Veritas-bu

[Veritas-bu] backing up a firewall

2001-03-23 15:36:42
Subject: [Veritas-bu] backing up a firewall
From: MPrice AT dantis DOT com (Price, Michael)
Date: Fri, 23 Mar 2001 14:36:42 -0600
 
    We have a SAN with one master/media server and two other media servers.
The three servers multihost 6 drives in an STK L700.  Each customer server
is on a separate vlan routed to the SAN through a firewall.
 
    This is just a temporary environment, though.  But the basic scheme will
be the same in our new data center.  We will also soon be implementing
serverless backups via EMC.
 
 
 -----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman AT G1 DOT com]
Sent: Friday, March 23, 2001 2:18 PM
To: 'Price, Michael'; 'Tim.McMurphy AT telus DOT com'
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: RE: [Veritas-bu] backing up a firewall



do you have one centrally located backup server?  or multiple backup
servers, one per vlan?  many people are doing hosting and other types of
customer transactions on internal servers, so I can see why people restrict
ports.  people use nat quite a bit and hide nat behind the firewall or
double layer it....  firewall->router->then internal hosts.
my feeling is that unless you have tons of security concerns, network design
issues, customer data issues, you should be able to back up a firewall without
being too restrictive.  the firewall also needs to be configured
correctly.  if it allows packets that have source addr's that are internal
hitting its external interface, and they are allowed to pass....  the
firewall has real problems.  I have seen people with issues like that, and I
can understand why they restrict internal servers heavily...

-----Original Message-----
From: Price, Michael [mailto:MPrice AT dantis DOT com]
Sent: Friday, March 23, 2001 1:30 PM
To: Chapman, Kyle; 'Tim.McMurphy AT telus DOT com'
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: RE: [Veritas-bu] backing up a firewall


    We restrict ports internally because we have different customers on
different vlans.
 

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman AT G1 DOT com]
Sent: Friday, March 23, 2001 7:57 AM
To: 'Tim.McMurphy AT telus DOT com'
Cc: 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: [Veritas-bu] backing up a firewall


is it firewall-1 you are trying to back up?  we do that as well.  I created a
rule on the firewall allowing access to the firewall itself by the NetBackup
server.  I don't know why you would restrict ports if the host is internal
to the firewall, external is another story.  if it is internal, and all your
rules are fine, you don't allow source-routing, you shouldn't have to
restrict ports.
 
KSC
301-918-0466
Network/Systems Engineer
www.g1.com <http://www.g1.com/> 
 
 
Here is a really great OS
www.freebsd.org <http://www.freebsd.org/>  
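
The two controls discussed in this thread, as an added example that is not part of the original messages: dropping packets that arrive on the external interface with an internal source address, and restricting ports so each customer VLAN can only exchange backup traffic with the backup server. Every address, VLAN name and interface name is constructed, and the ports (13782 for bpcd, 13724 for vnetd) are an assumption about what the backup traffic needs.

```python
import ipaddress
from collections import namedtuple

# Constructed topology: every address, VLAN name and port is a sample value.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BACKUP_SERVER = ipaddress.ip_address("10.0.0.10")   # reached via the "san" interface
VLANS = {"vlan-a": ipaddress.ip_network("10.1.0.0/24"),
         "vlan-b": ipaddress.ip_network("10.2.0.0/24")}
# Assumed backup ports: 13782 (bpcd, server to client), 13724 (vnetd, client to server).
TO_CLIENT, TO_SERVER = {13782}, {13724}

Packet = namedtuple("Packet", "iface src dst dport")


def vlan_of(addr):
    """Name of the customer VLAN that contains addr, or None."""
    return next((name for name, net in VLANS.items() if addr in net), None)


def decide(pkt):
    """First matching rule wins; returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    # 1. Anti-spoofing: an internal source can never arrive from outside.
    if pkt.iface == "external" and src in INTERNAL:
        return "drop", "internal source on external interface"
    # 2. A customer address must enter on its own VLAN interface.
    if src_vlan and pkt.iface != src_vlan:
        return "drop", "source not valid for ingress VLAN"
    # 3. Backup server may reach customer hosts on the backup port only.
    if pkt.iface == "san" and src == BACKUP_SERVER and dst_vlan and pkt.dport in TO_CLIENT:
        return "accept", "backup server to client"
    # 4. Customer hosts may reach the backup server on the backup port only.
    if src_vlan and dst == BACKUP_SERVER and pkt.dport in TO_SERVER:
        return "accept", "client to backup server"
    # 5. Default deny also blocks customer-to-customer traffic.
    return "drop", "no matching rule"


# Constructed sample packets.
SAMPLES = [
    Packet("external", "10.1.0.5", "10.0.0.10", 13724),   # spoofed internal source
    Packet("vlan-a", "10.1.0.5", "10.0.0.10", 13724),     # legitimate client
    Packet("san", "10.0.0.10", "10.2.0.7", 13782),        # legitimate backup server
    Packet("vlan-a", "10.1.0.5", "10.2.0.7", 13782),      # customer to customer
    Packet("vlan-b", "10.1.0.5", "10.0.0.10", 13724),     # vlan-a address on vlan-b
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", decide(p))
```

The anti-spoofing rule is evaluated before any allow rule, so a forged backup-server or customer address arriving from outside never reaches the port rules.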
 

