Q: Linux Admin Q: Need to have a oneway backup process from a security VPN ( No Answer,   2 Comments )
Question  
Subject: Linux Admin Q: Need to have a oneway backup process from a security VPN
Category: Computers > Security
Asked by: lizardnation-ga
List Price: $10.00
Posted: 06 Dec 2002 11:21 PST
Expires: 05 Jan 2003 11:21 PST
Question ID: 120438
Hello,

I'm dealing with a company that I've outsourced work to and now I
would like to get backups sent of my data on their machines, which are
contained in a trusted VPN, without compromising their security.  The
issue of bandwidth usage caused us to think of a VPN at the same host.

What I want is an easy, least-headache means of getting my
data sent to my server at the same hosting company without them
worrying about our server compromising their security.

They have their VPN setup so that all servers within it trust each
other and if we connect to that, they require taking over our server
to assure it's trustworthy.  We don't want to give them control over
the server nor do we want to get access to their environment.  Merely
want to provide them with a method to backup our data on their servers
to our server at the same hosting company without draining Internet
bandwidth which is expensive when backing up hundreds of gigs weekly.

They mentioned that they use a firewall as well.

Need a few recommendations in how to approach this.

Request for Question Clarification by duncan2-ga on 29 Dec 2002 13:34 PST
Hi lizardnation,

Having a machine on-site for backups to avoid bandwidth charges is a
good idea.  The method used to transfer the data from the main server
to the backup is open to debate, and may depend on several factors,
such as how much data you need backed up (really hundreds of gigs?),
how often a backup must be made (daily, weekly, monthly), and whether
or not an incremental backup is acceptable.

The security issue complicates things, but only a little; you could
certainly open up ports in the firewall for the backup processes.  
For a one-way solution, why not have the main server contact your
backup machine and perform the backup (that way the main server
doesn’t have to give any permissions at all to the backup server)?  A
simple cron job could automate such a process.

If you’re only transferring a moderate amount of data, but need the
transfer to be secure (above and beyond the VPN), consider SFTP or the
faster SCP, which are both available in many environments running
Secure Shell services (SSH).  For vast quantities of data, perhaps the
ISP could automate tape backups and send you tapes.  Or consider a
RAID solution on the primary server, with removable, mirrored drives. 
Then they could just rotate hard drives on a scheduled basis and ship
you the drive (or perhaps slap it into your backup server, if it has
similar removable drive capacity).

Are these the sorts of things you're considering, and/or are looking
for?

Clarification of Question by lizardnation-ga on 29 Dec 2002 17:46 PST
Hello Duncan2,

The production and backup servers are off site at the same hosting
company.

We are a subsidiary which has certain data on the main company's
production server and would like to have it backed up to a machine we
can have control over.  The admin of the main company refuses to add
it to the VPN unless we're not given access to it as well as not
wanting to go through the trouble of reconfiguring their firewall to
accommodate it.

So, we're interested in having a copy of our data by leasing a machine
next to the production machine and creating a non-bandwidth draining
link, probably a VPN, to allow for a weekly backup of 5 gigs which
will rise to 75 gigs in six months from our estimates.

The admin is also concerned not only about bandwidth costs, which a
VPN would resolve, but the CPU overhead of the non-compressed vs.
compressed transfers.

So, the priorities are as follows:

1. As little change and effort as possible on the firewall side to
push backups to a machine at the same hosting company.

2. Least CPU intensive method of transferring data between the two
machines without hardware additions or changes and without the use of
tape backups.

I was thinking that perhaps the data would be divided into seven
schedules, so a seventh of the data would be done on Monday, another
portion would be done on Tuesday and so on to at least have a one week
old backup of all data at a given point when the cycle goes through
for the first time.

As you've probably touched upon, it might be a good idea to open a one
way port on the firewall to open a secure FTP connection and receive
the data on the other server.  The whole thing would be controlled as
you've stated by the first server.

/Lizardnation
Answer  
There is no answer at this time.

Comments  
Subject: Re: Linux Admin Q: Need to have a oneway backup process from a security VPN
From: davidch-ga on 12 Jan 2003 15:52 PST
 
You may want to use rsync http://www.rsync.org.  It is an incremental
file transfer protocol written by the guy who started Samba.  You
can tunnel it through ssh for security and it is by nature bandwidth
friendly.  It will chew on the cpu some, which you can control with
nice, but will allow you to pass through the customer's firewall
without making changes to it (in many cases).  I understand the
customer's sys admin wants his side to control the connection.  Using
rsync in a crontab will do this.  If a VPN is used, you don't have to
worry about tunneling through ssh or opening ports on your firewall.

Subject: Re: Linux Admin Q: Need to have a oneway backup process from a security VPN
From: samus_aran-ga on 26 Jan 2003 09:04 PST
 
Rsync + SSH is what I would suggest as well -- we use it at work for
backing up all the machines in our office to a single backup machine.

It is excellent at reducing bandwidth consumption when doing
incremental backups.  If those gigs of data you speak of are not
starting from scratch each day/week/month, it makes all the difference
in the world.  It creates a checksum to determine if a given packet of
data has changed.  It makes it very plausible to maintain a mirror of
a large system over the Internet, so long as there is some CPU
available on both of the machines.

To automate it you just need to generate the host key and put it on
the destination server so that a password is not needed at connection
time.

Good luck in your backup.
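
The approach discussed in this thread (the production server pushes one seventh of the data per weekday over rsync + SSH from cron, under nice), sketched as an added example that is not part of any participant's post. The host name, user, key path, directory list and install path are assumptions; the backup server is assumed to pin the key to write-only rsync with rrsync, the restricted-rsync helper shipped with rsync.

```shell
#!/bin/sh
# Added example: cron-driven one-way push, run on the PRODUCTION server.
# Assumed names (not from the thread): host, user, key path, DIRS, paths.
BACKUP_HOST="${BACKUP_HOST:-backup.example.internal}"
BACKUP_USER="${BACKUP_USER:-pushbackup}"
SRC_ROOT="${SRC_ROOT:-/srv/data}"
KEY="${KEY:-/root/.ssh/backup_push}"
DIRS="${DIRS:-accounts mail www db logs home etc}"

# On the BACKUP server, ~pushbackup/.ssh/authorized_keys pins this key to
# write-only rsync into one directory (no shell, no forwarding):
#   restrict,command="rrsync -wo /backup/incoming" ssh-ed25519 <public key>

# slice_for_day DAY DIR...: print every 7th DIR for DAY (1=Mon..7=Sun, as
# `date +%u`), so each directory is pushed exactly once per week.
slice_for_day() {
    day=$1; shift
    i=0
    for d in "$@"; do
        if [ $(( i % 7 )) -eq $(( day - 1 )) ]; then printf '%s\n' "$d"; fi
        i=$(( i + 1 ))
    done
}

# push_dir DIR: push one directory. No -z: both machines sit at the same
# hosting company, so compression would spend CPU without saving paid bandwidth.
# BatchMode makes ssh fail instead of prompting when the key is rejected.
push_dir() {
    set -- nice -n 19 rsync -a -e "ssh -i $KEY -o BatchMode=yes" \
        "$SRC_ROOT/$1/" "$BACKUP_USER@$BACKUP_HOST:$1/"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

main() {
    today=$(date +%u)
    # DIRS is split on whitespace on purpose; names must not contain spaces.
    for dir in $(slice_for_day "$today" $DIRS); do
        push_dir "$dir" || echo "push of $dir failed" >&2
    done
}

# crontab entry on the production server (assumed install path):
#   30 2 * * * DRY_RUN=0 /usr/local/sbin/push-backup.sh run
if [ "${1:-}" = run ]; then main; fi
```

Because the connection is always opened from the production side, the backup machine needs only inbound SSH from that one host and never holds credentials for the production network.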
