Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to Backup a server in a public DMZ from a internal Backup Server securely?

Posted on 2008-06-17
4
Medium Priority
?
2,966 Views
Last Modified: 2013-12-01
Greetings,

I have a web server sitting in our public DMZ that I want to backup with a server sitting in our private domain. How can I do this securely? If I open a port to allow access through the firewall then if the webserver becomes compromised that means the backup server(internal) can become compromised as well since there is an open port to get through. If the backup server becomes compromised then all the computers in the domain can also be affected.

How can I  backup the web server in the public DMZ that will not require manual labor everytime I want to backup the webserver?

Attached is an example diagram.

Thank you !
problemdia.jpg
0
Comment
Question by:junglecom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 2

Accepted Solution

by:
Taurus042 earned 2000 total points
ID: 21810853
If you open a port (10000 for Backup Exec) from the backup server to the web server the risk should be minimal. No ports need to be opened from DMZ to Internal network as the backups are initiated from the backup server.

As far as I know all that the Backup Exec server does is copying files via the agent. No files should be executed this way which means the backup server is reasonably safe.

The alternative is to run the backups within your DMZ. This requires another backup server and additional labor handling the backups on two servers.
0
 
LVL 2

Author Comment

by:junglecom
ID: 21827835
If the DMZ computer was infected with something could it take over the backup server using the port I would open (10000) ?
0
 
LVL 2

Expert Comment

by:Taurus042
ID: 21830114
No, not in an easy way since you only open the port for access from Internal net to DMZ. Connections are initiated from BE Server to BE Agent.
The only possibility would be for an attacker to replace the BE Agent with his own code and somehow affect your BE Server. This would be very hard imo as the BE Server is only doing file copying.
0
 
LVL 2

Author Closing Comment

by:junglecom
ID: 31468119
Thanks!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Storage devices are generally used to save the data or sometime transfer the data from one computer system to another system. However, sometimes user accidentally erased their important data from the Storage devices. Users have to know how data reco…
Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question