Bacula-users

[Bacula-users] Using TLS only for one specific client -- it is possible?

2013-03-12 10:59:42
Subject: [Bacula-users] Using TLS only for one specific client -- it is possible?
From: Konstantin Khomoutov <flatworm AT users.sourceforge DOT net>
To: bacula-users AT lists.sourceforge DOT net
Date: Tue, 12 Mar 2013 18:57:01 +0400
I have had a Bacula installation on my corporate LAN for some time,
and since this is a LAN I did not bother with setting up TLS.

Now a need has emerged to back up exactly one remote client (it's
actually a VPS).  For some reason Bacula appears to be a rather
suitable thing to employ for this task, except for one thing: since
this client is accessible via the Internet, all communications have to be
secure, hence employing TLS appears to be the way to go.

As far as I understand it, backing up a client goes like this:
1) The Director contacts the FD and tells it to upload such and such
   files to a specific SD.  It tells the FD which SD and also passes
   it a special cookie to authenticate against that SD.
2) The FD contacts the SD and uploads its stuff.

So I should have the Director->FD and FD->SD communications protected
by TLS.  This means that FD should have TLS enabled for both inbound and
outgoing connections, and SD should listen on a port with TLS enabled.

The problem is that I thought it would be possible to enable TLS only on
that one remote FD and add a TLS-enabled "listener" to my local SD,
and leave the LAN intact.  So I imagined I would set up TLS on the
remote FD, do the same in the appropriate Client resource in my
Director, and set up a second Storage resource in my SD config,
listening on a different port and having TLS enabled *only there.*

Unfortunately, SD says there can be only one Storage resource in the SD
configuration file.  So it now appears that TLS in Bacula supposes an
all or nothing approach.

I also know about stunnel, but I'm hesitant to use it due to these
reasons:
1) At least two stunnel instances will need to be set up and
   maintained.
2) Using stunnel involves unnecessary copying of (lots of) data.

Another thing I considered is running another SD with a separate
configuration file.  This is doable as well but has its own apparent
downsides like the need to fork and maintain a separate init script,
inability to do copy jobs to media attached to the "main" SD etc.

So, before I settle on either full-on TLS setup or stunnel or
something else I'd like to ask if anyone here knows if it's
somehow possible to do what I need: to make just a single client use
TLS and leave everything else as is?

I'm running Director and SD on the same Debian server which has Bacula
5.2.6 installed.  The remote FD will probably run Bacula 5.0.3.
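
The resource layout the post describes (TLS on the one remote Client, on the remote FD, and on the single SD Storage resource), written out as an added example that is not part of the original message and not from the Bacula project's own documentation. Resource names, addresses, passwords and the /etc/bacula/tls paths are placeholders. The directives themselves (TLS Enable, TLS Require, TLS Verify Peer, TLS Allowed CN, TLS CA Certificate File, TLS Certificate, TLS Key) are the standard Bacula TLS directives and exist in both 5.0.x and 5.2.x; the daemons must be built with OpenSSL support, as Debian's packages are.

```conf
# Added example, not from the original post. All names, addresses,
# passwords and certificate paths below are placeholders.

# --- bacula-dir.conf on the LAN server ---------------------------------
# Only the Internet-facing client gets a TLS-enabled Client resource.
# The existing LAN Client resources are left exactly as they are.
Client {
  Name = remote-fd
  Address = vps.example.org          # placeholder
  FDPort = 9102
  Catalog = MyCatalog
  Password = "fd-password"           # placeholder, must match the FD
  TLS Enable = yes
  TLS Require = yes                  # never fall back to cleartext here
  TLS Verify Peer = yes
  TLS Allowed CN = "remote-fd"       # CN the FD's certificate must carry
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/dir.crt
  TLS Key = /etc/bacula/tls/dir.key
}

# --- bacula-fd.conf on the VPS -----------------------------------------
# Director resource: inbound Director -> FD connection.
Director {
  Name = bacula-dir
  Password = "fd-password"           # placeholder
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "bacula-dir"
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/remote-fd.crt
  TLS Key = /etc/bacula/tls/remote-fd.key
}

# FileDaemon resource: the FD's own TLS identity, also what it uses
# when it connects outbound to the SD.
FileDaemon {
  Name = remote-fd
  FDport = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
  TLS Enable = yes
  TLS Require = yes                  # refuse a cleartext SD leg
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/remote-fd.crt
  TLS Key = /etc/bacula/tls/remote-fd.key
}

# --- bacula-sd.conf on the LAN server ----------------------------------
# The one and only Storage resource. TLS is enabled but not required:
# a cleartext LAN FD still connects as before, the remote FD negotiates
# TLS. The SD's Director resource is left without TLS, so the local
# Director -> SD leg stays cleartext too.
Storage {
  Name = bacula-sd
  SDPort = 9103
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
  TLS Enable = yes
  TLS Require = no                   # accept both TLS and cleartext FDs
  TLS Verify Peer = yes
  TLS Allowed CN = "remote-fd"
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/sd.crt
  TLS Key = /etc/bacula/tls/sd.key
}
```

The point of the SD fragment is that a second Storage resource or a second port is not needed: with TLS Enable = yes and TLS Require = no, the SD offers TLS during the hello exchange and uses it only when the connecting FD also offers it, otherwise the session stays cleartext as today. The downgrade risk on the Internet leg is closed from the FD side, where TLS Require = yes makes the remote FD refuse to talk to an SD that does not negotiate TLS. Verify each file before restarting with `bacula-dir -t -c /etc/bacula/bacula-dir.conf`, `bacula-sd -t -c /etc/bacula/bacula-sd.conf` and `bacula-fd -t -c /etc/bacula/bacula-fd.conf`, and confirm with a test job for remote-fd that the job log reports a TLS session rather than a refused connection.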

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users