January 13th, 2010 07:00

Security Question about Packet Reflect

We are implementing a Celerra device for user network storage. The Celerra device will have an interface on a trusted and untrusted network. Can packet reflect prevent an end user, sourced from the untrusted network, from using the device as a gateway into the trusted network?

It seems as if packet reflect would take care of reply traffic, but would the user (intentionally or unintentionally) have the ability to initiate traffic on the Celerra device to the trusted network? -- If so, what are the probable ways for the user to do this? Can this be done by saving code/app in their legitimate network storage location which then can be executed to initiate the traffic from the Celerra device thereby skirting the packet reflect defense?

Thanks in advance.

147 Posts

January 13th, 2010 08:00

Hi,

welcome to the forum.

The Celerra data movers do not route or forward traffic between interfaces.

Since the data movers run a closed kernel there also isn't any way for a user to get additional code executed there.

For attaching to untrusted networks or DMZs, though, the best practice is to put a firewall in between.

Take a look at the Celerra documentation - there is a manual detailing which ports are needed for what purpose.

If you need to restrict content you also want to put that into a VDM and put other access measures there.

Which ones depends on the protocol used - for CIFS you can create another CIFS server and limit which interfaces can be used, for NFS you can export by VLAN.

Of course you also want to separate the control station - i.e. not put it onto the restricted network.

regards

Rainer

P.S.: please consider posting in the general Celerra support forum section here

This section is for 3rd party developers - there aren't many people reading here so your chances of getting responses are lower.
