HP StorageWorks Application Recovery Manager Installation and Licensing Guide (T4395-96002, February 2008)
Maintaining the Installation
Security Considerations
Chapter 3
The strict hostname checking setting, on the other hand, provides
enhanced validation of users. The validation uses the hostname as it is
resolved by the Cell Manager using the reverse DNS lookup from the IP
obtained from the connection. This imposes the following limitations and
considerations:
Limitations
• IP-based validation of users can only be as strong as the anti-spoof
protection in the network. The security designer must determine
whether the existing network provides a sufficient degree of
anti-spoof safety for the particular security requirements. Anti-spoof
protection can be added by segmenting the network with firewalls,
routers, VPNs, and similar measures.
• The separation of users within a certain client is not as strong as the
separation between clients. In a high security environment, one must
not mix regular and powerful users within the same client.
• Hosts that are used in user specifications cannot be configured to use
DHCP, unless they are bound to a fixed IP and configured in the DNS.
Be aware of the limitations in order to correctly assess the degree of
safety that can be achieved with the strict hostname checking.
Hostname Resolution
The hostname that Application Recovery Manager uses for validation
may differ between the default user validation and strict hostname
checking in the following situations:
• Reverse DNS lookup returns a different hostname. This can be either
intentional or can indicate misconfiguration of either the client or the
reverse DNS table.
• The client is multihomed (has multiple network adapters and/or
multiple IP addresses). Whether this consideration applies to a
specific multihomed client depends on its role in the network and on
the way it is configured in the DNS.
• The client is a cluster.
The nature of the checks that are enabled with this setting may require
reconfiguration of Application Recovery Manager users. Existing
specifications of Application Recovery Manager users must be checked to
see if they could be affected by any of the above reasons. Depending on
the situation, existing specifications may need to be changed or new
specifications added to account for all the possible IPs from which the
connections can come.
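
One way to review existing user specifications before enabling strict hostname checking, as an added example that is not part of the HP guide or the product: for each hostname used in a specification, resolve it to its addresses and reverse-resolve each address, flagging the cases listed above. The input list of hostnames, the case-insensitive full-name comparison, and the sample DNS tables are assumptions made for illustration.

```python
import socket

def forward_ips(host):  # IPv4 addresses for a name, via the system resolver
    return socket.gethostbyname_ex(host)[2]

def reverse_name(ip):  # primary hostname from the reverse (PTR) lookup
    return socket.gethostbyaddr(ip)[0]

def audit_host(spec_host, forward=forward_ips, reverse=reverse_name):
    """Findings for one hostname taken from a user specification."""
    try:
        ips = forward(spec_host)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{spec_host}: forward lookup failed ({exc})"]
    findings = []
    if len(ips) > 1:
        findings.append(f"{spec_host}: {len(ips)} addresses (multihomed or cluster?)")
    for ip in ips:
        try:
            name = reverse(ip)
        except OSError:
            findings.append(f"{spec_host}: {ip} has no reverse DNS entry")
            continue
        # Assumption: names are compared case-insensitively as full names.
        if name.rstrip(".").lower() != spec_host.rstrip(".").lower():
            findings.append(f"{spec_host}: {ip} reverse-resolves to {name}")
    return findings

# Constructed sample DNS data (documentation address range), not real hosts.
SAMPLE_A = {"client1.example.com": ["192.0.2.10"],
            "client2.example.com": ["192.0.2.20", "192.0.2.21"],
            "client3.example.com": ["192.0.2.30"]}
SAMPLE_PTR = {"192.0.2.10": "client1.example.com",
              "192.0.2.20": "client2.example.com",
              "192.0.2.21": "client2-bkp.example.com"}

def table_lookup(table):
    def lookup(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return lookup

def audit_sample():
    lookups = table_lookup(SAMPLE_A), table_lookup(SAMPLE_PTR)
    return {h: audit_host(h, *lookups) for h in SAMPLE_A}

if __name__ == "__main__":
    for host, findings in audit_sample().items():
        print("\n".join(findings or [f"{host}: consistent"]))
```

Run `audit_host` with its default resolvers from the Cell Manager itself, since the reverse lookup that matters is the one performed there.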