
[Veritas-bu] Still Another Question on Firewalls, Ports andSecurity

2001-01-04 13:47:27
From: Mark Smiles msmiles AT lucent DOT com
Date: Thu, 04 Jan 2001 18:47:27 +0000

John,

Your précis is excellent and very clear in describing creating a TCP/IP
connection with assigned port-pairs between source and destination across a
firewall.

I would like to second this email with a request to any Veritas personnel on
this forum, to respond in the forum and give some plain old English examples with
clarification of how to do backups across a firewall with Veritas Netbackup.

Maybe this can be also peer reviewed on the forum before dissemination in the
form of a public tech bulletin.

Thanks,

Mark Smiles


John_Wang AT enron DOT net wrote:

> Hello
>
> I'm not entirely certain if it's really all of those ports that need to be
> opened. With TCP/IP connections there's the concept of origination port and
> destination port; the language in the Netbackup manual implies to me that they
> are discussing the origination ports not the destination ports, whereas what
> firewall people want is the destination ports and are usually quite happy
> allowing all origination ports to specific destination ports.
>
> For example, in a typical telnet session, the telnet client chooses a random
> origination port above 1024, i.e. a non-privileged port, and opens a connection
> to the destination port of 23. To a firewall administrator, this would be
> just opening a hole TO port 23.
>
> The fact that the manual references large privileged ranges such as 512-1024
> would suggest that Netbackup used privileged source ports as an assurance of
> authenticity, i.e. in a Unix machine, only the root user could bind such an
> origination port, hence one could trust the connection. This theory would be
> collaborated by the existence of the various options such as
> "ALLOW_NON_RESERVED_PORTS" and "CLIENT_RESERVED_PORT_WINDOW". Note also that
> the language for "CLIENT_RESERVED_PORT_WINDOW" says "Specifies the range of
> reserved ports on this computer used for connecting to Netbackup on other
> computers." which seems to me to be saying that these are origination port
> numbers. I've been through the manual looking for definitive indications of
> how the TCP traffic is arranged but aside from such obfuscated references
> suggesting that they are only talking about source ports, there is no explicit
> description of what they are doing, certainly not in the format that a firewall
> administrator would expect.
>
> I would suspect that what they really should've documented was something like
> "privileged ports from the servers to port 13782 on the client", etc. No
> doubt there should be such a statement for each service provided. If this is
> the case then although the documented 512 - 1024 in the manual is correct, what
> the firewall administrator wants to hear is "Open port 13782 outgoing, to the
> client from privileged ports." Indeed, most commercial firewall
> administrators may not even care if the originating port is privileged or not
> and would want to hear "Open port 13782 outgoing to the client." Note: I'm
> using 13782 (bpcd) as an example, no doubt there would be several of these ports
> but nothing like the ranges suggested.
>
> Why would anyone document network traffic in the reverse fashion of how people
> want the information? I can only surmise that they must've been around in the
> early days of firewalling where you tended to block reserved port to reserved
> port connections and allow all non-reserved originations to connect, hence the
> ability to switch from using privileged ports (<1024) to non-privileged ports
> (>1024) would've been an asset. Besides, it's doubtful that their technical
> writers would be well versed in TCP/IP.
>
> Anybody out there willing to try observing real world network connections at
> their site with snoop or some other sniffer?   I'd be interested to see the
> source and destination ports of any packets with the SYN bit flagged as those
> would be the packets initiating the session and defining the ports to be used.
> I'll eventually do it here but I have a lot of traffic to sort through at my
> site.
>
> Regards,
> John I Wang
> Sr. Systems Engineer
> Steverson Information Professionals
>
> ---
> Enron Broadband Services
> 3 Allen Center 3AC872e
> ph (713) 345-6863
>
> From: dfdwyer@tecoenergy.com
> Sent: 01/04/01 09:34 AM
> To: veritas-bu AT mailman.eng.auburn DOT edu
> cc: (bcc: John Wang/Contractor/Enron Communications)
> Subject: [Veritas-bu] Still Another Question on Firewalls, Ports and Security
>
> I think I'm pretty clear now on which ports have to be accommodated within the
> firewall to allow NetBackup connections but there is still one question floating
> around out there that begs answering ...
>
> "Is there a way to limit which ports NetBackup will use (something less than the
> complete 512 to 1024 range) thereby insuring that a minimum number of ports will
> have to be defined to the firewall software?"
>
> My security guys are having a baby buffalo at the notion of allowing NetBackup
> to have 512 ports available for use. I personally don't know if that number is
> good or not nor if it represents a real security concern. They are more
> interested in a total number of available ports being 25 - 50. And oh by the
> way, they want to choose the range as well (i.e., 1000 - 1024).
>
> Any information would be greatly appreciated. I suspect that if the answer is
> "You can't do it that way" they'll set me up with the 512 - 1024 range. But hey
> ... I gotta at least say I asked.
>
> Regards,
>
> Dennis
>
> "Time is not a test of the truth"
> Translation: Just because you've always done it that way, doesn't make it right
>
> Dennis F. Dwyer
> Enterprise Storage Manager
> Tampa Electric Company
>
> (813) 225-5181  - Voice
> (813) 275-3599  - FAX
>
> Visit our corporate website at www.tecoenergy.com
>
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
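John's suggestion above is to sniff the session-opening packets (SYN set, ACK clear) and read the source and destination ports off them, because those are what actually fix the port pair the firewall has to permit. The script below is an added illustration of that analysis, not code from this thread or from Veritas: it constructs a handful of raw IPv4/TCP packets in memory (standing in for a snoop capture; the addresses 10.0.0.10 and 10.0.1.20 are invented, and 13782 and 23 are the bpcd and telnet ports already mentioned in the thread), parses the headers, keeps only the pure SYNs, and renders each flow the way a firewall administrator wants to see it: one destination port, with the observed origination range and whether it fell inside the reserved (<1024) window noted as a detail.

```python
import struct
from collections import defaultdict

# TCP flag bits in header byte 13 (RFC 793).
TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_packet(src_ip, dst_ip, sport, dport, flags, proto=6):
    """Construct a minimal 40-byte IPv4 + TCP packet (no options, no payload).
    Checksums are left at zero: this is constructed sample input standing in
    for a sniffer capture, not traffic that was ever put on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, proto, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Decode the IPv4 and TCP headers; return None for anything not IPv4/TCP."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"src": bytes_to_ip(raw[12:16]), "dst": bytes_to_ip(raw[16:20]),
            "sport": sport, "dport": dport, "flags": raw[ihl + 13]}


def opens_session(pkt):
    """A pure SYN (SYN set, ACK clear) is the packet that initiates the
    connection and fixes the port pair; the SYN/ACK is only the reply."""
    return bool(pkt["flags"] & TCP_SYN) and not pkt["flags"] & TCP_ACK


def summarize_syns(packets):
    """Group session-opening packets by (initiator, target, destination port)
    and collect the origination ports that were actually used."""
    seen = defaultdict(list)
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt and opens_session(pkt):
            seen[(pkt["src"], pkt["dst"], pkt["dport"])].append(pkt["sport"])
    return dict(seen)


def firewall_rules(summary):
    """Render each flow the way a firewall administrator wants it: a single
    destination port, with the origination range as a secondary detail."""
    rules = []
    for (src, dst, dport), sports in sorted(summary.items()):
        lo, hi = min(sports), max(sports)
        if hi < 1024:
            origin = "reserved (<1024, root-only bind on Unix)"
        elif lo >= 1024:
            origin = "non-reserved (>=1024)"
        else:
            origin = "mixed"
        rules.append(f"allow tcp {src} -> {dst} dst-port {dport} "
                     f"(observed src-ports {lo}-{hi}, {origin})")
    return rules


# Constructed capture: hypothetical master server 10.0.0.10, client 10.0.1.20.
SAMPLE_PACKETS = [
    build_packet("10.0.0.10", "10.0.1.20", 1015, 13782, TCP_SYN),            # bpcd, reserved src
    build_packet("10.0.1.20", "10.0.0.10", 13782, 1015, TCP_SYN | TCP_ACK),  # reply, not a new session
    build_packet("10.0.0.10", "10.0.1.20", 1003, 13782, TCP_SYN),
    build_packet("10.0.0.10", "10.0.1.20", 998, 13782, TCP_SYN),
    build_packet("10.0.0.10", "10.0.1.20", 34567, 23, TCP_SYN),              # telnet, ephemeral src
    build_packet("10.0.0.10", "10.0.1.20", 514, 514, 0, proto=17),           # UDP, ignored
]

if __name__ == "__main__":
    for rule in firewall_rules(summarize_syns(SAMPLE_PACKETS)):
        print(rule)
```

Run against a real capture, the same two functions would take the decoded IP payloads instead of `SAMPLE_PACKETS`; the point of filtering on SYN-without-ACK is that the reply direction (here the client answering from 13782 back to 1015) never shows up as a rule of its own, which is exactly the confusion between origination and destination ports that the manual's 512-1024 wording invites.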

Mark Smiles
Unix Systems Manager, CIO EMEA IT
msmiles AT lucent DOT com
Kingswood, Kings Ride, Ascot, Berkshire SL5 8AD, United Kingdom
tel (work): +44 1344 29 6042
tel (cell): +44 7880 782 385



