Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
> On Thu, 14 Mar 2013 21:02:16 +0400, Konstantin Khomoutov said:
>
> > On Wed, 13 Mar 2013 12:39:00 GMT
> > Martin Simmons wrote:
> >
> > [...]
> >
> > > The problem is that I thought it will be possible to enable TLS
> > > only on that one remote FD and add a TLS-enabled "listener" to my
> > > local SD, and leave the LAN intact. So I imagined I would set up
> > > TLS on the remote FD, do the same in the appropriate Client
> > > resource in my Director, and set up the second Storage resource in
> > > my SD config, listening on a different port and having TLS enabled
> > > *only there.*
> > >
> > > Unfortunately, SD says there can be only one Storage resource in
> > > the SD configuration file. So it now appears that TLS in Bacula
> > > supposes an all or nothing approach.
> >
> > Did you look at the TLS Require directive? It seems to allow for
> > optional TLS.
>
> Yes, but this kind of defeats the point of using TLS in the first place.
> I thought of not only enabling TLS but also enabling validation of
> client (and server) certificates for involved parties.

That's true.

> Otherwise this means any host from the internets will be able to
> connect to my SD. I do understand that since the FD "dials back" to
> SD, the Director provides some sort of authentication for them to
> handshake, but it's hard to assess how strong is that. I, for one,
> think it is not.

You can (and should) use a firewall to prevent connections from unknown
hosts on the internet.

__Martin

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
On Wed, 13 Mar 2013 12:39:00 GMT
Martin Simmons wrote:

[...]

> > The problem is that I thought it will be possible to enable TLS
> > only on that one remote FD and add a TLS-enabled "listener" to my
> > local SD, and leave the LAN intact. So I imagined I would set up
> > TLS on the remote FD, do the same in the appropriate Client
> > resource in my Director, and set up the second Storage resource in
> > my SD config, listening on a different port and having TLS enabled
> > *only there.*
> >
> > Unfortunately, SD says there can be only one Storage resource in
> > the SD configuration file. So it now appears that TLS in Bacula
> > supposes an all or nothing approach.
>
> Did you look at the TLS Require directive? It seems to allow for
> optional TLS.

Yes, but this kind of defeats the point of using TLS in the first place.
I thought of not only enabling TLS but also enabling validation of
client (and server) certificates for involved parties.
Otherwise this means any host from the internets will be able to
connect to my SD. I do understand that since the FD "dials back" to
SD, the Director provides some sort of authentication for them to
handshake, but it's hard to assess how strong is that. I, for one,
think it is not.

> > I also know about stunnel, but I'm hesitant to use it due to these
> > reasons:
> > 1) At least two stunnel instances will be required to be set up and
> >    maintained.
> > 2) Using stunnel involves unnecessary copying of (lots of) data.
>
> You could overcome 1 by using a single ssh command with the -L and -R
> options to make the tunnels.

Did not think of this, thanks for the tip!
Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
On Mar 14, 2013, at 8:04 PM, Konstantin Khomoutov wrote:

> On Thu, 14 Mar 2013 10:48:23 +0900
> Dan Langille wrote:
>
>>>> I also know about stunnel, but I'm hesitant to use it due to these
>>>> reasons:
>>>> 1) At least two stunnel instances will be required to be set up and
>>>>    maintained.
>>>> 2) Using stunnel involves unnecessary copying of (lots of) data.
>>>
>>> You could overcome 1 by using a single ssh command with the -L and
>>> -R options to make the tunnels.
>>
>> My preference of late is to not use TLS, but to use a VPN. I use
>> OpenVPN on all my remote clients.
>
> I'm a big fan of OpenVPN myself, and I use it to connect several branch
> offices with the central one, but I'm inclined to think that to back up
> a bunch of web sites (static content + dumps of several MySQL
> databases) hosted on a VPS a full-blown VPN solution appears to be slightly
> over the top.

Sure. YMMV. But for my situation, it's great. As for 'full blown', adding
a new client to the mix is easy
Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
On Thu, 14 Mar 2013 10:48:23 +0900
Dan Langille wrote:

> >> I also know about stunnel, but I'm hesitant to use it due to these
> >> reasons:
> >> 1) At least two stunnel instances will be required to be set up and
> >>    maintained.
> >> 2) Using stunnel involves unnecessary copying of (lots of) data.
> >
> > You could overcome 1 by using a single ssh command with the -L and
> > -R options to make the tunnels.
>
> My preference of late is to not use TLS, but to use a VPN. I use
> OpenVPN on all my remote clients.

I'm a big fan of OpenVPN myself, and I use it to connect several branch
offices with the central one, but I'm inclined to think that to back up
a bunch of web sites (static content + dumps of several MySQL
databases) hosted on a VPS a full-blown VPN solution appears to be
slightly over the top.
Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
On Mar 13, 2013, at 9:39 PM, Martin Simmons wrote:

>> I also know about stunnel, but I'm hesitant to use it due to these
>> reasons:
>> 1) At least two stunnel instances will be required to be set up and
>>    maintained.
>> 2) Using stunnel involves unnecessary copying of (lots of) data.
>
> You could overcome 1 by using a single ssh command with the -L and -R options
> to make the tunnels.

My preference of late is to not use TLS, but to use a VPN. I use OpenVPN on
all my remote clients.

-- 
Dan Langille - http://langille.org
Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
> On Tue, 12 Mar 2013 18:57:01 +0400, Konstantin Khomoutov said:
>
> I have a Bacula installation on my corporate LAN for some time,
> and since this is LAN I did not bother with setting up TLS.
>
> Now a need emerged to back up exactly one remote client (it's
> actually a VPS). For some reason Bacula appears to be a rather
> suitable thing to employ for this task, except for one thing: since
> this client is accessible via Internet, all communications have to be
> secure hence employing TLS appears to be a way to go.
>
> As far as I understand it, backing up a client goes like this:
> 1) The Director contacts the FD and tells it to upload such and such
>    files to a specific SD. It tells the FD which SD and also passes
>    it a special cookie to authenticate against that SD.
> 2) The FD contacts the SD and uploads its stuff.

Correct (plus the Director contacts the SD before step 1).

> So I should have the Director->FD and FD->SD communications protected
> by TLS. This means that FD should have TLS enabled for both inbound and
> outgoing connections, and SD should listen on a port with TLS enabled.
>
> The problem is that I thought it will be possible to enable TLS only on
> that one remote FD and add a TLS-enabled "listener" to my local SD,
> and leave the LAN intact. So I imagined I would set up TLS on the
> remote FD, do the same in the appropriate Client resource in my
> Director, and set up the second Storage resource in my SD config,
> listening on a different port and having TLS enabled *only there.*
>
> Unfortunately, SD says there can be only one Storage resource in the SD
> configuration file. So it now appears that TLS in Bacula supposes an
> all or nothing approach.

Did you look at the TLS Require directive? It seems to allow for
optional TLS.

> I also know about stunnel, but I'm hesitant to use it due to these
> reasons:
> 1) At least two stunnel instances will be required to be set up and
>    maintained.
> 2) Using stunnel involves unnecessary copying of (lots of) data.

You could overcome 1 by using a single ssh command with the -L and -R
options to make the tunnels.

__Martin
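The "optional TLS" arrangement discussed in this thread (TLS Enable on the SD without TLS Require, so LAN clients keep talking in clear, while the one Internet-facing FD and its Client resource in the Director require TLS with certificate verification) can be written down as follows. This is an added configuration example for illustration, not configuration posted by anyone in the thread or shipped by the Bacula project; resource names, hostnames, CNs, file paths and the password placeholder are assumptions, and the directive names follow the Bacula 5.x manual for the Storage, FileDaemon, Director (in bacula-fd.conf) and Client resources.

```conf
# Added example, not from the thread. Names, paths and CNs are assumed.
# Goal: a single SD serving both plaintext LAN clients and one remote FD
# that must use TLS with mutual certificate verification.

# ---- bacula-sd.conf on the LAN server (Director and SD on one host) ----
Storage {
  Name = lan-sd
  SDPort = 9103
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  # Offer TLS but do not require it: LAN FDs that have no TLS configured
  # still connect in clear, which is the "optional TLS" of TLS Require.
  TLS Enable = yes
  TLS Require = no
  # For every peer that DOES negotiate TLS, demand a client certificate
  # signed by our CA and restrict the accepted subject CN to the remote FD.
  TLS Verify Peer = yes
  TLS Allowed CN = "vps-fd.example.com"
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/lan-sd.pem
  TLS Key = /etc/bacula/tls/lan-sd.key
}

# ---- bacula-fd.conf on the remote VPS ----
FileDaemon {
  Name = vps-fd
  FDPort = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  # The FD -> SD data connection: this FD refuses a plaintext session, and
  # as the TLS client it checks the SD's certificate against the CA.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/vps-fd.pem
  TLS Key = /etc/bacula/tls/vps-fd.key
}

Director {
  Name = lan-dir
  Password = "CHANGE-ME-FD-PASSWORD"   # placeholder; must match the Director's Client resource
  # The Director -> FD control connection: the FD is the server here, so
  # it can verify the Director's certificate and pin its CN.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "lan-dir.example.com"
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/vps-fd.pem
  TLS Key = /etc/bacula/tls/vps-fd.key
}

# ---- bacula-dir.conf on the LAN server: only this Client resource has TLS ----
Client {
  Name = vps-fd
  Address = vps.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "CHANGE-ME-FD-PASSWORD"   # placeholder; same value as above
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/lan-dir.pem
  TLS Key = /etc/bacula/tls/lan-dir.key
}
# Other Client resources (the LAN machines) carry no TLS directives and are
# untouched; the Director's Storage resource for lan-sd likewise stays
# without TLS, so Dir -> SD remains a plaintext LAN connection.
```

Two points follow directly from the thread. First, TLS Verify Peer and TLS Allowed CN only constrain peers that negotiate TLS; with TLS Require = no on the SD, a host that simply does not offer TLS is still accepted in clear, which is exactly the concern raised above, and the firewall restriction on the SD port is what closes that gap. Second, every TLS peer of the SD is matched against the TLS Allowed CN list, so if Dir -> SD is later switched to TLS as well, the Director's CN has to be added to that list or the Director's own connections will be rejected.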
[Bacula-users] Using TLS only for one specific client -- it is possible?
I have a Bacula installation on my corporate LAN for some time,
and since this is LAN I did not bother with setting up TLS.

Now a need emerged to back up exactly one remote client (it's
actually a VPS). For some reason Bacula appears to be a rather
suitable thing to employ for this task, except for one thing: since
this client is accessible via Internet, all communications have to be
secure hence employing TLS appears to be a way to go.

As far as I understand it, backing up a client goes like this:
1) The Director contacts the FD and tells it to upload such and such
   files to a specific SD. It tells the FD which SD and also passes
   it a special cookie to authenticate against that SD.
2) The FD contacts the SD and uploads its stuff.

So I should have the Director->FD and FD->SD communications protected
by TLS. This means that FD should have TLS enabled for both inbound and
outgoing connections, and SD should listen on a port with TLS enabled.

The problem is that I thought it will be possible to enable TLS only on
that one remote FD and add a TLS-enabled "listener" to my local SD,
and leave the LAN intact. So I imagined I would set up TLS on the
remote FD, do the same in the appropriate Client resource in my
Director, and set up the second Storage resource in my SD config,
listening on a different port and having TLS enabled *only there.*

Unfortunately, SD says there can be only one Storage resource in the SD
configuration file. So it now appears that TLS in Bacula supposes an
all or nothing approach.

I also know about stunnel, but I'm hesitant to use it due to these
reasons:
1) At least two stunnel instances will be required to be set up and
   maintained.
2) Using stunnel involves unnecessary copying of (lots of) data.

Another thing I considered is running another SD with a separate
configuration file. This is doable as well but has its own apparent
downsides like the need to fork and maintain a separate init script,
inability to do copy jobs to media attached to the "main" SD etc.

So, before I settle on either full-on TLS setup or stunnel or something
else I'd like to ask if anyone here knows if it's somehow possible to do
what I need: to make just a single client use TLS and leave everything
else as is?

I'm running Director and SD on the same Debian server which has Bacula
5.2.6 installed. The remote FD will probably run Bacula 5.0.3.