Hiya,

You got me convinced. Maybe that's why I'm not a firewall operator....

Regards,

Rick

----- Original Message -----
From: "Zlatko Krastev" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 2:28 PM
Subject: Re: Backups through a firewall

> You cannot hide them so I see no reason to change them. If firewall is
> set-up correct it should allow traffic outside DMZ to those ports. If an
> intruder compromised a TSM node in DMZ your modified ports are known.
> The main security issue (IMO) is that *SM is using same port for backups
> and for admin client sessions. And opening this port in the firewall opens
> ability to connect as administrator to the server.
>
> Zlatko Krastev
> IT Consultant
>
> Please respond to "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
> Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> cc:
>
> Subject: Re: Backups through a firewall
>
> Hi,
>
> Wanda wrote:
> > All the firewall guy had to do was create a rule that allows TCP/IP traffic
> > through the firewall for port 1500 for the particular client address.
> >
> > If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501.
> > If you want to use the web client to do TSM backups/restores remotely, that
> > uses port 1581.
> >
> > All those ports are configurable, i.e., you can tell TSM client and server
> > to use different ports if you want
>
> I would STRONGLY suggest to choose different ports. I believe there's a list
> out there, I think it's through IANA (www.iana.org - somebody please confirm
> that) that tells which port is 'registered'. Pick some free ports high up,
> preferably not next to each other (I would go pick like 7492, 9816 and 9752 -
> handpicked these :) ). Wouldn't want some h*cker discovering you're using
> 1234 with some sec hole somewhere and let him just try 1235 and 1236, now
> would we?
>
> But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least
> someone on the list will tell you, and you'll never forget (and neither will
> I).
>
> Regards,
>
> Rick
