ADSM-L
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ADSM thru Firewalls?

1999-09-25 15:25:55
Subject: Re: ADSM thru Firewalls?
From: "Alan R. White" <arw AT TIPPER.DEMON.CO DOT UK>
Date: Sat, 25 Sep 1999 20:25:55 +0100 
[snip]
> Further, could you clarify what you mean by
>
> "if ADSM was able to invoke the backup's from the server as opposed to the
> client,"
>
> ?  This would be precisely how I would describe normal schedule-controlled
> backups, so I think we have a vocabulary mismatch.
>
Not quite. If your client has schedmode set to prompted then yes, the server
does connect out to the client calling whatever port number the client bound
to when the 'dsmc schedule' process started (controllable through some
rarely used parameter I can't remember off the top of my head).

But, what happens next is that the client then re-connects back to the ADSM
server - it does not use the socket established by the call from the server.

So no matter whether you have schedmode prompted or polling, or if you use
client initiated backups or schedule controlled - the client always ends up
having to open a tcp connection to the server so any ssh or firewall configs
would have to take this into account.

In summary, if anyone is brave enough to put an ADSM client in a DMZ and the
server on the internal network (see numerous previous postings on this) then
you have to open up a port for server to call the client (internal -> DMZ)
and then a port for the client to call the server (DMZ -> internal).

As for putting a server in the DMZ, its not secure folks... don't do it
unless you have really worked through all the holes and have some senior
signoff for the risk. One good thing about a server in the DMZ is that you
wouldn't then have the possibility of someone hacking into a server on the
internal network from a client in the DMZ. Once on an ADSM server on the
internal network with dsmadmc widespread havoc on all ADSM clients on your
private network is possible (schedule commands as root/administrator on any
machine running dsmc schedule).

The only proposed improvement to the security situation I can come up with
is for development to seperate the port used for dsmadmc from the port used
for dsmc. You could then at least prevent admin connections to an ADSM
server inside the private network using regular port filtering. I'd be
really happy to hear if anyone can dream up a secure way to run ADSM.

My tuppence again.
Alan
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: data apparently bigger on adsm v3.1.2.40 then v2.1.7., Leo Humar
Next by Date:  Re: dsmcsvc.exe process on NT, John M. Sorensen
Previous by Thread:  Re: ADSM thru Firewalls?, Allen S. Rout
Next by Thread:  SQL server, mgmtclasses, & dsm.opt, ALLEN BARTH
Indexes:  [Date] [Thread] [Top] [All Lists]