In a message dated: Wed, 05 Jul 2000 19:11:55 EDT
John Abreau said:

>We're trying to set up a Veritas backup system, and it's been suggested
>that we add an additional network card to each host to create an extra LAN
>for the backups. I'm concerned because this will bypass our firewall.
>However, one of the reasons we need to do this is that the existing
>Veritas setup is apparently overloading the firewall, and the backup
>processes lose their connections and abort when this happens.
>
>How do other sites do this sort of thing? How do you make it secure? I
>would imagine something like ipchains on Linux could be configured to
>restrict the new network so only Veritas activity gets passed along, but I
>don't know what the equivalent on Solaris would be.
>
>The hosts to backup include Solaris, NT, and Linux systems.

Well, we're avoiding it by not backing up anything outside our firewall at
this point :) (nothing out there we can't recreate in 10 minutes at this point)

I think what I would do is create a private subnet by adding a second ethernet 
interface as suggested, but then connect it back to the inside via a separate 
firewall, maybe a Linux IPChains system.  If you use private address space 
here, like 192.168 addresses, none of that can get routed to the internet.
Keep the Linux firewall completely shut to everything except ssh and the port 
Veritas needs to connect to these systems.  You might even go so far as to 
keep the Veritas port closed *except* when the backups are actually running.  
You could do this via cron and a couple of shell scripts.  If you know that 
backups kick off at 10:55 each night, have cron on the firewall open the port, 
then when backups are finished, have it close the port.  That way no one can 
get in at any time, and your exposure is limited to only when backups are 
actually running.
-- 
Seeya,
Paul
----
        "I always explain our company via interpretive dance.
             I meet lots of interesting people that way."
                                          Niall Kavanagh, 10 April, 2000

         If you're not having fun, you're not doing it right!



**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
