Re: Backup and Restore in a DMZ
Sorry, but I would like to continue the thread about not putting Oracle
inside the DMZ.
Can anyone say why you would not want it there? To me it sounds like a good
idea unless I am confused about the purpose of a DMZ.
Thanks
Scott.
"Holger Marzen" <holger_at_marzen.de> wrote in message
news:a5n8ia$igh$1_at_bluebell.marzen.de...
> * On 28 Feb 2002 14:36:48 -0800, Relational DBA wrote:
>
> >> No big problem, but the machine is located in a DMZ - I cannot have
> >> connections to other db servers or fancy clicky flashy enterprisy tools.
> >
> > I do not claim to be the biggest Information Security consultant of
> > all times, but IMHO Oracle does not belong in the DMZ. I strongly
> > recommend that you reconsider.
>
> That DMZ is not connected to the Internet. These zones are just to
> separate one customer from another.
>
> >> Controlfiles and the rest of the operation system is backed up daily. I
> >> use rman without a repository and save the whole db (backup database),
> >> switch log and archive the logs (db is in log archive mode).
> > Construct your backup/recovery strategy so that you eventually end up
> > with a bunch of files. Just ftp them files to the place from where you
> > can put 'em on tape/backup media. However, I suggest opening FTP
> > access right before copying them files and closing it immediately
> > after that.
>
> I never transfer files with ftp because of security reasons. Scp is much
> better.
>
> >> As I have read I cannot do a timestamp recovery with that data. Is that
> >> true? Can I do a complete recovery including the last database backup
> >> and roll forward with all the available logs?
> > The control file is where the information about last SCN is stored,
> > along with a bunch'a other crap. If you overwrite it with an old one
> > you won't be able to do point-in-time recovery with re-applying redo
> > logs.
>
> Can I do a backup of the current controlfile? I could save this
> together with the archived logs.
>
> >> Another question:
> >> Would it be possible to mirror the online logs via NFS on another
> >> machine, so I could even roll forward the data with the remaining log
> >> if the db machine completely blows up and has to be replaced and
> >> reinstalled?
> > NFS is by far not the most secure network service. There's a lengthy
>
> The NFS-server would be in the same DMZ.
>
> > list of known vulnerabilities. Allowing NFS is asking for some serious
> > trouble. Besides, NFS is not a speed demon, so your performance will
> > be sluggish. Try OS-level mirroring instead, and move them Oracle
> > outt'a DMZ.
>
> I already do OS mirroring. But what if the machine melts down? Unlikely,
> but I want to find out the best backup strategy (no data loss at all).
> Saving archive logs to tape (or a safe place) is the out-of-the-box
> strategy and the amount of lost data is too high for that
> application/customer. That's why I considered using NFS.
>
> But we have an external disk array. I think I should instruct Oracle to
> have 2 logs in a set and have one copy on the local RAID and another on
> the remote RAID.
>
>
> --
> Put an end to the US Air Force's aircraft-noise terror in the
> Saar-Hunsrück Nature Park! 25 years of engine roar, low-level flights,
> dogfights and loud transport flights from early morning until night are
> enough. *Finally* learn to behave yourselves. Is that too much to ask?
Received on Fri Mar 01 2002 - 17:48:06 CST
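
The redo log layout proposed at the end of the quoted message (two members per group, one on the local RAID and one on the external array), together with the controlfile backup asked about, written out as an added example that is not part of the original posts. The group numbers 1-3 and every file path are assumptions.

```sql
-- Added example. Assumed layout (not from the thread): three redo log
-- groups 1-3, each with one member under /u01 (local RAID); /extarray is
-- the mount point of the external disk array; /backup/stage is a staging
-- directory that is later copied off the machine together with the
-- archived logs.

-- 1. Give every group a second member on the external array.
ALTER DATABASE ADD LOGFILE MEMBER '/extarray/oradata/redo01b.log' TO GROUP 1;
ALTER DATABASE ADD LOGFILE MEMBER '/extarray/oradata/redo02b.log' TO GROUP 2;
ALTER DATABASE ADD LOGFILE MEMBER '/extarray/oradata/redo03b.log' TO GROUP 3;

-- 2. New members are INVALID until they have been written once, so cycle
--    through all groups.
ALTER SYSTEM SWITCH LOGFILE;
ALTER SYSTEM SWITCH LOGFILE;
ALTER SYSTEM SWITCH LOGFILE;

-- 3. Check: list every group that does NOT have at least two usable
--    members in two different directories. Expect no rows.
--    In V$LOGFILE a NULL status means the member is in use;
--    INVALID, STALE and DELETED members do not protect anything.
SELECT group#,
       COUNT(*) AS usable_members,
       COUNT(DISTINCT SUBSTR(member, 1, INSTR(member, '/', -1))) AS directories
FROM   v$logfile
WHERE  status IS NULL
GROUP  BY group#
HAVING COUNT(*) < 2
    OR COUNT(DISTINCT SUBSTR(member, 1, INSTR(member, '/', -1))) < 2;

-- 4. Archive the current online log, then write a binary copy of the
--    current controlfile next to the archived logs. REUSE overwrites the
--    previous copy in the staging directory.
ALTER SYSTEM ARCHIVE LOG CURRENT;
ALTER DATABASE BACKUP CONTROLFILE TO '/backup/stage/control.bkp' REUSE;

-- Restoring from this copy means recovering with
--   RECOVER DATABASE USING BACKUP CONTROLFILE
-- and opening the database with
--   ALTER DATABASE OPEN RESETLOGS;
```

Separate directories only help if they sit on separate hardware, so the directory check in step 3 is meaningful only under the assumed mount layout.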