Security Basics mailing list archives

Fw: DMZ, Tape Backup and Security


From: <holger.reichert () holysword de>
Date: Thu, 19 Jun 2003 07:38:01 +0200


Hello Erik,

as always in security, the level of security increases with the costs.
Your third method you disqualified yourself by the downside you mentioned.
To get this solution secure you would even have to invest extra money, so
your plus side isn't that high. Never bypass your firewall!!

The second solution isn't my favorite either, but if you choose it,
make sure that your backup server makes the connection to your
DMZ server. Never let a DMZ server open a connection to your LAN.
Mandatorily use a three-interface firewall with separate rulesets for each
interface and communication direction. Use at least stateful packet
inspection. As a security rule, when you are piercing holes in your
firewall you should additionally use security software on your
DMZ servers to protect these holes, meaning: use at least some kind of
integrity checking such as Tripwire on your DMZ servers. Another point is
that with this solution you mix two types of data on your backup tape,
confidential data with public data. This also breaks some "unwritten"
security rules. Refer to your information security policy, if you have
one.

OK, you see, the first solution you mentioned is always the best ;-)
(double meaning)
Well, it's the cleanest and in my opinion the only way to go. You can
even add security by using two NICs on all your DMZ servers to separate
your backup data from your public network.

Hope this helps

Holger Reichert
Owner Manager
Holysword GbR
IT-Security Consulting and Reseller
www.holysword.de

Forwarded message from Erik Vincent <evincent () ndexsystems com>
of 18.06.2003, 15:04:01:
Hello to all,

I would like to have comments on how to set up a backup strategy
regarding a DMZ.

Scenario 1: Put a tape unit/software in the DMZ and another one on the 
LAN to have everything separate.

Plus side: No hole in DMZ firewall
Down side: Cost (2 units/software), 2 software packages to manage


Scenario 2: Change firewall rules to give access from DMZ to LAN.

Plus side: Costs less and easier management
Down side: Hole in firewall
            (I did some tests with Veritas Backup Exec and it is
             using RPC, so it is really hard to set firewall rules)
      
Scenario 3: Have one server with 2 NICs. One on the LAN and one on the DMZ.

Plus side: Cost, management
Down side: Need to have high security on the server.
         Bypasses the firewall. (High security risk)


What do you think?
Thank you all for your time and effort.
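
Holger's scenario-2 advice (the LAN backup server opens the connection, a DMZ host never initiates into the LAN, a three-interface firewall with per-direction rulesets, stateful inspection) modelled as a small Python example, with the same policy rendered as iptables FORWARD rules. This is an added illustration, not code from the original thread or from either poster; the addresses, interface names, the backup agent port 10000 and the constructed test packets are assumptions.

```python
# Added example, not part of the original thread. Addresses, interface
# names and the agent port are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    in_zone: str            # zone the packet arrives from
    out_zone: str           # zone the packet is forwarded to
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Optional[int]    # TCP destination port, None = any
    action: str             # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool               # True = attempt to open a new TCP connection


# Assumed addressing: LAN 10.0.0.0/24, DMZ 192.168.100.0/24, everything else WAN.
ZONES = {"lan": "10.0.0.0/24", "dmz": "192.168.100.0/24", "wan": "0.0.0.0/0"}
IFACES = {"lan": "eth1", "dmz": "eth2", "wan": "eth0"}   # assumed interface names
BACKUP_SERVER = "10.0.0.10/32"      # LAN backup server (assumed)
DMZ_WEB = "192.168.100.20/32"       # DMZ web server running the backup agent (assumed)
AGENT_PORT = 10000                  # backup agent port, an assumption for illustration

POLICY = [
    # Only the LAN backup server may open a connection to the DMZ agent port.
    Rule("lan", "dmz", BACKUP_SERVER, DMZ_WEB, AGENT_PORT, "accept"),
    # The public service: anyone on the WAN may reach the DMZ web server on 80.
    Rule("wan", "dmz", "0.0.0.0/0", DMZ_WEB, 80, "accept"),
    # A DMZ host must never open a connection into the LAN.
    Rule("dmz", "lan", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]


class StatefulFirewall:
    def __init__(self, zones, rules):
        self.zones = [(n, ip_network(c)) for n, c in zones.items()]
        self.rules = rules
        self.conntrack = set()  # accepted connections as (src, sport, dst, dport)

    def zone_of(self, addr):
        # First match wins; "wan" is 0.0.0.0/0 and listed last.
        for name, net in self.zones:
            if ip_address(addr) in net:
                return name
        raise ValueError(addr)

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful part: packets of an already accepted connection pass in both
        # directions, so the DMZ agent can answer without any DMZ->LAN rule.
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept"
        # No state and not a connection attempt: drop (stray ACKs, a DMZ host
        # trying to look "established").
        if not pkt.syn:
            return "drop"
        in_zone, out_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for r in self.rules:   # first matching rule for this interface pair decides
            if (r.in_zone, r.out_zone) != (in_zone, out_zone):
                continue
            if ip_address(pkt.src) not in ip_network(r.src):
                continue
            if ip_address(pkt.dst) not in ip_network(r.dst):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.action == "accept":
                self.conntrack.add(fwd)
            return r.action
        return "drop"   # default deny on every interface pair


def to_iptables(rules):
    """Render the same policy as iptables FORWARD-chain commands."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        cmd = [f"iptables -A FORWARD -i {IFACES[r.in_zone]} -o {IFACES[r.out_zone]}",
               f"-s {r.src} -d {r.dst}"]
        if r.dport is not None:
            cmd.append(f"-p tcp --dport {r.dport}")
        cmd.append(f"-m state --state NEW -j {r.action.upper()}")
        lines.append(" ".join(cmd))
    return lines


def run_scenarios():
    """Constructed packets exercising the policy; returns name -> verdict."""
    fw = StatefulFirewall(ZONES, POLICY)
    scenarios = [
        ("backup server opens agent session", Packet("10.0.0.10", "192.168.100.20", 40000, AGENT_PORT, True)),
        ("DMZ agent answers (stateful)", Packet("192.168.100.20", "10.0.0.10", AGENT_PORT, 40000, False)),
        ("DMZ host opens SMB into LAN", Packet("192.168.100.20", "10.0.0.5", 44444, 445, True)),
        ("DMZ host fakes reply without state", Packet("192.168.100.20", "10.0.0.10", AGENT_PORT, 40001, False)),
        ("WAN client to DMZ web", Packet("203.0.113.7", "192.168.100.20", 5555, 80, True)),
        ("WAN client to LAN agent port", Packet("203.0.113.7", "10.0.0.10", 5555, AGENT_PORT, True)),
    ]
    return {name: fw.filter(p) for name, p in scenarios}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:6}  {name}")
    print("\n".join(to_iptables(POLICY)))
```

The model keeps the two things Holger insists on separate: the direction of the rule (only lan->dmz NEW to the agent port is allowed, dmz->lan NEW is dropped outright) and the state table, which is what lets the DMZ server's replies through without ever granting the DMZ a rule into the LAN. The RPC problem Erik mentions is not solved by this; a product that opens dynamic ports still needs either a fixed agent port or an application-aware firewall.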


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
