ADSM-L

Re: Dealing with firewalls

2002-01-06 18:23:02
Subject: Re: Dealing with firewalls
From: Remco Post <r.post AT SARA DOT NL>
Date: Mon, 7 Jan 2002 00:19:54 +0100
Hi,

> My site has installed a firewall. Eventually all systems that need to be
> accessible from the Internet will be outside the firewall, and all systems
> used exclusively by our own staff and students will be inside the firewall.
> We would like to use our existing TSM server to back up the systems outside
> the firewall as well as those inside. As far as I can tell, there are
> essentially only two approaches to doing this.
>
> The first approach is to configure the firewall to pass TCP traffic to and
> from port 1500 on the TSM server and configure clients outside the firewall
> to use polling mode scheduling. Some of my co-workers have suggested a
> variant of this approach in which the TSM server and its clients would be
> reconfigured to use a different port. The hope is that this would reduce
> the risk of attacks that depended on knowing the port number for TSM.
> There are some concerns about the firewall's ability to handle the volume
> of traffic to and from the TSM server.
>
Usually, internet accessible systems have very little data that changes a
lot. Furthermore, if you schedule backups at times when other traffic through
the firewall is at a minimum, you'll get your backups done faster. A modern
PC can firewall about 100 Mbit/s (any recent PC or so) even with quite
complicated rules.

If you configure the fw to only allow traffic to your TSM server on 1500 from
your outside ip-range, changing port numbers won't help a bit. NOT open is
closed ;)

If you also open the 1501 port for your server to the clients, you don't even
need to set polling mode. It's not uncommon to allow all outgoing traffic with
source and/or dest port above 1024 (or even recommended, depending on the type
of filter), so this should not be a big issue (unless you want to protect the
world from your users, which is not uncommon either ;)

> The second approach is to equip the TSM server with an additional network
> interface connected to the subnet outside the firewall. Our TSM server
> currently runs under OS/390, with one TCP/IP address space dedicated to
> supporting TSM connections. We could either configure the existing address
> space to support the new interface or add another address space to support
> the new interface.
>
I guess that all servers outside the firewall would need a separate ip-range
anyway. If you choose to go this way, consider putting up a second firewall
just to protect the systems outside (DMZ approach). Otherwise your TSM server
is wide open to the world, a situation you probably wouldn't like ;) A DMZ
that is shielded off in some way (e.g. a simple filter in the router) may save
you from a lot of problems.

> How are other TSM sites dealing with firewalls? Is there any security
> advantage in using a port other than 1500 for TSM? If we select the second
> approach, is there any security advantage in a separate TCP/IP address
> space for the new network interface?
>

--
Kind regards,

Remco Post

SARA - Stichting Academisch Rekencentrum Amsterdam
High Performance Computing  Tel. +31 20 592 8008    Fax. +31 20 668 3167

"I really didn't foresee the Internet. But then, neither did the computer
industry. Not that that tells us very much of course - the computer industry
didn't even foresee that the century was going to end." -- Douglas Adams
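As an added illustration (not part of the original thread or of TSM itself), here is a small Python model of the filter policy described above: clients in the outside ip-range may reach the TSM server on 1500, the server may reach those clients on 1501 for prompted scheduling, and everything else is dropped. The addresses are constructed documentation ranges, not the poster's network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges).
OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/24")  # hosts outside the firewall
TSM_SERVER = "192.0.2.10"                              # TSM server behind the firewall
TSM_PORT = 1500      # client -> server backup sessions
PROMPT_PORT = 1501   # server -> client "prompted" scheduling (no polling needed)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port
    action: str


def host(ip: str) -> ipaddress.IPv4Network:
    """Single-host network for use as a rule endpoint."""
    return ipaddress.ip_network(f"{ip}/32")


# First-match rule list; anything not listed falls through to DEFAULT.
RULES = [
    Rule(OUTSIDE_NET, host(TSM_SERVER), TSM_PORT, "ACCEPT"),     # outside clients -> TSM:1500
    Rule(host(TSM_SERVER), OUTSIDE_NET, PROMPT_PORT, "ACCEPT"),  # TSM -> outside clients:1501
]
DEFAULT = "DROP"  # "NOT open is closed"


def decide(src: str, dst: str, dport: int) -> str:
    """Return the action the filter takes for a TCP flow src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return DEFAULT


def accepted(flows):
    """Filter a list of (src, dst, dport) tuples down to those the policy accepts."""
    return [f for f in flows if decide(*f) == "ACCEPT"]
```

Because the rules are keyed on the outside ip-range, a scanner elsewhere on the Internet is dropped on port 1500 just the same as on any "secret" port, which is the point made above about renumbering.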