Host-based backup of Microsoft Hyper-V VMs.
Post Reply
neilmurphy65
Enthusiast
Posts: 94
Liked: 16 times
Joined: Nov 25, 2010 4:26 pm
Full Name: Neil Murphy
Contact:

Design for anti-malware solution

Post by neilmurphy65 »

Hi all.

I have a partner who wants to propose a solution that totally isolates the backup infrastructure from the production network. The existing environment is Hyper-V connecting to a NetApp FAS over Fiber Channel. Is there any published design that shows how this might be done?

Thanks,
Neil.
csydas
Expert
Posts: 193
Liked: 47 times
Joined: Jan 16, 2018 5:14 pm
Full Name: Harvey Carel
Contact:

Re: Design for anti-malware solution

Post by csydas »

Hey Neil,

Maybe I'm way off here since I'm more of a VMware guy, but isn't this basically what the Hyper-V off-host proxy is for? You wire it up for SAN access, give it access to the repo, shove it in Veeam Server's network and call it a day. I mean, there's a bit more with the SAN access obviously, but still, it's the general idea :) https://helpcenter.veeam.com/docs/backu ... tml?ver=95
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Design for anti-malware solution

Post by nmdange »

It is not possible for it to be completely isolated, Veeam needs to be able to coordinate backups with your hypervisor hosts. You can do it through a firewall, but there must be some ports open https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Honestly, if they are concerned about protecting the environment, they should think about a lot more than just isolating the backup servers. Just a few things off-hand that would go a lot farther:
- Set up a separate domain for the Hyper-V hosts, and keep the Hyper-V hosts isolated from the VMs and all other user-facing systems on different networks. Veeam could be placed in this network as well.
- Use Shielded VMs to protect the VMs from compromise of the hosts, with TPM-based attestation. This requires another isolated set of servers to run the host guardian service
- Separate admin/user credentials for people with admin access to Hyper-V, Active Directory, Veeam, etc.
- Use Privileged Access Workstations to ensure a careless admin does not get malware on the computer used to access the infrastructure. Jump servers are not the answer!
neilmurphy65
Enthusiast
Posts: 94
Liked: 16 times
Joined: Nov 25, 2010 4:26 pm
Full Name: Neil Murphy
Contact:

Re: Design for anti-malware solution

Post by neilmurphy65 »

Thanks guys. Yep, I knew about the off-host proxy and have spoken to them about that, but it's not really designed for isolating traffic (although it will use a separate SAN connection), it just offloads the processing of the backup from the production Hyper-V hosts. What I was really getting at is how to make sure that the backup infrastructure can be isolated from the production infrastructure so that a bad actor infecting production can't get at the backup components. @nmdange, I agree that it won't be completely possible as there always has to be a control/management connection between VBR server and the hosts. I was kind of hoping that Veeam might have already created some kind of whitepaper showing exactly how this could be done without having to lab it. I've already spoken to the customer about things like storage snapshots, air-gapped backup copies, NetApp AltaVault, use of specialised backup appliances (Data Domain, StoreOnce) as part of their anti-malware policy.
Post Reply

Who is online

Users browsing this forum: No registered users and 20 guests