ADSM-L

Re: ADSM thru Firewalls?

1999-09-24 22:42:03
Subject: Re: ADSM thru Firewalls?
From: "Allen S. Rout" <asr AT NERSP.NERDC.UFL DOT EDU>
Date: Fri, 24 Sep 1999 22:42:03 -0400
=> On Fri, 24 Sep 1999 14:22:32 -0700, Danley Mike-xopr43 <M.Danley AT MOTOROLA 
DOT COM> said:

> We have a major issue trying to leverage our huge ADSM infrastructure on
> distributed nodes that have to sit in a DMZ area (untrusted network). There
> are a couple of key considerations and technology issues to keep in mind:

> * We wish to have an ADSM server sitting in the DMZ but talking back to our
> 3494 Robot in the trusted network.
>  - Mount & unmount require an IP connection. Assumed to be unsecure

> * We actually run the notion of a quarantine zone (QZ) which essentially is
> a dedicated sub-net that sits between the DMZ and the trusted network.
> There is a firewall present here. More importantly, we have several QZ's we
> would like to service with one ADSM server (AIX or Solaris). This too is
> thought to introduce a security problem.

> * We've been told if ADSM was able to invoke the backups from the server as
> opposed to the client, we could easily secure this link. However, IBM
> maintains this can't be done. (Neither does NetBackup.)

> So the bottom line is: does anyone have a positive experience in using ADSM
> to back up boxes that sit on the other side of a firewall?
> Any other way to look at the solution?


Well, some of your problem descriptions are rather vague, but:

When I think 'secure connection thru hostile net', I think SSH.  If your
endpoints are unix and under your control, you can do SSH port-forwarding. (*)
This could possibly be a point of failure for your application, but it would
enable you to connect 'in the clear' to a machine in your local trusted zone,
and securely forward all traffic that hits the ADSM port on that node to the
remote node.

This can be amazingly useful: We have at times in the past forwarded e.g. all
our IMAP and POP connections from wronghost.our.domain to imap.our.domain,
allowing us to transparently interpose an encrypted hop.

I'm not sure you could do this to your 3494; I doubt your SE would be happy if
you jacked into the industrial PC running it and tried to install an SSH
package... :)

But why do you have an untrusted network between your server and your 3494,
when you've got to have a SCSI connection between them too??

Further, could you clarify what you mean by

"if ADSM was able to invoke the backups from the server as opposed to the
client,"

?  This would be precisely how I would describe normal schedule-controlled
backups, so I think we have a vocabulary mismatch.


(*) You can do this with other platforms too; we've got some port-forwarding
going to and from some NT boxes, for instance, but UNIXen are the most
convenient.


Allen S. Rout
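Added example, not part of the thread or of any ADSM/TSM code: what the `ssh -L` port-forward Allen describes actually does. `ssh_forward_argv` builds the ssh command line for a listener on a trusted-zone host that carries the ADSM port to the remote node; it assumes TCP port 1500 (the default TSM/ADSM server port, not stated in the thread) and uses placeholder hostnames. `PlainRelay` is a small plaintext TCP relay that shows the listen-accept-copy mechanics of such a forwarder on loopback so the flow can be run offline; it supplies no encryption, which is precisely the part ssh adds, so it is a teaching stand-in and not a substitute for the SSH tunnel.

```python
"""Added example: mechanics of an SSH local port-forward (ssh -L) for ADSM traffic."""
import socket
import threading

ADSM_PORT = 1500  # assumption: default TSM/ADSM server TCP port; not stated in the thread


def ssh_forward_argv(local_port, remote_host, remote_port, ssh_host, user=None):
    """Return argv for: ssh -N -L local_port:remote_host:remote_port [user@]ssh_host.

    -N opens no remote shell, only the tunnel.  The ADSM client is then pointed
    at 127.0.0.1:local_port (assumed to be TCPSERVERADDRESS/TCPPORT in dsm.sys)
    and never speaks ADSM in the clear across the untrusted hop.
    """
    target = f"{user}@{ssh_host}" if user else ssh_host
    return ["ssh", "-N", "-L", f"{local_port}:{remote_host}:{remote_port}", target]


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PlainRelay:
    """Listen on 127.0.0.1 (ephemeral port) and relay each connection to target."""

    def __init__(self, target):
        self.target = target
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the remote ADSM node: echoes what it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip_through_relay(payload=b"ADSM session bytes (constructed)"):
    """Connect 'in the clear' to the local relay; the bytes reach the remote echo."""
    echo = start_echo_server()
    relay = PlainRelay(echo.getsockname())
    received = b""
    with socket.create_connection(("127.0.0.1", relay.port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # client EOF travels relay -> echo and back
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    relay.close()
    echo.close()
    return received


if __name__ == "__main__":
    print(" ".join(ssh_forward_argv(ADSM_PORT, "dmznode.example", ADSM_PORT, "gw.example")))
    print(round_trip_through_relay())
```

The relay is what the ssh client process does on the trusted host's side of the tunnel; in production the upstream leg is the encrypted SSH channel rather than a plaintext `create_connection`, and the firewall only needs to pass port 22 between the two endpoints instead of the ADSM port.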