10-14-2016 01:42 PM
What I need is to turn an internet-facing DMZ media server into nothing more than a simple data mover without the ability to run commands that could be a security risk if the master server is on the internal network. If possible I want to apply security only on that media server. The internal network media servers should remain as per normal, i.e. relying upon the security services of the server and the internal environment they live in.
From what I can see MSEO focuses on data encryption only - correct?
NBAC looks like it may be a possibility, but does it have the granularity to turn a media server into a simple data mover?
I don't need backup data encryption. I see a regular media server in the DMZ as a real security risk because from there you can run many of the commands for information, change configurations, etc. without having to be located in the internal network. If the DMZ media server is compromised, the last thing you want is to give somebody the ability to remotely get all the client information from vCenters (nbdiscover), expire backup images, etc.
10-14-2016 07:32 PM
10-16-2016 11:45 PM
An alternative could be to make the internet server a master/media server, so if it is compromised it is only the internet/DMZ backups that are accessible.
10-17-2016 05:07 AM - edited 10-17-2016 05:09 AM
It used to be a master-media server until the DMZ VM machines were moved from a DMZ vCenter to an internal vCenter.
I agree that an appliance is the best option, but it involves $$$