Veritas-bu

[Veritas-bu] Still Another Question on Firewalls, Ports and Security

2001-01-04 14:21:35
Subject: [Veritas-bu] Still Another Question on Firewalls, Ports and S ecurity
From: Bob Bakh bbakh AT veritas DOT com
Date: Thu, 4 Jan 2001 11:21:35 -0800
I'm not a big fan of doing backups of data across a firewall: if you have data on the outside of a firewall it is in harm's way and is not really to be trusted, and poking holes in your firewall allows for easier security breaches.

For the customers that I have running backups outside their firewall, I have them set up a master outside the firewall and share the library inside the firewall.

This way they only need the vmd and tldd ports opened for communication. I think maybe also ltid and tldcd, but I may be mistaken, and the volume database host would be the master inside the firewall. Anyway, this way they have the data backed up and only a couple of holes that have definite start hosts and end hosts.

Wouldn't it be safer and more secure to not have unique data outside the firewall, but rather have a staging area internally that has a duplicate image of the data outside the firewall before it's released into production? And even burning the firewall servers onto CDs and having them run that way so no changes can be made to the system?

I'm just a leftover system admin =)

Bob

-----Original Message-----
From: Mark Smiles [mailto:msmiles AT lucent DOT com]
Sent: Thursday, January 04, 2001 10:47 AM
To: John_Wang AT enron DOT net
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Still Another Question on Firewalls, Ports and Security


John,

Your précis is excellent and very clear in describing creating a TCP/IP connection with assigned port-pairs between source and destination across a firewall.

I would like to second this email with a request to any Veritas personnel on this forum to respond in the forum and give some plain old English examples, with clarification, of how to do backups across a firewall with Veritas NetBackup.

Maybe this can also be peer reviewed on the forum before dissemination in the form of a public tech bulletin.

Thanks,

Mark Smiles


John_Wang AT enron DOT net wrote:

> Hello
>
> I'm not entirely certain if it's really all of those ports that need to be opened. With TCP/IP connections there's the concept of origination port and destination port; the language in the NetBackup manual implies to me that they are discussing the origination ports, not the destination ports, whereas what firewall people want is the destination ports, and they are usually quite happy allowing all origination ports to specific destination ports.
>
> For example, in a typical telnet session, the telnet client chooses a random origination port above 1024, i.e. a non-privileged port, and opens a connection to the destination port of 23. To a firewall administrator, this would be just opening a hole TO port 23.
>
> The fact that the manual references large privileged ranges such as 512-1024 would suggest that NetBackup used privileged source ports as an assurance of authenticity, i.e. on a Unix machine only the root user could bind such an origination port, hence one could trust the connection. This theory would be corroborated by the existence of the various options such as "ALLOW_NON_RESERVED_PORTS" and "CLIENT_RESERVED_PORT_WINDOW". Note also that the language for "CLIENT_RESERVED_PORT_WINDOW" says "Specifies the range of reserved ports on this computer used for connecting to NetBackup on other computers.", which seems to me to be saying that these are origination port numbers. I've been through the manual looking for definitive indications of how the TCP traffic is arranged, but aside from such obfuscated references suggesting that they are only talking about source ports, there is no explicit description of what they are doing, certainly not in the format that a firewall administrator would expect.
>
> I would suspect that what they really should've documented was something like "privileged ports from the servers to port 13782 on the client", etc. No doubt there should be such a statement for each service provided. If this is the case, then although the documented 512 - 1024 in the manual is correct, what the firewall administrator wants to hear is "Open port 13782 outgoing, to the client from privileged ports." Indeed, most commercial firewall administrators may not even care if the originating port is privileged or not and would want to hear "Open port 13782 outgoing to the client." Note: I'm using 13782 (bpcd) as an example; no doubt there would be several of these ports, but nothing like the ranges suggested.
>
> Why would anyone document network traffic in the reverse fashion of how people want the information? I can only surmise that they must've been around in the early days of firewalling, where you tended to block reserved port to reserved port connections and allow all non-reserved originations to connect, hence the ability to switch from using privileged ports (<1024) to non-privileged ports (>1024) would've been an asset. Besides, it's doubtful that their technical writers would be well versed in TCP/IP.
>
> Anybody out there willing to try observing real world network connections at their site with snoop or some other sniffer? I'd be interested to see the source and destination ports of any packets with the SYN bit flagged, as those would be the packets initiating the session and defining the ports to be used. I'll eventually do it here, but I have a lot of traffic to sort through at my site.
>
> Regards,
> John I Wang
> Sr. Systems Engineer
> Steverson Information Professionals
>
> ---
> Enron Broadband Services
> 3 Allen Center 3AC872e
> ph (713) 345-6863
>
> From: dfdwyer@tecoenergy.com
> Sent: 01/04/01 09:34 AM
> To: veritas-bu AT mailman.eng.auburn DOT edu
> cc: (bcc: John Wang/Contractor/Enron Communications)
> Subject: [Veritas-bu] Still Another Question on Firewalls, Ports and Security
>
> I think I'm pretty clear now on which ports have to be accommodated within the firewall to allow NetBackup connections, but there is still one question floating around out there that begs answering ...
>
> "Is there a way to limit which ports NetBackup will use (something less than the complete 512 to 1024 range), thereby ensuring that a minimum number of ports will have to be defined to the firewall software?"
>
> My security guys are having a baby buffalo at the notion of allowing NetBackup to have 512 ports available for use. I personally don't know if that number is good or not, nor if it represents a real security concern. They are more interested in a total number of available ports being 25 - 50. And oh, by the way, they want to choose the range as well (i.e. 1000 - 1024).
>
> Any information would be greatly appreciated. I suspect that if the answer is "You can't do it that way", they'll set me up with the 512 - 1024 range. But hey ... I gotta at least say I asked.
>
> Regards,
>
> Dennis
>
> "Time is not a test of the truth"
> Translation: Just because you've always done it that way doesn't make it right.
>
> Dennis F. Dwyer
> Enterprise Storage Manager
> Tampa Electric Company
>
> (813) 225-5181  - Voice
> (813) 275-3599  - FAX
>
> Visit our corporate website at www.tecoenergy.com
>
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
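The sniffer exercise John proposes, as an added example that is not part of the thread: a small script that reads tcpdump-style lines, keeps only the packets with the SYN bit set (the session initiators), groups them by source host, destination host and destination port, and reports the observed source-port window and whether it stayed inside the reserved range, which is the statement a firewall administrator wants to read. The host names, the source ports and the 13720 flow in the sample are constructed for illustration; 13782 (bpcd) is the port John cites.

```python
import re

# Constructed sample of tcpdump-style TCP lines; only the packets with the SYN
# flag set (Flags [S]) start a session and so define the port pair. The host
# names, the 13720 flow and the source ports are made-up illustration values.
SAMPLE_SYN_LINES = """\
10:47:01 IP master.example.net.913 > client.example.net.13782: Flags [S], seq 1
10:47:02 IP master.example.net.1007 > client.example.net.13782: Flags [S], seq 2
10:47:03 IP media.example.net.1021 > client.example.net.13782: Flags [S], seq 3
10:47:04 IP client.example.net.13782 > master.example.net.913: Flags [S.], seq 4
10:47:05 IP client.example.net.40123 > master.example.net.13720: Flags [S], seq 5
10:47:06 IP client.example.net.40124 > master.example.net.13720: Flags [S], seq 6
"""

LINE_RE = re.compile(r"IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\w.-]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def parse_syn_lines(text):
    """Yield (src, sport, dst, dport) for pure SYN packets. A SYN-ACK
    (flags 'S.') is the reply, not the initiator, so it is skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("flags") == "S":
            yield (m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")))

def summarize(text, reserved_max=1023):
    """Group initiating SYNs by (src host, dst host, dst port) and record the
    observed source-port window and whether every source port was reserved."""
    summary = {}
    for src, sport, dst, dport in parse_syn_lines(text):
        e = summary.setdefault((src, dst, dport),
                               {"count": 0, "min": sport, "max": sport, "reserved": True})
        e["count"] += 1
        e["min"], e["max"] = min(e["min"], sport), max(e["max"], sport)
        e["reserved"] = e["reserved"] and sport <= reserved_max
    return summary

def firewall_statements(summary):
    """Render each flow the way a firewall administrator wants to read it:
    destination host and port first, source-port window as a qualifier."""
    out = []
    for (src, dst, dport), e in sorted(summary.items()):
        origin = "reserved" if e["reserved"] else "non-reserved"
        out.append(f"allow {src} -> {dst} port {dport} ({e['count']} SYNs, "
                   f"source ports {e['min']}-{e['max']}, {origin})")
    return out

# One statement per observed flow, ready to hand to the firewall team.
STATEMENTS = firewall_statements(summarize(SAMPLE_SYN_LINES))
```

On a real capture, feed the script only SYN packets (for example the output of `tcpdump 'tcp[tcpflags] & tcp-syn != 0'`) so the window it reports reflects the initiating side and not replies.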


