Maintain a directory mirror - Help


  1. Maintain a directory mirror

    I have a setup where several mail toasters read/write to a NFS-mounted
    filer. I want to keep a mirror of the filer volume on another machine,
    just in case the filer dies.

    One way is to mount the filer volume on another Linux box and run
    mirrordir every 'n' minutes to mirror the filer volume on to another
    directory on the Linux box. But mirrordir is still <1.0 release and I
    am looking for a tool that maintains the state of the mounted FS and
    replicates changes as they occur rather than run mirrordir every 'n'
    minutes.

    Any ideas apart from running commercial software like Veritas??

    TIA,

    Siddhartha

  2. Re: Maintain a directory mirror

    Siddhartha Jain wrote:
    > I have a setup where several mail toasters read/write to a NFS-mounted
    > filer. I want to keep a mirror of the filer volume on another machine,
    > just in case the filer dies.
    >
    > One way is to mount the filer volume on another Linux box and run
    > mirrordir every 'n' minutes to mirror the filer volume on to another
    > directory on the Linux box. But mirrordir is still <1.0 release and I
    > am looking for a tool that maintains the state of the mounted FS and
    > replicates changes as they occur rather than run mirrordir every 'n'
    > minutes.
    >
    > Any ideas apart from running commercial software like Veritas??


    Rsync is good.

    http://samba.anu.edu.au/rsync/

  3. Re: Maintain a directory mirror

    Rsync and mirrordir are similar utilities. I was looking for a daemon
    that can monitor FS changes thru the kernel and replicate the changes.
    I guess there is no such utility.

    Thanks anyways.

    Siddhartha



    jzilla wrote in message news:<401e2c4b$0$1745$5a62ac22@freenews.iinet.net.au>...
    > Siddhartha Jain wrote:
    > > I have a setup where several mail toasters read/write to a NFS-mounted
    > > filer. I want to keep a mirror of the filer volume on another machine,
    > > just in case the filer dies.
    > >
    > > One way is to mount the filer volume on another Linux box and run
    > > mirrordir every 'n' minutes to mirror the filer volume on to another
    > > directory on the Linux box. But mirrordir is still <1.0 release and I
    > > am looking for a tool that maintains the state of the mounted FS and
    > > replicates changes as they occur rather than run mirrordir every 'n'
    > > minutes.
    > >
    > > Any ideas apart from running commercial software like Veritas??

    >
    > Rsync is good.
    >
    > http://samba.anu.edu.au/rsync/


  4. Re: Maintain a directory mirror

    Siddhartha Jain wrote:
    > Rsync and mirrordir are similar utilities. I was looking for a daemon
    > that can monitor FS changes thru the kernel and replicate the changes.
    > I guess there is no such utility.
    >
    > Thanks anyways.
    >
    > Siddhartha


    If you want to do such things I would recommend you not use NFS. Try
    Intermezzo or Coda - these are replicating network filesystems (with
    many other great features).

    If not for those rich alternatives, have some consideration for the lack
    of security in NFS.

    --
    Ben M.

    ----------------
    What are Software Patents for?
    To protect the small enterprise from bigger companies.

    What do Software Patents do?
    In its current form, they protect only companies with
    big legal departments as they:
    a.) Patent everything no matter how general
    b.) Sue everybody. Even if the patent can be argued
    invalid, small companies can ill-afford the
    typical $500k cost of a law-suit (not to mention
    years of harassment).

    Don't let them take away your right to program
    whatever you like. Make a stand on Software Patents
    before it's too late.

    Read about the ongoing battle at http://swpat.ffii.org/
    ----------------


  5. Re: Maintain a directory mirror

    I would've loved to deploy something other than NFS, not for security
    reasons but for better performance and features. Security isn't a
    concern because it will be a separate private LAN.

    However, I am constrained to use NFS because the NetApp filer won't
    support any other protocol between Unix and the NetApp.

    Thanks for the suggestions though.


    Ben Measures wrote in message news:...
    > Siddhartha Jain wrote:
    > > Rsync and mirrordir are similar utilities. I was looking for a daemon
    > > that can monitor FS changes thru the kernel and replicate the changes.
    > > I guess there is no such utility.
    > >
    > > Thanks anyways.
    > >
    > > Siddhartha

    >
    > If you want to do such things I would recommend you not use NFS. Try
    > Intermezzo or Coda - these are replicating network filesystems (with
    > many other great features).
    >
    > If not for those rich alternatives, have some consideration for the lack
    > of security in NFS.
    >
    > --
    > Ben M.


  6. Re: Maintain a directory mirror

    "Siddhartha Jain" wrote in message
    news:2c39af62.0402032142.6ac201f8@posting.google.com

    > I would've loved to deploy something other than NFS, not for security
    > reasons but for better performance and features. Security isn't a
    > concern because it will be a separate private LAN.


    Why is it that some people seem to think that "security" only means some
    sort of attack from the outside?

    Most security problems actually occur from inside the LAN, due to poor
    administrative methods, some of which may leave the system/network open to
    intrusion. "Security" means reliable system/network operation and protection
    from any number of potential problems, including hardware failure, user
    error, and administrative blunders.

    Attacks from "outside" are just a subset of security concerns.


    tony


    --
    use hotmail for any email replies



    -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
    http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
    -----== Over 100,000 Newsgroups - 19 Different Servers! =-----

  7. Re: Maintain a directory mirror

    ynotssor wrote:
    > "Siddhartha Jain" wrote in message
    > news:2c39af62.0402032142.6ac201f8@posting.google.com
    >
    >
    >>I would've loved to deploy something other than NFS, not for security
    >>reasons but for better performance and features. Security isn't a
    >>concern because it will be a separate private LAN.

    >
    >
    > Why is it that some people seem to think that "security" only means some
    > sort of attack from the outside?


    It's all too easy for an outside attack to become an inside attack. Just
    one way of this being done is to email (custom) trojans to gain control
    of a computer on the inside.

    It is the unfortunate case that once/if an attack is launched from the
    inside, many (private) networks fall all too easily, completely, and
    undetectably because of this oversight.

    If you can possibly do so, take all necessary measures to secure each
    computer on the inside, especially your servers.

    --
    Ben M.



  8. Re: Maintain a directory mirror

    > Why is it that some people seem to think that "security" only means some
    > sort of attack from the outside?


    Why do you assume, like the respondent to your post, that "private"
    simply means "unroutable to the WAN, but gated through NAT or
    similar"? To me, a private LAN is a LAN that doesn't have any gateway
    - in either direction - to the outside world.

    It's perfectly valid to design a system around the assumption that all
    the people on the local wire are trusted, especially if you physically
    monitor the local wire to make sure nothing unauthorized is plugged
    into it. Such a system would not survive being connected to the
    Internet, but I didn't see that as a requirement.

  9. Re: Maintain a directory mirror

    Lewin A.R.W. Edwards wrote:
    > Why do you assume, like the respondent to your post, that "private"
    > simply means "unroutable to the WAN, but gated through NAT or
    > similar"? To me, a private LAN is a LAN that doesn't have any gateway
    > - in either direction - to the outside world.


    That's not the definition of a private LAN to most people. A private LAN
    address is just a LAN that uses IP addresses in the private ranges.

    I must admit that we did jump the gun a little and assume that the
    private LAN had an internet connection. However, the point still stands:
    you need to consider security from the inside too.

    > It's perfectly valid to design a system around the assumption that all
    > the people on the local wire are trusted, especially if you physically
    > monitor the local wire to make sure nothing unauthorized is plugged
    > into it. Such a system would not survive being connected to the
    > Internet, but I didn't see that as a requirement.


    This is definitely not a good idea, and is not taught in any network
    security books I know. Whilst external attacks are definitely on the
    rise, the most costly attacks are still attacks from the inside (by
    unknowingly manipulated or knowingly malicious employees).
    http://www.csoonline.com/analyst/report400.html

    By making all of the computers on the private LAN "trusted" you just
    move the security from a virtual realm to a physical one, and this takes
    far more effort to maintain.

    --
    Ben M.



  10. Re: Maintain a directory mirror

    "Lewin A.R.W. Edwards" wrote in message
    news:608b6569.0402050554.13fc3385@posting.google.com

    >> Why is it that some people seem to think that "security" only means
    >> some sort of attack from the outside?

    >
    > Why do you assume, like the respondent to your post, that "private"
    > simply means "unroutable to the WAN, but gated through NAT or
    > similar"? To me, a private LAN is a LAN that doesn't have any gateway
    > - in either direction - to the outside world.


    We weren't talking about what constitutes a private LAN. Why are you
    changing the subject?

    I mentioned the very incomplete picture that some people have of what
    constitutes "security".

    You have declared yourself as one of those whose idea of security is
    simply hostile intrusion from trusted users or hostile outside attackers,
    rather than the larger picture that includes hardware/software function and
    proper functioning of all components.


    tony

    --
    use hotmail for any email replies




  11. Re: Maintain a directory mirror

    Security is about understanding the value of a resource, understanding
    the risk of it being compromised and then designing appropriate
    preventive/punitive controls to cover the risks.

    In my case, I am all too well aware of NFS's insecurity. To cover that the
    private LAN is private in the sense that it does not talk to the
    outside world (not routed or NAT-ed), the hosts and the filer are in a
    private VLAN so that they do not talk to each other, MACs are bound to
    the ports with MACs defined in the MAC tables of the hosts.

    Now, I could additionally use encryption over NFS. First, I would have
    to bear the cost of using a filer that supports NFS-Secure. Can I
    afford that?? No.

    Now if the Network admin turned evil and decided to mirror all the
    client and filer ports and read all mails then so be it. I trust the
    Network admin with far more important things than this. So if he
    turned evil there are other places he could do more damage.

    The point I would like to stress is that security doesn't exist in a
    vacuum. You have to create controls taking into account the existing
    setup and $$$$$.

    Siddhartha (CISSP)


    "ynotssor" <"ynotssor"> wrote in message news:<4022f5c6_8@corp.newsgroups.com>...
    > "Lewin A.R.W. Edwards" wrote in message
    > news:608b6569.0402050554.13fc3385@posting.google.com
    >
    > >> Why is it that some people seem to think that "security" only means
    > >> some sort of attack from the outside?

    > >
    > > Why do you assume, like the respondent to your post, that "private"
    > > simply means "unroutable to the WAN, but gated through NAT or
    > > similar"? To me, a private LAN is a LAN that doesn't have any gateway
    > > - in either direction - to the outside world.

    >
    > We weren't talking about what constitutes a private LAN. Why are you
    > changing the subject?
    >
    > I mentioned the very incomplete picture that some people have of what
    > constitutes "security".
    >
    > You have declared yourself as one of those whose idea of security is
    > simply hostile intrusion from trusted users or hostile outside attackers,
    > rather than the larger picture that includes hardware/software function and
    > proper functioning of all components.
    >
    >
    > tony

