Design for anti-malware solution

Discussions specific to Microsoft Hyper-V hypervisor

Design for anti-malware solution

by neilmurphy65 » Mon Mar 05, 2018 5:29 pm

Hi all.

I have a partner who wants to propose a solution that totally isolates the backup infrastructure from the production network. The existing environment is Hyper-V connecting to a NetApp FAS over Fiber Channel. Is there any published design that shows how this might be done?

Thanks,
Neil.
neilmurphy65
Enthusiast
Posts: 53
Liked: 2 times
Joined: Thu Nov 25, 2010 4:26 pm
Full Name: Neil Murphy

Re: Design for anti-malware solution

by csydas » Mon Mar 05, 2018 6:02 pm

Hey Neil,

Maybe I'm way off here since I'm more of a VMware guy, but isn't this basically what the Hyper-V off-host proxy is for? You wire it up for SAN access, give it access to the repo, shove it in Veeam Server's network and call it a day. I mean, there's a bit more with the SAN access obviously, but still, it's the general idea :) https://helpcenter.veeam.com/docs/backu ... tml?ver=95
csydas
Enthusiast
Posts: 79
Liked: 16 times
Joined: Tue Jan 16, 2018 5:14 pm
Full Name: Harvey Carel

Re: Design for anti-malware solution

by nmdange » Mon Mar 05, 2018 8:21 pm

It is not possible for it to be completely isolated; Veeam needs to be able to coordinate backups with your hypervisor hosts. You can do it through a firewall, but there must be some ports open: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Honestly, if they are concerned about protecting the environment, they should think about a lot more than just isolating the backup servers. Just a few things off-hand that would go a lot farther:
- Set up a separate domain for the Hyper-V hosts, and keep the Hyper-V hosts isolated from the VMs and all other user-facing systems on different networks. Veeam could be placed in this network as well.
- Use Shielded VMs to protect the VMs from compromise of the hosts, with TPM-based attestation. This requires another isolated set of servers to run the Host Guardian Service.
- Separate admin/user credentials for people with admin access to Hyper-V, Active Directory, Veeam, etc.
- Use Privileged Access Workstations to ensure a careless admin does not get malware on the computer used to access the infrastructure. Jump servers are not the answer!
nmdange
Expert
Posts: 303
Liked: 73 times
Joined: Thu Aug 20, 2015 9:30 pm
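An added example of the "through a firewall, with only the needed ports open" approach on a Hyper-V host; it is not code from this thread or from Veeam. It creates an inbound allow rule scoped to the backup server's address and then audits every other enabled allow rule for a wider opening of the same ports. The backup server address is an assumed value, and the port list should be confirmed against the Veeam port list for your version.

```powershell
# Added example, not from this thread or from Veeam: restrict inbound Veeam
# traffic on a Hyper-V host to the backup server and audit for wider openings.
# Run in an elevated PowerShell session on the Hyper-V host.

$BackupServer  = '10.0.0.10'                # assumed: VBR server address on the isolated backup network
$VeeamTcpPorts = @('6160', '6162', '6163')  # Veeam installer / data mover / Hyper-V integration service; confirm against the Veeam port list for your version
$RuleGroup     = 'Veeam Backup (isolated)'

# Allow the backup server, and only the backup server, to reach the Veeam services.
function Set-VeeamHostIsolationRule {
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Veeam from backup server' -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $VeeamTcpPorts -RemoteAddress $BackupServer -Profile Any | Out-Null
}

# Report every other enabled inbound Allow rule that exposes a Veeam port to
# addresses beyond the backup server (a production subnet, or 'Any').
# Note: port ranges such as '1024-65535' are not expanded by this check.
function Get-VeeamPortOverexposure {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Group -ne $RuleGroup }
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP') { continue }
        $ports = @($port.LocalPort)
        $hit = $VeeamTcpPorts | Where-Object { $ports -contains $_ -or $ports -contains 'Any' }
        if (-not $hit) { continue }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        # A rule scoped solely to the backup server is not an overexposure.
        if ($remote.Count -eq 1 -and $remote -contains $BackupServer) { continue }
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = ($hit -join ',')
            RemoteAddress = ($remote -join ',')
        }
    }
}

Set-VeeamHostIsolationRule
$exposed = @(Get-VeeamPortOverexposure)
if ($exposed.Count -gt 0) {
    Write-Warning 'Veeam ports reachable from outside the backup server:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "Veeam ports are only reachable from $BackupServer."
}
```

With the default inbound block policy in place, an empty audit result means the listed ports answer only to the backup server; the host firewall is one layer on top of the network separation described in the post, not a substitute for it.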

Re: Design for anti-malware solution

by neilmurphy65 » Tue Mar 06, 2018 9:27 am

Thanks guys. Yep, I knew about the off-host proxy and have spoken to them about that, but it's not really designed for isolating traffic (although it will use a separate SAN connection); it just offloads the processing of the backup from the production Hyper-V hosts. What I was really getting at is how to make sure that the backup infrastructure can be isolated from the production infrastructure so that a bad actor infecting production can't get at the backup components. @nmdange, I agree that it won't be completely possible, as there always has to be a control/management connection between the VBR server and the hosts. I was kind of hoping that Veeam might have already created some kind of whitepaper showing exactly how this could be done without having to lab it. I've already spoken to the customer about things like storage snapshots, air-gapped backup copies, NetApp AltaVault, and the use of specialised backup appliances (Data Domain, StoreOnce) as part of their anti-malware policy.
neilmurphy65
Enthusiast
Posts: 53
Liked: 2 times
Joined: Thu Nov 25, 2010 4:26 pm
Full Name: Neil Murphy
