ADSM-L

Dealing with firewalls

2015-10-04 17:13:40
Subject: Dealing with firewalls
From: Sam Sheppard [mailto:SHS AT SDDPC.SANNET DOT GOV]
To: ADSM-L AT VM.MARIST DOT EDU
---------------------------- Top of message ----------------------------
>>--> 01-04-02  14:29  S.SHEPPARD     (SHS)    Dealing with firewalls

I can comment on a couple of things we saw in a similar configuration.
One of our TSM OS/390 servers has a client behind a firewall.  We just
opened up the appropriate ports and everything worked fine, except the
performance was terrible.  We installed an additional OSA card attached
directly to the switch on the subnet behind the firewall and performance
improved by a factor of 10.

Sam Sheppard
San Diego Data Processing Corp.
-----------------------------------------------------------------------
>>--> 01-04-02  13:01  ..NETMAIL     ()     Dealing with firewalls
Date: Fri, 4 Jan 2002 15:38:19 -0500
From: "Thomas Denier" <Thomas.Denier AT MAIL.TJU DOT EDU>
Subject: Dealing with firewalls
To: ADSM-L AT VM.MARIST DOT EDU

My site has installed a firewall. Eventually all systems that need to be
accessible from the Internet will be outside the firewall, and all systems
used exclusively by our own staff and students will be inside the firewall.
We would like to use our existing TSM server to back up the systems outside
the firewall as well as those inside. As far as I can tell, there are
essentially only two approaches to doing this.

The first approach is to configure the firewall to pass TCP traffic to and
from port 1500 on the TSM server and configure clients outside the firewall
to use polling mode scheduling. Some of my co-workers have suggested a
variant of this approach in which the TSM server and its clients would be
reconfigured to use a different port. The hope is that this would reduce
the risk of attacks that depended on knowing the port number for TSM.
There are some concerns about the firewall's ability to handle the volume
of traffic to and from the TSM server.

The second approach is to equip the TSM server with an additional network
interface connected to the subnet outside the firewall. Our TSM server
currently runs under OS/390, with one TCP/IP address space dedicated to
supporting TSM connections. We could either configure the existing address
space to support the new interface or add another address space to support
the new interface.

How are other TSM sites dealing with firewalls? Is there any security
advantage in using a port other than 1500 for TSM? If we select the second
approach, is there any security advantage in a separate TCP/IP address
space for the new network interface?

-----------------------------------------------------------------------