Firewalls provide security by blocking unauthorized access to networked computing and communications resources. Internet Protocol (IP) ports are configured in firewalls, permitting specific kinds of information to flow to and from opened IP address:port combinations, in specific directions (in, out or both). Firewall functionality is most often provided by either a stand-alone network appliance, or firewall software running on a general-purpose computer.
SnapProtect provides additional firewall protection for the SnapProtect application software, which you configure from the CommCell Console.
CommCell components separated by a firewall must be configured to reach each other through the firewall using connection routes. Once configured, they can communicate to perform data management operations like backup, browse, and restore.
CommCell components can be configured to operate across:
- Direct Connections using port tunnels
- Port-forwarding gateways
- The perimeter network (sometimes called a DMZ) using a SnapProtect proxy
- HTTP proxies (including WiFi connections)
- Combinations of these
The pages in the Firewall area of Books Online explain the configuration required to operate CommCell components across different types of firewall, and the locations where they may be deployed.
- Outside of Books Online, you may sometimes hear a perimeter network referred to as a demilitarized zone, or DMZ.
- Client names when used in SnapProtect firewall configuration are case-sensitive. When configuring the firewall, be sure to enter the client name of each client in the same case as it appears in the CommCell Console.
The SnapProtect Firewall software supports firewall communication through these key features:
- Centralized configuration from the CommCell Console, for an individual client or for defined groups of clients.
- Predefined firewall topologies that simplify setting up connectivity between client groups through a SnapProtect firewall and/or a proxy group.
- Opening multiple ports for data transfer, to improve backup and restore performance.
- Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address, through support for network address translation (NAT). Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports configured on a port-forwarding gateway.
- Support for SnapProtect proxy configurations. The software supports placing a SnapProtect agent in a perimeter network, and configuring the firewall to allow connections from inside and outside networks into the perimeter network only.
- HTTPS encryption in the tunnels. The SnapProtect software supports HTTPS encapsulation in all tunnel connections, which protects all data in transit by using the TLS 1.2 protocol with the AES256-GCM-SHA384 cipher suite. After a successful authentication, and based on the configuration, HTTPS traffic can be encrypted with the AES256-GCM-SHA384 cipher suite; however, if you want to save CPU cycles, you can set up connections using plain text.
- Tunnel authentication using a CommCell-specific certificate. Encryption details:
- When data is transmitted using HTTPS, all tunnel connections are both encrypted and authenticated.
- CommCell hosts can be locked down to use CommCell-specific certificates for SSL/TSL authentication that is unique for every CommCell deployment.
- Certificates are encrypted using 2048-bit RSA and 3DES keys.
- CAs (certificate authorities) are provided through the CommServe host. (External CAs are neither required nor supported.)