Solved

Network firewall direction

  • 2 March 2021

Hi all.

Today we have a network setup where the CommServe and MediaAgents reside on one network and the clients on another network, separated by a firewall. We use a one-way direction connection, where clients open the connection to the CommServe/MediaAgents.

My question is, wouldn't it be more secure to have a one-way direction connection from the CommServe/MediaAgents to the clients, and not like we have it today? As I understand it, it was the standard way of doing the network settings in the “old” days.

Regards

-Anders


Best answer by Edd Rimmer 2 March 2021, 14:21


Hey Anders,

The most secure way to go about this (assuming you have a DMZ of some sort) would be to have a network gateway client in your DMZ and configure firewalls accordingly - so clients connect to the CS/MA’s via the proxy. The direction of traffic would be Client → proxy in DMZ ← CS/MA (everything connecting TO the proxy).

There are many different DMZ and firewall configurations which could be used here - but if you don’t have a DMZ and are just simply firewalling ports - then really I don’t see how one direction is more secure than the other - but consider the fact that having the CommServe initiate the connections can put extra strain on the CommServe.


Hi Anders,

As Edd mentioned, having a proxy-based connection is the most secure way. Coming back to your question, though, it also depends on where the client is sitting. If the client, for example, is exposed to external users\networks, then yes, having a connection coming from internal\CS to the client is best practice. In case the client is exploited, you don’t want to allow connection initiation from client to internal. If the client is also internal, then yeah, don’t worry about direction.
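An added example, not part of the original replies: a small Python check that flags firewall allow rules which break the "everything connects TO the gateway" layout described in the replies above. The zone networks, the rule sets and the port are constructed assumptions, not values from this thread or from the product.

```python
import ipaddress

# Constructed zone layout (assumption): documentation-range networks stand in
# for the client networks, the DMZ holding the gateway, and the backup network.
ZONES = {
    "client": ipaddress.ip_network("192.0.2.0/24"),
    "dmz": ipaddress.ip_network("198.51.100.0/24"),
    "backup": ipaddress.ip_network("203.0.113.0/24"),
}
# Initiation directions from the first reply: everything connects TO the gateway.
ALLOWED = {("client", "dmz"), ("backup", "dmz")}


def zone_of(cidr):
    """Return the zone that fully contains cidr, or 'unknown'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "unknown"


def audit(rules):
    """rules: iterable of (src_cidr, dst_cidr, port) allow rules, where src is
    the side that opens the connection. Returns a list of (rule, reason)."""
    findings = []
    for rule in rules:
        src, dst = zone_of(rule[0]), zone_of(rule[1])
        if src == dst and src != "unknown":
            continue  # intra-zone traffic does not cross the firewall
        if (src, dst) in ALLOWED:
            continue
        if src == "dmz":
            reason = "gateway in DMZ may not initiate connections"
        elif "unknown" in (src, dst):
            reason = "address outside the defined zones"
        else:
            reason = f"{src} opens connections directly into {dst}"
        findings.append((rule, reason))
    return findings


# Constructed rule sets; port 8443 is a placeholder, not a product default.
DIRECT = [("192.0.2.0/24", "203.0.113.10/32", 8443)]
VIA_GATEWAY = [("192.0.2.0/24", "198.51.100.5/32", 8443),
               ("203.0.113.0/24", "198.51.100.5/32", 8443)]

if __name__ == "__main__":
    for rule, reason in audit(DIRECT + VIA_GATEWAY):
        print(rule, "->", reason)
```

The direct client-to-backup rule is reported, while the two rules that terminate on the gateway pass.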


Thank you guys for your replies.

We do have 50+ networks that we back up, but today we just have a single firewall opening from all the networks to our backup network. It sounds like I should look into the proxy version.

If I set up a proxy, I guess this proxy needs to be of a certain size CPU/memory-wise, so as not to slow down the backup/restore speeds. Are there any recommendations on the size?

Regards

-Anders

Yes, there is - here you go. This is the recommended spec; you could always adjust based on what you are seeing around usage (assuming it's a VM).

https://documentation.commvault.com/commvault/v11_sp20/article?p=7296.htm

‘Network gateway’ is the new name, but it's the same thing as a network proxy.
