Amanda-Users

Re: Amanda through a VPN?

2004-09-08 16:49:36
Subject: Re: Amanda through a VPN?
From: KEVIN ZEMBOWER <KZEMBOWE AT jhuccp DOT org>
To: amanda-users AT amanda DOT org
Date: Wed, 08 Sep 2004 16:44:10 -0400
Frank and Rebecca, thank you for your comments and suggestions.

I understand that I'll still need to work with the firewall administrators. 
It just seems so much more complex to do Amanda's ports right -- only open 
the ones needed, using only the protocol and in only the right direction -- 
than to say "Open port 10080 in both directions between tapehost and client". 
Right now, the firewall seems to have ports 10080-84 opened correctly (tested 
with telnet and tcpdump). They could just let this be.

Our setup is that our web servers are outside the firewall, but the tapehost 
and other administrative hosts, as well as all the Windows-based desktops are 
inside. We use 176.14/16 addresses inside, but 'real' IP addresses outside. 
However, the hosts are side-by-side in the same rack.

If I do go with some sort of VPN, am I on the right track here?:
Both the tapehost and the client(s) all have to have a VPN (daemon? client?) on 
them, such as OpenVPN or vtun. I ask the firewall folks to open one port, like 
10080, to TCP and UDP, in both directions to and from the tapehosts and the 
client(s). The notes in amanda.conf state that the OS routing tables control 
which interface is used, so I make some change there to connect from the 
tapehost to the clients using the VPN. This will all probably be clear to me 
when I pick a VPN and read the documentation.

Thanks, again, for your advice and suggestions.

-Kevin

>>> Frank Smith <fsmith AT hoovers DOT com> 09/08/04 04:05PM >>>
--On Wednesday, September 08, 2004 14:41:34 -0400 KEVIN ZEMBOWER <KZEMBOWE AT 
jhuccp DOT org> wrote:

> Has anyone ever set up Amanda to work through a VPN as an alternative to
> working correctly through a firewall? I'm not sure a VPN is even the right
> tool to use.

Yes, we use VPNs to backup some of the data at our remote colos.  I'm not sure
it's going to make your firewall setup any easier to implement (it will still
require some firewall changes), but once you get the VPN working you can change
what goes through it without having to modify the intervening firewalls.

> I'm so frustrated with our networking group, which implements a single change
> in the firewall, then requires that we wait until the next morning to make a
> second trial if the first one doesn't work. I believe that no one really
> thoroughly understands the firewall software, an Elron CommandView firewall,
> which seems to be out of production. The last mention I can find of it
> through Google dates to 1999. Links to their website redirect to zixcorp.com.

Personally, I'd be scared if I were depending on a firewall that hasn't been
updated for 5 years.

> 
> Consequently, I'm exploring other options to get Amanda to work through or
> around this firewall. The first I thought of was a VPN. However, I only know
> what I've read about VPNs; I've never set one up or worked with it. Would a
> VPN work?

Yes, it can.

> Is it the right tool to use, short of getting the firewall to work properly
> in the first place?

It depends.  How sensitive is your data?  The backups are streamed in the clear,
although possibly compressed, so there is the potential for someone to grab it
as it goes by.  With a VPN the data stream (at least between the VPN boxes) is
encrypted, so impractical for someone to steal the data in that portion of the
data path.  If your network is secure (relative to the sensitivity of your data)
then it may not have much of an advantage.  If it is very sensitive data and
you are sending it across the Internet then a VPN should be a requirement.

> Any recommendation on specific VPN solutions to use? Anyone done this before?
> I tried searching on 'vpn' in this list's archives, but didn't turn up 
> anything.

Being a thrifty person, I'm a fan of using a pair of cheap Linux boxes (my
backups can soak a 10Mb link over a couple of 800MHz Pentiums without any
problems with a 2.4 kernel and FreeS/WAN), the 2.6 kernels have IPSEC
capabilities built in.  As a bonus you can run iptables (netfilter) on the
same boxes and firewall what goes through your tunnel.

You may have to do some work setting up routing on both ends so your backups
actually use the VPN.

Frank

> 
> Thanks for all your help and suggestions.
> 
> -Kevin Zembower
> 
> -----
> E. Kevin Zembower
> Internet Systems Group manager
> Johns Hopkins University
> Bloomberg School of Public Health
> Center for Communications Programs
> 111 Market Place, Suite 310
> Baltimore, MD  21202
> 410-659-6139
> 



-- 
Frank Smith                                      fsmith AT hoovers DOT com 
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
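Both Kevin (the amanda.conf note that the OS routing table picks the interface) and Frank ("do some work setting up routing on both ends") point at the same check, so here is one as an added example, not code from either poster or from Amanda: it parses a Linux "ip route" style table and reports which clients' backup traffic would actually leave via the tunnel rather than in the clear. The sample table, the 203.0.113.0/24 client range and the tun0 interface name are constructed assumptions.

```python
import ipaddress

# Constructed sample of a Linux "ip route" table (not from the list post).
# Models Kevin's layout: 176.14/16 inside, a tun0 tunnel to the web servers
# outside the firewall, and a stray host route that bypasses the tunnel.
SAMPLE_ROUTES = """\
default via 176.14.0.1 dev eth0
176.14.0.0/16 dev eth0 scope link
203.0.113.0/24 dev tun0 scope link
203.0.113.42 dev eth0 scope link
"""

VPN_DEV = "tun0"  # assumed tunnel interface name


def parse_routes(text):
    """Parse 'ip route' lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, addr):
    """Longest-prefix match, as the kernel does: most specific route wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_clients(routes, clients, vpn_dev=VPN_DEV):
    """Map each client to (device, uses_vpn). A False flags a client whose
    backup stream would leave unencrypted on a non-tunnel interface."""
    result = {}
    for client in clients:
        dev = egress_device(routes, client)
        result[client] = (dev, dev == vpn_dev)
    return result


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for client, (dev, ok) in check_clients(table, ["203.0.113.10", "203.0.113.42"]).items():
        print(f"{client}: via {dev} {'OK' if ok else 'BYPASSES VPN'}")
```

Run it against the real table with `ip route show` piped into parse_routes; the more specific host route in the sample is the kind of entry that silently sends one client around the tunnel.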