I agree with everyone... don't dual nic the box.  If you do, you might as
well throw away the dmz and just stick the webserver inside on your 10.x
network.

After some poking on Veritas' site, I found
http://seer.support.veritas.com/docs/234123.htm

BackupExec is an evil evil RPC based program, so you have to open a bunch of
stuff.  <rant>Why can't developers think about how their products are going
to work through a firewall??!?!?!?!?</rant>

rsync is another option, however, with rsync if someone does compromise your
webserver, they are going to have a better chance of getting a shell on your
tape server if you have rsync set up to do its thing automatically, because
the .known_hosts file for sshd on the tape server will allow the webserver
to login with no password.  Even if you use an account that has a shell of
/bin/false, it's not the most comforting thought in the world.

Jay

ps--  Another excellent example of stupid developers are the ones that
microsoft had develop the Active Directory replication code.  It uses like
10 or 15 different ports and RPC.  MS's solution to do active directory
replication through a firewall is to set up a PPTP VPN connection between
the two domain controllers on the different networks and use that to pipe
the AD replication across.  Problem is, if someone compromises one of your
domain controllers, they have full access to the other one on your other
network and can use it as a jumping point to more fun and interesting stuff.
Read here for their sweet suggestion:
http://www.microsoft.com/ISN/columnists/p63623.asp   (check out the cool
picture of the guy who wrote it :)



> -----Original Message-----
> From: ^chewie [mailto:chewie at wookimus.net]
> Sent: Tuesday, March 20, 2001 6:16 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] security question
> 
> 
> Timothy Wilson wrote:
> > Our new Web server sits in a DMZ outside our school's main firewall
> > and has a regular IP address. The rest of the district is NAT'd
> > behind the firewall using a 10.*.*.* block. We have a tape library
> > set up inside to back up all the file servers.
> > 
> > Since we have a BackupExec setup, I'd like to install the Unix agent
> > and backup the Web server files to the internal tape library. The
> > firewall makes that more complicated.
> > 
> > Here's the question: How 'bout putting a 2nd NIC in the Webserver
> > and putting that NIC on the internal network? The 2nd one would get
> > a 10.* IP address and shouldn't have any trouble accessing the tape
> > library.
> 
> Generally a bad idea.  Plus, you compromise the whole idea of a DMZ
> that way.  However, I think the solution you desire is found in mere
> routing tables and standard IPChains (assuming that you're running a
> 2.2.x kernel).  Masquerading is only as important as the outside
> world.  Your web server, however, is another matter.  You control that
> network, those IP's.  You know who the source is and what the
> destination is.  You probably know which ports are needed under which
> protocols.
> 
> Remember this: you do not have to masquerade to the DMZ...
> 
> #!/bin/sh
> # Usage: tape-rule A   (add the rule)    tape-rule D   (delete it)
> IPCN=/usr/sbin/ipchains
> WEBSVR=AAA.BBB.CCC.DDD
> TAPESVR=10.0.0.2
> PROTO=udp
> SPORT=555
> DPORT=555
> 
> # Accept only A (append) or D (delete); anything else is a usage error.
> case "${1:-D}" in
>     A|D) ;;
>     *) echo "usage: $0 A|D" >&2; exit 1 ;;
> esac
> 
> # Allow udp traffic to/from the tapeserver and webserver.
> # ${1:-D} falls back to D (delete) when no parameter is given; the original
> # ${1:='D'} form tries to assign to $1, which sh rejects.
> $IPCN -${1:-D} forward -j ACCEPT -p $PROTO -b -s $TAPESVR $SPORT \
>         -d $WEBSVR $DPORT
> 
> If you want even tighter control on when this rule is allowed, place a
> crontab entry for this script.  Use a parameter variable to specify an
> add ('A') or delete ('D').
> 
> # m h dom m dow  command
> 00 05 * * *      tape-rule A
> 15 05 * * *      tape-rule D
> 
> -- 
> ^chewie
> 
> Sorry about not signing my email...I can't get access to my
> home workstation today. CCW-20010320
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
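A defender-side check for the automated-rsync risk Jay raises above, added here as an example that is not part of the thread: the script audits the tape server's authorized_keys for backup keys that lack a from= source restriction, a forced command, and the no-pty/no-port-forwarding options (or OpenSSH's newer "restrict"), which are what keep a compromised web server confined to its backup job. The sample file is constructed, the rrsync install path is assumed, and AAA.BBB.CCC.DDD is the thread's own web server placeholder.

```shell
#!/bin/sh
# Added example, not from the thread.  Audits the sshd authorized_keys file of
# the backup account on the tape server: a key the web server uses for
# unattended rsync should carry from="<web server address>", a command="..."
# forced command, and no-pty / no-port-forwarding (or the newer "restrict"),
# so a compromised web server gets a backup channel, not a shell.
# Reads the file named in $1, or standard input when no argument is given;
# prints one line per weak key and returns 1 if any were found.
audit_authorized_keys() {
    awk '
    function need(ok, why) { if (!ok) reasons = reasons (reasons == "" ? "" : "; ") why }
    BEGIN { keytypes = "(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    {
        reasons = ""
        if ($1 ~ ("^" keytypes "$"))            opts = ""      # bare key, no options
        else if (match($0, " " keytypes " "))   opts = substr($0, 1, RSTART - 1)
        else { printf "line %d: unrecognised key line\n", NR; bad++; next }
        o = "," opts ","          # bracket with commas so each option matches whole
        need(o ~ /,from="/,                            "no from= source restriction")
        need(o ~ /,command="/,                         "no forced command")
        need(o ~ /,(no-pty|restrict),/,                "pty allowed")
        need(o ~ /,(no-port-forwarding|restrict),/,    "port forwarding allowed")
        if (reasons != "") { bad++; printf "line %d: %s\n", NR, reasons }
    }
    END { exit (bad > 0) }' "${1:--}"
}

# Constructed sample file.  AAA.BBB.CCC.DDD is the web server placeholder used in
# the thread; rrsync is the restricted-rsync wrapper shipped in rsync's support
# directory (install path assumed), limiting the key to pushing into one tree.
sample_authorized_keys() {
    cat <<'EOF'
# keys accepted by the backup account on the tape server (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxCONSTRUCTEDxx== webserver-rsync
from="AAA.BBB.CCC.DDD",command="/usr/local/bin/rrsync /backup/webserver",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxCONSTRUCTEDxx== webserver-rsync
command="/bin/false" ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTEDxx== old-agent
EOF
}

# Stand-alone run: lines 2 and 4 of the sample are reported, line 3 passes.
sample_authorized_keys | audit_authorized_keys || echo "unrestricted backup keys found"
```

Run it against the real file with `audit_authorized_keys ~backup/.ssh/authorized_keys` from a cron job and alert on a non-zero exit.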