On Tue, Mar 20, 2001 at 05:48:27PM -0600, Timothy Wilson (wilson at visi.com) wrote:
> Hey everyone,
>
> Here's a little security question for you related to DMZs, firewalls, and
> backups.
>
> Our new Web server sits in a DMZ outside our school's main firewall and
> has a regular IP address. The rest of the district is NAT'd behind the
> firewall using a 10.*.*.* block. We have a tape library set up inside to
> back up all the file servers.
>
> Since we have a BackupExec setup, I'd like to install the Unix agent and
> back up the Web server files to the internal tape library. The firewall makes
> that more complicated.
>
> Here's the question: How 'bout putting a 2nd NIC in the Webserver and
> putting that NIC on the internal network? The 2nd one would get a 10.* IP
> address and shouldn't have any trouble accessing the tape library.

If you do this, you defeat the purpose of the DMZ network since now you're
allowing a path from your DMZ to your internal network. If this box is
compromised, your internal network is at risk.

You should, however, be able to set up your firewall to allow the traffic from
your internal tape library (on internal network) to your webserver on your
DMZ. Unless the backup agent requires some sort of proxy.

--
Amy Tanner                          Voice: 952.943.8700
Real Time Enterprises, Inc.         Fax: 952.943.8500
amy at real-time.com                http://www.real-time.com
GPG Fingerprint: DAC7 E1B2 80D9 3099 1A20 0817 2DFE 5086 81B3 5466
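
Added example, not part of the original message: one way to express the firewall approach suggested in the reply above, assuming a Linux firewall running iptables with the internal network on eth1 and the DMZ on eth2, and a backup agent that accepts a connection from the backup server on a single TCP port. The function name, interface names and sample addresses are constructed for illustration; the thread does not give the agent's port, so it is a parameter to be taken from the vendor documentation.

```shell
#!/bin/sh
# Emit iptables-restore input that lets ONLY the internal backup server open a
# connection to the backup agent on the DMZ web server. Nothing in the DMZ may
# start a connection toward the inside, so a compromised web server gains no
# path to the 10.x network (unlike the second-NIC design).
#
# Usage (addresses are constructed samples, AGENT_PORT is yours to supply):
#   gen_backup_rules 10.0.0.50 192.0.2.10 "$AGENT_PORT" | iptables-restore --test
gen_backup_rules() {
    backup_srv=$1        # internal backup/tape server
    web_srv=$2           # web server in the DMZ
    agent_port=$3        # TCP port the backup agent listens on
    int_if=${4:-eth1}    # assumed internal-facing interface
    dmz_if=${5:-eth2}    # assumed DMZ-facing interface

    # Refuse a missing or non-numeric port rather than emit a broken rule.
    case $agent_port in
        ''|*[!0-9]*) echo "agent port must be numeric" >&2; return 1 ;;
    esac
    if [ "$agent_port" -lt 1 ] || [ "$agent_port" -gt 65535 ]; then
        echo "agent port out of range" >&2; return 1
    fi

    # Fragment only: merge with the firewall's existing ruleset. Loaded on its
    # own, the DROP policy would block all other forwarded traffic.
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Return traffic for connections that were already permitted
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Backup server -> agent on the web server, initiated from the inside only
-A FORWARD -i $int_if -o $dmz_if -s $backup_srv -d $web_srv -p tcp --dport $agent_port -m state --state NEW -j ACCEPT
# Log, then drop, anything the DMZ tries to initiate toward the inside
-A FORWARD -i $dmz_if -o $int_if -m state --state NEW -j LOG --log-prefix "DMZ->INT blocked: "
-A FORWARD -i $dmz_if -o $int_if -j DROP
COMMIT
EOF
}
```

If the agent also needs to open connections back to the backup server, this rule set will block them, which is the case the reply flags as possibly requiring a proxy.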