There are many ways of looking at this. However, I think it can be best left to a
quote from "Building Internet Firewalls" from OR&A. (Good book if you don't
already have it)

Don't have your internal systems trust one of your firewall machines just so you
can do backups. Instead, make the firewall machine trust the internal system, or,
better yet, put a local tape drive on the firewall machine so that it can do its

You can have your firewall back up to other machines if you trust it. However, why?
You can better use the firewall machine itself to do backups, and unless physical
security is an issue, probably is the most secure when worrying about either side
of the wall. This way you don't expose the system and configurations to other
machines. If the firewall is compromised.. they already HAVE the files and
configurations.. so the tape is useless to them. Mirroring your backup data on
other machines only duplicates the access points to the configurations.

Peter Morissey wrote:
> Does anyone have any suggestions on a backup strategy for
> a firewall? Is an internal backup highly recommended?
> One approach we have would be to have an internal
> host back up the firewall. The bad part about this is that
> you then give a host direct access to the firewall. The fact
> that it is on an internal network helps, but it still seems to
> open up a risk. This would probably involve a Checkpoint
> Pete M.

Dana M. Epp
NetMaster Networking Solutions, Inc.
"Connecting networks to the Internet..."