topic Snapmirror security? Stopping man-in-the-middle in ONTAP Discussions https://community.netapp.com/t5/ONTAP-Discussions/Snapmirror-security-Stopping-man-in-the-middle/m-p/78665#M18337 <HTML><HEAD></HEAD><BODY><P>Since Snapmirror is a pull method - what stops someone who can packet sniff the network, from pulling volumes off the source filer?</P><P>With <SPAN style="font-family: courier new,courier;">/etc/snapmirror.allow</SPAN> being the only security on the source, it seems that there is a risk here.</P><P></P><P>Use case:&nbsp; OnTap 8.1.1 7-mode, FC SAN w/multiple customers. Customers would replicate over their particular network segments.</P><P></P><P> Due to FC, can't put any of the volumes in a specific vFiler, must be in vFiler0.&nbsp; </P><P>VLANs could be restricted to snapmirror traffic (good)</P><P>Restrictions could be made to limit to IP (good, but not enough)</P><P>However, anyone with control over their network would be able to spoof the destination IP.&nbsp; Then would be able to initiate snapmirrors and pull data from vol0 and potentially other vols that could be discovered.</P><P></P><P>Any way to stop this?&nbsp; Am I missing something?</P><P></P><P>(ipsec looked to be an option, but is not available in OnTap 8 7-mode)</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 05 Jun 2025 06:12:09 GMT JIM_SURLOW 2025-06-05T06:12:09Z Snapmirror security? Stopping man-in-the-middle https://community.netapp.com/t5/ONTAP-Discussions/Snapmirror-security-Stopping-man-in-the-middle/m-p/78665#M18337 <HTML><HEAD></HEAD><BODY><P>Since Snapmirror is a pull method - what stops someone who can packet sniff the network, from pulling volumes off the source filer?</P><P>With <SPAN style="font-family: courier new,courier;">/etc/snapmirror.allow</SPAN> being the only security on the source, it seems that there is a risk here.</P><P></P><P>Use case:&nbsp; OnTap 8.1.1 7-mode, FC SAN w/multiple customers. Customers would replicate over their particular network segments.</P><P></P><P> Due to FC, can't put any of the volumes in a specific vFiler, must be in vFiler0.&nbsp; </P><P>VLANs could be restricted to snapmirror traffic (good)</P><P>Restrictions could be made to limit to IP (good, but not enough)</P><P>However, anyone with control over their network would be able to spoof the destination IP.&nbsp; Then would be able to initiate snapmirrors and pull data from vol0 and potentially other vols that could be discovered.</P><P></P><P>Any way to stop this?&nbsp; Am I missing something?</P><P></P><P>(ipsec looked to be an option, but is not available in OnTap 8 7-mode)</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 05 Jun 2025 06:12:09 GMT https://community.netapp.com/t5/ONTAP-Discussions/Snapmirror-security-Stopping-man-in-the-middle/m-p/78665#M18337 JIM_SURLOW 2025-06-05T06:12:09Z Re: Snapmirror security? Stopping man-in-the-middle https://community.netapp.com/t5/ONTAP-Discussions/Snapmirror-security-Stopping-man-in-the-middle/m-p/78670#M18338 <HTML><HEAD></HEAD><BODY><P>We put snapmirror traffic on the IPSEC tunnel that is setup by outside router.&nbsp; Also the option snapmirror.check.ip can provide some additional security.</P></BODY></HTML> Wed, 16 Jan 2013 08:22:56 GMT https://community.netapp.com/t5/ONTAP-Discussions/Snapmirror-security-Stopping-man-in-the-middle/m-p/78670#M18338 PZI1234567 2013-01-16T08:22:56Z