RE: Backup Agents

[Scott Harrington <sharrington () chancery com>]

More architecture based than software but...

We implemented a complete backup backplane to which everything is connected
- web servers, database boxes, etc.  The switch all the boxes are connected
to, including the backup server, is VLANed in a rather unique way (well,
unique to me).

Port one, which is the backup server, has a primary VLAN of VLAN1, and is a
member of all the other VLAN's.  All the other ports on the switch are
configured with the individual port having a primary VLAN of VLAN<x> and a
member of VLAN1.  Basically what this gives is the ability for every box on
the backplane to communicate with the backup server, but one box cannot
communicate to another box (data is only be sent out via the primary VLAN of
a port, but is received on all VLANs that port is a member of).

The backup server itself is not connected to the internal network - it is
only connected to the backup backplane.  Since our corporate email server is
one of the servers on the backplane, email notifications and job reports can
still be sent from the backup server.

Backup agents are all configured to only run on the backup backplane
interface.

All in all, I'm mostly happy with the security of this.


-----Original Message-----
From: Geo. [mailto:georger () NLS NET]
Sent: Thursday, March 20, 2003 3:54 PM
To: vuln-dev () securityfocus com
Subject: Backup Agents


Has anyone ever studied how secure backup agents are in the context of using
them on web servers? Seems to me a backup agent is designed to get
information (all information) out of a system, so I was wondering if anyone
had ever researched how secure the connection between a backup server and a
machine running a backup agent is. How hard it would be to exploit the
backup agent and that sort of thing.

Geo.