Bacula-users

Re: [Bacula-users] Backup of system outside of restrictive firewall?

2016-08-05 10:18:53
Subject: Re: [Bacula-users] Backup of system outside of restrictive firewall?
From: Josh Fisher <jfisher AT pvct DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Fri, 5 Aug 2016 10:18:12 -0400
On 8/5/2016 8:50 AM, Andreas Koch wrote:
> Hello all,
>
> while we have been extremely happy over the years using Bacula to handle our
> internal systems, we are a bit stumped now on how to back up a machine
> outside of a rather restrictive firewall.
>
> Said firewall is basically configured to deny all incoming connections (but
> allows connections initiated from the inside).
>
> With the default approach Bacula uses
>
> 1. Director (inside of firewall) tells File Daemon (outside of firewall) on
>       remote machine to begin backup -- OK
>       
> 2. File Daemon (outside of firewall) attempts to connect to Storage Daemon
> (inside of firewall) -- FAILS
>
> we are getting nowhere. Is there a possibility to configure the Storage
> Daemon to use something like a "pull" mode, resulting in
>
> 1. Director (inside of firewall) tells File Daemon (outside of firewall) on
>       remote machine to begin backup
>
> 2. Director (inside of firewall) tells Storage Daemon (inside of firewall) to
>       connect to File Daemon (outside of firewall)
>       
> 3. File Daemon (outside of firewall) can now stream data to Storage Daemon
> (inside of firewall)
>
> I'd also be interested to know how other users have tackled such a setup!
>

I don't know if any version of Bacula implements the "pull" mode you 
mention, but I am not a fan of this approach. It puts all of the 
emphasis for security on the clients. An attack vector would be to spoof 
the Storage Daemon and convince the client to send its backup to the 
attacker.

I use OpenVPN to tunnel into the protected network. The client side of 
the VPN is given an address inside the firewall. This also ensures that 
all comms are encrypted on the wire (outside of the firewall, anyway) 
without having to configure encryption in Bacula.
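
One way to lay out the tunnel described in the reply above, as an added example that is not part of the original post and not the poster's or the Bacula project's own configuration. It assumes a routed OpenVPN (tun) setup; every host name, address, file name and password below is a constructed placeholder.

```conf
# --- OpenVPN server at the edge of the protected network: server.conf ---
# Assumption: 10.8.0.0/24 is the tunnel subnet, 192.168.10.0/24 the internal LAN.
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
client-config-dir ccd                      # per-client settings, keyed by certificate CN
push "route 192.168.10.0 255.255.255.0"    # lets the client reach the Storage Daemon

# --- ccd/backup-client (file name must equal the client certificate CN) ---
ifconfig-push 10.8.0.10 255.255.255.0      # fixed tunnel address for this client

# --- OpenVPN client on the outside machine: client.conf ---
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert backup-client.crt
key backup-client.key
remote-cert-tls server                     # refuse peers without a server certificate
tls-auth ta.key 1

# --- bacula-dir.conf (inside): reach the File Daemon by its tunnel address ---
Client {
  Name = outside-fd
  Address = 10.8.0.10
  FDPort = 9102
  Catalog = MyCatalog
  Password = "CHANGE-ME-FD"
}
Storage {
  Name = File
  Address = 192.168.10.5                   # must be reachable from the client via the tunnel
  SDPort = 9103
  Password = "CHANGE-ME-SD"
  Device = FileStorage
  Media Type = File
}
```

The Storage Daemon's network also needs a return route to the tunnel subnet through the VPN server, and the outside machine's host firewall can then restrict port 9102 to the tunnel interface.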

