Amanda-Users

Re: Amanda through a VPN?

2004-09-08 18:02:09
Subject: Re: Amanda through a VPN?
From: Frank Smith <fsmith AT hoovers DOT com>
To: KEVIN ZEMBOWER <KZEMBOWE AT jhuccp DOT org>, amanda-users AT amanda DOT org
Date: Wed, 08 Sep 2004 16:58:26 -0500
--On Wednesday, September 08, 2004 16:44:10 -0400 KEVIN ZEMBOWER <KZEMBOWE AT 
jhuccp DOT org> wrote:

> Frank and Rebecca, thank you for your comments and suggestions.
> 
> I understand that I'll still need to work with the firewall administrators. 
> It just seems so much more complex to do Amanda's ports right -- only open 
> the ones needed, using only the protocol and in only the right direction -- 
> than to say "Open port 10080 in both directions between tapehost and client". 
> Right now, the firewall seems to have ports 10080-84 opened correctly (tested 
> with telnet and tcpdump). They could just let this be.

Amanda uses more ports than 10080-84 (and don't forget that the 10080 port
at least is UDP and not TCP).  For use with a firewall you need to build
Amanda with the --with-tcpportrange= and --with-udpportrange= options to
control which ports to use, and configure the firewall to match.  Look
at PORT.USAGE in the docs directory.
> 
> Our setup is that our web servers are outside the firewall, but the tapehost
> and other administrative hosts, as well as all the Windows-based desktops
> are inside. We use 176.14/16 addresses inside, but 'real' IP addresses
> outside. However, the hosts are side-by-side in the same rack.

Other options include running a separate private backside network on the
hosts involved, or using something like rsync to mirror the data onto
the tape server (or some other local client) and using Amanda to back up
the mirror.
   The rsync method is the easiest to set up, only one port through
the firewall.  It can also shorten your backup window and give you
better control over the time the data is actually copied from the
source.
 
> If I do go with some sort of VPN, am I on the right track here?:
> Both the tapehost and the client(s) all have to have a VPN (daemon?
> client?) on them, such as OpenVPN or vtun. I ask the firewall folks to
> open one port, like 10080, to TCP and UDP, in both directions to and from
> the tapehosts and the client(s). The notes in amanda.conf state that the
> OS routing tables control which interface is used, so I make some change
> there to connect from the tapehost to the clients using the VPN. This
> will all probably be clear to me when I pick a VPN and read the
> documentation.

You have the basic idea. The actual implementation depends on the software
you choose.  Be careful that your tunnel setup doesn't expose all of your
tapehost to the world.

Frank
 
> Thanks, again, for your advice and suggestions.
> 
> -Kevin
> 
>>>> Frank Smith <fsmith AT hoovers DOT com> 09/08/04 04:05PM >>>
> --On Wednesday, September 08, 2004 14:41:34 -0400 KEVIN ZEMBOWER <KZEMBOWE AT 
> jhuccp DOT org> wrote:
> 
>> Has anyone ever set up Amanda to work through a VPN as an alternative to
>> working correctly through a firewall? I'm not sure a VPN is even the right
>> tool to use.
> 
> Yes, we use VPNs to back up some of the data at our remote colos.  I'm not sure
> it's going to make your firewall setup any easier to implement (it will still
> require some firewall changes), but once you get the VPN working you can 
> change what goes through it without having to modify the intervening firewalls.
> 
>> I'm so frustrated with our networking group, which implements a single change
>> in the firewall, then requires that we wait until the next morning to make a
>> second trial if the first one doesn't work. I believe that no one really
>> thoroughly understands the firewall software, an Elron CommandView firewall,
>> which seems to be out of production. The last mention I can find of it
>> through Google dates to 1999. Links to their website redirect to zixcorp.com.
> 
> Personally, I'd be scared if I were depending on a firewall that hasn't been
> updated for 5 years.
> 
>> 
>> Consequently, I'm exploring other options to get Amanda to work through or
>> around this firewall. The first I thought of was a VPN. However, I only know
>> what I've read about VPNs; I've never set one up or worked with it. Would a
>> VPN work?
> 
> Yes, it can.
> 
>> Is it the right tool to use, short of getting the firewall to work properly
>> in the first place?
> 
> It depends.  How sensitive is your data?  The backups are streamed in the 
> clear, although possibly compressed, so there is the potential for someone to 
> grab it as it goes by.  With a VPN the data stream (at least between the VPN 
> boxes) is encrypted, so it is impractical for someone to steal the data in that 
> portion of the data path.  If your network is secure (relative to the 
> sensitivity of your data) then it may not have much of an advantage.  If it is 
> very sensitive data and you are sending it across the Internet then a VPN 
> should be a requirement.
> 
>> Any recommendation on specific VPN solutions to use? Anyone done this before?
>> I tried searching on 'vpn' in this list's archives, but didn't turn up 
>> anything.
> 
> Being a thrifty person, I'm a fan of using a pair of cheap Linux boxes (my
> backups can soak a 10Mb link over a couple of 800MHz Pentiums without any
> problems with a 2.4 kernel and FreeS/WAN), the 2.6 kernels have IPSEC
> capabilities built in.  As a bonus you can run iptables (netfilter) on the
> same boxes and firewall what goes through your tunnel.
> 
> You may have to do some work setting up routing on both ends so your backups
> actually use the VPN.
> 
> Frank
> 
>> 
>> Thanks for all your help and suggestions.
>> 
>> -Kevin Zembower
>> 
>> -----
>> E. Kevin Zembower
>> Internet Systems Group manager
>> Johns Hopkins University
>> Bloomberg School of Public Health
>> Center for Communications Programs
>> 111 Market Place, Suite 310
>> Baltimore, MD  21202
>> 410-659-6139
>> 
> 
> 
> 
> -- 
> Frank Smith                                      fsmith AT hoovers DOT com 
> Sr. Systems Administrator                       Voice: 512-374-4673
> Hoover's Online                                   Fax: 512-374-4501
> 



-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
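As an added illustration of Frank's point about building Amanda with --with-tcpportrange/--with-udpportrange and matching the firewall to those ranges (example code, not from the thread or the Amanda project): the addresses, the port ranges and the FORWARD-chain placement are assumptions, and the TCP rules are left symmetric because PORT.USAGE, not this page, states which side opens the data streams.

```shell
#!/bin/sh
# Added example (not from the thread or the Amanda project): print a minimal
# stateful iptables ruleset that matches an Amanda build configured with
# --with-tcpportrange=TLO,THI and --with-udpportrange=ULO,UHI, restricted to
# one tape host and one client. Rules are printed for review, not applied.

# check_range LOW HIGH: succeed only for a numeric, ordered range within 1-65535
check_range() {
  case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# amanda_rules TAPEHOST CLIENT TLO THI ULO UHI
amanda_rules() {
  tapehost=$1 client=$2 tlo=$3 thi=$4 ulo=$5 uhi=$6
  check_range "$tlo" "$thi" || { echo "bad tcpportrange: $tlo-$thi" >&2; return 1; }
  check_range "$ulo" "$uhi" || { echo "bad udpportrange: $ulo-$uhi" >&2; return 1; }
  # Control channel: the tape host sends UDP requests to amandad (10080/udp)
  # on the client from a source port inside the udpportrange.
  echo "iptables -A FORWARD -p udp -s $tapehost -d $client" \
       "--sport $ulo:$uhi --dport 10080 -m state --state NEW -j ACCEPT"
  # Data/message/index streams use TCP ports inside the tcpportrange. They are
  # allowed in both directions here (the thread's "both directions" request);
  # PORT.USAGE says which side initiates, so one of these two rules can go.
  echo "iptables -A FORWARD -p tcp -s $tapehost -d $client" \
       "--dport $tlo:$thi -m state --state NEW -j ACCEPT"
  echo "iptables -A FORWARD -p tcp -s $client -d $tapehost" \
       "--dport $tlo:$thi -m state --state NEW -j ACCEPT"
  # Replies ride on connection tracking; anything else between the pair is dropped.
  echo "iptables -A FORWARD -s $tapehost -d $client -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -s $client -d $tapehost -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -s $tapehost -d $client -j DROP"
  echo "iptables -A FORWARD -s $client -d $tapehost -j DROP"
}

# Constructed addresses and ranges (192.0.2.0/24 is a documentation prefix).
amanda_rules 10.0.0.5 192.0.2.10 50000 50100 700 710
```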

