Showing results for 
Search instead for 
Did you mean: 

Security of DMZ media server - hardening and limiting capabilities

Level 3

What I need is to turn an internet facing DMZ media server into nothing more than a simple data mover without the ability to run commands that could be a security risk if the master server is on the internal network. If possible I want only apply security on that media server. The internal network media servers should remain as per normal i.e. relying upon the security services of the server and the internal environment they live in.

From what I can see MSEO focuses on data encryption only - correct?

NBAC looks it may be a possibility but does it have the granularity to turn a media server into a simple data mover?

I don't need backup data encryption. I see a regular media server in DMZ as real security risk becasue from there you can run many of the commands for information, change configurations, etc without having to be located in the internal netowork. If the DMZ media server is compromised the last thing you want is giving somebody the ability to remotely get all the client information from vCenters (nbdiscover), expire backup images etc.


Level 6
Partner    VIP    Accredited Certified
Consider NBU Appliance as DMZ media server.
It comes with built-in security and hardening.

Level 6

An alternative could be to make the internet server a master/media server, so if it is compromised it is only the internet/DMZ backups that are access to.

The standard questions: Have you checked: 1) What has changed. 2) The manual 3) If there are any tech notes or VOX posts regarding the issue

It used to be a master-media server until the DMZ VM machines were moved from a DMZ vCenter to an internal vCenter.

I agree with an appliance is the best option but it involves $$$