On Tue, Mar 20, 2001 at 05:48:27PM -0600, Timothy Wilson wrote:
>Our new Web server sits in a DMZ outside our school's main firewall and
>has a regular IP address. The rest of the district is NAT'd behind the
>firewall using a 10.*.*.* block. We have a tape library set up inside to
>back up all the file servers.
>
>Since we have a BackupExec setup, I'd like to install the Unix agent and
>back up the Web server files to the internal tape library. The firewall makes
>that more complicated.
>
>Here's the question: How 'bout putting a 2nd NIC in the Webserver and
>putting that NIC on the internal network? The 2nd one would get a 10.* IP
>address and shouldn't have any trouble accessing the tape library.

GAH!!! NOOOOOO!!!! If you need to make the webserver look like it's inside, tunnel (IP-IP) it to the internal side of the firewall, so it's seen as just another IP inside your network, the firewall takes care of the routing, and your external webserver is now seen internally by your backup software. If it doesn't do multi-homing, set up the tunnel, and use rsync to sync your data to a machine inside that is being backed up, or do some super fancy port-forwarding to get the backup requests to and from the webserver and initiate the data transfer through the firewall itself. I am not familiar with BackupExec but I assume it's got the capability to do client/server backup; with that said, a tunnel should be all that's needed.

>
>It's certainly possible to prevent cross-traffic between the NICs, but I'm
>not sure if this setup is really "securable." How much trouble am I asking
>for? :-)

A lot, now there's 2 points of entry to your internal LAN, and 1 isn't secured (unless you have a no-nonsense firewall explicitly rejecting/denying all traffic from nic1-ext to nic2-int.) and routing is done properly.

>Anybody have any advice?

Use amanda, don't do drugs, and always use a condom. :-)

Good luck,

--
Thomas J. Hudak
Systems Administrator
Sistina Software Inc. - www.sistina.com
Phone: 612.379.3951 Page: 612.318.1967 Fax: 612.379.3952
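
Added example, not part of the original message: a check for the condition the reply attaches to the dual-NIC layout, that nothing is forwarded from the external NIC to the internal one. It assumes a Linux host filtered with iptables (not named in the thread), the interface names eth0/eth1, and constructed rulesets; it covers forwarded packets only, not what the web server itself can reach from its internal NIC.

```python
import shlex

# Constructed iptables-save samples; eth0 = DMZ NIC, eth1 = 10.* NIC (assumed names).
HEAD = "*filter\n:INPUT DROP [0:0]\n:FORWARD {} [0:0]\n:OUTPUT ACCEPT [0:0]\n"
LEAKY = HEAD.format("ACCEPT") + "-A FORWARD -i eth1 -o eth0 -j ACCEPT\nCOMMIT\n"
STRICT = HEAD.format("DROP") + (
    "-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable\n"
    "-A FORWARD -i eth0 -o eth1 -j ACCEPT\nCOMMIT\n")
PARTIAL = HEAD.format("DROP") + (
    "-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8000 -j ACCEPT\n"
    "-A FORWARD -i eth0 -j DROP\nCOMMIT\n")

def cross_traffic_findings(ruleset, ext_if, int_if, ip_forward=True):
    """Return reasons forwarded packets could pass from ext_if to int_if.
    Not analysed: user-defined chains, '!' negation, wildcard names (eth+)."""
    if not ip_forward:  # net.ipv4.ip_forward=0: the kernel never routes between NICs
        return []
    findings, policy, in_filter = [], "ACCEPT", False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A FORWARD "):
            tok = shlex.split(line)[2:]
            j = tok.index("-j") if "-j" in tok else len(tok)
            match, target = tok[:j], (tok[j + 1] if j + 1 < len(tok) else None)
            opt = lambda f: match[match.index(f) + 1] if f in match else None
            if opt("-i") not in (None, ext_if) or opt("-o") not in (None, int_if):
                continue  # rule cannot match ext -> int packets
            # Criteria other than -i/-o mean the rule matches only some packets.
            conditional = len(match) > 2 * sum(f in match for f in ("-i", "-o"))
            if target == "ACCEPT":
                findings.append("ACCEPT reachable: " + line)
            elif target in ("DROP", "REJECT") and not conditional:
                return findings  # unconditional deny shadows everything after it
    if policy == "ACCEPT":
        findings.append("FORWARD policy ACCEPT with no unconditional deny before it")
    return findings

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY), ("strict", STRICT), ("partial", PARTIAL)):
        print(name, cross_traffic_findings(rules, "eth0", "eth1"))
```

An empty list means no path was found through the FORWARD chain, either because an unconditional DROP/REJECT comes first or because forwarding is off in the kernel.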