Frank and Rebecca, thank you for your comments and suggestions.

I understand that I'll still need to work with the firewall administrators. It just 
seems so much more complex to do Amanda's ports right -- only open the ones needed, 
using only the protocol and in only the right direction -- than to say "Open port 
10080 in both directions between tapehost and client". Right now, the firewall seems to 
have ports 10080-84 opened correctly (tested with telnet and tcpdump). They could just 
let this be.

Our setup is that our web servers are outside the firewall, but the tapehost and other 
administrative hosts, as well as all the Windows-based desktops are inside. We use 
176.14/16 addresses inside, but 'real' IP addresses outside. However, the hosts are 
side-by-side in the same rack.

If I do go with some sort of VPN, am I on the right track here?:
Both the tapehost and the client(s) all have to have a VPN (daemon? client?) on them, 
such as OpenVPN or vtun. I ask the firewall folks to open one port, like 10080, to TCP 
and UDP, in both directions to and from the tapehosts and the client(s). The notes in 
amanda.conf state that the OS routing tables control which interface is used, so I 
make some change there to connect from the tapehost to the clients using the VPN. This 
will all probably be clear to me when I pick a VPN and read the documentation.

Thanks, again, for your advice and suggestions.

-Kevin

>>> Frank Smith <[EMAIL PROTECTED]> 09/08/04 04:05PM >>>
--On Wednesday, September 08, 2004 14:41:34 -0400 KEVIN ZEMBOWER <[EMAIL PROTECTED]> 
wrote:

> Has anyone ever set up Amanda to work through a VPN as an alternative to
> working correctly through a firewall? I'm not sure a VPN is even the right
> tool to use.

Yes, we use VPNs to backup some of the data at our remote colos.  I'm not sure
it's going to make your firewall setup any easier to implement (it will still
require some firewall changes), but once you get the VPN working you can change
what goes through it without having to modify the intervening firewalls.

> I'm so frustrated with our networking group, which implements a single change
> in the firewall, then requires that we wait until the next morning to make a
> second trial if the first one doesn't work. I believe that no one really
> thoroughly understands the firewall software, an Elron CommandView firewall,
> which seems to be out of production. The last mention I can find of it
> through Google dates to 1999. Links to their website redirect to zixcorp.com.

Personally, I'd be scared if I were depending on a firewall that hasn't been
updated for 5 years.

> 
> Consequently, I'm exploring other options to get Amanda to work through or
> around this firewall. The first I thought of was a VPN. However, I only know
> what I've read about VPNs; I've never set one up or worked with it. Would a
> VPN work?

Yes, it can.

> Is it the right tool to use, short of getting the firewall to work properly
> in the first place?

It depends.  How sensitive is your data?  The backups are streamed in the clear,
although possibly compressed, so there is the potential for someone to grab it
as it goes by.  With a VPN the data stream (at least between the VPN boxes) is
encrypted, so impractical for someone to steal the data in that portion of the
data path.  If your network is secure (relative to the sensitivity of your data)
then it may not have much of an advantage.  If it is very sensitive data and
you are sending it across the Internet then a VPN should be a requirement.

> Any recommendation on specific VPN solutions to use? Anyone done this before?
> I tried searching on 'vpn' in this list's archives, but didn't turn up anything.

Being a thrifty person, I'm a fan of using a pair of cheap Linux boxes (my
backups can soak a 10Mb link over a couple of 800MHz Pentiums without any
problems with a 2.4 kernel and FreeS/WAN), the 2.6 kernels have IPSEC
capabilities built in.  As a bonus you can run iptables (netfilter) on the
same boxes and firewall what goes through your tunnel.

You may have to do some work setting up routing on both ends so your backups
actually use the VPN.

Frank

> 
> Thanks for all your help and suggestions.
> 
> -Kevin Zembower
> 
> -----
> E. Kevin Zembower
> Internet Systems Group manager
> Johns Hopkins University
> Bloomberg School of Public Health
> Center for Communications Programs
> 111 Market Place, Suite 310
> Baltimore, MD  21202
> 410-659-6139
> 



-- 
Frank Smith                                      [EMAIL PROTECTED] 
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
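Frank's last point above (routing on both ends so the backups "actually use the VPN") and Kevin's tcpdump test of ports 10080-84 suggest one concrete check: capture on each interface of the tapehost and confirm that Amanda's ports only ever show up on the tunnel device, never on the physical one. The script below is an added example written for this thread; it is not code from Amanda, OpenVPN, vtun or FreeS/WAN. It assumes `tcpdump -n` output captured separately per interface, assumes the tunnel device is named `tun0` or `ipsec0`, and the capture lines, interface names and addresses it contains are constructed for illustration.

```python
"""Audit tcpdump captures to confirm Amanda traffic rides the VPN tunnel.

Added example for this thread (not Amanda/OpenVPN/FreeS/WAN code).
Input: {interface_name: [lines from `tcpdump -n` on that interface]}.
Output: Amanda flows (TCP/UDP 10080-10084, the ports named in the thread)
split into those seen on a tunnel device and those seen in the clear.
"""
import re

AMANDA_PORTS = range(10080, 10085)      # 10080-10084, as opened on the firewall
TUNNEL_IFACES = {"tun0", "ipsec0"}      # assumption: OpenVPN (tun0) or FreeS/WAN (ipsec0)

# Matches a `tcpdump -n` line such as
#   16:05:01.100000 IP 10.8.0.1.40001 > 10.8.0.2.10080: UDP, length 80
# ESP packets ("IP a > b: ESP(spi=...)") carry no ports and are skipped,
# which is what we want: encrypted traffic on eth0 is not a finding.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):(?P<rest>.*)$"
)


def parse_line(line):
    """Return a packet dict for a TCP/UDP tcpdump line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        # tcpdump prints "UDP, length N" for UDP; TCP lines carry "Flags [...]"
        "proto": "udp" if "UDP" in rest else "tcp",
    }


def is_amanda_flow(pkt):
    return pkt["sport"] in AMANDA_PORTS or pkt["dport"] in AMANDA_PORTS


def audit_captures(captures):
    """Classify Amanda flows by the interface they were captured on.

    Returns {"tunnel": [...], "cleartext": [...]} where each entry is
    (iface, src, sport, dst, dport, proto). Anything in "cleartext" means
    backup data left the host without going through the VPN.
    """
    result = {"tunnel": [], "cleartext": []}
    for iface, lines in captures.items():
        for line in lines:
            pkt = parse_line(line)
            if pkt is None or not is_amanda_flow(pkt):
                continue
            flow = (iface, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            bucket = "tunnel" if iface in TUNNEL_IFACES else "cleartext"
            result[bucket].append(flow)
    return result


# Constructed sample captures (not real traffic). 10.8.0.x is the assumed
# tunnel subnet; 176.14.0.10 stands in for the inside tapehost address from
# the thread; 203.0.113.5 is a documentation-range stand-in for an outside client.
SAMPLE_CAPTURES = {
    "tun0": [
        "16:05:01.100000 IP 10.8.0.1.40001 > 10.8.0.2.10080: UDP, length 80",
        "16:05:01.200000 IP 10.8.0.2.10080 > 10.8.0.1.40001: UDP, length 112",
        "16:05:02.300000 IP 10.8.0.2.50010 > 10.8.0.1.10083: Flags [S], seq 1, win 5840, length 0",
    ],
    "eth0": [
        # the VPN's own transport packets: not an Amanda port, ignored
        "16:05:00.900000 IP 176.14.0.10.1194 > 203.0.113.5.1194: UDP, length 150",
        # a misrouted Amanda request going straight to the outside client in the clear
        "16:05:03.400000 IP 176.14.0.10.40002 > 203.0.113.5.10080: UDP, length 80",
        "16:05:04.000000 IP 176.14.0.10.22 > 176.14.0.99.51000: Flags [P.], seq 1:50, ack 1, win 100, length 49",
    ],
}


if __name__ == "__main__":
    report = audit_captures(SAMPLE_CAPTURES)
    print(f"{len(report['tunnel'])} Amanda flow(s) inside the tunnel")
    for flow in report["cleartext"]:
        iface, src, sport, dst, dport, proto = flow
        print(f"CLEARTEXT on {iface}: {proto} {src}:{sport} -> {dst}:{dport}")
```

Run it against real captures by reading one `tcpdump -n` file per interface into the dictionary instead of `SAMPLE_CAPTURES`; an empty `cleartext` list after a full backup run is the evidence that the routing change Frank mentions took effect. One caveat: on a 2.6 kernel using the built-in IPsec without a separate `ipsec0` device, tcpdump on the physical interface can show inbound packets both before and after decryption, so inbound hits there need a second look before being treated as a leak.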