Firewall Wizards mailing list archives
RE: Backup exec agent in dmz
From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Wed, 11 Jun 2003 17:25:45 +0100
I wasnt going to post this to the list but seeing these other responses I see what I have done in the past isnt that bad. DNS on Linux - Probably BIND. If so just setup a cron job to FTP the named.conf file and the zonefiles off the the NT box in the DMZ. Do the same on the Apache server, assuming its a static site. If its dynamic just dump the database before the FTP script kicks in. Your code files will probably be backed up somewhere else (developers machine ?) One option is using VLANS. The PIX 515E supports up to 6 interfaces depending on your liscence. You cold setup a new 'backup DMZ' put your backup tape library in this DMZ and backup all your servers to the new DMZ. You would have to set the Security level higher that the internet DMZ but at least if the internet dmz is compromised the only box they can destroy is your backup box not your internal mail server. -----Original Message----- From: Sloane, David [mailto:DSloane () vfa com] Sent: 11 June 2003 15:45 To: 'yehuda'; 'firewall-wizards () honor icsalabs com' Subject: RE: [fw-wiz] Backup exec agent in dmz Samba comes to mind... (going far afield now) That said, what do you really need to back up on the DNS and web servers? Web sites are often mirrored internally - either in source control or just a flat-file system. The dns server records should be tiny text files. You can update two sets of DNS files, right? Or just pull down the zone file(s) after making changes... If you really want to minimize potential down-time, make a Ghost (or similar) image of each Red Hat box. If you need the logs, pull them out with ftp or samba or (insert file transfer protocol here). Your disaster-recovery model is pretty straightforward - ghost image to replacement disk, then drop in the most recent DNS and web-site files. No muss, no fuss, no *nix agents with open access to your AD/Exchange/BackupExec/eggs-in-one-basket box (sorry, couldn't resist any longer). Cheers, David -----Original Message----- From: yehuda [mailto:yehuda () essutton com] Sent: Tuesday, June 10, 2003 11:45 AM To: 'firewall-wizards () honor icsalabs com' Subject: [fw-wiz] Backup exec agent in dmz Hi, I was wondering if anyone has ideas or a solution for this problem: I'm trying to set up reliable backup of 3 servers in a dmz network: a mail/antivirus server, a dns server, and a web server. The mail server is running windows NT and the other two are Redhat linux. I have a windows 2000 server running backup exec version 9 on the primary network connected to a ten thousand dollar tape loader, and I'd rather not have to set up a separate backup system for the dmz computers. The networks are segmented by a pix 515 with three interfaces, one for the inside, one for the outside, and one for the dmz. The primary network has unrestricted access to the dmz, but computers on the dmz network need specific permission - by ip and port - to connect to servers in the primary network. I installed the backup exec unix agent on the two linux machines in the dmz. According to veritas's website, (http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101 and 1024-65535 both ways, because the unix agent uses rpc. I don't have a problem giving dmz machines access to port 6101 on the backup server, but I'd rather not give the dmz machines access to 1024-65535 on the backup server. The backup server is a domain controller for our active directory, as well as an internal ms-exchange mail server. I could filter off the listening ports over 1024, but then if I don't keep watching it, someone might install an app that listens above 1024, which would then be available to the dmz. They have a workaround for windows, by reconfiguring dcom and rpc to only use specific ports, but it seems from the above-referenced document that such an option isn't available for the unix agent. Any ideas? _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards ******************************************************************************************** " This message contains information that may be privileged or confidential and is the property of the Cap Gemini Ernst & Young Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message ". ******************************************************************************************** _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Backup exec agent in dmz yehuda (Jun 10)
- Re: Backup exec agent in dmz Volker Tanger (Jun 11)
- <Possible follow-ups>
- RE: Backup exec agent in dmz TSimons (Jun 11)
- RE: Backup exec agent in dmz Sloane, David (Jun 11)
- RE: Backup exec agent in dmz Ahmed, Balal (Jun 13)