Hello Erik,

as always in security, the level of security increases with the costs. Your third method you disqualified by the down side you mentioned. To get this solution secure you even have to invest extra money, so your plus side isn't that high. Never bypass your firewall!!

The second solution isn't my favorite either, but when you choose it, make sure that your Backup-Server makes the connection to your DMZ-Server. Never let a DMZ-Server open a connection to your LAN. It is mandatory to use a 3-interface Firewall with separate rulesets for each interface and communication direction. Use at least stateful packet inspection. As a security rule, when you are piercing holes in your Firewall you should additionally use Security-Software on your DMZ-Servers to protect these holes, meaning, use at least some kind of integrity checking such as Tripwire on your DMZ-Servers. Another point is that with this solution you mix two types of data on your backup tape, confidential data with public data. This also breaks some "unwritten" security rules. Refer to your information security policy, if you have one?

Ok you see, the first solution you mentioned is always the best ;-) (double meaning). Well, it's the cleanest and in my opinion the only way to go. You can even add security by using 2 NICs on all your DMZ-Servers to divide your backup data from your public Network.

Hope this helps

Holger Reichert
Owner Manager
Holysword GbR
IT-Security Consulting and Reseller
www.holysword.de

Forwarded message from Erik Vincent <[EMAIL PROTECTED]> of 18.06.2003, 15:04:01:

> Hello to all,
>
> I would like to have comment on how to set up a backup strategy
> regarding a DMZ.
>
> Scenario 1: Put a tape unit/software in the DMZ and another one on the
> LAN to have everything separate.
>
> Plus side: No hole in DMZ Firewall
> Down side: Cost (2 unit/software), 2 software to manage
>
> Scenario 2: Change firewall rules to give access from DMZ to LAN.
>
> Plus side: Costs less and easier management
> Down side: Hole in Firewall
> (I did some tests with Veritas Backup Exec and it is
> using RPC so it is really hard to set Firewall rules)
>
> Scenario 3: Have one server with 2 NICs. One on LAN and one on DMZ.
>
> Plus side: Cost, management
> Down side: Need to have high security on server.
> Bypass Firewall. (High security risk)
>
> What do you think?
> Thank you all for your time and effort.
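The direction rule in Holger's reply (the LAN backup server initiates the session, the DMZ never opens a connection into the LAN, stateful inspection with a separate ruleset per interface pair), as an added example that is not part of the thread: a small Python model of such a 3-interface firewall that can be used to check a proposed ruleset before committing it. The zone address ranges, the backup server address and the backup-agent port are assumptions made up for the illustration.

```python
# Added example (not from the thread): a tiny model of a 3-interface stateful
# firewall. It checks that a backup job started by the LAN backup server reaches
# a DMZ host while the DMZ can never start a session into the LAN.
import ipaddress

# Constructed topology: one interface per zone (anything else is "wan").
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
BACKUP_SERVER = "10.0.0.10"   # assumed LAN host that must initiate every session
BACKUP_AGENT_PORT = 10000     # assumed backup-agent port listening on DMZ hosts

# One ruleset per (source zone, destination zone) for NEW connections:
# list of (allowed source host or "any", allowed destination port or "any").
# Anything not listed is dropped. There is deliberately no ("dmz", "lan") entry,
# so the DMZ can never open a connection into the LAN.
NEW_CONN_RULES = {
    ("lan", "dmz"): [(BACKUP_SERVER, BACKUP_AGENT_PORT)],
    ("wan", "dmz"): [("any", 80), ("any", 443)],
    ("lan", "wan"): [("any", "any")],
}

def zone_of(ip):
    """Map an address to the interface/zone it arrives on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()   # accepted flows, keyed (src, sport, dst, dport)

    def packet(self, src, sport, dst, dport, syn=False):
        """Return 'accept' or 'drop' for one packet, tracking state like SPI does."""
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        # Either direction of a flow we already accepted is ESTABLISHED: allow.
        if flow in self.conntrack or reverse in self.conntrack:
            return "accept"
        if not syn:
            return "drop"        # no state and not a connection start: invalid
        rules = NEW_CONN_RULES.get((zone_of(src), zone_of(dst)), [])
        for rule_src, rule_port in rules:
            if rule_src in ("any", src) and rule_port in ("any", dport):
                self.conntrack.add(flow)
                return "accept"
        return "drop"
```

Because replies to the backup session are matched as ESTABLISHED, the DMZ host can answer the backup server without any rule allowing DMZ-to-LAN connection starts.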