Firewalls provide security by blocking unauthorized access to networked computing and communications resources. Internet Protocol (IP) ports are configured in firewalls, permitting specific kinds of information to flow to and from opened IP address:port combinations, in specific directions (in, out or both). Firewall functionality is most often provided by either a stand-alone network appliance, or firewall software running on a general-purpose computer.
SnapProtect provides additional firewall protection for the SnapProtect application software, which you configure from the CommCell Console.
CommCell components separated by a firewall must be configured to reach each other through the firewall using connection routes. Once configured, they can communicate to perform data management operations like backup, browse, and restore.
CommCell components can be configured to operate across:
- Direct Connections using port tunnels
- Port-forwarding gateways
- The perimeter network (sometimes called a DMZ) using a SnapProtect proxy
- HTTP proxies (including WiFi connections)
- Combinations of these
The pages in the Firewall area of Books Online explain the configuration required to operate CommCell components across different types of firewall, and the locations where they may be deployed.
- Outside of Books Online, you may sometimes hear a perimeter network referred to as a demilitarized zone, or DMZ.
- Client names, when used in SnapProtect firewall configuration, are case-sensitive. When configuring the firewall, be sure to enter the client name of each client in the same case as it appears in the CommCell Console.
Key features the Firewall software offers to support firewall communication include:
- Centralized configuration from the CommCell Console, for an individual client or for groups of clients.
- Opening multiple ports for data transfer, to improve backup and restore performance.
- Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address. Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports configured on a port-forwarding gateway.
- Support for SnapProtect proxy configurations. The software supports placing a SnapProtect agent in a perimeter network, and configuring the firewall to allow connections from inside and outside networks into the perimeter network only.
- HTTPS encryption in the tunnels. The SnapProtect product supports HTTPS encapsulation in all tunnel connections. This provides SSL and TLS encryption protecting all data in transit and allows for better compatibility with traffic filtering firewalls. HTTPS traffic after authentication is encrypted with AES using 256-bit keys.
- Tunnel authentication using a CommCell-specific certificate. Encryption details:
  - When data is transmitted using HTTPS, all tunnel connections are both encrypted and authenticated.
  - CommCell hosts can be locked down to use CommCell-specific certificates for SSL/TLS authentication that are unique to every CommCell deployment.
  - Certificates are encrypted using 2048-bit RSA and 3DES keys.
  - CAs (certificate authorities) are provided through the CommServe host. (External CAs are not required or supported.)