  • Status: Solved
  • Priority: Medium
  • Security: Public

Dedicated backup LAN setup for Windows servers

I want to set up a dedicated backup network to isolate backup traffic on its own network. The plan is to dedicate a 2nd NIC on each server for backup. IP config for these NICs will be on a separate network subnet from production systems and will have no default gateway assigned. All the backup NICs on the servers from the DMZ and internal network will connect to a dedicated unmanaged Gb switch. The backup server will exist in a workgroup and be connected to the backup switch as well.

What are the security implications of doing this? I know I can configure the backup NICs to only allow backup traffic, but my concern is bridging the DMZ and internal networks via the backup network NICs. Just looking for some advice on how to effectively secure a backup network in the Windows environment.
emsed
Asked:
1 Solution
 
Dave Howe, Software and Hardware Engineer, Commented:
Basically, if you do that your security is toast - a hacker can 'sploit a webserver in the DMZ, then attack any LAN server over the dedicated link.

You need to divide it into two networks - either a separate backup regime/server for each, or join them with a firewall and have the backup agents connectable only from the backup server; this may mean you can't use (for example) file shares for the task, but must serve the storage in use by some other method.

If you can spare the disk space, then one solution would be to have a separate storage area on the backup server itself for each DMZ host, and rsync the storage area to the real server each night before the backup takes place.
 
emsed (Author) Commented:
Thank you for your proposed solutions. I'm not really sure those will be doable in our environment, however.

I have read numerous documents about a dedicated backup LAN and there must be a way to secure the backup network. If I am wrong, can someone please confirm this? If the backup NICs are all connected to a separate dedicated switch and a unique subnet, without default gateways, couldn't I then enable TCP/IP filtering on those network connections to only allow needed protocols and ports, and further enable the Windows firewall to only allow communication to the backup server? Or is that just too flimsy on security if the servers are patched currently, etc.? I was just thinking there must be a way to secure this backup network and offload all that traffic from our internal LAN. Thanks again.
 
Dave Howe, Software and Hardware Engineer, Commented:
The problem is that "needed protocols and ports" for backup are usually full Microsoft SMB - at which point, you have no security between the boxes. How are you currently running backups for these hosts?
 
emsed (Author) Commented:
Currently we are using the production NICs and connections from the DMZ servers, which have a ton of data, then through the firewall and to a Backup Exec server. We need to back up somewhere around 1/2 TB of data and I cannot currently meet our backup time window. Internal systems are always affected with this scenario and the network is almost unusable during backup. Part of the problem is that the firewall ports are only 10/100 Mb/s. My hope was to somehow use a dedicated Gb switch and dedicated Gb NICs, to offload the backup traffic and avoid the network bottleneck caused by the firewall.
 
Dave Howe, Software and Hardware Engineer, Commented:
Well, there *is* a solution there, which would be no less secure than what you have.

Create two new LANs, either by VLANning or by buying two separate cheap gig switches.
Place *two* new network cards in your backup server, run firewalling software on the backup server (ideally, run Linux or something on there to make it less hackable) and treat the DMZ and LAN "backup" paths separately.

The Linux version of Backup Exec is near identical to the Windows version and will back up Windows machines without problems :)

If you really, really must stick with Windows as the backup host, then be aware that you will almost certainly have to expose bits of Microsoft networking to the DMZ servers (assuming THEY are Windows) in order for it to work.
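
The dual-homed layout suggested in the answer above, sketched as an nftables ruleset for a Linux backup server; this is an added example, not part of the original thread. The interface names, subnets and agent port are assumptions to replace with your own, and a separate management interface is not shown.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name, address and port below is an assumption.
# Keep net.ipv4.ip_forward=0 as well, so the host never routes between segments.
flush ruleset

define IF_DMZ_BACKUP  = "eth1"             # NIC on the DMZ backup switch/VLAN
define IF_LAN_BACKUP  = "eth2"             # NIC on the internal backup switch/VLAN
define NET_DMZ_BACKUP = 192.168.50.0/24    # sample DMZ backup subnet
define NET_LAN_BACKUP = 192.168.60.0/24    # sample LAN backup subnet
define AGENT_PORT     = 10000              # placeholder: your backup agent's listening port

table inet backup_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # Replies to sessions the backup server opened itself.
        ct state established,related accept
        # No host on either backup segment may open a connection to this server.
        iifname { $IF_DMZ_BACKUP, $IF_LAN_BACKUP } log prefix "backup-in-drop " drop
    }

    chain forward {
        # The two backup paths are treated separately: nothing crosses this host.
        type filter hook forward priority 0; policy drop;
        log prefix "backup-fwd-drop "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # The backup server initiates every session, one segment at a time.
        # Agents that negotiate extra data ports need those ports added here.
        oifname $IF_DMZ_BACKUP ip daddr $NET_DMZ_BACKUP tcp dport $AGENT_PORT accept
        oifname $IF_LAN_BACKUP ip daddr $NET_LAN_BACKUP tcp dport $AGENT_PORT accept
    }
}
```

Logged drops on the forward chain or on either backup interface indicate a host on one segment probing the server or trying to reach the other segment, which is worth alerting on.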
 
emsed (Author) Commented:
DaveHowe, I will award points to you. I'm not familiar enough with Linux to do what was proposed but adding (2) NICs to the backup server will help.

However, I am hoping someone very familiar with securing Windows servers with Backup Exec would have additional comments? I will wait for these comments and then close the issue.

Thanks again.