--On Wednesday, September 08, 2004 16:44:10 -0400 KEVIN ZEMBOWER <[EMAIL PROTECTED]> wrote:

> Frank and Rebecca, thank you for your comments and suggestions.
>
> I understand that I'll still need to work with the firewall administrators. It
> just seems so much more complex to do Amanda's ports right -- only open the ones
> needed, using only the protocol and in only the right direction -- than to say "Open
> port 10080 in both directions between tapehost and client". Right now, the firewall seems
> to have ports 10080-84 opened correctly (tested with telnet and tcpdump). They could
> just let this be.

Amanda uses more ports than 10080-84 (and don't forget that the 10080 port at
least is UDP and not TCP). For use with a firewall you need to build Amanda
with the --with-tcpportrange= and --with-udpportrange= options to control which
ports to use, and configure the firewall to match. Look at PORT.USAGE in the
docs directory.

> Our setup is that our web servers are outside the firewall, but the tapehost
> and other administrative hosts, as well as all the Windows-based desktops
> are inside. We use 176.14/16 addresses inside, but 'real' IP addresses
> outside. However, the hosts are side-by-side in the same rack.

Other options include running a separate private backside network on the hosts
involved, or using something like rsync to mirror the data onto the tape server
(or some other local client) and using Amanda to back up the mirror. The rsync
method is the easiest to set up, only one port through the firewall. It can
also shorten your backup window and give you better control over the time the
data is actually copied from the source.

> If I do go with some sort of VPN, am I on the right track here?:
> Both the tapehost and the client(s) all have to have a VPN (daemon?
> client?) on them, such as OpenVPN or vtun. I ask the firewall folks to
> open one port, like 10080, to TCP and UDP, in both directions to and from
> the tapehosts and the client(s). The notes in amanda.conf state that the
> OS routing tables control which interface is used, so I make some change
> there to connect from the tapehost to the clients using the VPN. This
> will all probably be clear to me when I pick a VPN and read the
> documentation.

You have the basic idea. The actual implementation depends on the software you
choose. Be careful that your tunnel setup doesn't expose all of your tapehost
to the world.

Frank

> Thanks, again, for your advice and suggestions.
>
> -Kevin
>
>>>> Frank Smith <[EMAIL PROTECTED]> 09/08/04 04:05PM >>>
> --On Wednesday, September 08, 2004 14:41:34 -0400 KEVIN ZEMBOWER <[EMAIL PROTECTED]>
> wrote:
>
>> Has anyone ever set up Amanda to work through a VPN as an alternative to
>> working correctly through a firewall? I'm not sure a VPN is even the right
>> tool to use.
>
> Yes, we use VPNs to back up some of the data at our remote colos. I'm not sure
> it's going to make your firewall setup any easier to implement (it will still
> require some firewall changes), but once you get the VPN working you can change
> what goes through it without having to modify the intervening firewalls.
>
>> I'm so frustrated with our networking group, which implements a single change
>> in the firewall, then requires that we wait until the next morning to make a
>> second trial if the first one doesn't work. I believe that no one really
>> thoroughly understands the firewall software, an Elron CommandView firewall,
>> which seems to be out of production. The last mention I can find of it
>> through Google dates to 1999. Links to their website redirect to zixcorp.com.
>
> Personally, I'd be scared if I were depending on a firewall that hasn't been
> updated for 5 years.
>
>> Consequently, I'm exploring other options to get Amanda to work through or
>> around this firewall. The first I thought of was a VPN. However, I only know
>> what I've read about VPNs; I've never set one up or worked with it. Would a
>> VPN work?
>
> Yes, it can.
>
>> Is it the right tool to use, short of getting the firewall to work properly
>> in the first place?
>
> It depends. How sensitive is your data? The backups are streamed in the clear,
> although possibly compressed, so there is the potential for someone to grab it
> as it goes by. With a VPN the data stream (at least between the VPN boxes) is
> encrypted, so impractical for someone to steal the data in that portion of the
> data path. If your network is secure (relative to the sensitivity of your data)
> then it may not have much of an advantage. If it is very sensitive data and
> you are sending it across the Internet then a VPN should be a requirement.
>
>> Any recommendation on specific VPN solutions to use? Anyone done this before?
>> I tried searching on 'vpn' in this list's archives, but didn't turn up anything.
>
> Being a thrifty person, I'm a fan of using a pair of cheap Linux boxes (my
> backups can soak a 10Mb link over a couple of 800MHz Pentiums without any
> problems with a 2.4 kernel and FreeS/WAN); the 2.6 kernels have IPSEC
> capabilities built in. As a bonus you can run iptables (netfilter) on the
> same boxes and firewall what goes through your tunnel.
>
> You may have to do some work setting up routing on both ends so your backups
> actually use the VPN.
>
> Frank
>
>> Thanks for all your help and suggestions.
>>
>> -Kevin Zembower
>>
>> -----
>> E. Kevin Zembower
>> Internet Systems Group manager
>> Johns Hopkins University
>> Bloomberg School of Public Health
>> Center for Communications Programs
>> 111 Market Place, Suite 310
>> Baltimore, MD 21202
>> 410-659-6139
>
> --
> Frank Smith                                [EMAIL PROTECTED]
> Sr. Systems Administrator                  Voice: 512-374-4673
> Hoover's Online                            Fax:   512-374-4501

--
Frank Smith                                [EMAIL PROTECTED]
Sr. Systems Administrator                  Voice: 512-374-4673
Hoover's Online                            Fax:   512-374-4501
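An added example, not part of the thread or of Amanda itself: a small POSIX shell script that, given the port ranges Amanda was built with (the --with-udpportrange= / --with-tcpportrange= options Frank mentions), prints the netfilter rules that open only those ports, in only the right protocol and direction, for review before anyone applies them. It assumes the Amanda 2.4-era, bsd-auth port usage described in PORT.USAGE (tapehost sends UDP requests from the udp range to amandad on the client, and the tapehost opens the TCP data connections to the client's tcp range) and uses hypothetical host addresses.

```shell
#!/bin/sh
# Added example, not from the thread. After building Amanda with
#   ./configure --with-udpportrange=850,854 --with-tcpportrange=50000,50100
# print the netfilter rules that open exactly those ports, in the right
# protocol and direction, so they can be reviewed before being applied.
# Assumed (Amanda 2.4-era, bsd auth): the tapehost sends UDP requests from the
# udp range to amandad (10080/udp) on the client, and the tapehost connects to
# the client's tcp range for the data, mesg and index streams. amrecover
# (10082 and 10083/tcp on the tapehost) is not covered here.

TAPEHOST=${TAPEHOST:-176.14.0.10}    # hypothetical address inside the firewall
CLIENT=${CLIENT:-198.51.100.20}      # hypothetical web server outside (TEST-NET-2)

# amanda_rules TAPEHOST CLIENT UDP_LOW UDP_HIGH TCP_LOW TCP_HIGH
# Prints one iptables command per line. Returns 1 if a range is inverted or
# the UDP range is not in the reserved ports (< 1024) that amandad's bsd auth
# expects requests to come from.
amanda_rules() {
    srv=$1 cli=$2 ulo=$3 uhi=$4 tlo=$5 thi=$6
    [ "$ulo" -le "$uhi" ] && [ "$tlo" -le "$thi" ] || return 1
    [ "$uhi" -lt 1024 ] || return 1
    cat <<EOF
# request/reply: tapehost -> amandad on the client, UDP only
iptables -A FORWARD -p udp -s $srv --sport $ulo:$uhi -d $cli --dport 10080 -j ACCEPT
iptables -A FORWARD -p udp -s $cli --sport 10080 -d $srv --dport $ulo:$uhi -j ACCEPT
# data streams: only the tapehost may open TCP connections, to the client's tcpportrange
iptables -A FORWARD -p tcp --syn -s $srv -d $cli --dport $tlo:$thi -j ACCEPT
iptables -A FORWARD -p tcp -s $cli --sport $tlo:$thi -d $srv -m state --state ESTABLISHED -j ACCEPT
# nothing else crosses between the two hosts
iptables -A FORWARD -s $srv -d $cli -j DROP
iptables -A FORWARD -s $cli -d $srv -j DROP
EOF
}

amanda_rules "$TAPEHOST" "$CLIENT" 850 854 50000 50100
```

The printed rules are the whole point: the client never gets a rule letting it open a connection to the tapehost, which is the directional constraint the thread is discussing.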
