Roy,

My personal preference is to keep the backup process inside the DMZ. Any path from the DMZ to an internal system that does not pass through a control device (firewall) has the potential to be abused if the DMZ system is compromised. Your idea of creating a backup network is a workable one provided no routing capabilities are present on the DMZ or Backup servers, but I would consider adding firewall functionality to the backup server as well to ensure that ONLY the backup daemon and its required ports and protocols can operate on the interface. If you really lock this down, you may need to manually enter the DMZ host addresses into the DNS and ARP tables. I would also consider monitoring the backup network to ensure that only backup activities are taking place. If other traffic shows up, like ICMP, Telnet, FTP, etc., someone should get an alert immediately. Also watch your default gateway settings on the servers as well as what broadcast "stuff" is output to the backup interface.
-- Bill Stackpole, CISSP

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 05, 2002 5:22 PM
Subject: Strategy for backing up servers in DMZ?

> We have a need to backup servers in the DMZ. We're using Veritas BackupExec
> 8.6 for NT/2000. However, I'm a bit concerned about running the backups
> through the firewall (Sonicwall Pro), just because it's a lot of data that
> possibly could instead go through a separate physical Ethernet network - if
> you all bless it!?
>
> Backup Exec does have the ability to utilize a separate physical Ethernet
> network/sub-net. So long as none of the servers (LAN Backup Server and DMZ
> Web Servers) have TCP/IP forwarding enabled, would it really represent a
> security risk/vulnerability to stick another NIC in the DMZ servers and the
> Backup Server and simply back them up through the separate Ethernet network
> rather than bogging down the firewall with all packets???
>
> Thanks very much!
>
> Roy.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
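The monitoring idea in the reply above (alert on anything on the backup segment that is not backup traffic) can be sketched as an allowlist check over connection records. This is an added example, not part of the original thread; the subnet, host addresses, agent port and flow records are all constructed assumptions, and the policy assumes the backup server is always the side that opens the connection.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Flow(NamedTuple):
    src: str     # host that opened the connection / sent the packet
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # 0 when the protocol has no ports

# Assumed values for illustration; substitute your own addressing and the
# port your backup agent really listens on.
BACKUP_NET = ipaddress.ip_network("192.168.250.0/24")
BACKUP_SERVER = "192.168.250.10"
DMZ_HOSTS = {"192.168.250.21", "192.168.250.22"}
AGENT_PORT = 10000  # placeholder, not taken from the thread

def violation(f: Flow) -> Optional[str]:
    """Return why a flow breaks the backup-only policy, or None if allowed."""
    if any(ipaddress.ip_address(a) not in BACKUP_NET for a in (f.src, f.dst)):
        # Points at a routing or default-gateway leak onto the segment.
        return "address outside backup subnet"
    if f.src != BACKUP_SERVER:
        # A DMZ host reaching inward or sideways is the path to worry about.
        return "initiated by a host other than the backup server"
    if f.dst not in DMZ_HOSTS:
        # Covers broadcasts and unregistered machines on the segment.
        return "destination is not a registered DMZ host"
    if f.proto != "tcp" or f.dport != AGENT_PORT:
        return f"unexpected service {f.proto}/{f.dport}"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every record that should raise an alert."""
    return [(f, r) for f in flows if (r := violation(f)) is not None]

# Constructed sample records, as a sniffer or flow exporter might report them.
SAMPLE = [
    Flow("192.168.250.10", "192.168.250.21", "tcp", 10000),  # backup job
    Flow("192.168.250.10", "192.168.250.22", "tcp", 10000),  # backup job
    Flow("192.168.250.10", "192.168.250.21", "icmp", 0),     # ping
    Flow("192.168.250.21", "192.168.250.10", "tcp", 23),     # Telnet inward
    Flow("192.168.250.10", "192.168.250.22", "tcp", 21),     # FTP
    Flow("192.168.250.22", "10.1.1.5", "tcp", 80),           # routed traffic
    Flow("192.168.250.10", "192.168.250.255", "udp", 137),   # broadcast
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The same allowlist doubles as the rule set for the host firewall on the backup server's second interface: permit the one server-to-agent service, deny and log everything else.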
