Solved

Mailserver back up to NAS

Posted on 2013-11-22
3
228 Views
Last Modified: 2013-11-27
I have a mailserver in the DMZ.  It has two NICs, only one is active.
I want to back this up to the NAS on my LAN.
I'd like to turn on the 2nd NIC, add it to my LAN, but prevent any traffic from the outside "real IP" interface from reaching the LAN.


Windows Firewall?  What rule?
Question by:dougp23
3 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39670939
Do not connect the second NIC to the LAN as that will become the bridge should the system in the DMZ get compromised.

Another option, depending on the switch: create a LAG group on the switch using the two interfaces as a team.
This way you can "double" the bandwidth available and create a rule to allow the traffic from the DMZ system to the NAS, though not sure how you would isolate the issue.

If you have a backup client/server setup (bacula, zmanda, etc.) you would be able to set the parameters of access. With the direction to the NAS, the DMZ server has to have access rights to the share, which is a much wider opening of the firewall.
0
 
LVL 1

Author Comment

by:dougp23
ID: 39671635
So if my Eth1 on the server has a "real IP" of (making it up) 78.111.209.155
And my Eth2 on the server has a "Non-routable" IP of 192.168.10.109

There is no way to isolate that Eth2 so I can say "only traffic to the NAS is allowed for this interface"?
0
 
LVL 78

Accepted Solution

by:
arnold earned 295 total points
ID: 39671648
By default no traffic from the outside will directly pass through to the internal LAN, but should your system be compromised, the DMZ configuration will not help protect your LAN from the intruder as they have the path over eth2.

Depending on your mailserver configuration, you could make the DMZ host a head unit only, such that the user homedirs reside on the NAS, which is NFS mounted on the mail server without root rights.

Configuring the firewall... Never mind, you are on a Windows platform.

What is your setup?

A Windows firewall can be overridden by the person who compromised your system to gain access.

To restrict the DMZed host when it has a second dedicated feed into the LAN means you have to reconfigure the firewalls on all LAN systems to deny the DMZed host's second internal IP access to resources on each system...


If you have

internet <=> router/FW <=> DMZ host
                       <=> LAN

you could configure the FW to allow DMZ host specific traffic to a LAN host.
0
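
The last suggestion in the accepted answer (let the router/FW pass only DMZ-host-specific traffic to one LAN host), as an added example that is not part of the original thread: a small first-match rule model that audits a rule set for any DMZ-to-LAN flow other than the backup path. The NAS address 192.168.10.50, the workstation 192.168.10.20, the outside host 203.0.113.7, SMB on tcp/445 as the backup transport and the rule format itself are assumptions made for illustration, not any particular firewall's syntax.

```python
import ipaddress
from itertools import product

# Constructed addressing: only the mail server's address appears in the thread.
MAIL = "78.111.209.155"                    # DMZ mail server ("making it up" in the thread)
NAS = "192.168.10.50"                      # assumed NAS address
LAN = ipaddress.ip_network("192.168.10.0/24")
BACKUP = ("tcp", 445)                      # assumed backup transport: SMB

# First-match rule list: (action, source net, destination net, proto, port); None = any
PINHOLE = [
    ("allow", MAIL + "/32", NAS + "/32", "tcp", 445),
    ("deny", "0.0.0.0/0", str(LAN), None, None),
]
TOO_WIDE = [
    ("allow", MAIL + "/32", str(LAN), None, None),   # whole LAN reachable from the DMZ host
    ("deny", "0.0.0.0/0", str(LAN), None, None),
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto in (None, proto) and rport in (None, port)):
            return action
    return "deny"

def audit(rules, probes):
    """List every allowed flow into the LAN other than MAIL -> NAS on BACKUP."""
    findings = []
    for src, dst, (proto, port) in probes:
        if ipaddress.ip_address(dst) not in LAN:
            continue
        expected = (src, dst, (proto, port)) == (MAIL, NAS, BACKUP)
        if decide(rules, src, dst, proto, port) == "allow" and not expected:
            findings.append((src, dst, proto, port))
    return findings

# Constructed probe set: the mail server and an unrelated Internet host against
# the NAS and one workstation, on SMB, RDP and SSH.
PROBES = list(product([MAIL, "203.0.113.7"], [NAS, "192.168.10.20"],
                      [("tcp", 445), ("tcp", 3389), ("tcp", 22)]))

if __name__ == "__main__":
    for name, rules in (("pinhole", PINHOLE), ("too wide", TOO_WIDE)):
        print(name, "backup allowed:", decide(rules, MAIL, NAS, *BACKUP) == "allow",
              "unexpected flows:", audit(rules, PROBES))
```

With the pinhole rule set the audit returns no findings while the backup flow is still allowed; the wider rule set exposes the workstation and the NAS's other ports to the DMZ host.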
