Forum Discussion

kraju's avatar
kraju
Level 2
9 years ago

DMZ server backup

Hello, I need to backup a good no of clients in the DMZ servers.The media server has been setup in same DMZ LAN, however the Storage is in internal network.So as to get a good throughput is there a way to Minimize / Avoid the traffic through FW during backup.

Thanks

 

  • In case you get challenged by your security team, you can point them to the fact that there are no public notifications of any known vulnerabilities in the latest versions of NetBackup Client:

    https://www.us-cert.gov/ncas/current-activity

    ...and search for NetBackup.

    .

    As an additional measure IF you use specific physical NICs to create what is in effect a "DMZ backup subnet", then...    whilst not a firewall, you should be able to get your network admins to place an ACL on the network ports, and/or possibly restrict specific LAN switch network physical ports to specific tcp port numbers e.g. tcp/1556 in each direction to tcp/any - ok, it's not a firewall, but it should still block all other traffic, except for NetBackup - without imparing performance.  Ok, so you won't have stateful inspection of packets, but you should be able to restrict the the source to a specific TCP port (tcp/1556), and or whitelist the source and/or target IP or MAC addresses.

  • could you let us know how you are connecting the Storage with media servers? does it though SAN( over FC) or though LAN ( using some OST plug in)? 

    what is the storage that you are using?

    if you are connecing the storage with media server using SAN.. there is no point of network/DMZ and firewall.. since SAN does not have all these..

    if you are connecting the storage with Media server using LAN, you need to make sure that the requied network ports are opened.. and have good speed in network configurations and connectivty.. could be 10 gig depends on your network design.

    you can look below T/N for port requirements

    https://www.veritas.com/support/en_US/article.TECH136090

  • Hi Ram, thank you for your reply. The media server is in the same LAN of DMZ servers and the Storage is connected throug 10g. but in that case will it affect the throughput? What would be the best way to bypass the backup traffic through Firewall ? Is that only SAN? 

  • Private network between DMZ media server and Storage Server that bypasses the Firewall can be deployed. The question about Firewall affect on backup throughput must be directed to your network and firewall team. Only proper understanding of type of Firewall, settings, etc, and network route will help to know affect on performance.
  • Thanks Marianne,  "Private network between DMZ media server and Storage Server that bypasses the Firewall can be deployed" sounds good to me. So I hope this would help to avoid traffic through Firewall and help to backup clients in DMZ and Internal network to the same storage.I hope the network rout should not be a problem if Media server and clients are in the same LAN.

    Thank you

  • In case you get challenged by your security team, you can point them to the fact that there are no public notifications of any known vulnerabilities in the latest versions of NetBackup Client:

    https://www.us-cert.gov/ncas/current-activity

    ...and search for NetBackup.

    .

    As an additional measure IF you use specific physical NICs to create what is in effect a "DMZ backup subnet", then...    whilst not a firewall, you should be able to get your network admins to place an ACL on the network ports, and/or possibly restrict specific LAN switch network physical ports to specific tcp port numbers e.g. tcp/1556 in each direction to tcp/any - ok, it's not a firewall, but it should still block all other traffic, except for NetBackup - without imparing performance.  Ok, so you won't have stateful inspection of packets, but you should be able to restrict the the source to a specific TCP port (tcp/1556), and or whitelist the source and/or target IP or MAC addresses.