AIX

  • 1.  bare metal restore of VIO

    Posted Fri September 16, 2011 11:20 AM

    Originally posted by: JagdipSingh


    Hi,
    TFTP has been identified as a security hole in our organization.
    That causes trouble with bare metal restores and installs from NIM to LPARs.
    What are the alternatives to back up VIO LPARs and AIX LPARs and restore
    bare metal if NIM cannot be used?
    Can NetBackup directly take a backup of a VIO or AIX LPAR and do a bare
    metal restore?
    Is there any other backup / restore solution which can, if NetBackup
    cannot?
    #AIX-Forum


  • 2.  Re: bare metal restore of VIO

    Posted Fri September 16, 2011 03:17 PM

    Originally posted by: mmveiga


    All the OSes I know use TFTP for installations over the network: Solaris Jumpstart, RHEL Kickstart and AIX NIM. I don't know about backup software like NetBackup.

    We had the same concerns about TFTP and NFS security; we used AIX IP filters to limit the servers that have access to those resources. A very good source of information is http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fipsec_setting_filters.htm

    Regards,
    Marcelo.
    #AIX-Forum


  • 3.  Re: bare metal restore of VIO

    Posted Sat September 17, 2011 01:44 PM

    Originally posted by: SystemAdmin


    Please describe what exactly you fear will happen if you use TFTP. Then people can give you a qualified answer.
    #AIX-Forum


  • 4.  Re: bare metal restore of VIO

    Posted Tue September 20, 2011 12:17 PM

    Originally posted by: Kosala


    IINM, TFTP is used as a part of the bootp remote boot protocol stack. Once the kernel image is booted (what we call a SPOT), the rest of the file transfer happens through NFS. That explains why TFTP is used in every single netboot method (things have not changed for the past couple of decades :)).

    There is the alt_disk_install method for creating backups... but I hope your company can afford an extra disk drive for each partition ;).

    Cheers,
    Ko
    #AIX-Forum


  • 5.  Re: bare metal restore of VIO

    Posted Tue September 20, 2011 04:44 PM

    Originally posted by: ers_kentwick


    Try this:
    Install and configure tcp-wrappers on your NIM server.
    For tcp-wrappers: set "hosts.allow" to allow TFTP only from selected hosts or subnets.
    For /etc/inetd.conf: set the tftp entry to use tcp-wrappers (see the tcp-wrappers documentation).
    #AIX-Forum
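As an added example that is not code from the thread or from IBM, the POSIX shell script below audits the places where the two replies above put their controls on an AIX NIM server: the tftp line in /etc/inetd.conf (is it started through tcpd?), /etc/hosts.allow and /etc/hosts.deny (is tftpd limited to named NIM clients, with a default deny?), and the AIX-specific /etc/tftpaccess.ctl, which tftpd reads to decide which directories it will serve and which NIM itself normally fills with an allow:/tftpboot line. The file paths, the client addresses, and the location of tcpd (/usr/local/sbin/tcpd, built with REAL_DAEMON_DIR=/usr/sbin) are assumptions made for the example; the sample files it writes are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not code from the thread): audit the three places an AIX NIM
# server can restrict tftp. Paths, addresses and the tcpd location are
# assumptions made for this example.
#   /etc/inetd.conf     - is the tftp service started through tcpd?
#   /etc/hosts.allow    - is tftpd limited to named NIM clients (not ALL)?
#   /etc/hosts.deny     - is there a default "ALL: ALL" deny?
#   /etc/tftpaccess.ctl - does tftpd only serve /tftpboot, not the whole tree?
# With no argument it writes constructed "good" and "bad" copies of those
# files to a temp directory and audits both; with a directory argument
# (e.g. /etc) it audits the real files.

# AIX inetd.conf fields: service type proto wait|SRC user server-path args.
# Pass only if the server-path of the tftp line is tcpd.
inetd_wrapped() {
    awk '$1 == "tftp" && $6 ~ /\/tcpd$/ { found = 1 } END { exit !found }' \
        "$1/inetd.conf" 2>/dev/null
}

# hosts.allow: a line whose daemon list names tftpd (or ALL) must exist and
# its client list must not be ALL, otherwise the wrapper lets everyone in.
hosts_allow_restricted() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 ~ /(^|,)(tftpd|ALL)(,|$)/ { found = 1
                                       if ($2 ~ /(^|,)ALL(,|$)/) bad = 1 }
        END { exit !(found && !bad) }' "$1/hosts.allow" 2>/dev/null
}

# hosts.deny: without "ALL: ALL" anything not matched in hosts.allow gets in.
hosts_deny_default() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "ALL" && $2 == "ALL" { found = 1 }
        END { exit !found }' "$1/hosts.deny" 2>/dev/null
}

# tftpaccess.ctl: AIX tftpd honours "allow:/dir" and "deny:/dir" lines here;
# if the file is missing tftpd serves any world-readable file. Require at
# least one allow: line and none that opens "/".
tftp_dirs_restricted() {
    [ -f "$1/tftpaccess.ctl" ] || return 1
    awk -F: '
        $1 == "allow" { n++; if ($2 == "/") bad = 1 }
        END { exit !(n > 0 && !bad) }' "$1/tftpaccess.ctl"
}

# audit DIR: one PASS/FAIL line per check; status 0 only if all four pass.
audit() {
    rc=0
    for chk in inetd_wrapped hosts_allow_restricted hosts_deny_default tftp_dirs_restricted; do
        if "$chk" "$1"; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return "$rc"
}

# write_samples BASE: constructed sample files, one hardened set, one stock set.
write_samples() {
    base="$1"
    mkdir -p "$base/good" "$base/bad"
    # hardened: tftp through tcpd (assumed at /usr/local/sbin/tcpd, built with
    # REAL_DAEMON_DIR=/usr/sbin so the "tftpd" argument resolves to /usr/sbin/tftpd)
    printf 'ftp\tstream\ttcp6\tnowait\troot\t/usr/sbin/ftpd\tftpd\n' \
        > "$base/good/inetd.conf"
    printf 'tftp\tdgram\tudp6\tSRC\tnobody\t/usr/local/sbin/tcpd\ttftpd -n\n' \
        >> "$base/good/inetd.conf"
    printf '# NIM clients only (constructed addresses)\ntftpd: 10.1.2.0/255.255.255.0, 10.1.3.45\n' \
        > "$base/good/hosts.allow"
    printf 'ALL: ALL\n' > "$base/good/hosts.deny"
    printf 'allow:/tftpboot\n' > "$base/good/tftpaccess.ctl"
    # stock: tftpd started directly, wrapper files permissive, no tftpaccess.ctl
    printf 'tftp\tdgram\tudp6\tSRC\tnobody\t/usr/sbin/tftpd\ttftpd -n\n' \
        > "$base/bad/inetd.conf"
    printf 'tftpd: ALL\n' > "$base/bad/hosts.allow"
    : > "$base/bad/hosts.deny"
}

if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== hardened sample"; audit "$tmp/good"
    echo "== stock sample";    audit "$tmp/bad" || echo "(expected: the stock files fail)"
    rm -rf "$tmp"
else
    audit "$1"
fi
```

Two caveats belong with this. The tcp_wrappers README warns that for a `wait`-type UDP service such as tftpd only the request that starts the daemon passes through tcpd; requests served by the still-running daemon are not re-checked, so the tftpaccess.ctl directory restriction and the AIX IP filters from the second reply are the controls to rely on for what an unauthorised host can actually fetch. And none of this touches the other scenario raised later in the thread: a rogue bootp server on the install network is a client-side problem that no configuration on the NIM server can prevent.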


  • 6.  Re: bare metal restore of VIO

    Posted Wed September 21, 2011 01:15 PM

    Originally posted by: SystemAdmin


    And the effect of the tcp-wrapper config would be: he can prevent the confidential? boot image from being downloaded by unauthorized hosts.

    Or would he rather like to prevent a random host in his network from impersonating a bootp server and handing out conspicuously modified boot images to unsuspecting yet-to-be-installed hosts?

    Both are pretty made-up answers to the question "why do I fear to use TFTP", at least in a datacenter environment with decent physical access regulation and network separation in place. You do not do your NIM installs over the internet, do you?

    I believe the topic deserves more thought than:
    "TFTP is bad"
    "tcp wrappers are good"

    I personally would refuse to invest valuable time into eliminating TFTP from server installs.
    Have the manager that fears TFTP pass a design change request to IBM to have NIM and HW microcode use HTTPS or SFTP, and move on.

    cheers
    D.
    #AIX-Forum