ADSM-L

Re: TSM backing up in a DMZ zone.

2002-08-03 10:28:22
Subject: Re: TSM backing up in a DMZ zone.
From: "Seay, Paul" <seay_pd AT NAPTHEON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sat, 3 Aug 2002 10:10:38 -0400
See my responses inline.

Paul D. Seay, Jr.
Technical Specialist
Naptheon Inc.
757-688-8180


-----Original Message-----
From: William Rosette [mailto:Bill_Rosette AT PAPAJOHNS DOT COM]
Sent: Wednesday, July 31, 2002 10:01 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: TSM backing up in a DMZ zone.


Hi TSMers,

      I have a DMZ Zone going in this Tuesday and they are asking me (TSM
admin) to see if TSM can backup servers/clients in the DMZ zone.  I have
heard some talk on this ADSM user group about that very thing.  We are going
to be using a Cisco Pix Firewall and eventually use a Nokia Checkpoint.  I
gave them some options but I want to know if there are any more options that
y'all might have.  Here are the ones I suggested.

1. Put a TSM remote server in the DMZ and share the library (3494) with the
other server.
This one requires port 3494 to be opened through the firewall so that the
TSM server can talk to the library.  This one, to me, has some serious risks
if the TSM server is broken into.  The reason is that there is no security in
the library to block the mtlib and lmcpd interfaces from being used to mount
tapes belonging to other systems in the drives of this remote TSM server.

2. Since most clients (NT & Linux servers) back up in 5 to 15 minutes and
will not need to be backed up more than maybe once a week, open an obscure
port once a week for 30 minutes for all backups.
The port on the TSM server side has to be set for all clients.  But you
could create a small second TSM server process on the machine inside the
firewall, or locate the remote one inside the firewall, that uses this
specific port and only allows connections from the NT & Linux servers.
Then set your firewall up so that only that port and connection work to the
TSM server.  This is probably the most secure.

The big negative is that the backup will be slow depending on your firewall
and network.

3. Port access through Cisco script when backup happens.
I am not familiar with this but it looks like 2 with some more security.

4. Direct connect to TSM server.
Not sure what you mean by Direct Connect.


I understand that probably each one has its security leaks and some more
than others.  Is there someone who can share a good DMZ SLA?


Thank You,
Bill Rosette
Data Center/IS/Papa Johns International
WWJD
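
An added example of the kind of firewall rule set option 2 above describes,
written in PIX 6.x-era syntax; it is not from either poster.  The interface
name "dmz", the TSM server address 10.1.1.20 on the inside, the two DMZ
client addresses and the TSM default port 1500 are assumptions made up for
illustration.  The identity static is needed because the PIX will not pass
traffic from a lower-security interface (the DMZ) to a higher one (inside)
without a translation, and the access-list limits that path to the named
clients and the single TSM port:

```text
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 172.16.1.10 host 10.1.1.20 eq 1500
access-list dmz_in permit tcp host 172.16.1.11 host 10.1.1.20 eq 1500
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The port in the access-list has to match TCPPORT in dsmserv.opt on the
server (and TCPPORT in the clients' dsm.sys or dsm.opt) if you move it off
the default.  Run the DMZ clients with SCHEDMODE POLLING rather than
PROMPTED: in polling mode the client always opens the connection to the
server, so nothing has to be permitted from the inside into the DMZ, whereas
prompted mode has the server connect to the client's TCPCLIENTPORT (1501 by
default).  "show access-list dmz_in" on the PIX shows the hit counts, which
is a quick way to confirm that only the expected hosts are using the rule.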
