HP Application Recovery Manager software A.06.10 Installation and licensing guide (March 2008)

The strict hostname checking setting, on the other hand, provides enhanced validation
of users. The validation uses the hostname as it is resolved by the Cell Manager through
a reverse DNS lookup of the IP address obtained from the connection. This imposes the
following limitations and considerations:

Limitations
• IP-based validation of users can only be as strong as the anti-spoof protection in
  the network. The security designer must determine whether the existing network
  provides a sufficient degree of anti-spoof safety for the particular security
  requirements. Anti-spoof protection can be added by segmenting the network
  with firewalls, routers, VPN, and such.
• The separation of users within a certain client is not as strong as the separation
  between clients. In a high security environment, one must not mix regular and
  powerful users within the same client.
• Hosts that are used in user specifications cannot be configured to use DHCP,
  unless they are bound to a fixed IP and configured in the DNS.

Be aware of the limitations in order to correctly assess the degree of safety that can
be achieved with the strict hostname checking.

Hostname resolution
The hostname that Application Recovery Manager uses for validation may differ
between the default user validation and strict hostname checking in the following
situations:
• Reverse DNS lookup returns a different hostname. This can be either intentional
  or can indicate misconfiguration of either the client or the reverse DNS table.
• The client is multihomed (has multiple network adapters and/or multiple IP
  addresses). Whether this consideration applies to a specific multihomed client
  depends on its role in the network and on the way it is configured in the DNS.
• The client is a cluster.

The nature of checks that are enabled with this setting may require reconfiguration
of Application Recovery Manager users. Existing specifications of Application
Recovery Manager users must be checked to see if they could be affected by any of
the above reasons. Depending on the situation, existing specifications may need to
be changed or new specifications added to account for all the possible IPs from
which the connections can come.

Note that users also have to be reconfigured when reverting to the default user
validation, if you had to modify user specifications when you enabled the strict
hostname checking. It is therefore recommended to decide which user validation you
would like to use and keep using it.
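
One way to check existing user specifications before enabling strict hostname checking is to compare forward and reverse DNS for every host they name. The following is an added example, not part of the guide or of Application Recovery Manager; it assumes user specifications name clients by fully qualified hostname and that names are compared case-insensitively, and the function names and sample records are constructed for illustration.

```python
import socket

def dns_forward(host):
    """All addresses the name resolves to, using live DNS."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def dns_reverse(ip):
    """Reverse (PTR) name for an address, or None if there is no entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def audit_user_hosts(spec_hosts, forward=dns_forward, reverse=dns_reverse):
    """Report every source IP whose reverse lookup would not yield a
    hostname that appears in the user specifications (assumed semantics)."""
    allowed = {h.lower().rstrip(".") for h in spec_hosts}
    findings = []
    for host in spec_hosts:
        ips = forward(host)
        if not ips:  # e.g. a DHCP client with no fixed IP configured in DNS
            findings.append((host, None, "no forward record"))
        for ip in ips:
            ptr = reverse(ip)
            if ptr is None:
                findings.append((host, ip, "no reverse record"))
            elif ptr.lower().rstrip(".") not in allowed:
                findings.append((host, ip, "reverse lookup returns " + ptr))
    return findings

# Constructed sample records (documentation address ranges), not from the guide.
SAMPLE_FWD = {
    "admin1.example.com": ["192.0.2.10"],
    "media1.example.com": ["192.0.2.20", "198.51.100.20"],  # multihomed
    "dhcp7.example.com": [],                                 # not in DNS
}
SAMPLE_REV = {
    "192.0.2.10": "admin1.example.com",
    "192.0.2.20": "media1.example.com",
    "198.51.100.20": "media1-bk.example.com",                # different PTR
}

def run_sample():
    return audit_user_hosts(list(SAMPLE_FWD),
                            forward=lambda h: SAMPLE_FWD.get(h, []),
                            reverse=SAMPLE_REV.get)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it on the Cell Manager host with the default resolvers, since that is where the reverse lookup is performed; each finding is a host whose specification needs to be changed or supplemented.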