RE: [fw-wiz] Backup exec agent in dmz

From: Ahmed, Balal (balal.ahmed_at_cgey.com)
Date: 06/11/03

    To: "'Sloane, David'" <DSloane@vfa.com>, "'yehuda'" <yehuda@essutton.com>, "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 11 Jun 2003 17:25:45 +0100
    
    

    I wasn't going to post this to the list but seeing these other responses I
    see what I have done in the past isn't that bad.

    DNS on Linux - Probably BIND. If so just set up a cron job to FTP the
    named.conf file and the zone files off to the NT box in the DMZ. Do the same
    on the Apache server, assuming it's a static site. If it's dynamic just dump
    the database before the FTP script kicks in. Your code files will probably
    be backed up somewhere else (developer's machine?)

    One option is using VLANs. The PIX 515E supports up to 6 interfaces
    depending on your licence. You could set up a new 'backup DMZ', put your
    backup tape library in this DMZ and back up all your servers to the new DMZ.
    You would have to set the security level higher than the internet DMZ, but at
    least if the internet DMZ is compromised the only box they can destroy is
    your backup box, not your internal mail server.

     
    -----Original Message-----
    From: Sloane, David [mailto:DSloane@vfa.com]
    Sent: 11 June 2003 15:45
    To: 'yehuda'; 'firewall-wizards@honor.icsalabs.com'
    Subject: RE: [fw-wiz] Backup exec agent in dmz

    Samba comes to mind...

    (going far afield now)

    That said, what do you really need to back up on the DNS and web servers?

    Web sites are often mirrored internally - either in source control or just a
    flat-file system.

    The dns server records should be tiny text files. You can update two sets
    of DNS files, right? Or just pull down the zone file(s) after making
    changes...

    If you really want to minimize potential down-time, make a Ghost (or
    similar) image of each Red Hat box. If you need the logs, pull them out
    with ftp or samba or (insert file transfer protocol here).

    Your disaster-recovery model is pretty straightforward - ghost image to
    replacement disk, then drop in the most recent DNS and web-site files.

    No muss, no fuss, no *nix agents with open access to your
    AD/Exchange/BackupExec/eggs-in-one-basket box (sorry, couldn't resist any
    longer).

    Cheers,

    David

    -----Original Message-----
    From: yehuda [mailto:yehuda@essutton.com]
    Sent: Tuesday, June 10, 2003 11:45 AM
    To: 'firewall-wizards@honor.icsalabs.com'
    Subject: [fw-wiz] Backup exec agent in dmz

    Hi, I was wondering if anyone has ideas or a solution for this problem:

    I'm trying to set up reliable backup of 3 servers in a dmz network: a
    mail/antivirus server, a dns server, and a web server.
    The mail server is running windows NT and the other two are Redhat linux.

    I have a windows 2000 server running backup exec version 9 on the primary
    network connected to a ten thousand dollar tape loader, and I'd rather not
    have to set up a separate backup system for the dmz computers.

    The networks are segmented by a pix 515 with three interfaces, one for the
    inside, one for the outside, and one for the dmz.

    The primary network has unrestricted access to the dmz, but computers on the
    dmz network need specific permission - by ip and port - to connect to
    servers in the primary network.

    I installed the backup exec unix agent on the two linux machines in the dmz.
    According to veritas's website,
    (http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101
    and 1024-65535 both ways, because the unix agent uses rpc.

    I don't have a problem giving dmz machines access to port 6101 on the backup
    server, but I'd rather not give the dmz machines access to 1024-65535 on the
    backup server. The backup server is a domain controller for our active
    directory, as well as an internal ms-exchange mail server. I could filter
    off the listening ports over 1024, but then if I don't keep watching it,
    someone might install an app that listens above 1024, which would then be
    available to the dmz.

    They have a workaround for windows, by reconfiguring dcom and rpc to only
    use specific ports, but it seems from the above-referenced document that
    such an option isn't available for the unix agent.

    Any ideas?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
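    The push-from-the-DMZ approach discussed in this thread (a cron job on the Red Hat box that gathers named.conf, the zone files and, for a dynamic site, a database dump, then ships them out), written up as an added example script. It is not code from the thread or from any of the posters, and it assumes hypothetical paths (NAMED_CONF, ZONE_DIR, DROP_DIR), a hypothetical DB_DUMP_CMD, and a push_bundle() that only copies into a local drop directory; the transfer step a site actually uses (the thread mentions FTP or Samba) would replace that copy. It also records a SHA-256 digest beside the tarball so the receiving side can confirm the bundle arrived intact before restoring from it.

```shell
#!/bin/sh
# Added example, not code from the thread. Gather BIND config + zone files
# (+ an optional database dump) from a DMZ host into a dated tarball, record
# its SHA-256 digest, and hand both files to a push step.
# Hypothetical assumptions: the default paths below, DB_DUMP_CMD, and
# push_bundle(), which here only copies into DROP_DIR.

NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"   # hypothetical default path
ZONE_DIR="${ZONE_DIR:-/var/named}"            # hypothetical default path
DROP_DIR="${DROP_DIR:-/var/backups/dmz-drop}" # hypothetical local drop directory
DB_DUMP_CMD="${DB_DUMP_CMD:-}"                # dump command; empty = static site, skip

# sha256_hex <file>: hex digest (coreutils sha256sum, falling back to shasum)
sha256_hex() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# make_bundle <out_dir>: build <out_dir>/dmz-backup-<stamp>.tar.gz, print its path
make_bundle() {
    out_dir=$1
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d) || return 1
    mkdir -p "$work/bind" "$out_dir" || return 1
    cp "$NAMED_CONF" "$work/bind/" || return 1
    # only regular files from the zone directory, so pid files, sockets or
    # subdirectories never end up in the archive
    find "$ZONE_DIR" -maxdepth 1 -type f -exec cp {} "$work/bind/" \;
    if [ -n "$DB_DUMP_CMD" ]; then
        # dump the database before packing, as the thread suggests for dynamic sites
        sh -c "$DB_DUMP_CMD" > "$work/db.sql" || return 1
    fi
    bundle="$out_dir/dmz-backup-$stamp.tar.gz"
    tar -czf "$bundle" -C "$work" . || return 1
    rm -rf "$work"
    printf '%s\n' "$bundle"
}

# write_checksum <bundle>: write <bundle>.sha256 next to it, print the hex digest
write_checksum() {
    digest=$(sha256_hex "$1") || return 1
    printf '%s  %s\n' "$digest" "$(basename "$1")" > "$1.sha256"
    printf '%s\n' "$digest"
}

# verify_bundle <bundle>: succeed only if the archive still matches its recorded
# digest; run this on the receiving side before trusting a pushed bundle
verify_bundle() {
    recorded=$(cut -d' ' -f1 "$1.sha256") || return 1
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_hex "$1")" ]
}

# push_bundle <bundle>: placeholder transfer step (local copy into DROP_DIR)
push_bundle() {
    mkdir -p "$DROP_DIR" && cp "$1" "$1.sha256" "$DROP_DIR/"
}

# list_bundle <bundle>: archive members, sorted, for a quick content check
list_bundle() {
    tar -tzf "$1" | sort
}

# run_backup <out_dir>: the whole cron job; prints the bundle path
run_backup() {
    b=$(make_bundle "$1") || return 1
    write_checksum "$b" >/dev/null || return 1
    verify_bundle "$b" || return 1
    push_bundle "$b" || return 1
    printf '%s\n' "$b"
}

# make_sample_tree <dir>: constructed sample input (not real zone data) so the
# script can be exercised without a BIND installation; points the globals at it
make_sample_tree() {
    mkdir -p "$1/zones/junk" || return 1   # junk/ is a subdirectory that must not be archived
    printf 'options { directory "/var/named"; };\nzone "example.test" { type master; file "example.test.zone"; };\n' > "$1/named.conf"
    printf '$TTL 3600\n@ IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400\n@ IN NS ns1.example.test.\n' > "$1/zones/example.test.zone"
    NAMED_CONF=$1/named.conf
    ZONE_DIR=$1/zones
    DROP_DIR=$1/drop
    DB_DUMP_CMD="printf 'CREATE TABLE guestbook (id INT);\n'"
}

# ./dmz-backup.sh --demo  builds the constructed tree and runs one backup
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    run_backup "$d/out"
fi
```

    From cron, a one-line entry calling run_backup with the real output directory is enough; the only outbound connection the DMZ host needs is the one push_bundle makes, which keeps the firewall rule for the backup path down to a single port and direction instead of the ephemeral-port range the agent approach requires.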



