Regarding the backing up of a DMZ environment

Posted on 2007-08-05
Last Modified: 2013-12-04
Regarding the backing up of a DMZ environment consisting of 4 2003 Enterprise servers hosting external web servers. Besides making sure the server doing the backups has a firewall and antivirus, any other ideas? I do not think using FTP from and to the DMZ is a good idea.
Question by: handymanaly

    Expert Comment

    The point is: what are you going to do with the backups exactly? If you only want to back up the data in the DMZ, then the solution I am using is a lightweight server running bacula on the DMZ. The backup will be stored on removable storage, and the server is running ONLY bacula. As a general rule (doesn't matter if you will use bacula or other means) you can safely put the backup server on the DMZ, as long as it is ONLY running as a backup server AND the data will not be stored there forever and ever.

    Author Comment

    What about using FTP?

    Author Comment

    Forgot to mention: the backup server cannot communicate with the DMZ, no ports are open... The only way to contact that network is via RDP using the public address.

    Accepted Solution

    If no ports are open except RDP, then you cannot use FTP.
    FTP is indeed not a good idea. SFTP (or FTPS) is a better alternative.
    Also, you mention that those are web servers, but only the RDP port is open. How can this be? Or do you mean from your internal network to the DMZ? That would make sense, as you can then manage the servers easily.
    If you cannot open additional ports for this (so the DMZ can access an internal server), then you'll have to set up your backup in the DMZ. Possibilities:
    - a dedicated backup machine like paradoxenginge proposed. I'm not convinced that bacula is suited for backing up Windows servers, as it cannot back up the whole system configuration and cannot back up open files. You'll have to look at the commercial backup products for this (CA BrightStor, Veritas, ...). Also consider the 'disaster recovery agent' options.
    - using imaging software like Acronis True Image Server: this can back up the whole system while it is running and makes it possible to recover easily using a boot CD. The images can be stored on an external disk attached to the server, or you can use a dedicated machine (NAS, Linux file server, Windows file server) to store the images.
    BTW, it's best practice to limit the open ports from your DMZ to the internal network, because if one of your web servers gets cracked, then it's an easy stepping stone to your internal network.
    This makes it hard to recommend anything else. Basically you could do exactly the same but have the backups stored in your internal network. But if you have easy access to your DMZ, then this is useless and just increases security risks.
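As an added illustration of the accepted answer's two points (use SFTP rather than FTP, and keep the DMZ-to-internal opening to a single port), here is a small POSIX shell script, not from the thread, that bundles a web root on a DMZ host, writes a SHA-256 sidecar, and pushes both to a backup server in one non-interactive SFTP session. The user "dmzbackup", host "backup.internal", key path /etc/backup/dmzbackup_key and source directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own code. Pushes a nightly archive from a DMZ
# host to a backup server over SFTP only, so no cleartext FTP credentials or data
# cross the DMZ boundary. Placeholders: dmzbackup@backup.internal and the key
# /etc/backup/dmzbackup_key; the firewall should allow only TCP/22 from this host
# to backup.internal, and sshd on the receiver should restrict that account with
# "Match User dmzbackup" + "ForceCommand internal-sftp" + "ChrootDirectory".
set -eu

# Name the archive after the host and date so retention can be enforced by pattern.
archive_name() {   # $1 = hostname, $2 = YYYYMMDD
    printf '%s-%s.tar.gz\n' "$1" "$2"
}

# Bundle the source tree and write a SHA-256 sidecar so the receiving side can
# confirm the upload was complete and unaltered before it keeps the file.
bundle_and_hash() {   # $1 = source dir, $2 = output archive path
    tar -czf "$2" -C "$1" .
    (cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256")
}

# Verify an archive against its sidecar; non-zero exit on mismatch or truncation.
verify_bundle() {   # $1 = archive path
    (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

# Build the sftp batch: upload archive and checksum, then disconnect.
# Batch mode (-b) aborts on the first failed command instead of prompting.
sftp_batch() {   # $1 = archive path
    printf 'put %s\nput %s.sha256\nbye\n' "$1" "$1"
}

# Dedicated key, no password prompts, and a known host key only: a stolen DMZ
# box cannot be pointed at a look-alike backup server without an sshd warning.
push_backup() {   # $1 = archive path
    sftp_batch "$1" | sftp -b - -i /etc/backup/dmzbackup_key \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        dmzbackup@backup.internal:/incoming/
}

# Typical nightly run (only when invoked with "run", so sourcing is side-effect free).
if [ "${1:-}" = "run" ]; then
    out="/var/backups/$(archive_name "$(hostname)" "$(date +%Y%m%d)")"
    bundle_and_hash /var/www "$out"
    verify_bundle "$out"
    push_backup "$out"
fi
```

The receiving server should run the same `sha256sum -c` against the sidecar before rotating the file into its retention set, so a partial upload is never mistaken for a good backup.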

    Expert Comment

    FTP is bad. I would say SFTP would be better.
    To install a server check out:
    Although having RDP open through the public IP, if not needed for remote access, is bad too.
    I would try having access from the LAN only to the FTP and RDP.

    Expert Comment

    Your last message was not entirely clear: what do you mean by "cannot communicate"? How are you going to do backup without any open port? And what kind of DMZ is one which can be contacted only via RDP? Maybe I'm missing something.
    Anyway, FTP is NOT a good means of backup via a public network, since it's unencrypted, poorly authenticated and has low reliability (as a whole, not as a single process). I'd go for a "local" solution with the backup server INSIDE the DMZ, if the backup server is not the "main" backup server of the enterprise.
