Firewall Wizards mailing list archives
Re: sms and adsm over firewalls
From: jrg () gbnet net (James R Grinter)
Date: Tue, 8 Jun 1999 22:36:36 +0100
On Fri 4 Jun, 1999, Antonomasia <ant () notatla demon co uk> wrote:
> Matthew_S_Cramer () armstrong com:
> > Using ADSM on an unprotected network is dangerous. From what I understand anyone can fire up the client and restore files to an unprotected server as it authenticates using just the IP address and maybe a weak password. I don't allow ADSM across my firewall.
>
> I was reading an IBM redbook on ADSM the other day. It had a short section on authentication which said absolutely nothing to make me understand what it actually does. Anyway, having worked with it a little and never having seen any authentication config details, I'd go with the above assessment.

My understanding of version 3 at least (but I'd go search through archives at adsm.org and ask that list if you really want to know) is that the client authenticates the server (is it really the server that it's talking to?) and the server authenticates the client (is it really that client?) via a challenge-response kind of method based upon a shared secret.

You can also set the client/server to renegotiate a password after a number of days (I don't know who generates the new one, and how good it is, though. Obviously it must store it locally, if you don't want to have to type it in each time - so if the host is compromised then someone could back up more files. They couldn't delete backups unless you gave that host permission to do that).

It definitely *does not* use the IP address as any form of authenticator.

However, my local ADSM expert said that the problem with allowing unprotected machines to access the server was that you can't limit where server-administrators can connect from, and it would allow someone to start password guessing. Anyone can get the 'dsmadmc' client, after all.

So I'd agree with the conclusion, just not the way it was reached.

James.
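
A generic sketch of mutual challenge-response over a shared secret, of the kind the message above describes. It is an added example, not part of the original post and not ADSM's actual wire protocol; HMAC-SHA256, the role labels, the `Peer` class and all other names are assumptions.

```python
import hashlib
import hmac
import secrets


def prove(secret: bytes, role: bytes, challenge: bytes) -> bytes:
    """Answer a challenge: HMAC over the prover's role label and the nonce.
    The secret never crosses the wire, and no network address is an input."""
    return hmac.new(secret, role + b"|" + challenge, hashlib.sha256).digest()


class Peer:
    """One end of the exchange (hypothetical helper for this example)."""

    def __init__(self, role: bytes, secret: bytes):
        self.role, self.secret = role, secret
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt
        return self._nonce

    def respond(self, challenge: bytes) -> bytes:
        return prove(self.secret, self.role, challenge)

    def verify(self, peer_role: bytes, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = prove(self.secret, peer_role, self._nonce)
        self._nonce = None  # single use, so a replayed response fails
        return hmac.compare_digest(expected, response)


def mutual_auth(client: Peer, server: Peer) -> bool:
    # Client checks it is really talking to the server...
    c_nonce = client.challenge()
    if not client.verify(server.role, server.respond(c_nonce)):
        return False
    # ...then the server checks it is really that client.
    s_nonce = server.challenge()
    return server.verify(client.role, client.respond(s_nonce))


if __name__ == "__main__":
    shared = b"constructed-sample-secret"  # constructed value for the demo
    print(mutual_auth(Peer(b"client", shared), Peer(b"server", shared)))
    print(mutual_auth(Peer(b"client", shared), Peer(b"server", b"guess")))
```

Each failed attempt still tells a remote party that a guess was wrong, so a scheme like this does nothing by itself about the online password guessing the message raises.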