ADSM-L

Re: TSM backing up in a DMZ zone.

2002-08-18 05:39:57
Subject: Re: TSM backing up in a DMZ zone.
From: Don France <DFrance-TSM AT ATT DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sun, 18 Aug 2002 02:44:04 -0700
Excellent suggestion, Mark; we recommend a private/backup-only network for
all our customers. Most had been moving toward the "cheap" side, so if a
switch goes down, the network & server teams go into major fire-drill mode.
Our suggestion is for all production servers to be dual-homed, which gives (a)
separation of backup/restore traffic, and (b) an alternative path with nominal
network admin if they lose a network segment or switch.

Re. IPX, the stated TSM direction (see v5.1 Windows) is fewer protocols; IP
and FC will be about all that's left, with IPX and NetBIOS being dropped.
So, security (as in this DMZ scenario) is best handled by network definitions in
the switches -- and isolate the TSM server to just the DMZ segments for DMZ
clients.

Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, Ca
(408) 257-3037
mailto:don_france AT att DOT net

Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)



-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Mark Stapleton
Sent: Saturday, August 17, 2002 9:37 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: TSM backing up in a DMZ zone.


> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> Seay, Paul
>
> See my responses inline.
>
>
> From: William Rosette [mailto:Bill_Rosette AT PAPAJOHNS DOT COM]
> Sent: Wednesday, July 31, 2002 10:01 AM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: TSM backing up in a DMZ zone.
>
>
> HI TSMr's,
>
>       I have a DMZ Zone going in this Tuesday and they are asking me (TSM
> admin) to see if TSM can back up servers/clients in the DMZ zone.  I have
> heard some talk on this ADSM user group about that very thing.  We are going
> to be using a Cisco Pix Firewall and eventually use a Nokia Checkpoint.  I
> gave them some options but I want to know if there are any more options that
> y'all might have.  Here are the ones I suggested.
>
> 1. Put a TSM remote server in the DMZ and share the library (3494) with the
> other server.
> This one requires port 3494 to be opened through the firewall so that the
> TSM server can talk to the library.  This one to me has some serious risks
> if the TSM server is broken into.  The reason is there is no security in the
> library to block the mtlib and lmcpd interfaces from being used to mount
> tapes belonging to other systems in the drives of this remote TSM server.
>
> 2. Since most clients (NT & Linux servers) back up in 5 to 15 minutes and
> will not need to be backed up maybe once a week, open an obscure port once a
> week for 30 minutes for all backups.
> The port on the TSM server side has to be set for all clients.  But, you
> could create a small second TSM server process on the machine inside the
> firewall or locate the remote one inside the firewall that uses this
> specific port and only allows connections from the NT & Linux servers.
> Then, set your firewall up so that only that port and connection works to the TSM
> server.  This is probably the most secure.
>
> The big negative is that the backup will be slow depending on your firewall
> and network.
>
> 3. Port access through Cisco script when backup happens.
> I am not familiar with this but it looks like 2 with some more security.
>
> 4. Direct connect to TSM server.
> Not sure what you mean by Direct Connect.
>
>
> I understand that probably each one has its security leaks and some more
> than others.  Is there someone who can share a good DMZ SLA?

There's another way.

1. Install a second NIC in each client in the DMZ.
2. Install a second NIC on the TSM server.
3. Create a private network for the DMZ clients and the TSM server to use.
4. Designate a TCP port for the server and clients to communicate through.
5. Set client backups to prompted instead of polling.
6. Turn on the second TSM server NIC.
7. Run the backup.
8. Close the server NIC.

(Steps 6-8 should run as a client schedule event with a PRESCHEDULECMD.)

This obviates the security risks in having a TSM server in the DMZ.

[I'd suggest using IPX only (instead of IP) for the private network comm
protocol (for additional security), but there seem to be some issues with
using IPX only on the TSM 5.1 server.]


--
Mark Stapleton (stapleton AT berbee DOT com)
Certified TSM consultant
Certified AIX system engineer
MCSE
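The client-side half of the eight steps above, written as a TSM UNIX client dsm.sys server stanza. This is an added example, not from either poster; the addresses, port, node name and script paths are constructed placeholders, and the server's own dsmserv.opt TCPPORT is assumed to match.

```text
* dsm.sys stanza for a DMZ client on the private backup network (constructed example).
* Addresses, port, node name and script paths are placeholders, not from the thread.
SErvername          tsm_backupnet
   COMMMethod          TCPip
   NODename            dmzweb01
   PASSWORDAccess      generate

   * Steps 3 and 4: reach the TSM server only through its second NIC on the
   * private network, on the single TCP port designated for this traffic
   * (the client default is 1500; the value here is a placeholder).
   TCPServeraddress    10.200.0.10
   TCPPort             1502

   * Step 5: prompted mode. The server initiates the session, so it must be
   * told which client address and port to prompt; binding these to the
   * client's second NIC keeps the DMZ-facing interface out of the exchange.
   SCHEDMODe           PROMPTED
   TCPClientaddress    10.200.0.21
   TCPClientport       1502

   * Steps 6 to 8: the schedule-event hooks the poster names for bringing the
   * backup NIC up before the backup and closing it afterwards.
   PRESchedulecmd      "/usr/local/bin/backupnet-up.sh"
   POSTSchedulecmd     "/usr/local/bin/backupnet-down.sh"
```

The matching dsm.opt selects this stanza with `SErvername tsm_backupnet`, so the production interface never carries backup sessions.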
