Timur I. Bakeyev (b_a_t) wrote,
Timur I. Bakeyev

  • Mood:

Кто еще говорит, что пропраетарные решения лучше опенсорсных?

Дано - CommVault Galaxy® Data Protection 7.0 for Enterprise Deployments. Вот рекомендации по настройке фаервола:

Setting up the Customer Firewall

The customer firewall must be configured to pass the necessary TCP/IP traffic to allow the backup to function. The backup software requires that both MSI backup servers and the client servers be listening on particular TCP ports at all times, allowing either end to initiate a connection. The result of this is the firewall on the customer side must be configured to permit both inbound and outbound connections. The backup software requires that 25 TCP ports be opened from the MSI servers to the customer servers (inbound), ports 8400-8425. Ports 8400 through 8403 are used for the backup control connection, 8404 through 8425 are used for the actual data transfer. Similarly, ports 8400 through 8403 must be opened from the customer server(s) to the MSI servers for the control connection, but ports 1300 through 4000 are used for the data connection. Thus, 8400 through 8403 and 1300 through 4000 must be open from the customer to the MSI servers (outbound). Although ports 8400 through 8425 are always opened inbound at the firewall, only ports 8400 through 8403 are listening for incoming TCP connections at any given moment The ports used for the data connection are negotiated and only opened as necessary, thus reducing the opportunity for an attacker to discover them.

While it is true that 25 TCP ports must be opened at all times, the firewall needs only to permit traffic originating from or destined to the two MSI backup servers, which have static, public IP addresses. This mitigates risk as the customer firewall still protects ports 8400 through 8425 from random attacks. A potential attacker would need to spoof the MSI IP addresses and guess the TCP sequence numbers to successfully exploit any vulnerabilities within this range. A port scan would not reveal they are open since they are only open to the MSI backup servers. In addition, ports 8400 through 8425 are not commonly used ports so a potential attacker would need to have advance knowledge of the backup software running on the customer’s servers.

Как там Арканоид говорил? За такое угробище среднему третьекурснику выше двойки бы не поставили?
Tags: unix, work

  • 45, но нифига не ягодка.

    Последние лет 5, если не больше, захожу сюда только отметить очередную прибавку в возрасте... Что поделать, ФейсБук(он же МордоКнига) поглотил нас…

  • LJ 18th anniversary

    #mylivejournal #lj18 #happybirthday

  • 42!

    Традиционный пост на День рождения :) The number 42 is, in The Hitchhiker's Guide to the Galaxy by Douglas Adams, the "Answer to the…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your IP address will be recorded