Veritas-bu

[Veritas-bu] Still Another Question on Firewalls, Ports and Security

2001-01-04 11:55:58
Subject: [Veritas-bu] Still Another Question on Firewalls, Ports and Security
From: John_Wang AT enron DOT net John_Wang AT enron DOT net
Date: Thu, 4 Jan 2001 10:55:58 -0600
Hello

I'm not entirely certain if it's really all of those ports that need to be
opened. With TCP/IP connections there's the concept of origination port and
destination port; the language in the Netbackup manual implies to me that they
are discussing the origination ports, not the destination ports, whereas what
firewall people want is the destination ports, and they are usually quite happy
allowing all origination ports to specific destination ports.

For example, in a typical telnet session, the telnet client chooses a random
origination port above 1024, i.e. a non-privileged port, and opens a connection
to the destination port of 23. To a firewall administrator, this would be
just opening a hole TO port 23.

The fact that the manual references large privileged ranges such as 512-1024
would suggest that Netbackup used privileged source ports as an assurance of
authenticity, i.e. on a Unix machine only the root user could bind such an
origination port, hence one could trust the connection. This theory would be
corroborated by the existence of the various options such as
"ALLOW_NON_RESERVED_PORTS" and "CLIENT_RESERVED_PORT_WINDOW". Note also that
the language for "CLIENT_RESERVED_PORT_WINDOW" says "Specifies the range of
reserved ports on this computer used for connecting to Netbackup on other
computers." which seems to me to be saying that these are origination port
numbers. I've been through the manual looking for definitive indications of
how the TCP traffic is arranged but, aside from such obfuscated references
suggesting that they are only talking about source ports, there is no explicit
description of what they are doing, certainly not in the format that a firewall
administrator would expect.

I would suspect that what they really should've documented was something like
"privileged ports from the servers to port 13782 on the client", etc. No
doubt there should be such a statement for each service provided. If this is
the case then, although the documented 512 - 1024 in the manual is correct, what
the firewall administrator wants to hear is "Open port 13782 outgoing, to the
client from privileged ports." Indeed, most commercial firewall
administrators may not even care if the originating port is privileged or not
and would want to hear "Open port 13782 outgoing to the client." Note: I'm
using 13782 (bpcd) as an example; no doubt there would be several of these ports,
but nothing like the ranges suggested.

Why would anyone document network traffic in the reverse fashion of how people
want the information? I can only surmise that they must've been around in the
early days of firewalling, where you tended to block reserved-port to reserved-port
connections and allow all non-reserved originations to connect, hence the
ability to switch from using privileged ports (<1024) to non-privileged ports
(>1024) would've been an asset. Besides, it's doubtful that their technical
writers would be well versed in TCP/IP.

Anybody out there willing to try observing real-world network connections at
their site with snoop or some other sniffer? I'd be interested to see the
source and destination ports of any packets with the SYN bit flagged, as those
would be the packets initiating the session and defining the ports to be used.
I'll eventually do it here, but I have a lot of traffic to sort through at my
site.

Regards,
John I Wang
Sr. Systems Engineer
Steverson Information Professionals

---
Enron Broadband Services
3 Allen Center 3AC872e
ph (713) 345-6863
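The SYN observation proposed in the message above, worked through as an added example (not code from the thread or from NetBackup): it parses sniffer output, keeps only the SYN-without-ACK packets that open a session, and summarises per destination port which hosts initiated connections and whether every source port fell inside the 512-1023 reserved window. The tcpdump-style line format, the hostnames and the source ports are constructed assumptions; only the 13782 (bpcd) destination port comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample sniffer output in a tcpdump-like format; not captured from
# a real site. Port 13782 (bpcd) is the example port used in the thread.
SAMPLE_CAPTURE = """\
10:01:02.000 IP master.example.com.781 > client.example.com.13782: Flags [S], seq 1
10:01:02.001 IP client.example.com.13782 > master.example.com.781: Flags [S.], seq 2, ack 2
10:01:02.002 IP master.example.com.781 > client.example.com.13782: Flags [.], ack 1
10:01:03.000 IP master.example.com.966 > client.example.com.13782: Flags [S], seq 3
10:01:04.000 IP media.example.com.34512 > client.example.com.13782: Flags [S], seq 4
10:01:05.000 IP client.example.com.40001 > master.example.com.13720: Flags [S], seq 5
"""

# host.port > host.port: Flags [...]; the trailing numeric field is the port.
LINE_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def session_initiations(capture):
    """Return (src_host, sport, dst_host, dport) for every packet with SYN set
    and ACK clear; these open a session and fix the port pair a firewall must allow."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m["flags"] != "S":  # "S." is the SYN/ACK reply, not an initiation
            continue
        out.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return out


def firewall_view(initiations, reserved=(512, 1023)):
    """Collapse initiations into the destination-port view a firewall admin wants:
    for each (dst_host, dport), the initiating hosts, the source ports seen, and
    whether all of those source ports lay inside the reserved window."""
    view = defaultdict(lambda: {"sources": set(), "sports": set(), "all_reserved": True})
    lo, hi = reserved
    for src, sport, dst, dport in initiations:
        entry = view[(dst, dport)]
        entry["sources"].add(src)
        entry["sports"].add(sport)
        if not lo <= sport <= hi:
            entry["all_reserved"] = False
    return dict(view)


if __name__ == "__main__":
    for (dst, dport), e in firewall_view(session_initiations(SAMPLE_CAPTURE)).items():
        print(f"allow {sorted(e['sources'])} -> {dst}:{dport}  reserved-only={e['all_reserved']}")
```

On a real capture the `all_reserved` flag is what tells you whether a rule restricted to privileged source ports would actually pass the traffic you observed.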




From: dfdwyer@tecoenergy.com
Sent: 01/04/01 09:34 AM
To: veritas-bu AT mailman.eng.auburn DOT edu
cc: (bcc: John Wang/Contractor/Enron Communications)
Subject: [Veritas-bu] Still Another Question on Firewalls, Ports and Security



I think I'm pretty clear now on which ports have to be accommodated within the
firewall to allow NetBackup connections but there is still one question floating
around out there that begs answering ...

"Is there a way to limit which ports NetBackup will use (something less than the
complete 512 to 1024 range), thereby ensuring that a minimum number of ports will
have to be defined to the firewall software?"

My security guys are having a baby buffalo at the notion of allowing NetBackup
to have 512 ports available for use. I personally don't know if that number is
good or not, nor if it represents a real security concern. They are more
interested in a total number of available ports being 25 - 50. And oh, by the
way, they want to choose the range as well (i.e. 1000 - 1024).

Any information would be greatly appreciated. I suspect that if the answer is
"You can't do it that way", they'll set me up with the 512 - 1024 range. But hey
... I gotta at least say I asked.

Regards,

Dennis

"Time is not a test of the truth"
Translation: Just because you've always done it that way, doesn't make it right

Dennis F. Dwyer
Enterprise Storage Manager
Tampa Electric Company

(813) 225-5181  - Voice
(813) 275-3599  - FAX

Visit our corporate website at www.tecoenergy.com

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
