ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Snapmirror security? Stopping man-in-the-middle

JIM_SURLOW
‎2013-01-15 09:48 PM
3,056 Views

Since Snapmirror is a pull method - what stops someone who can packet sniff the network, from pulling volumes off the source filer?

With /etc/snapmirror.allow being the only security on the source, it seems that there is a risk here.

Use case:  OnTap 8.1.1 7-mode, FC SAN w/multiple customers. Customers would replicate over their particular network segments.

Due to FC, can't put any of the volumes in a specific vFiler, must be in vFiler0. 

VLANs could be restricted to snapmirror traffic (good)

Restrictions could be made to limit to IP (good, but not enough)

However, anyone with control over their network would be able to spoof the destination IP.  Then would be able to initiate snapmirrors and pull data from vol0 and potentially other vols that could be discovered.

Any way to stop this?  Am I missing something?

(ipsec looked to be an option, but is not available in OnTap 8 7-mode)

Thanks,

0 Kudos
View By:
Tags (1)
1 REPLY 1

PZI1234567
‎2013-01-16 12:22 AM
3,056 Views

We put snapmirror traffic on the IPSEC tunnel that is setup by outside router.  Also the option snapmirror.check.ip can provide some additional security.

0 Kudos
All Community Forums
Public