2013-01-15 09:48 PM
Since SnapMirror is a pull method, what stops someone who can packet-sniff the network from pulling volumes off the source filer?
With /etc/snapmirror.allow being the only security on the source, it seems that there is a risk here.
Use case: ONTAP 8.1.1 7-Mode, FC SAN w/multiple customers. Customers would replicate over their particular network segments.
Due to FC, can't put any of the volumes in a specific vFiler, must be in vFiler0.
VLANs could be restricted to SnapMirror traffic (good)
Restrictions could be made to limit to IP (good, but not enough)
However, anyone with control over their network would be able to spoof the destination IP. They would then be able to initiate SnapMirrors and pull data from vol0 and potentially other vols that could be discovered.
Any way to stop this? Am I missing something?
(IPsec looked to be an option, but is not available in ONTAP 8 7-Mode)