Dedicated backup LAN setup for windows servers
I want to setup a dedicated backup network to isolate backup traffic on its own network. The plan is to dedicate a 2nd NIC on each server for backup. IP config for these NIC's will be on a separate network subnet from production systems and will have no default gateway assigned. All the backup NIC's on the servers from the DMZ and internal network will connect to a dedicated unmanaged GB switch. The backup server will exist in a workgroup and be connected to the backup switch as well.
WHat are the security implications of doing this? I know I can configure the backup NIC's to only allow backup traffic but my concern is bridging the DMZ and internal networks via the backup network NIC's. Just looking for some advice on how to effectively secure a backup network in the windows environment.
WHat are the security implications of doing this? I know I can configure the backup NIC's to only allow backup traffic but my concern is bridging the DMZ and internal networks via the backup network NIC's. Just looking for some advice on how to effectively secure a backup network in the windows environment.
ASKER
Thank you for your proposed solutions. I'm not really sure those will be doable in our environment, however.
I have read numerous documents about a dedicated backup LAN and there must be a way to secure the backup network. If I am wrong, someone please confirm this? If the backup NIC's are all connected to a separate dedicated switch and a unique subnet, without default gateways. COuldn't I then enable TCP/IP filtering on those network connections to only allow needed protocols and ports. Further enabling the windows firewall to only allow communication to the backup server. Or is that just too flimsy on security if the servers are patched currently, etc.... I was just thinking there must be a way to secure this backup network and offload all that traffic from our internal LAN. Thanks again.....
I have read numerous documents about a dedicated backup LAN and there must be a way to secure the backup network. If I am wrong, someone please confirm this? If the backup NIC's are all connected to a separate dedicated switch and a unique subnet, without default gateways. COuldn't I then enable TCP/IP filtering on those network connections to only allow needed protocols and ports. Further enabling the windows firewall to only allow communication to the backup server. Or is that just too flimsy on security if the servers are patched currently, etc.... I was just thinking there must be a way to secure this backup network and offload all that traffic from our internal LAN. Thanks again.....
the problem is that "needed protocols and ports" for backup are usually full microsoft smb - at which point, you have no security between the boxes. how are you currently running backups for these hosts?
ASKER
Currently we are using the production NIC's and connections from the DMZ servers, which has a ton of data, then through the firewall and to a backup exec server. We need to backup somewhere around 1/2 TB of data and I cannot currently meet our backup time window. Internal systems are always effected with this scenario and the network is almost unusable during backup. Part of the problem is that the firewall ports are only 10/100 mb/s. My hope was to somehow use a dedicated GB switch and dedicated GB NIC's, to offload the backup traffic and avoid the network bottleneck caused by the firewall.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
DaveHowe, I will award points to you. I'm not familiar enough with Linux to do what was proposed but adding (2) nic's to the backup server will help.
However, I am hoping someone very familiar with securing Windows servers with Backup Exec would have additional comments? I will wait for these comments and then close the issue.
Thanks again.
However, I am hoping someone very familiar with securing Windows servers with Backup Exec would have additional comments? I will wait for these comments and then close the issue.
Thanks again.
you need to divide it into two networks - either a separate backup regime/server for each, or join them with a firewall and have the backup agents connectible to only from the backup server; this may mean you can't use (for example) file shares for the task, but must serve the storage in use by some other method.
if you can spare the disk space, then one solution would be to have a separate storage area on the backup server itself for each dmz host, and rsync the storage area to the real server each night before the backup takes place.