Firewall issues

Before installing the shipping server on an exposed host, consider these risks: storage bays can be filled, packets are susceptible to snooping, and other servers can become accessible.

  • Storage bays can be filled.

    Using the shipping server on an exposed host enables anyone coming in from the network to fill storage bays on the local network, on any machine where a shipping server is available. To avoid full disks and the related problems:

    • Create all storage bays in the local network on their own partitions, so that filling the bays does not degrade system performance.
    • Install the shipping server only on machines that need it: servers with replicas, synchronization servers, and machines used by administrators.
  • Packets are susceptible to snooping.

    In normal update packets, information is not encoded. Therefore, anyone shipping packets across an unsecured network must encrypt the packets. Also, the format of an update packet is not very complicated; a dedicated programmer could figure out the format and create a packet with operations that damage a VOB or schema repository or user database. Encrypting the data makes this kind of attack much more difficult.

  • Other servers can be accessible.

    Allowing shipping server access also allows access to all servers created by the albd_server. Because the albd_server assigns port numbers in the allowed range to other servers running locally, programs from the outside network can connect to all of those servers. Therefore, the exposed host that runs the shipping server must not run other HCL VersionVault servers.
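
One way to audit the storage-bay recommendation above, written as an added example that is not part of the product or its documentation: the script reports any bay directory that shares a filesystem with a system directory or whose filesystem is nearly full. The bay paths are supplied by the administrator on the command line; the list of system directories and the 80% threshold are assumptions to adjust per site.

```python
#!/usr/bin/env python3
"""Audit storage-bay directories: own partition, and remaining headroom."""
import os
import shutil
import sys

# Assumption: directories whose filesystems must not be shared with a bay.
SYSTEM_PATHS = ("/", "/var", "/tmp")
# Assumption: report a bay once its filesystem is more than 80% full.
MAX_USED_FRACTION = 0.80


def shares_filesystem(path_a, path_b):
    """True when both paths live on the same mounted filesystem (same st_dev)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def check_bay(bay, system_paths=SYSTEM_PATHS, max_used=MAX_USED_FRACTION):
    """Return a list of findings for one bay; an empty list means it passes."""
    if not os.path.isdir(bay):
        return [f"{bay}: not a directory"]
    findings = []
    for sys_path in system_paths:
        # A full bay on a shared filesystem also fills the system directory.
        if os.path.isdir(sys_path) and shares_filesystem(bay, sys_path):
            findings.append(f"{bay}: shares a filesystem with {sys_path}")
    usage = shutil.disk_usage(bay)
    if usage.total and usage.used / usage.total > max_used:
        pct = 100 * usage.used / usage.total
        findings.append(f"{bay}: filesystem is {pct:.0f}% full")
    return findings


def audit(bays):
    """Check every bay and return all findings in input order."""
    return [finding for bay in bays for finding in check_bay(bay)]


if __name__ == "__main__":
    results = audit(sys.argv[1:])
    for line in results:
        print(line)
    # Non-zero exit lets a scheduler or monitoring job alert on findings.
    sys.exit(1 if results else 0)
```

Run it on every host that has a shipping server, passing that host's bay directories as arguments.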