Amanda-Users

Re: Amanda through a VPN?

2004-09-08 16:09:29
Subject: Re: Amanda through a VPN?
From: Frank Smith <fsmith AT hoovers DOT com>
To: KEVIN ZEMBOWER <KZEMBOWE AT jhuccp DOT org>, amanda-users AT amanda DOT org
Date: Wed, 08 Sep 2004 15:05:30 -0500
--On Wednesday, September 08, 2004 14:41:34 -0400 KEVIN ZEMBOWER <KZEMBOWE AT jhuccp DOT org> wrote:

> Has anyone ever set up Amanda to work through a VPN as an alternative to
> working correctly through a firewall? I'm not sure a VPN is even the right
> tool to use.

Yes, we use VPNs to back up some of the data at our remote colos.  I'm not sure
it's going to make your firewall setup any easier to implement (it will still
require some firewall changes), but once you get the VPN working you can change
what goes through it without having to modify the intervening firewalls.

> I'm so frustrated with our networking group, which implements a single change
> in the firewall, then requires that we wait until the next morning to make a
> second trial if the first one doesn't work. I believe that no one really
> thoroughly understands the firewall software, an Elron CommandView firewall,
> which seems to be out of production. The last mention I can find of it
> through Google dates to 1999. Links to their website redirect to zixcorp.com.

Personally, I'd be scared if I were depending on a firewall that hasn't been
updated for 5 years.

> 
> Consequently, I'm exploring other options to get Amanda to work through or
> around this firewall. The first I thought of was a VPN. However, I only know
> what I've read about VPNs; I've never set one up or worked with it. Would a
> VPN work?

Yes, it can.

> Is it the right tool to use, short of getting the firewall to work properly
> in the first place?

It depends.  How sensitive is your data?  The backups are streamed in the
clear, although possibly compressed, so there is the potential for someone to
grab it as it goes by.  With a VPN the data stream (at least between the VPN
boxes) is encrypted, so it is impractical for someone to steal the data in that
portion of the data path.  If your network is secure (relative to the
sensitivity of your data) then it may not have much of an advantage.  If it is
very sensitive data and you are sending it across the Internet then a VPN
should be a requirement.

> Any recommendation on specific VPN solutions to use? Anyone done this before?
> I tried searching on 'vpn' in this list's archives, but didn't turn up
> anything.

Being a thrifty person, I'm a fan of using a pair of cheap Linux boxes (my
backups can soak a 10Mb link over a couple of 800MHz Pentiums without any
problems with a 2.4 kernel and FreeS/WAN); the 2.6 kernels have IPsec
capabilities built in.  As a bonus you can run iptables (netfilter) on the
same boxes and firewall what goes through your tunnel.

You may have to do some work setting up routing on both ends so your backups
actually use the VPN.

Frank

> 
> Thanks for all your help and suggestions.
> 
> -Kevin Zembower
> 
> -----
> E. Kevin Zembower
> Internet Systems Group manager
> Johns Hopkins University
> Bloomberg School of Public Health
> Center for Communications Programs
> 111 Market Place, Suite 310
> Baltimore, MD  21202
> 410-659-6139
> 



-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
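Added example, not from the post above or from the Amanda project: the glue a VPN gateway like the one Frank describes needs so that the backup stream can only cross the link inside the IPsec tunnel. It assumes a Linux 2.6 kernel with native IPsec, ipsec-tools' setkey for the security policy (IKE, e.g. racoon, is configured separately), netfilter's xt_policy match, and the addresses, interface name and Amanda port range shown; all of those are placeholders to adapt. Run it on each gateway with the LOCAL_*/REMOTE_* values swapped; by default it only prints the commands (DRY_RUN=1), set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Example VPN-gateway setup for Amanda over native 2.6 IPsec (added example;
# every address, interface and port below is an assumption to be adapted).
: "${DRY_RUN:=1}"

LOCAL_GW=203.0.113.10      # this gateway's public address (assumed)
REMOTE_GW=198.51.100.20    # remote colo gateway's public address (assumed)
DEFAULT_GW=203.0.113.1     # next hop on the public side (assumed)
LOCAL_NET=10.1.0.0/24      # private net behind this gateway (assumed)
REMOTE_NET=10.2.0.0/24     # private net behind the remote gateway (assumed)
WAN_IF=eth0                # public interface (assumed)
AMANDA_PORTS=10080:10083   # amanda/amandaidx/amidxtape (IANA); add your
                           # amanda.conf tcpportrange/udpportrange if set

# In dry-run mode print the command instead of executing it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Security policy: traffic between the two private nets must be ESP in
# tunnel mode between the two gateways, in both directions.
spd_config() {
    cat <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

apply_ipsec_policy() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# setkey -c <<EOF"; spd_config; echo "# EOF"
    else
        spd_config | setkey -c
    fi
}

# Firewall what goes through the tunnel. Ordering matters: unprotected
# traffic between the nets is dropped first, so a policy mistake cannot let
# the backup stream leak across the link in the clear.
firewall_rules() {
    run iptables -A FORWARD -s "$REMOTE_NET" -m policy --dir in --pol none -j DROP
    run iptables -A FORWARD -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
    # IKE and ESP from the peer gateway, addressed to this box itself.
    run iptables -A INPUT -i "$WAN_IF" -s "$REMOTE_GW" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -s "$REMOTE_GW" -p esp -j ACCEPT
    # Replies to connections already accepted below.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the Amanda ports, and only when the packet was (or will be)
    # carried inside the ESP tunnel.
    for proto in udp tcp; do
        run iptables -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -p "$proto" \
            --dport "$AMANDA_PORTS" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
        run iptables -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -p "$proto" \
            --dport "$AMANDA_PORTS" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    done
}

# Routing so the backups actually use the VPN: with native IPsec there is no
# ipsecN device, the SPD does the encapsulation, so the remote private net
# only needs to be routed out of the public interface.
tunnel_routes() {
    run ip route replace "$REMOTE_NET" via "$DEFAULT_GW" dev "$WAN_IF"
}

case "${1:-all}" in
    policy)   apply_ipsec_policy ;;
    firewall) firewall_rules ;;
    routes)   tunnel_routes ;;
    all)      apply_ipsec_policy; firewall_rules; tunnel_routes ;;
    *)        echo "usage: $0 [policy|firewall|routes|all]" >&2; exit 2 ;;
esac
```

Hosts behind each gateway still need a route for the other private net that points at the gateway's inside address unless the gateway is already their default route; that is the "some work setting up routing on both ends" Frank mentions. A quick check that the policy is doing its job is to run `tcpdump -ni eth0 host 198.51.100.20` on the public interface during a backup: you should see only ESP, never port 10080.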
