Security Basics mailing list archives

Re: DMZ, Tape Backup and Security


From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Thu, 19 Jun 2003 14:19:34 +0200

Erik,

here's how I would reason if I were to set this up.

> Scenario 1: Put a tape unit/software in the DMZ and another one on the
> LAN to have everything separate.
>
> Plus side: No hole in DMZ Firewall
> Down Side: Cost (2 unit/software), 2 software to manage

Using identical software, management should not be too difficult.
After all, backup software tends to have a pretty static configuration
(compared to firewalls, for instance, which demand constant attention).

At least, that is my experience.


> Scenario 2: Change firewall rules to give access from DMZ to LAN.
> Plus side: Cost less and easier management

That isn't entirely correct. In your own words:

> it is using RPC so it is really hard to set Firewall rules)

Complexity is one of your worst enemies when it comes to
security. More complex FW-management is a threat to your security,
and it costs more to maintain.

> Scenario 3: Have one server with 2 NIC. One on LAN and one on DMZ.

Absolutely out of the question. This solution completely destroys the point
of having a DMZ in the first place.

If FW-setup (scenario 2) is non-trivial, I would definitely go with scenario #1.

Cheers,
Anders :)

