Veritas-bu

[Veritas-bu] firewall between master and media servers

2001-02-16 01:14:38
Subject: [Veritas-bu] firewall between master and media servers
From: Bob Bakh bbakh AT veritas DOT com
Date: Thu, 15 Feb 2001 22:14:38 -0800
They may have access to the tapes, but they would have to reimport them to
make any sense of them, and would have to spend a great deal of time with a
lot of luck to have any valuable data, especially if you multiplex, and I
think most admins would notice a drive being used to do an import when no
jobs are running on either of his or her masters.

Bob

-----Original Message-----
From: KevinB AT paccessglobal DOT com [mailto:KevinB AT paccessglobal DOT com]
Sent: Thursday, February 15, 2001 8:46 AM
To: bbakh AT veritas DOT com; ITerry AT cyberdialogue DOT com;
veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] firewall between master and media servers


If someone hacks the external Master they have access to all tapes.
Depending on configuration, actually retrieving data may be difficult to
impossible, but, now it puts the security responsibility in a different
area.  By this I mean that by default all firewall related issues should
have a high security awareness but internal backups typically would have
somewhat less.  Based on the cost of more monitoring/management it would
probably be cheaper to purchase two smaller robots (one for each side of the
firewall).  Obviously both security and backups are site specific so this
configuration is a valid option, just one that should be closely
scrutinized.

-----Original Message-----
From: Bob Bakh [mailto:bbakh AT veritas DOT com]
Sent: Wednesday, February 14, 2001 10:33 PM
To: Ian M Terry; veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] firewall between master and media servers


I'm going to get back on my Firewall soap box.

I don't think running NetBackup across a firewall is an inefficient and
insecure way of backing up.  What seems to work better, and the customers
I've set this up with seem to agree, is having a master on both sides of the
firewall sharing the same robot.

Since you can run Media Manager independent of NetBackup, I say set up two
Media Manager servers, one as the robot control host and volume Database
host, and the other as a slave owning a drive in the robot controlled by
server A.

Now have NetBackup set up as a master on both nodes, now you have a master
on both sides of your firewall, and still one storage of tapes.  Now all you
need are two ports to communicate through the firewall.  One for VMD to
manage tape assignments, and one for tldd, or tl8d or whatever to control
the robot, there may be one more but I'm not positive right now.

This reduces security holes, and makes backups and restores easier.

Just my opinion, but I've been known to have my head up my A** =)

Bob

-----Original Message-----
From: Ian M Terry [mailto:ITerry AT cyberdialogue DOT com]
Sent: Wednesday, February 14, 2001 1:26 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] firewall between master and media servers



thanks to all - NAT was the evil villain.  all is rockin now!  just had to
adjust a few firewall rules and disable NATing here and there.

-ian

---++---++---++-
Ian Terry x7024
Systems Administrator
Cyber Dialogue
---++---++---++-

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu