
Dedicated backup LAN setup for Windows servers

I want to set up a dedicated backup network to isolate backup traffic on its own network. The plan is to dedicate a 2nd NIC on each server for backup. IP config for these NICs will be on a separate network subnet from production systems and will have no default gateway assigned. All the backup NICs on the servers from the DMZ and internal network will connect to a dedicated unmanaged GB switch. The backup server will exist in a workgroup and be connected to the backup switch as well.

What are the security implications of doing this? I know I can configure the backup NICs to only allow backup traffic, but my concern is bridging the DMZ and internal networks via the backup network NICs. Just looking for some advice on how to effectively secure a backup network in the Windows environment.
Asked by: emsed
1 Solution
 
Dave Howe (Software and Hardware Engineer) commented:
Basically, if you do that your security is toast - a hacker can 'sploit a webserver in the DMZ, then attack any LAN server over the dedicated link.

You need to divide it into two networks - either a separate backup regime/server for each, or join them with a firewall and have the backup agents connectable only from the backup server; this may mean you can't use (for example) file shares for the task, but must serve the storage in use by some other method.

If you can spare the disk space, then one solution would be to have a separate storage area on the backup server itself for each DMZ host, and rsync the storage area to the real server each night before the backup takes place.
 
emsed (Author) commented:
Thank you for your proposed solutions. I'm not really sure those will be doable in our environment, however.

I have read numerous documents about a dedicated backup LAN and there must be a way to secure the backup network. If I am wrong, someone please confirm this? If the backup NICs are all connected to a separate dedicated switch and a unique subnet, without default gateways, couldn't I then enable TCP/IP filtering on those network connections to only allow needed protocols and ports, further enabling the Windows firewall to only allow communication to the backup server? Or is that just too flimsy on security if the servers are patched currently, etc.? I was just thinking there must be a way to secure this backup network and offload all that traffic from our internal LAN. Thanks again.
 
Dave Howe (Software and Hardware Engineer) commented:
The problem is that "needed protocols and ports" for backup are usually full Microsoft SMB - at which point, you have no security between the boxes. How are you currently running backups for these hosts?
 
emsed (Author) commented:
Currently we are using the production NICs and connections from the DMZ servers, which have a ton of data, then through the firewall and to a Backup Exec server. We need to back up somewhere around 1/2 TB of data and I cannot currently meet our backup time window. Internal systems are always affected with this scenario and the network is almost unusable during backup. Part of the problem is that the firewall ports are only 10/100 mb/s. My hope was to somehow use a dedicated GB switch and dedicated GB NICs, to offload the backup traffic and avoid the network bottleneck caused by the firewall.
 
Dave Howe (Software and Hardware Engineer) commented:
Well, there *is* a solution there, which would be no less secure than what you have.

Create two new LANs, either by VLANning or by buying two separate cheap gig switches.
Place *two* new network cards in your backup server, run firewalling software on the backup server (ideally, run Linux or something on there to make it less hackable) and treat the DMZ and LAN "backup" paths separately.

The Linux version of Backup Exec is near identical to the Windows version and will back up Windows machines without problems :)

If you really, really must stick with Windows as the backup host, then be aware that you will almost certainly have to expose bits of Microsoft networking to the DMZ servers (assuming THEY are Windows) in order for it to work.
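The two-path layout proposed in the answer above, sketched as an added example that is not part of the original thread: an nftables ruleset for a Linux backup server with one NIC on each backup LAN. The interface names, subnets and agent port are assumptions, and the ruleset assumes the backup server opens every connection to the agents; take the real port list from your backup product's documentation.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): dual-homed backup server firewall.
# All names and addresses below are constructed placeholders.

define DMZ_IF      = "bk-dmz"        # NIC on the DMZ backup switch/VLAN
define LAN_IF      = "bk-lan"        # NIC on the internal backup switch/VLAN
define DMZ_NET     = 10.99.1.0/24    # DMZ backup subnet (assumed)
define LAN_NET     = 10.99.2.0/24    # internal backup subnet (assumed)
define AGENT_PORTS = { 10000 }       # assumed agent port; replace with the documented list

table inet backup_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Only replies to connections the backup server started are let in.
        ct state established,related accept
        ct state invalid drop
        # No rule admits new inbound connections on either backup NIC, so a
        # compromised DMZ host cannot open a session to the backup server.
        log prefix "bk-in-drop " counter drop
    }

    chain forward {
        # The server is never a router between the two backup LANs.
        # Also keep net.ipv4.ip_forward=0 and net.ipv6.conf.all.forwarding=0.
        type filter hook forward priority 0; policy drop;
        log prefix "bk-fwd-drop " counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # The backup server initiates to agents, one rule per path, each
        # pinned to its own interface and subnet.
        oifname $DMZ_IF ip daddr $DMZ_NET tcp dport $AGENT_PORTS ct state new accept
        oifname $LAN_IF ip daddr $LAN_NET tcp dport $AGENT_PORTS ct state new accept
        log prefix "bk-out-drop " counter drop
    }
}
```

Because no inbound rule exists on either backup NIC, administer the server from its console or a separate management interface; the logged drops on the forward chain are a useful signal that something on one backup LAN is trying to reach the other.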
 
emsed (Author) commented:
DaveHowe, I will award points to you. I'm not familiar enough with Linux to do what was proposed but adding (2) NICs to the backup server will help.

However, I am hoping someone very familiar with securing Windows servers with Backup Exec would have additional comments? I will wait for these comments and then close the issue.

Thanks again.
Question has a verified solution.