Solved

Mailserver back up to NAS

Posted on 2013-11-22
215 Views
Last Modified: 2013-11-27
I have a mailserver in the DMZ. It has two NICs; only one is active.
I want to back this up to the NAS on my LAN.
I'd like to turn on the 2nd NIC, add it to my LAN, but prevent any traffic from the outside "real IP" interface from reaching the LAN.

Windows Firewall? What rule?

Question by: dougp23
3 Comments

Expert Comment

by: arnold
Do not connect the second NIC to the LAN as that will become the bridge should the system in the DMZ get compromised.

Another option, depending on the switch: create a LAG group on the switch using the two interfaces as a team.
This way you can "double" the bandwidth available and create a rule to allow the traffic from the DMZ system to the NAS, though not sure how you would isolate the issue.

If you have a backup client/server setup (bacula, zmanda, etc.) you would be able to set the parameters of access. With the direction to the NAS, the DMZ server has to have access rights to the share, which is a much wider opening of the firewall.

Author Comment

by: dougp23
So if my Eth1 on the server has a "real IP" of (making it up) 78.111.209.155,
and my Eth2 on the server has a "non-routable" IP of 192.168.10.109,

There is no way to isolate that Eth2 so I can say "only traffic to the NAS is allowed for this interface"?

Accepted Solution

by: arnold (earned 295 total points)
By default no traffic from the outside will directly pass through to the internal LAN, but should your system be compromised, the DMZ configuration will not help protect your LAN from the intruder, as they have the path over eth2.

Depending on your mailserver configuration, you could make the DMZ host a head unit only, such that the user homedirs reside on the NAS, which is NFS-mounted on the mail server without root rights.

Configuring the firewall... Never mind, you are on a Windows platform.

What is your setup?

A Windows firewall can be overridden by the person who compromised your system to gain access.

To restrict the DMZ'ed host when it has a second dedicated feed into the LAN means you have to reconfigure the firewalls on all LAN systems to deny the DMZ'ed host's second internal IP access to resources on each system...

If you have:

    internet <=> router/FW <=> DMZ host
                          <=> LAN

you could configure the FW to allow the DMZ host specific traffic to a LAN host.
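The asker wanted to know which Windows Firewall rule would confine the LAN-side NIC to the NAS only. The following is an added example, not from the thread or from either participant, of how that host-side restriction would be expressed with the Windows Firewall cmdlets (Windows Server 2012 and later). The interface alias `Eth2`, the NAS address `192.168.10.50`, the LAN range `192.168.10.0/24` and the use of SMB (TCP 445) for the backup share are assumptions; only the server's own Eth2 address 192.168.10.109 comes from the question. Windows Firewall evaluates Block rules ahead of Allow rules, so a single "block everything on Eth2" rule would also defeat the NAS allow rule; the example therefore blocks the two address ranges on either side of the NAS instead.

```powershell
# Added example (not the thread's own configuration). Run from an elevated PowerShell
# on the DMZ mail server. Assumed values:
$Nic    = 'Eth2'                  # assumption: alias of the LAN-facing NIC (192.168.10.109)
$Nas    = '192.168.10.50'         # assumption: NAS address on the LAN segment
$LanNet = '192.168.10.0/24'       # assumption: LAN network behind Eth2

# Every LAN address except the NAS, expressed as two ranges. Block rules win over
# Allow rules in Windows Firewall, so the block must exclude the NAS itself.
$LanExceptNas = @('192.168.10.0-192.168.10.49', '192.168.10.51-192.168.10.255')

# Outbound from Eth2: only SMB to the NAS (the backup share) is permitted.
New-NetFirewallRule -DisplayName 'DMZ-Eth2 allow SMB to NAS' `
    -Direction Outbound -InterfaceAlias $Nic `
    -RemoteAddress $Nas -Protocol TCP -RemotePort 445 -Action Allow

# Outbound from Eth2 to any other LAN host is blocked.
New-NetFirewallRule -DisplayName 'DMZ-Eth2 block other LAN out' `
    -Direction Outbound -InterfaceAlias $Nic `
    -RemoteAddress $LanExceptNas -Action Block

# Inbound on Eth2: nothing on the LAN may initiate a connection to the DMZ host.
# The NAS's replies to the backup session are matched statefully, so no inbound
# allow rule is needed for the backup itself.
New-NetFirewallRule -DisplayName 'DMZ-Eth2 block LAN in' `
    -Direction Inbound -InterfaceAlias $Nic `
    -RemoteAddress $LanNet -Action Block

# Verify the address filters that were actually attached to the three rules.
Get-NetFirewallRule -DisplayName 'DMZ-Eth2*' |
    Get-NetFirewallAddressFilter |
    Format-Table -Property RemoteAddress, LocalAddress
```

Two caveats follow from the accepted answer itself. First, the rules assume the default route stays on Eth1, so traffic for anything outside 192.168.10.0/24 never leaves via Eth2; if routing changes, the block ranges need widening. Second, these rules live on the very host that sits in the DMZ, which is the point arnold makes: once that host is compromised the rules can be removed, so the same "DMZ host may reach only the NAS, only on the backup port" policy belongs on the router/FW between the DMZ and the LAN, with the host rules as a second layer rather than the only one.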