Regarding the backing up of a DMZ environment

Posted on 2007-08-05
Medium Priority
Last Modified: 2013-12-04
Regarding the backing up of a DMZ environment consisting of 4 Windows 2003 Enterprise servers hosting external web servers. Besides making sure the server doing the backups has a firewall and antivirus, any other ideas? I do not think using FTP from and to the DMZ is a good idea.
Question by: handymanaly

Expert Comment

ID: 19634901
The point is what are you going to do with the backups exactly. If you only want to backup the data in the DMZ, then the solution I am using is a lightweight server running bacula on the DMZ. The backup will be stored on removable storage, and the server is running ONLY bacula. As a general rule (doesn't matter if you will use bacula or other means) you can safely put the backup server on the DMZ as far as it is ONLY running as a backup server AND the data will not be stored there forever and ever.

Author Comment

ID: 19635663
What about using FTP?

Author Comment

ID: 19635694
Forgot to mention the backup server cannot communicate with the DMZ; no ports are open... The only way to contact that network is via RDP using the public address.
LVL 18

Accepted Solution

PowerIT earned 1000 total points
ID: 19637038
If no ports are open except RDP then you can not use FTP.
FTP is indeed not a good idea. SFTP (or FTPS) is a better alternative.
Also, you mention that those are webservers, but only the RDP port is open. How can this be? Or do you mean from your internal network to the DMZ? That would make sense, as you can then manage the servers easily.
If you can not open additional ports for this - so the DMZ can access an internal server - then you'll have to set up your backup in the DMZ. Possibilities:
- a dedicated backup machine like paradoxenginge proposed. I'm not convinced that bacula is suited for backing up Windows servers, as it can not backup the whole system configuration and can not backup open files. You'll have to look at the commercial backup products for this (CA Brightstor, Veritas, ...). Also consider the 'disaster recovery agent' options.
- using imaging software like Acronis True Image Server: this can backup the whole system while it is running and makes it possible to recover easily using a boot CD. The images can be stored on an external disk attached to the server or you can use a dedicated machine (NAS, Linux file server, Windows file server) to store the images.
BTW, it's best practice to limit the open ports from your DMZ to the internal network. Because if one of your webservers gets cracked, then it's an easy stepping stone to your internal network.
This makes it hard to recommend anything else. Basically you could do exactly the same but have the backups stored in your internal network. But if you have easy access to your DMZ then this is useless and just increases security risks.

LVL 12

Expert Comment

ID: 19637041
FTP is bad - I would say SFTP would be better.
To install a server check out: http://digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows
Although having RDP open through the public IP, if not needed for remote access, is bad too.
I would try having access from the LAN only to the FTP and RDP.

Expert Comment

ID: 19637069
Your last message was not entirely clear: what do you mean with "cannot communicate"? How are you going to do backup without any open port? And what kind of DMZ is one which can be contacted only via RDP? Maybe I'm missing something.
Anyway, FTP is NOT a good means of backup via a public network, since it's unencrypted, poorly authenticated and has a low reliability (as a whole, not as a single process). I'd go for a "local" solution with the backup server INSIDE the DMZ, if the backup server is not the "main" backup server of the enterprise.
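The accepted answer and the two comments above converge on three rules for the firewall between the DMZ and the LAN: the DMZ must not be able to initiate connections into the internal network, management traffic (RDP, SFTP) should come only from the LAN and not from the public Internet, and cleartext FTP should be replaced by SFTP. The following is an added example (not code from any participant in this thread) that audits a constructed rule set against those three points; the address ranges, rule names and port list are assumptions for illustration.

```python
"""Audit a DMZ firewall policy against the advice given in this thread.

Added example; the rule set and address ranges below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

# Assumed address plan (not from the thread): RFC 1918 for the LAN,
# the TEST-NET-1 documentation block standing in for the DMZ.
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
ANY = ip_network("0.0.0.0/0")

# Ports the LAN may use to reach the DMZ for management and backup pulls:
# 3389 = RDP, 22 = SSH/SFTP (the alternative to FTP recommended above).
ALLOWED_MGMT_PORTS = {3389, 22}
# Cleartext protocols that should not cross either boundary.
CLEARTEXT_PORTS = {21: "FTP", 23: "telnet"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: int
    action: str  # "allow" or "deny"


def audit_rules(rules):
    """Return (rule name, finding) pairs for every allow rule that violates
    one of the three principles from the thread."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        from_dmz = r.src.subnet_of(DMZ)
        from_lan = r.src.subnet_of(INTERNAL)
        to_dmz = r.dst.subnet_of(DMZ)
        to_lan = r.dst.subnet_of(INTERNAL)

        # 1. A cracked web server must not be a stepping stone into the LAN.
        if from_dmz and to_lan:
            findings.append((r.name, "DMZ-initiated connection into the internal network"))
        # 2. Management ports reachable from outside both networks (the public IP).
        if to_dmz and r.dport in ALLOWED_MGMT_PORTS and not (from_lan or from_dmz):
            findings.append((r.name, f"management port {r.dport} exposed to the Internet"))
        # 3. Anything other than the approved management ports from LAN to DMZ.
        if from_lan and to_dmz and r.dport not in ALLOWED_MGMT_PORTS:
            findings.append((r.name, f"LAN -> DMZ on port {r.dport} is not an approved management port"))
        # Cleartext transports on either boundary.
        if r.dport in CLEARTEXT_PORTS:
            findings.append((r.name, f"cleartext {CLEARTEXT_PORTS[r.dport]} on port {r.dport}; use SFTP/SSH"))
    return findings


# Constructed rule set: the first four are what the thread recommends,
# the next two are the mistakes it warns against.
RULES = [
    Rule("web-in", ANY, DMZ, 80, "allow"),
    Rule("web-tls-in", ANY, DMZ, 443, "allow"),
    Rule("rdp-mgmt", INTERNAL, DMZ, 3389, "allow"),
    Rule("sftp-backup-pull", INTERNAL, DMZ, 22, "allow"),
    Rule("rdp-public", ANY, DMZ, 3389, "allow"),      # RDP on the public address
    Rule("ftp-to-lan", DMZ, INTERNAL, 21, "allow"),   # DMZ pushing backups by FTP
    Rule("default-deny", ANY, ANY, 0, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(RULES):
        print(f"{name}: {finding}")
```

Running it reports `rdp-public` once and `ftp-to-lan` twice (DMZ-to-LAN and cleartext), while the public web rules and the LAN-side RDP/SFTP rules pass. The check is deliberately direction-aware: the same port 22 is acceptable when the LAN pulls backups from the DMZ, and a finding when the DMZ could open it toward the LAN.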
