Can the extra network card be configured to access software on the internal network for server back-
I have three Windows 2000 servers, each residing on separate DMZs, and I want to back them up using software running on a server within our internal network. Instead of opening ports on the firewall, can I make use of the extra network card by configuring it to access our internal network? This would be for backups only. If this is possible, do I have to disable the other network card?
Assuming that the servers have multiple network cards, you could connect them to your internal network. However, that then bypasses your firewall completely, and effectively makes your servers a route to your internal network without going through the firewall. I don't think that's an approach you really want to take, even if
you disabled the other NIC while connected to the internal network. What if your server was compromised and had a Trojan on it that was trying to randomly spread to other machines? When the new interface appears, it then gets the chance to spread to your internal network. Again, this defeats the purpose of having the firewall in the first place.
Is your firewall flexible enough to only open the ports you need open for those MAC addresses that you specify? If so, that provides you a way to limit which machines can use those ports (yes, I'm aware that MAC addresses can be spoofed, but someone would need to be able to find out what the correct MAC addresses are first.)
Another option might be to create a secure tunnel from your servers in the DMZs to the backup server. SSL with mutual authentication would work nicely with that, as long as each machine knows where it's supposed to be communicating.
This was first published in October 2004