Hi Frank,

Thanks for sharing this with me as it is very useful and will allow me to
possibly remove the OpenVPN part from the design that we are considering
since Bacula seems to be able to take care of this matter for us as a
built in feature.

I guess that I still have the major question of being able to traverse
firewalls and routers since, as you have mentioned, the Bacula server
initiates the connections to the clients and the client software does not
initiate any connection to the server, although I think that would be a
nice feature as well.

We want to close off as many of the ports to the Bacula server as we can
since it is the only service on that server in the most secure way
possible.

Thanks again and have a good day,
Lonnie

On Fri, October 6, 2006 07:58, Frank Sweetser wrote:
> On Fri, Oct 06, 2006 at 07:36:55AM -0500, [EMAIL PROTECTED] wrote:
>
>> Greetings All,
>>
>> Although TLS is a good protocol from what I have read, establishing a
>> VPN allows the client side to easily tunnel over firewalls and seems to
>> be a more secure method in that the VPN will be using certificates to
>> establish the links, which is better than open passwords from my basic
>> initial reading.
>
> When I said that bacula uses the same libraries that OpenVPN does, I
> meant *exactly* the same.  OpenVPN uses the same openssl libraries and
> TLS certificate code for authentication and key exchange.  If you're
> using the TLS code in bacula, the passwords you've read about don't even
> come into play until after TLS authentication has successfully completed
> and the tunnel is encrypted.
>
>> We will have only a very few open ports to the Bacula cluster and it
>> appeared to me that having the client side initiate an OpenVPN
>> connection to the main director server, perform the encrypted backup,
>> and disconnect until the next scheduled backup is an optimal method
>> although I may be wrong.
>
> The problem is that with OpenVPN, you want to have lots of clients
> connecting to a single server.  With bacula, you have a single server
> connecting to lots of clients.  This means that the server wouldn't be
> able to initiate a backup job unless the client had chosen to bring up
> the tunnel first.  I'm not even sure how well it would work to have a
> single OpenVPN client on the director server simultaneously connecting
> to multiple OpenVPN servers on the bacula clients.
>
> I'd bet that if you try to shoehorn a VPN based solution around bacula,
> you'll end up with a lot more headaches, but not much more security.
>
> --
> Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
> WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
> GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
>
>
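As an added example (not from this thread and not the Bacula project's own sample configs), here is what Frank's point looks like in the two configuration files involved: the client's file daemon accepts only a TLS-authenticated director, and the director's Client resource connects outbound to it. Hostnames, certificate paths, CN values and the password are assumptions.

```conf
# bacula-fd.conf on the client (assumed host backup-client01.example.com).
# The FD listens on TCP 9102, so the client-side firewall must allow inbound
# connections from the director's address; TLS then restricts who may talk.
Director {
  Name = backup-dir
  Password = "REPLACE-WITH-LONG-RANDOM-FD-PASSWORD"   # exchanged only after the TLS handshake
  TLS Enable = yes
  TLS Require = yes                      # refuse any director that does not negotiate TLS
  TLS Verify Peer = yes                  # director must present a cert signed by our CA
  TLS Allowed CN = "backup-dir.example.com"   # and that cert's CN must match (assumed CN)
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/backup-client01.pem
  TLS Key = /etc/bacula/tls/backup-client01.key
}

FileDaemon {
  Name = backup-client01-fd
  FDport = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 2
}

Messages {
  Name = Standard
  director = backup-dir = all, !skipped, !restored
}

# bacula-dir.conf on the director (assumed host backup-dir.example.com).
# Director -> FD is the only direction used, as Frank describes.
Client {
  Name = backup-client01-fd
  Address = backup-client01.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "REPLACE-WITH-LONG-RANDOM-FD-PASSWORD"   # must match the FD's Director block
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/backup-dir.pem
  TLS Key = /etc/bacula/tls/backup-dir.key
}
```

The director needs no inbound port for file daemons; the only inbound rule lives on each client (TCP 9102 from the director's address), and with TLS Require and TLS Allowed CN set, a connection that cannot complete the certificate handshake is rejected before the password step is ever reached.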
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users