Question
Tuesday, August 2, 2011 12:05 AM
As with all businesses, storage is becoming an issue so we're trying to consolidate our current storage situation. Rather than have it spread across multiple appliances, we're considering purchasing 2 NAS units set up with DFS-R and two server nodes above that to serve as fail-over clusters to provide high availability. At the moment we basically have two separate data stores, one is a file store within the DMZ that primarily serves up web content, the other is a file store that absolutely cannot be in the DMZ. So on the new NAS units the storage would look similar to below:
\\fileserver\WebMedia (DMZ)
\\fileserver\InternalFiles (Not in DMZ)
How would I ensure that users would be able to access the Web Media without having to connect to a VPN, however require VPN access to the Internal Files, and still store all the data on the NAS unit?
All replies (2)
Tuesday, August 2, 2011 2:16 AM ✅ Answered
we're considering purchasing 2 NAS units setup with DFS-R
Unless you are purchasing servers running Windows Storage Server as the OS, this just isn't possible. If you can prove me wrong, please provide a link to the technical information of the NAS devices for review; I would love to see it. To the best of my knowledge DFS-R is a Microsoft technology and no third-party NAS device provides this, but they may implement similar technology. Windows Storage Server is not a NAS, although many people describe it as one.
How would I ensure that users would be able to access the Web Media without having to connect to a VPN however require VPN access to the Internal Files and still store all the data on the NAS unit?
I'm lost with this question. You have two NAS units, so why are you talking as if there is one? Why would you mix your DMZ data with your internal data when you clearly state some data can't reside in the DMZ? This just doesn't make sense. Of course you want users to VPN into the internal network to gain access to internal files.
My only advice at this point is to maintain your current configuration using the new NAS devices. It seems like it is the only viable solution.
Tuesday, August 2, 2011 2:44 PM
As with all businesses, storage is becoming an issue so we're trying to consolidate our current storage situation. Rather than have it spread across multiple appliances, we're considering purchasing 2 NAS units set up with DFS-R and two server nodes above that to serve as fail-over clusters to provide high availability. At the moment we basically have two separate data stores, one is a file store within the DMZ that primarily serves up web content, the other is a file store that absolutely cannot be in the DMZ. So on the new NAS units the storage would look similar to below:
\\fileserver\WebMedia (DMZ)
\\fileserver\InternalFiles (Not in DMZ)
How would I ensure that users would be able to access the Web Media without having to connect to a VPN, however require VPN access to the Internal Files, and still store all the data on the NAS unit?
I'd reconsider the whole approach from a different point of view; let's start by saying that whatever sits in a DMZ shouldn't (usually) be able to see anything sitting inside the private LAN. This means that any kind of data exchange taking place between the LAN and the DMZ will be a "push" (let's call it so) one; that is, a given host sitting inside the (protected) LAN will open a connection toward a given DMZ host and proceed to exchange data as desired (e.g. pushing and pulling it).
In such a setup, you may have some storage sitting inside the DMZ and used by the DMZ hosts to back up/store data; such storage may then be accessed (at the desired intervals) from an internal (LAN) host, which will proceed to copy the storage contents to whatever LAN storage for backup purposes (or update the storage data with whatever data you need to send to it).
As an additional measure, you may configure the DMZ storage so that each host (and/or process) uses a given set of credentials, different from any other, and only sees the storage area it has access to; this way, in case a given DMZ host/account gets compromised, you'll be able to limit the damage and quickly recover from the issue.
A last note: any host which is directly exposed to the internet should never store any kind of sensitive data (user information, passwords, credit-card numbers...); at most, it may store some salted hashes of user credentials which may be used to authenticate logons, but no "sensitive" information should be stored there, encrypted or not. Keep in mind that encrypting data means using some key to decrypt it (while a hash isn't reversible), and that you'll need to configure whatever application is running on your DMZ to decrypt the data to make use of it; this also means that, if someone gains access to your DMZ box, the attacker may then be able to retrieve the key and decrypt the data, making the whole encryption totally useless.
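One way to lay out the per-host storage areas and the LAN-initiated pull that the reply above describes, as an added PowerShell example that is not code from the thread or from any product documentation. It assumes Windows Server 2012 or later on the DMZ file server (SmbShare, NetSecurity and LocalAccounts modules available); the host names, account names, subnet and paths are placeholders.

```powershell
# Added example, not code from the original thread. Assumes Windows Server 2012
# or later (SmbShare, NetSecurity and LocalAccounts modules); host names,
# account names, subnets and paths are placeholders to replace with your own.

# ---- Part 1: on the DMZ storage host -----------------------------------------
$root     = 'D:\DmzStore'
$dmzHosts = @('web01', 'web02')          # placeholder: one entry per DMZ host
$lanNet   = '10.10.0.0/16'               # placeholder: internal LAN range

New-Item -ItemType Directory -Path $root -Force | Out-Null
# Single share; access-based enumeration hides every folder an account cannot read.
New-SmbShare -Name 'DmzStore' -Path $root -FolderEnumerationMode AccessBased `
             -FullAccess 'Administrators' | Out-Null

# Read-only account the LAN backup job will use to pull data out of the DMZ.
$bkPw = Read-Host 'Password for svc_backup' -AsSecureString
New-LocalUser -Name 'svc_backup' -Password $bkPw -PasswordNeverExpires | Out-Null
icacls $root /grant:r 'svc_backup:(OI)(CI)RX' | Out-Null
Grant-SmbShareAccess -Name 'DmzStore' -AccountName 'svc_backup' -AccessRight Read -Force | Out-Null

foreach ($h in $dmzHosts) {
    $acct = "svc_$h"                     # one account per DMZ host, nothing shared
    $pw   = Read-Host "Password for $acct" -AsSecureString
    New-LocalUser -Name $acct -Password $pw -PasswordNeverExpires `
                  -Description "Storage account used only by $h" | Out-Null
    $path = Join-Path $root $h
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Strip inherited ACEs: this host modifies its own folder, backup reads it, admins own it.
    icacls $path /inheritance:r /grant:r "${acct}:(OI)(CI)M" 'svc_backup:(OI)(CI)RX' 'Administrators:(OI)(CI)F' | Out-Null
    Grant-SmbShareAccess -Name 'DmzStore' -AccountName $acct -AccessRight Change -Force | Out-Null
}

# Host firewall backstop for the push-only model: this box may never initiate
# connections into the LAN, so a compromise here cannot pivot inward.
New-NetFirewallRule -DisplayName 'Block DMZ-to-LAN outbound' -Direction Outbound `
                    -RemoteAddress $lanNet -Action Block | Out-Null

# ---- Part 2: on a LAN host, e.g. as a scheduled task ------------------------
# The LAN side opens the connection toward the DMZ and pulls; nothing in the
# DMZ ever reaches into the LAN.
$cred = Get-Credential -UserName 'dmzstore01\svc_backup' -Message 'DMZ backup account'
New-PSDrive -Name Z -PSProvider FileSystem -Root '\\dmzstore01\DmzStore' `
            -Credential $cred -Persist | Out-Null
# /MIR mirrors the DMZ tree; /LOG+ keeps an audit trail of what was pulled.
robocopy 'Z:\' 'E:\Backups\DmzStore' /MIR /R:2 /W:5 /LOG+:'C:\Logs\dmzpull.log'
Remove-PSDrive -Name Z
```

The DMZ web hosts connect to the share with their own svc_ account only, so each sees exactly one folder; the perimeter firewall should enforce the same DMZ-to-LAN block, with the host rule as defence in depth.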