Solved

Veritas - getting it to use just one port

Posted on 2002-05-22
Last Modified: 2010-04-11
Normally Veritas will try and use a broad random range of TCP/UDP ports to transfer data to the backup server.  This is a problem when trying to backup something at a higher security level off of a firewall.  Is there a means to screw down Veritas so that it only uses one port?
Question by:mmedwid
16 Comments
 
LVL 1

Expert Comment

by:s0mvnguy
ID: 7027925
I think you can create a user-defined share (\\xxx.xxx.xx.x:port number) and back up from there.

Hope this helps
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7028247
It's random on both ends?  How is the connection ever made?  Usually one end will be locked down to a single port.  
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7028454
It's the destination port that is many and random.  I know this to be the case because I've seen the syslogging of the denies on our PIX.  And later we confirmed this is the default behavior of Veritas.  
0
 
LVL 41

Accepted Solution

by:
stevenlewis earned 300 total points
ID: 7028654
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7028805
stevenlewis - that's just what I'm looking for.  Do you know if you can crank it down as low as one port?  e.g. a range of 5000 to 5000 or 4999 to 5000?  I imagine the issue would be if you had any other machines backing up at the same time and you had overlap you'd be hosed.  But if you carefully arranged your backups not to have overlapping port #s - should be okay.  Any experience?
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7029706
Why can't you just lock it down by the end that already has a single static port?  Are there details around this that make this not trustable or possible?  

I have a hard time believing that the destination (target for initial SYN packet) is random.  

Either way, as long as you trust the "source" that has the static port and know that it is on a secure segment and spoofing cannot come into play, you should be able to lock it down by using that end.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030654
As the document states - the destination port is definitely different each time.  It's not exactly random - it starts at port 5000 and the next session will use 4999 and the next 4998 and so on.  It must be from some stupid old programming that only allowed one host at a time to reach the backup server at a particular port.  Just a guess.  

I'm not sure I follow your last paragraph.  The device would be on a secure DMZ - PIX security level 50.  I'd call that zone somewhat trusted.  More trusted than outside anyhow.  The backup server is inside.  I want to open as few ports as is absolutely possible.  One is best.  If I receive no other answer - I'll just test cranking it down to one port and see if it plays.

0
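As an added illustration that is not part of this thread (not the poster's code, nor anything from Veritas): a small Python script that reads PIX 106023 "Deny" syslog lines like the ones mmedwid mentions, lists which destination ports on the backup server each DMZ client was denied on, and works out the smallest range (plus a matching permit line) that would cover what was actually observed. The log lines are constructed, the exact 106023 message layout is an assumption about the PIX format, and the access-list name dmz_in, the interface names and all addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread). The layout follows the
# PIX 106023 "Deny" syslog message; the exact text on a given PIX OS release is
# an assumption here, so compare against a real line from your own firewall.
SAMPLE_LOG = """\
May 22 2002 10:01:03 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.10/1043 dst inside:10.0.0.5/5000 by access-group "dmz_in"
May 22 2002 10:01:06 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.10/1044 dst inside:10.0.0.5/4999 by access-group "dmz_in"
May 22 2002 10:01:09 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.10/1045 dst inside:10.0.0.5/4998 by access-group "dmz_in"
May 22 2002 10:02:11 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.11/1201 dst inside:10.0.0.5/4997 by access-group "dmz_in"
May 22 2002 10:02:30 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.11/1202 dst inside:10.0.0.5/4996 by access-group "dmz_in"
May 22 2002 10:03:00 fw1 %PIX-4-106023: Deny tcp src dmz:192.168.50.10/1047 dst inside:10.0.0.9/25 by access-group "dmz_in"
Some unrelated syslog line that the parser must ignore
"""

# Pulls protocol, source/destination interface, address and port out of a deny line.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_denies(text):
    """Return one dict per 106023 deny line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["src_port"] = int(ev["src_port"])
            ev["dst_port"] = int(ev["dst_port"])
            events.append(ev)
    return events


def ports_per_client(events, dst_ip, proto="tcp"):
    """Map each source IP to the sorted destination ports it was denied on for dst_ip."""
    seen = defaultdict(set)
    for ev in events:
        if ev["dst_ip"] == dst_ip and ev["proto"] == proto:
            seen[ev["src_ip"]].add(ev["dst_port"])
    return {ip: sorted(ports) for ip, ports in seen.items()}


def port_range(events, dst_ip, proto="tcp"):
    """Smallest port range covering every denied destination port toward dst_ip.

    Returns (low, high, distinct_ports, contiguous) or None if nothing was seen.
    contiguous is True when the denied ports fill the range with no gaps, which
    is what the count-down-from-5000 behaviour described in the thread produces.
    """
    ports = {ev["dst_port"] for ev in events
             if ev["dst_ip"] == dst_ip and ev["proto"] == proto}
    if not ports:
        return None
    low, high = min(ports), max(ports)
    return low, high, len(ports), (high - low + 1) == len(ports)


def acl_line(dst_ip, low, high, src_net="192.168.50.0",
             src_mask="255.255.255.0", proto="tcp"):
    """Render a PIX-style permit for the observed range (ACL name dmz_in is hypothetical)."""
    port_clause = f"eq {low}" if low == high else f"range {low} {high}"
    return (f"access-list dmz_in permit {proto} {src_net} {src_mask} "
            f"host {dst_ip} {port_clause}")


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    print(ports_per_client(evs, "10.0.0.5"))
    rng = port_range(evs, "10.0.0.5")
    print("range:", rng)
    print(acl_line("10.0.0.5", rng[0], rng[1]))
```

Run it against a day of real deny logs before the rule is written: the per-client listing shows whether two clients ever share a port (the overlap mmedwid worries about), and the contiguous flag tells you whether a single `range` permit covers the traffic or whether something else is also being denied.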
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7030710
mmedwid I haven't tried it, test it and see.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030735
Will do.  Our backup guy is out for the long weekend.  Next week we'll try it out.  
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7030751
Our backup guy is out for the long weekend
Must be nice LOL
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030807
The grass is always greener.  :-)
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7039976
From our Mr. Backup dude...

"You can lower the number of ports, but that lowers the number for ALL clients.  Then you have all your clients competing for the few open ports that there are and only a few backup jobs run.  It's crazy, but that's the way their product works.  To back up through firewalls, you need a media server which is another expensive license, and another server on the other side of the firewall.  "

...anyone know any more on this?  
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7039991
btw - what crappy code that Veritas only allows one client to connect on one particular port at a time.  Unreal given what they charge for their crud.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7040016
I am still not exactly following how this transaction works.  The only way I can see it working from the way you are describing is if it works similar to FTP, where a single port is used initially until new ports are negotiated, at which point it is "deterministically random".  If this is not the case, then there has to be a single port or small group of ports that can be determined.

However, since you are not crossing the public interface and this is between your DMZ and your backup server, why not just allow all traffic from those servers to your backup server?  It's not ideal, I will grant you, but unless there is something I am missing, it is really the only way.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7064939
At the end of the day - it looks like there is no good answer to my question.  But your pointing to that Veritas documentation helped me get to that conclusion.  Thanks.
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7065580
mmedwid, wish we could have been more help
0