Networker

Re: [Networker] Legato firewall question

2004-01-30 17:13:28
Subject: Re: [Networker] Legato firewall question
From: Oscar Olsson <spam1 AT QBRANCH DOT SE>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 30 Jan 2004 20:30:29 +0100
On Fri, 30 Jan 2004, Kenneth Larsen wrote:

KL> The Legato through a firewall has been up quite a few times. And probably
KL> will continue to be so until Legato makes a smooth solution.
KL> But until then, I think the easiest way is to make a VPN tunnel through the
KL> firewall and only allow Legato to use it. It may cost a bit more in
KL> hardware but most firewall admins will probably like that solution better
KL> than having to open the ports required for Legato to make it work.
KL>
KL> Before the backup starts you open the tunnel from the server, and when it's
KL> all done you close it down again, for optimal security. Of course you will
KL> have to open the tunnel to make recoveries etc.
KL>
KL> I have heard though that Legato is working on this firewall issue, and
KL> perhaps we will see something soon....

I think this approach is very easy to deface for a motivated hacker or
similar. Just time the attacks, and one will gain access to the entire
network, if successful. Also, considering the massive amounts of data that
has to be tunneled, a tunnel-interface in a routed switch will probably
cause all packets that go through that tunnel to be software switched. Thus
the switch/router performance will be severely degraded. An external
device won't scale well either, considering that you will have up to 1 Gbit
of network throughput during the backup window in a large environment
(like ours), especially if the servers that get backed up are on several
different LANs.

To put it straight: There is no way of firewalling a Legato server to
complete satisfaction. In fact, it will probably generate more
problems/downtime to do so.

The real solution is to get Legato to throw away all that unnecessary RPC
junk and to use a single-port protocol instead, and make the server
initiate all TCP connections to the client, which allows people to use
state-aware filtering, or at least only allow TCP traffic in one direction
with the "ESTABLISHED" bit set. Of course, to run manual backups/recoveries
from the server would need a way for the client to send requests to the
server without having a pre-established TCP connection. However, this
could be a trade-off for sites with high security standards, since in that
case, restores will/should only be allowed to be initiated by the server
anyway.

By the way, while we're discussing Legato security, the auth mechanisms
(based on forward/reverse hostname resolving) seem kind of weak to me. I
haven't seen any security bulletins about buffer overflows and similar in
Legato at all. Is it really that secure or is it just because no
security-related people/corporations find any interest in a product that
is almost never directly exposed to the Internet?

//Oscar
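
The filtering model described in the message above, as an added example that is not part of the original post: a small Python simulation comparing a stateless "established" rule (ACK or RST set) with a simplified state-aware filter when the server opens every connection to one client port. The addresses, port 9000 and all packets are constructed for illustration; the message does not give NetWorker's real ports.

```python
from dataclasses import dataclass

SERVER, CLIENT = "10.0.0.5", "192.0.2.20"  # constructed addresses
BACKUP_PORT = 9000                          # hypothetical single client port


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def outbound_allowed(p):
    """Rule shared by both filters: server -> client:BACKUP_PORT only."""
    return p.src == SERVER and p.dst == CLIENT and p.dport == BACKUP_PORT


def stateless_established(p):
    """One-direction filter: inbound packets need ACK or RST set."""
    if outbound_allowed(p):
        return True
    return (p.src == CLIENT and p.sport == BACKUP_PORT and p.dst == SERVER
            and bool(p.flags & {"ACK", "RST"}))


class StatefulFilter:
    """Simplified state-aware filter (no teardown or sequence tracking)."""
    def __init__(self):
        self.flows = set()

    def check(self, p):
        if outbound_allowed(p):
            if p.flags == {"SYN"}:  # remember flows the server opened
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound must be the reverse of a recorded server-opened flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run(trace):
    """Return (stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFilter()
    return [(stateless_established(p), fw.check(p)) for p in trace]


TRACE = [  # constructed packets
    Pkt(SERVER, 40000, CLIENT, BACKUP_PORT, frozenset({"SYN"})),         # server opens session
    Pkt(CLIENT, BACKUP_PORT, SERVER, 40000, frozenset({"SYN", "ACK"})),  # client reply
    Pkt(CLIENT, 51000, SERVER, 7000, frozenset({"SYN"})),                # client-initiated connect
    Pkt(CLIENT, BACKUP_PORT, SERVER, 41000, frozenset({"ACK"})),         # ACK with no matching flow
]
```

Both filters pass the server-opened session and drop the client-initiated connect; only the state-aware filter drops the last packet, which is why the flag-only rule is the weaker of the two options.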
