Re: [Networker] Legato firewall question

2004-01-30 14:58:32
Subject: Re: [Networker] Legato firewall question
From: Kenneth Larsen <Kenneth.Larsen AT STERIA DOT DK>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 30 Jan 2004 20:59:56 +0100
Agreed, but even one port open in a firewall is enough for a motivated
hacker, so your best option there is to NOT have any traffic from your
internal LAN to the internet. Not really an option either!
Nor is it an option to just say "Legato has to do this and this to make
their product secure". While I totally agree that Legato has to do
something on this front, I think the core of NetWorker is still from way
back when the internet etc. were not that widespread; we can't really
afford to idle while we wait for Legato ;o)

As it is right now, we can either choose to NOT back up through a firewall,
use a VPN tunnel, which can be made to run 1GB or so I have been told, for
a cost of course, or go to our DMZ servers with a tape each day. I know what
I prefer....!

You should be able to firewall your VPN tunnel too. Performance will always
suffer when you do this security stuff. But if you stack your backups
right, you should be able to keep your tape drives streaming.

I would like to know more about your backup of different LANs, as we are
moving in the same direction here, and it would be nice to know what traps
lie ahead before I take the first step....


**************************************************
Med venlig hilsen / Regards
Kenneth Larsen
Steria
Tonsbakken 16-18
2740 Skovlunde
kel AT steria DOT dk - 44506261 - 26306261
**************************************************
With a revenue of 1.018bn Euro and more than 8,000 employees, Steria is
one of the top ten IT services companies in Europe.
Steria Denmark's ambition is to reach a yearly growth of 20% in the coming
3 years. Our focus expertise is in: e-Business, e-Government,
Outsourcing, Infrastructure, CRM and Workflow.




Oscar Olsson <spam1 AT qbranch DOT se>
30-01-2004 20:30

To: Legato NetWorker discussion <NETWORKER AT LISTMAIL.TEMPLE DOT EDU>, Kenneth Larsen <Kenneth.Larsen AT STERIA DOT DK>
cc:
Subject: Re: [Networker] Legato firewall question


On Fri, 30 Jan 2004, Kenneth Larsen wrote:

KL> The Legato through a firewall has been up quite a few times, and probably
KL> will continue to be so until Legato makes a smooth solution.
KL> But until then, I think the easiest way is to make a VPN tunnel through the
KL> firewall and only allow Legato to use it. It may cost a bit more in
KL> hardware, but most firewall admins will probably like that solution better
KL> than having to open the ports required for Legato to make it work.
KL>
KL> Before the backup starts you open the tunnel from the server, and when it's
KL> all done you close it down again, for optimal security. Of course you will
KL> have to open the tunnel to make recoveries etc.
KL>
KL> I have heard though that Legato is working on this firewall issue, and
KL> perhaps we will see something soon....

I think this approach is very easy to deface for a motivated hacker or
similar. Just time the attacks, and one will gain access to the entire
network, if successful. Also, considering the massive amounts of data that
have to be tunneled, a tunnel interface in a routed switch will probably
cause all packets that go through that tunnel to be software switched. Thus
the switch/router performance will be severely degraded. An external
device won't scale well either, considering that you will have up to 1gbit
of network throughput during the backup window in a large environment
(like ours), especially if the servers that get backed up are on several
different LANs.

To put it straight: There is no way of firewalling a legato-server to
complete satisfaction. In fact, it will probably generate more
problems/downtime to do so.

The real solution is to get Legato to throw away all that unnecessary RPC
junk and to use a single-port protocol instead, and make the server
initiate all TCP connections to the client, which allows people to use
state-aware filtering, or at least only allow TCP traffic in one direction
with the "ESTABLISHED" bit set. Of course, to run manual backups/recoveries
from the client would need a way for the client to send requests to the
server without having a pre-established TCP connection. However, this
could be a trade-off for sites with high security standards, since in that
case, restores will/should only be allowed to be initiated by the server
anyway.

By the way, while we're discussing Legato security, the auth mechanisms
(based on forward/reverse hostname resolving) seem kind of weak to me. I
haven't seen any security bulletins about buffer overflows and similar in
Legato at all. Is it really that secure or is it just because no
security-related people/corporations find any interest in a product that
is almost never directly exposed to the Internet?

//Oscar
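As an added illustration of the policy Oscar argues for above (state-aware filtering where only the backup server may open connections), here is a toy packet-filter model written for this page; it is not code from the list, from Legato or from any firewall product, and the addresses, the assumed port range and the sample packets are all constructed.

```python
"""Toy model contrasting two firewall policies for a backup server.

Policy A ("open the ports"): any TCP segment touching the RPC port range
passes in either direction, with no state kept.
Policy B ("server-initiated, state-aware"): only the backup server may open
a flow to a DMZ client, and other segments pass only if they belong to a
flow the filter has already recorded.
Addresses and the port range are constructed assumptions, not real config.
"""
from dataclasses import dataclass

SERVER = "10.0.0.5"              # backup server on the internal LAN (constructed)
RPC_PORTS = range(7937, 9937)    # assumed NetWorker RPC/portmapper range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def open_range_policy(pkt, state):
    """Policy A: stateless, bidirectional hole for the whole port range."""
    return pkt.dport in RPC_PORTS or pkt.sport in RPC_PORTS


def server_initiated_policy(pkt, state):
    """Policy B: the server opens flows; replies need a tracked flow."""
    flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if pkt.syn and not pkt.ack:                 # a new connection attempt
        if pkt.src == SERVER and pkt.dport in RPC_PORTS:
            state.add(flow)                     # record the flow the server opened
            return True
        return False                            # nobody else may open flows
    return flow in state or reverse in state    # reply/continuation traffic only


def filter_packets(policy, packets):
    """Run a packet list through a policy, returning one verdict per packet."""
    state = set()
    return [policy(p, state) for p in packets]
```

Run both policies over the same packet list: the inbound connection attempt from a DMZ host to the server, and a stray ACK with no tracked flow, pass under policy A but are dropped under policy B, while the server's own connection and the client's reply pass under both.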



--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
