Hi all,
Richard Sims wrote:
Remco -
Perhaps you could elaborate on how this would be useful? Having the server ignore requests which come into the system via a certain path doesn't seem productive.
It is, actually, from a security perspective. This way, one could dedicate an instance to a subnet and be very sure it is impossible to reach from other subnets.
One other use would be to have each instance listen on port 1500 of a dedicated IP address (rather than a dedicated port on a shared IP address), though I currently don't envision using TSM that way.
Anyway, what you envision seems better effected via a firewall implemented at the environmental level (in the OS, or a router) rather than in an application (TSM).
Host based firewalls could accomplish the same but:
1- add additional load to the host, unneeded since this could very easily be programmed in the server
2- add additional cost in system administration
3- on AIX there is neither a built-in firewall, nor do any of the freeware firewalls support AIX.
4- this is very easily implemented in the system calls required to set up a TCP server anyway.
The network firewall is ineffective against hosts on the same subnet. Not that I distrust these, but auditors might...
The reason I'd like to see this implemented in TSM is that the application seems to be the proper place to configure the application. A great many applications (webserver, ftp servers, dns servers etc.) all provide this feature.
Richard Sims
On Apr 27, 2005, at 5:17 AM, Remco Post wrote:
Hi All,
We are running TSM v. 5.2.3 on AIX 5.2. Currently all of our TSM server instances listen on all IP addresses configured in the OS. I was wondering if anyone has found a way to make the TSM server not listen for connections on one or more IP addresses. I'm sure this would be very useful in my environment.
-- Kind regards,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams
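The thread's point that address selection belongs to the system calls a TCP server already makes, shown as an added example (not part of the original messages and not TSM code): the address handed to bind() decides which local addresses can reach the listener. The function names are hypothetical, and the 127.0.0.2 check in main() assumes a Linux-style loopback where all of 127.0.0.0/8 is local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a sockaddr_in for ip:port; returns 0 on success, -1 on a bad address. */
static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Listen on exactly one local address; "0.0.0.0" is the wildcard (every
 * configured address), port 0 lets the kernel choose. Returns the socket or -1. */
int listen_on(const char *ip, unsigned short port) {
    struct sockaddr_in sa;
    int fd;
    if (make_addr(&sa, ip, port) != 0 || (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually assigned to fd, or 0 on error. */
unsigned short bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) == 0 ? ntohs(sa.sin_port) : 0;
}

/* 1 if a TCP connection to ip:port is accepted, 0 if it is refused or fails. */
int can_connect(const char *ip, unsigned short port) {
    struct sockaddr_in sa;
    int fd, ok;
    if (make_addr(&sa, ip, port) != 0 || (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return 0;
    ok = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return ok;
}

int main(void) { /* constructed demo: exit 0 when only the bound address answers */
    int fd = listen_on("127.0.0.1", 0);
    unsigned short p = bound_port(fd);
    return !(can_connect("127.0.0.1", p) && !can_connect("127.0.0.2", p));
}
```

Passing "0.0.0.0" to listen_on reproduces the listen-on-all-addresses behaviour the original question describes, so the same port then answers on both loopback addresses.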
