Re: Fast DMZ backups



In article <1123053307.142923.52660@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<yamahasw40@xxxxxxxxxxxxx> wrote:
:I'm looking at bringing a backup server from the DMZ into the LAN. I
:need something to put between the DMZ clients and the server to protect
:it while giving me the best throughput possible. I'd be happy with
:extended access-lists, and so have been looking at an L3 switch.

:Is it possible to configure extended access-lists that would allow the
:backup server to communicate with the clients in the DMZ, while
:protecting the internal network in case the backup server is
:compromised?

Not really, but 'reflexive' access-lists come much much closer.


:I am still exploring whether the client attempts to
:initiate a session on a random port (a la ftp) or whether it's a pure
:pull.

What throughput do you need? "best possible" could get pretty expensive
by the time you get into the petabit per second range.


:What are my alternatives?

PIX 506E and up are rated at 100 Mbit/s cleartext or better.

The x8xx routers have line-rate packet inspection, but the 'line'
is only small multiples of T1 speed in the lower end of the line.

There is a new line of security appliances that I haven't had a look at.

The 3600 series -above- the 3640 can handle 100 Mbit/s; if your traffic
occurs in long streams, then there might not be much traffic inspection
needed, so any slowdowns from CBAC might not be of importance.

The Cat 3560 and Cat 3750 multilayer switch can do gigabit on multiple
ports, but I don't recall that they support reflexive ACLs, just
extended ACLs. They weren't designed as security devices per se.
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler
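Worked example added here (not from the post or its author): a Cisco IOS reflexive ACL on the router interface facing the DMZ that lets the LAN backup server open sessions to DMZ clients and admits only the return half of those sessions, shown beside the weaker plain extended ACL. Addresses, ACL names and the interface name are assumptions: the backup server is taken as 10.0.0.5 and the DMZ as 192.168.100.0/24.

```cisco
! Assumed topology (constructed for this example): LAN backup server 10.0.0.5,
! DMZ clients in 192.168.100.0/24 behind GigabitEthernet0/1 of an IOS router
! (a 3600-class box, say; the Cat 3560/3750 offer no 'reflect'/'evaluate').
!
! --- Weaker alternative: plain extended ACL with 'established' ---
! 'established' only checks for the ACK or RST flag, so a compromised DMZ
! host can still push flagged TCP packets at the LAN, and UDP is not covered.
ip access-list extended DMZ-IN-WEAK
 permit tcp 192.168.100.0 0.0.0.255 host 10.0.0.5 established
 deny   ip any any log
!
! --- Reflexive ACL: per-session temporary return entries ---
! Outbound toward the DMZ: every session the backup server opens is mirrored
! into the temporary list BACKUP-SESSIONS (entries expire after the timeout).
ip access-list extended LAN-TO-DMZ
 permit tcp  host 10.0.0.5 192.168.100.0 0.0.0.255 reflect BACKUP-SESSIONS timeout 300
 permit udp  host 10.0.0.5 192.168.100.0 0.0.0.255 reflect BACKUP-SESSIONS timeout 60
 permit icmp host 10.0.0.5 192.168.100.0 0.0.0.255 reflect BACKUP-SESSIONS
 deny   ip any any log
!
! Inbound from the DMZ: only the mirror of a recorded session gets through.
! Nothing a DMZ host initiates reaches the LAN. What a compromised backup
! server does outbound is not constrained here, which is why the reply says
! ACLs only come "closer" to the poster's goal.
ip access-list extended DMZ-TO-LAN
 evaluate BACKUP-SESSIONS
 deny   ip any any log
!
interface GigabitEthernet0/1
 description DMZ segment
 ip access-group LAN-TO-DMZ out
 ip access-group DMZ-TO-LAN in
!
! Caveat: a reflexive entry mirrors exactly one address/port pair, so a backup
! agent that opens a second, randomly numbered data connection (the FTP-style
! case the poster was still checking) will be denied; that needs CBAC
! (ip inspect) or a real firewall such as the PIX.
```

Use `show ip access-lists BACKUP-SESSIONS` while a backup is running to see the temporary entries being created and aged out.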