ADSM-L

Re: Firewall backups

2004-04-22 18:49:26
Subject: Re: Firewall backups
From: Neil Rasmussen <rasmussn AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 22 Apr 2004 15:49:01 -0700
I have no comment on the best method of firewall implementation. However,
I could not let the statement that TSM sends its username/password as plain
text go by without comment.

Neither the TSM Client nor the Web-GUI sends the username/password in the
clear. I am not sure where this information came from, but it just is not
true. Here is a post from about a year ago that explains how the password
is sent; the explanation goes for the Client as well as the Web-GUI:

http://msgs.adsm.org/cgi-bin/get/adsm0302/707.html


Regards,

Neil Rasmussen
Software Development
Data Protection for Oracle
rasmussn AT us.ibm DOT com




Sal Mangiapane <salm AT vitalds DOT com>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
04/21/2004 08:06 PM
Please respond to: salm
To: ADSM-L AT VM.MARIST DOT EDU
cc:
Subject: Re: Firewall backups

We operate through firewalls differently:

We have a small VPN device that we use to create an IPSec VPN tunnel and
only have entries in the firewall for this tunnel, then we run all ITSM
traffic through the tunnel. Makes for simpler firewall settings and adds
extra security because username/password is sent as plain text by ITSM.

You will also want to limit the Web-GUI client for security reasons too
(plain text -- too).

I can provide more details, contact me directly:

salm(at)vitalds(dot)com or 724-758-3981

Sal
Vital Data Systems


> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
> Gill, Geoffrey L.
> Sent: Wednesday, April 21, 2004 6:43 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Firewall backups
>
>
> We're trying to get backups running outside a firewall and below are the
> results of a test. The network folks sent me this log to show the ports
> which are communicating during backup. On the left is the server IP; on
> the right is the client IP.
>
> The client settings are below. The question is how to get all to
> communicate on one specified port so they can tighten down acls. I've
> read the write-up on this and thought everything was set properly but I
> must be missing something. If someone has advice it would be greatly
> appreciated.
>
>
>
> Thanks,
>
>
>
> COMMmethod                           TCPIP
>
> TCPServeraddress                     xxx.xxx.xxx.xxx
>
> TCPCLIENTADDRESS               xxx.xxx.xxx.xxx
>
> WEBPORTS                             1582,1583
>
> TCPPort                                    1500
>
> TCPCLIENTPORT                      1501
>
> HTTPPort                                  1581
>
>
>
> Apr 20 17:04:50 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37317) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:04:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2200), 1 packet
>
> Apr 20 17:05:04 PDT: list TSM-Filter denied tcp xxx.xxx.xxx.xxx(37316) -> xxx.xxx.xxx.xxx(1501), 2 packets
>
> Apr 20 17:05:04 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37317) -> xxx.xxx.xxx.xxx(1501), 4 packets
>
> Apr 20 17:05:04 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2200), 5648 packets
>
> Apr 20 17:05:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37318) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:05:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37319) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:06:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37320) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:06:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37321) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:07:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37322) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:07:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37323) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:08:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37324) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:08:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37325) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:09:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37326) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:09:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37327) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:10:06 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2200), 61959 packets
>
> Apr 20 17:10:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37328) -> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:10:25 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2235), 1 packet
>
> Apr 20 17:10:41 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2235), 8 packets
>
> Apr 20 17:10:41 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) -> xxx.xxx.xxx.xxx(2200), 2586 packets
>
>
>
> Geoff Gill
> TSM Administrator
> NT Systems Support Engineer
> SAIC
> E-Mail:   gillg AT saic DOT com
> Phone:  (858) 826-4062
> Pager:   (877) 854-0975
>
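
An added example, not part of the thread and not TSM tooling: a Python parser for filter-log entries in the format quoted above, which rejoins entries that the mailer wrapped and totals packets by the client option each port matches. The addresses and log entries are constructed sample data (the thread masks the real addresses); the option-to-port map is taken from the quoted client settings.

```python
import re
from collections import Counter

# Port options from the client settings quoted in the thread.
CONFIGURED = {1500: "TCPPort", 1501: "TCPCLIENTPORT", 1581: "HTTPPort",
              1582: "WEBPORTS", 1583: "WEBPORTS"}

ENTRY = re.compile(
    r"list\s+\S+\s+(?P<action>permitted|denied)\s+tcp\s+"
    r"\S+\((?P<sport>\d+)\)\s*->\s*\S+\((?P<dport>\d+)\),\s*(?P<pkts>\d+)\s+packets?")

def unwrap(text):
    """Drop mail quote markers and rejoin entries that the mailer wrapped."""
    return " ".join(line.lstrip("> ").strip() for line in text.splitlines())

def label(port):
    """Name the configured option a port belongs to, else call it ephemeral."""
    return CONFIGURED.get(port, "ephemeral")

def summarize(text):
    """Return {(action, source label, destination label): total packets}."""
    flows = Counter()
    for m in ENTRY.finditer(unwrap(text)):
        key = (m["action"], label(int(m["sport"])), label(int(m["dport"])))
        flows[key] += int(m["pkts"])
    return flows

def no_fixed_port(flows):
    """Flows with an ephemeral port on both ends: no configured port to filter on."""
    return [k for k in flows if k[1] == k[2] == "ephemeral"]

# Constructed sample in the wrapped, quoted form seen in the thread.
# 192.0.2.10 (left, server) and 198.51.100.20 (right, client) are assumptions.
SAMPLE = """\
> Apr 20 17:04:50 PDT: list TSM-Filter permitted tcp
192.0.2.10(37317) ->
> 198.51.100.20(1501), 1 packet
>
> Apr 20 17:04:51 PDT: list TSM-Filter permitted tcp 192.0.2.10(1500)
->
> 198.51.100.20(2200), 5648 packets
> Apr 20 17:05:04 PDT: list TSM-Filter denied tcp 192.0.2.10(37316)
->
> 198.51.100.20(1501), 2 packets
> Apr 20 17:10:25 PDT: list TSM-Filter permitted tcp 192.0.2.10(1500)
->
> 198.51.100.20(2235), 1 packet
"""
```

`summarize(SAMPLE)` groups the sample into two kinds of flow, each with a configured port on one end, and `no_fixed_port` lists any flow an ACL could not match on a configured port.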
