Mailserver back up to NAS

I have a mailserver in the DMZ.  It has two NICs, only one is active.
I want to back this up to the NAS on my LAN.
I'd like to turn on the 2nd NIC, add it to my LAN, but prevent any traffic from the outside "real Ip" interface from reaching the LAN.


Windows Firewall?  What rule?
LVL 1
dougp23Asked:
Who is Participating?
 
arnoldConnect With a Mentor Commented:
By default no traffic from the outside will directly pass through to the internal lan, but should your system be compromised, the DMZ configuration will not help protect your LAN from the intruder as they have the path over eth2.

Depending on your mailserver configuration, you could make the DMZ host as a head unit only such that the user homedirs reside on the NAS which is NFS mounted on the mail server without root rights..

Configuring the firewall Never mind, your are on a windows platform.

What is your setup?

A windows firewall can be overriden by the person who compromised your system to gain access.

To restrict the DMZed host when they have a second dedicated feed into the LAN means you have to reconfigure the firewalls on all LAN systems to deny the DMz'ed host's second internal IP access to resources on each system ...........


if you have internet <=> router/FW <=> dmz host
                                                        <=> LAN
You could configure the FW to allow DMZ host specific traffic to the a LAN HOST
0
 
arnoldCommented:
Do not connect the second NIC to the LAN as that will become the bridge should the system in the DMZ get compromised.

Another option depending on the switch, create a LAG group on the switch  using the two interfaces as a team.
This way you can "double" the bandwidth available and create a rule to allow the traffic from The DMZ system to the nas, though not sure who you would isolate the issue.

If you have a backup client/server setup (bacula, zmanda, etc.) you would be able to set the parameters of access. with the direction to the NAS the DMZ server has to have access rights to share which is a much wider opening of the firewall.
0
 
dougp23Author Commented:
So if my Eth1 on the server has a "real IP" of (making it up) 78.111.209.155
And my Eth2 on the server has a "Non-routable" IP of 192.168.10.109

There is no way to isolate that Eth2 so I can say "only traffic to the NAS is allowed for this interface"?
0
All Courses

From novice to tech pro — start learning today.