate network access by IP, domain, and certificate authority
• Provide flexibility for network design and port exposure

1. Certificate-Based Node Authentication

All nodes in a dbWatch domain—including the central server, monitor nodes, and UI clients—must authenticate using certificates issued by the domain’s internal Certificate Authority (CA).

• Each node is provisioned a node certificate, TLS keypair, and identity context
• Communications over port 7100/tcp are TLS-wrapped and use mutual certificate validation
• Clients that do not present valid certificates signed by the domain CA will be rejected

This model provides a cryptographically strong zero-trust foundation for internal communication.

Read more in:
Certificate Infrastructure
Crypto Catalog

2. Built-in Firewall – IP Filtering and Domain Isolation

Control Center includes an internal firewall that adds fine-grained access controls beyond standard OS-level firewalls:

• Supports IP-based filtering to allow or block incoming connections by address or range
• Enforces domain-bound routing to ensure that nodes from foreign or untrusted domains cannot initiate or receive connections
• Can be centrally managed via the Control Center UI or through configuration files
• Acts as a first layer of network boundary enforcement, independent of system firewalls

This firewall is optional but highly recommended for multi-node or DMZ-style deployments.

Read more in:
Internal Control Center Firewall

3. Port Listening and Connection Direction

dbWatch Control Center is flexible in how it listens for and initiates network traffic:

• Default listening port is 7100/tcp for all inter-node and client-node communication
• Optionally, web-based dashboards may be exposed via port 8080 if explicitly enabled
• Nodes can be configured to only initiate connections (useful in restricted firewall zones) or to accept inbound connections (typical for servers)
• Listening behavior is configured via the `node.connections` file and domain topology

This flexibility allows dbWatch to be deployed in restrictive environments such as:

• Environments with no inbound ports allowed (outbound-only)
• Air-gapped or split-network DMZ architectures
• Cross-region or multi-cloud topologies with explicit NAT traversal

Read more in:
Network and Communications
Web Dashboards and Ports

Recommendations

• Restrict incoming connections using both the Control Center firewall and external firewall rules
• Use certificate-based access exclusively—do not bypass or disable authentication controls
• Change default port settings if required by local security policy
• Disable the web server (port 8080) unless actively used
• Regularly audit the `node.connections` file for unknown peers or unintended exposure

Related Topics

• Encryption
• Sensitive Data Transmitted
• Security Overview
• Audit Logging
• Certificate Infrastructure

For help configuring port restrictions, secure firewall policies, or multi-node authentication, contact:
support@dbwatch.com