Solved

Mailserver back up to NAS

Posted on 2013-11-22
Last Modified: 2013-11-27
I have a mailserver in the DMZ.  It has two NICs, only one is active.
I want to back this up to the NAS on my LAN.
I'd like to turn on the 2nd NIC, add it to my LAN, but prevent any traffic from the outside "real IP" interface from reaching the LAN.


Windows Firewall?  What rule?
Question by:dougp23

Expert Comment

by:arnold
ID: 39670939
Do not connect the second NIC to the LAN as that will become the bridge should the system in the DMZ get compromised.

Another option, depending on the switch: create a LAG group on the switch using the two interfaces as a team.
This way you can "double" the bandwidth available and create a rule to allow the traffic from the DMZ system to the NAS, though not sure how you would isolate the issue.

If you have a backup client/server setup (bacula, zmanda, etc.) you would be able to set the parameters of access. With the direction to the NAS, the DMZ server has to have access rights to the share, which is a much wider opening of the firewall.

Author Comment

by:dougp23
ID: 39671635
So if my Eth1 on the server has a "real IP" of (making it up) 78.111.209.155
And my Eth2 on the server has a "Non-routable" IP of 192.168.10.109

There is no way to isolate that Eth2 so I can say "only traffic to the NAS is allowed for this interface"?

Accepted Solution

by:
arnold earned 295 total points
ID: 39671648
By default no traffic from the outside will directly pass through to the internal LAN, but should your system be compromised, the DMZ configuration will not help protect your LAN from the intruder as they have the path over eth2.

Depending on your mailserver configuration, you could make the DMZ host a head unit only, such that the user homedirs reside on the NAS, which is NFS-mounted on the mail server without root rights.

Configuring the firewall... Never mind, you are on a Windows platform.

What is your setup?

A Windows firewall can be overridden by the person who compromised your system to gain access.

To restrict the DMZ'ed host when they have a second dedicated feed into the LAN means you have to reconfigure the firewalls on all LAN systems to deny the DMZ'ed host's second internal IP access to resources on each system...


If you have internet <=> router/FW <=> DMZ host
                                   <=> LAN
you could configure the FW to allow DMZ host specific traffic to a LAN host.
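The host-side rules the question asks about, as an added example that is not part of the original thread. It assumes Windows Server 2012 or later (NetSecurity cmdlets); the interface alias `Eth2` and the NAS address `192.168.10.20` are hypothetical. As the accepted answer notes, whoever compromises the host can remove these rules, so they supplement the router/FW rule and do not replace it.

```powershell
# Added example. Constructed values: adjust to the real environment.
$lanNic = 'Eth2'            # assumed alias of the second NIC (check with Get-NetAdapter)
$nasIp  = '192.168.10.20'   # hypothetical NAS address on the LAN

# 1. The host must not route between its NICs. Forwarding should read
#    'Disabled' on every interface (the Windows default).
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding

# 2. The address ranges below are IPv4 only, so unbind IPv6 from the LAN NIC;
#    otherwise link-local IPv6 would bypass the outbound restriction.
Disable-NetAdapterBinding -Name $lanNic -ComponentID ms_tcpip6

# 3. Drop every unsolicited inbound connection that arrives on the LAN NIC.
#    Block rules take precedence over any existing allow rule; replies to
#    connections the server itself opened to the NAS are still accepted.
New-NetFirewallRule -DisplayName 'LAN NIC: block inbound' `
    -Direction Inbound -InterfaceAlias $lanNic -Action Block

# 4. Outbound on the LAN NIC: block every destination except the NAS.
#    Because block beats allow, "allow NAS, block the rest" cannot be written
#    as two overlapping rules; the blocked ranges must leave out $nasIp.
#    These ranges are written by hand for 192.168.10.20.
$exceptNas = @(
    '0.0.0.0-192.168.10.19',
    '192.168.10.21-255.255.255.255'
)
New-NetFirewallRule -DisplayName 'LAN NIC: block outbound except NAS' `
    -Direction Outbound -InterfaceAlias $lanNic `
    -RemoteAddress $exceptNas -Action Block

# 5. Review what was created.
Get-NetFirewallRule -DisplayName 'LAN NIC:*' |
    Format-Table DisplayName, Direction, Action, Enabled
```

Give the LAN NIC a static address with no default gateway and no DNS servers, so the only traffic it ever carries is the backup session to the NAS.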
