Regarding the backing up of a DMZ environment

Regarding the backing up of a DMZ environment consisting of 4 2003 enterprise servers hosting external web servers.  Besides making sure the server doing the backups has a firewall and antivirus any other ideas.  I do not think using FTP from and to the DMZ is a good idea.
Who is Participating?
PowerITConnect With a Mentor Commented:
If no ports are open except RDP then you can not use FTP.
FTP is indeed not a good idea. SFTP (or FTPS) is a better alternative.
Also, you mention that those are webservers, but only the RDP port is open. How can this be? Or do you mean from your internal network to the DMZ? That would make sence, as you can then manage the servers easily.
If you can not open additional ports for this - so the DMZ can access an internal server - then you'll have to setup your backup in the DMZ. Possibilities:
- a dedicated backup machine like paradoxenginge proposed. I'm not convinced that bacula is suited for backing up windows servers, as it can not backup the whole system configuration and can not backup open files. You'll have to look at the commercial backup products for this (CA Brightstor, Veritas, ...). Also consider the 'disaster recovery agent' options.
- using imaging software like Acronis True Image Server: this can backup the whole system while it is running and makes it possible to recover easily using a boot CD. The images can be stored on an external disk attached to the server or you can use a dedicated machine (NAS, Linux file server, windows file server) to store the images.
BTW, it's best practice to limit the open ports from your DMZ to the internal network. Because if one of your webservers gets cracked, then it's an easy stepstone to your internal network.
This makes it hard to recommend anything else. Basically you could do exactly the same but have the backups stored in you internal network. But if you have easy access to your DMZ then this is useless and just increases security risks.

The point is what are you going to do with the backups exactly. If you only want to backup the data in the DMZ, then the solution I am using is a lightweight server running bacula on the DMZ. The backup will be stored on removable storage, and the server is running ONLY bacula. As a general rule (doesn't matter if you will use bacula or other means) you can safely put the backup server on the DMZ as far as it is ONLY running as a backup server AND the data will not be stored there forever and ever.
handymanalyAuthor Commented:
What about using FTP?
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

handymanalyAuthor Commented:
Forgot to mention the backup server cannot communicate with the DMZ no ports are open...The only way to contact that network is VIA RDP using the public address.
FTP is bad - I would say SFTP would be better.
To install a server check out:
Although having RDP open through the public ip if not needed for remote access is bad too.
I would try having access from the lan only to the FTP and RDP.
Your last message was not entirely clear: what do you mean with "cannot communicate"? How are you going to do backup without any open port? And what kind of DMZ is one which can be contacted only via RDP?  Maybe I'm missing something.
Anyway, FTP is NOT a good mean of backup via public network, since it's unencrypted, poorly authenticated and has a low reliability (has a whole, not as a single process). I'd go for a "local" solution with the backup server INSIDE the DMZ, if the backup server is not the "main" backup server of the enterprise.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.