ADSM-L

Re: TSM backing up in a DMZ zone.

2002-08-25 05:57:32
Subject: Re: TSM backing up in a DMZ zone.
From: Zlatko Krastev/ACIT <acit AT ATTGLOBAL DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sun, 25 Aug 2002 10:44:16 +0300
Mark,

I have to disagree with you. This is a nice solution from the TSM performance
perspective, but it throws away most of the security achieved by building a
DMZ. The idea of a DMZ is to isolate exposed servers so that, in case of
intrusion into one of them, the internal corporate network is still not
reachable by the intruder. If we regard an intrusion as "a failure", the DMZ is
trying to eliminate some of the single-point-of-failure threats.
In fact, what you suggest renders the DMZ part of the internal network, just
a separate segment. If a DMZ server is compromised, the intruder will not
attack the firewall (fortified and full of intrusion detection alarms) but
will attack the TSM server box and all other servers on the "TSM
backup/archive network segment".
Opening port 1500 from the DMZ to (only) the TSM server is a solution. The
drawback is that port 1500 is used by the B/A, API and administrative
clients alike. This is still less vulnerable: instead of attacking the whole
box (OS, mail, TSM web admin, etc.), only the TSM data port is exposed. For
example, the TSM vulnerability described in Tivoli Flash 4
(http://www.tivoli.com/support/storage_mgr/flash_httpport.html) is not
exposed.

Zlatko Krastev
IT Consultant
Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by:        "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To:     ADSM-L AT VM.MARIST DOT EDU
cc:

Subject:        Re: TSM backing up in a DMZ zone.

> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
> Seay, Paul
>
> See my responses inline.
>
>
> From: William Rosette [mailto:Bill_Rosette AT PAPAJOHNS DOT COM]
> Sent: Wednesday, July 31, 2002 10:01 AM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: TSM backing up in a DMZ zone.
>
>
> Hi TSMr's,
>
>       I have a DMZ zone going in this Tuesday and they are asking me (TSM
> admin) to see if TSM can back up servers/clients in the DMZ zone.  I have
> heard some talk on this ADSM user group about that very thing.  We are going
> to be using a Cisco PIX firewall and eventually use a Nokia Checkpoint.  I
> gave them some options but I want to know if there are any more options that
> y'all might have.  Here are the ones I suggested.
>
> 1. Put a TSM remote server in the DMZ and share the library (3494) with the
> other server.
> This one requires port 3494 to be opened through the firewall so that the
> TSM server can talk to the library.  This one to me has some serious risks
> if the TSM server is broken into.  The reason is there is no security in the
> library to block the mtlib and lmcpd interfaces from being used to mount
> tapes belonging to other systems in the drives of this remote TSM server.
>
> 2. Since most clients (NT & Linux servers) back up in 5 to 15 minutes and
> will need to be backed up maybe only once a week, open an obscure port once a
> week for 30 minutes for all backups.
> The port on the TSM server side has to be set for all clients.  But, you
> could create a small second TSM server process on the machine inside the
> firewall or locate the remote one inside the firewall that uses this
> specific port and only allows connections from the NT & Linux servers.
> Then, set your firewall up so that only that port and connection works to
> the TSM server.  This is probably the most secure.
>
> The big negative is that the backup will be slow depending on your firewall
> and network.
>
> 3. Port access through Cisco script when backup happens.
> I am not familiar with this but it looks like 2 with some more security.
>
> 4. Direct connect to TSM server.
> Not sure what you mean by Direct Connect.
>
>
> I understand that probably each one has its security leaks and some more
> than others.  Is there someone who can share a good DMZ SLA?

There's another way.

1. Install a second NIC in each client in the DMZ.
2. Install a second NIC on the TSM server.
3. Create a private network for the DMZ clients and the TSM server to use.
4. Designate a TCP port for the server and clients to communicate through.
5. Set client backups to prompted instead of polling.
6. Turn on the second TSM server NIC.
7. Run the backup.
8. Close the server NIC.

(Steps 6-8 should run as a client schedule event with a PRESCHEDULECMD.)

This obviates the security risks in having a TSM server in the DMZ.

[I'd suggest using IPX only (instead of IP) for the private network comm
protocol (for additional security), but there seem to be some issues with
using IPX only on the TSM 5.1 server.]


--
Mark Stapleton (stapleton AT berbee DOT com)
Certified TSM consultant
Certified AIX system engineer
MCSE
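The thread's middle option (open only the TSM client port from the DMZ hosts to only the TSM server, and nothing else) is easy to state and easy to get subtly wrong on a PIX. The following is an added example, not code from the thread or from any of its authors: a small first-match evaluator for PIX 6.x-style `access-list` lines, run against a constructed ruleset, so you can check what a compromised DMZ box could still reach. The ACL name `dmz_in`, the interface name, the addresses (10.1.2.x for the DMZ clients, 192.168.1.5 for the TSM server, 192.168.1.20 as another internal host), the probe names and the use of 1580 as the TSM web admin port are all assumptions for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample PIX 6.x-style configuration (added example; the ACL name,
# interface and all addresses are assumptions, not taken from the thread).
# 10.1.2.10 and 10.1.2.11 are the DMZ clients; 192.168.1.5 is the TSM server.
PIX_CONFIG = """
access-list dmz_in permit tcp host 10.1.2.10 host 192.168.1.5 eq 1500
access-list dmz_in permit tcp host 10.1.2.11 host 192.168.1.5 eq 1500
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
"""

TSM_SERVER = "192.168.1.5"
TSM_TCPPORT = 1500   # B/A, API and administrative clients all use this port
TSM_HTTPPORT = 1580  # assumed default web admin port; must stay unreachable


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any destination port


ACE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+(.+)$")


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(config: str, name: str) -> List[Rule]:
    """Collect the entries of one named access-list, in configuration order."""
    rules = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; a PIX access-list ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


def dmz_exposure(rules: List[Rule], dmz_host: str) -> dict:
    """What a (possibly compromised) DMZ host can still reach through this ACL."""
    probes = {
        "tsm_data_port": (TSM_SERVER, TSM_TCPPORT),        # the one thing allowed
        "tsm_web_admin": (TSM_SERVER, TSM_HTTPPORT),       # the Flash 4 exposure
        "other_internal_host": ("192.168.1.20", TSM_TCPPORT),
    }
    return {name: evaluate(rules, "tcp", dmz_host, dst, port)
            for name, (dst, port) in probes.items()}


if __name__ == "__main__":
    acl = parse_acl(PIX_CONFIG, "dmz_in")
    for host in ("10.1.2.10", "10.1.2.99"):   # listed client vs. unlisted DMZ box
        print(host, dmz_exposure(acl, host))
```

The explicit `deny ip any any` is redundant with the implicit deny but makes the intent visible in the config. Note what the check does not buy you: port 1500 still carries the administrative client protocol, so once the firewall is this tight, the TSM server's own authentication and the privileges of the node IDs registered for the DMZ clients are the remaining controls.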
