Solved

How to Backup a server in a public DMZ from a internal Backup Server securely?

Posted on 2008-06-17
4
2,899 Views
Last Modified: 2013-12-01
Greetings,

I have a web server sitting in our public DMZ that I want to backup with a server sitting in our private domain. How can I do this securely? If I open a port to allow access through the firewall then if the webserver becomes compromised that means the backup server(internal) can become compromised as well since there is an open port to get through. If the backup server becomes compromised then all the computers in the domain can also be affected.

How can I  backup the web server in the public DMZ that will not require manual labor everytime I want to backup the webserver?

Attached is an example diagram.

Thank you !
problemdia.jpg
0
Comment
Question by:junglecom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 2

Accepted Solution

by:
Taurus042 earned 500 total points
ID: 21810853
If you open a port (10000 for Backup Exec) from the backup server to the web server the risk should be minimal. No ports need to be opened from DMZ to Internal network as the backups are initiated from the backup server.

As far as I know all that the Backup Exec server does is copying files via the agent. No files should be executed this way which means the backup server is reasonably safe.

The alternative is to run the backups within your DMZ. This requires another backup server and additional labor handling the backups on two servers.
0
 
LVL 2

Author Comment

by:junglecom
ID: 21827835
If the DMZ computer was infected with something could it take over the backup server using the port I would open (10000) ?
0
 
LVL 2

Expert Comment

by:Taurus042
ID: 21830114
No, not in an easy way since you only open the port for access from Internal net to DMZ. Connections are initiated from BE Server to BE Agent.
The only possibility would be for an attacker to replace the BE Agent with his own code and somehow affect your BE Server. This would be very hard imo as the BE Server is only doing file copying.
0
 
LVL 2

Author Closing Comment

by:junglecom
ID: 31468119
Thanks!
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Life is full of imperfections – we all know it. Sometimes bad things happen to people for no particular reason. As they say: “it happens”. All we can do is to find a way to make some unavoidable situations… avoidable. Every kind of hardware has i…
Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question