Veritas-bu

[Veritas-bu] backing up a firewall

2001-03-23 15:17:56
Subject: [Veritas-bu] backing up a firewall
From: Kyle_Chapman AT G1 DOT com (Chapman, Kyle)
Date: Fri, 23 Mar 2001 15:17:56 -0500

do you have one centrally located backup server?  or multiple backup
servers, one per vlan?  many people are doing hosting and other types of
customer transactions on internal servers, so I can see why people restrict
ports.  people use nat quite a bit and hide nat behind the firewall or
double layer it....  firewall->router->then internal hosts.
my feeling is that unless you have tons of security concerns, network design
issues, customer data issues, you should be able to back up a firewall
without being too restrictive.  the firewall also needs to be configured
correctly.  if it allows packets that have source addrs that are internal
hitting its external interface, and they are allowed to pass....  the
firewall has real problems.  I have seen people with issues like that, and I
can understand why they restrict internal servers heavily...

-----Original Message-----
From: Price, Michael [mailto:MPrice AT dantis DOT com]
Sent: Friday, March 23, 2001 1:30 PM
To: Chapman, Kyle; 'Tim.McMurphy AT telus DOT com'
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: RE: [Veritas-bu] backing up a firewall


    We restrict ports internally because we have different customers on
different vlans.
 

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman AT G1 DOT com]
Sent: Friday, March 23, 2001 7:57 AM
To: 'Tim.McMurphy AT telus DOT com'
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: [Veritas-bu] backing up a firewall


is it firewall-1 you are trying to back up?  we do that as well.  I created a
rule on the firewall allowing access to the firewall itself by the NetBackup
server.  I don't know why you would restrict ports if the host is internal
to the firewall, external is another story.  if it is internal, and all your
rules are fine, you don't allow source-routing, you shouldn't have to
restrict ports.
 
KSC
301-918-0466
Network/Systems Engineer
www.g1.com <http://www.g1.com/> 
 
 
Here is a really great OS
www.freebsd.org <http://www.freebsd.org/>  
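
The misconfiguration named in the top message (packets with internal source addresses arriving on the external interface and being passed) can be looked for in firewall logs. This is an added example, not part of the original thread; the log format, interface names and address ranges are constructed assumptions.

```python
import ipaddress

# Assumed internal address space and external interface name (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
EXTERNAL_IFACES = {"eth0"}

# Constructed sample log, one record per line: "<iface> <action> <src> <dst>"
SAMPLE_LOG = """\
eth0 accept 203.0.113.7 192.168.10.20
eth0 drop 10.1.2.3 192.168.10.20
eth0 accept 192.168.10.99 192.168.10.5
eth1 accept 192.168.10.5 192.168.10.1
eth0 accept not-an-ip 192.168.10.5
"""


def is_internal(addr):
    """True if addr falls inside any network we treat as internal."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one record and validate the addresses; raises ValueError if malformed."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected 4 fields")
    iface, action, src, dst = parts
    return iface, action, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def audit(log_text):
    """Return line numbers of spoofed-source packets seen on the external side.

    'passed' entries are the real problem: an internal source address arrived
    on the external interface and the firewall accepted it.
    """
    result = {"passed": [], "dropped": [], "malformed": []}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            iface, action, src, _dst = parse_line(line)
        except ValueError:
            result["malformed"].append(lineno)  # never silently skip bad records
            continue
        if iface in EXTERNAL_IFACES and is_internal(src):
            result["passed" if action == "accept" else "dropped"].append(lineno)
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any line number under "passed" means anti-spoofing is not enforced on the external interface; entries under "dropped" show the rule working.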
 

