Discussions specific to managed agent-based backups
Post Reply
controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Manage agent without SMB or RPC

Post by controlfreak » Mar 01, 2019 7:20 pm

I'm trying to manage an agent in a high security network zone. We do not allow SMB or RPC access into this zone. Is it possible for a veeam server in another zone to manage this agent without using RPC 135 or SMB 445? I don't need remote agent install or upgrade features, only pushing server type backup configuration jobs to the agent.


Thanks,

Control

Dima P.
Product Manager
Posts: 10536
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Manage agent without SMB or RPC

Post by Dima P. » Mar 01, 2019 7:38 pm

controlfreak,

I am afraid this wont work. Maybe standalone agent deployment to a local smb repository will work instead? Thanks!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Re: Manage agent without SMB or RPC

Post by controlfreak » Mar 12, 2019 9:57 pm

Hey Dima P,

Can we make this a feature request?

We have a high security zone with NERC CIP classified assets that must remain compliant to federal cyber security standards. One of the requirements is enforcing 2-factor authentication for interactive remote access. Allowing RPC and SMB to be initiated from the veeam server in the less secure zone to the high security zone creates a "compliance trap", because the veeam RPC/SMB traffic is exempt (not interactive) but a user could mistakenly browse to a protected asset in the secure zone (e.g. \\super-secure-system\c$) from the veeam server due to RPC/SMB being allowed for agent management. This user interactive remote access would be a compliance violation with the potential for extreme monetary penalties. Adding a veeam server into the high security zone adds a new classified asset with additional compliance overhead, so that's not our first choice. With regards to choice of protocols, SMB is often exploited, so we want to limit it's footprint on our network.

In our environment, other software agents in the high security zone always initiate the traffic outbound. We consider this to be more secure since the traffic initiates from within the secure zone. Maybe the veeam agent could check in with the veeam server at certain intervals and pull it's policy? We don't want to install or update directly from the veeam server, so we wouldn't need RPC/SMB inbound for this (and if we did, we would create a temporary firewall rule to enable only during install or upgrade work).

Other agents use encrypted and proprietary ports and protocols. Allowing these protocols to make inbound connections is preferred due to the reduced attack surface (no RCP/SMB vulnerabilities).

These agent systems in the secure zone already have outbound SMB access to our veeam repository servers, so transferring their backups to the repository is not an additional security concern.

We have user ID capabilities on our firewalls, but these features from our firewall vendor have not been reliable enough to use for production backup traffic.

This would be a great selling point for future NERC CIP customers too!

Thanks,

Control

ctg49
Enthusiast
Posts: 54
Liked: 38 times
Joined: Feb 14, 2018 1:47 pm
Full Name: Chris Garlington
Contact:

Re: Manage agent without SMB or RPC

Post by ctg49 » Mar 13, 2019 12:38 pm

"Allowing RPC and SMB to be initiated from the veeam server in the less secure zone to the high security zone creates a "compliance trap", because the veeam RPC/SMB traffic is exempt (not interactive) but a user could mistakenly browse to a protected asset in the secure zone (e.g. \\super-secure-system\c$) from the veeam server due to RPC/SMB being allowed for agent management."

If you have an application-layer firewall (I assume you're referencing this above), or if the super-secure-system is Windows, could you build a firewall rule on the target machine which only permits the user account (done via an ipsec-based FW rule) of the VEEAM service account? Also, within Windows firewall at least, you can configure a rule at the program/service-level, only permitting SMB/RPC access to the agent, rather than explorer/the rest of the system.

Not sure if this is acceptable to an audit, though. If not, it should be!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Re: Manage agent without SMB or RPC

Post by controlfreak » Mar 20, 2019 5:35 pm

Thanks for the suggestions, especially regarding the host firewall on the agent system. We have application and user aware network firewalls also, but the user agent ID is not always 100% perfect. Out plan is to use technical controls where we can make them work efficiently and user education to help mitigate the risk. For ultimate simplicity from the system admin perspective, having the agent initiate the connection outbound would be better, even if it still used RCP and SMB.

Using technical controls and user education will be acceptable in an audit as long as they work, but when it comes to Energy sector regulations, there are no warnings. Cases of non-compliance almost always result in significant monetary penalties for each day of non-compliance, even if the entity finds and resolves the non-compliance on its own.

Thanks again for the ideas ctg49!

Dima P.
Product Manager
Posts: 10536
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Manage agent without SMB or RPC

Post by Dima P. » Mar 20, 2019 8:18 pm

Hi folks,

Sorry for keeping silence and thank you for updating the thread!

Control, Will it work if all the connections between agent and Veeam B&R are wrapped up in a single proprietary protocol (something similar to direct backup to cloud connect)? Cheers!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Re: Manage agent without SMB or RPC

Post by controlfreak » Mar 27, 2019 4:44 pm

Hey Dima P,

Yes, that would completely resolve our concern with the current use of agent/server protocols.

Thanks,

Control

Dima P.
Product Manager
Posts: 10536
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Manage agent without SMB or RPC

Post by Dima P. » Mar 27, 2019 7:39 pm

Thank you, consider you vote being added to this feature request. Cheers!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Re: Manage agent without SMB or RPC

Post by controlfreak » Mar 28, 2019 1:00 am

Thanks, Cheers to you!

jmmarton
Veeam Software
Posts: 1654
Liked: 224 times
Joined: Nov 17, 2015 2:38 am
Full Name: Joe Marton
Location: Chicago, IL
Contact:

Re: Manage agent without SMB or RPC

Post by jmmarton » Apr 01, 2019 11:16 pm

controlfreak wrote:
Mar 12, 2019 9:57 pm
Allowing RPC and SMB to be initiated from the veeam server in the less secure zone to the high security zone creates a "compliance trap", because the veeam RPC/SMB traffic is exempt (not interactive) but a user could mistakenly browse to a protected asset in the secure zone (e.g. \\super-secure-system\c$) from the veeam server due to RPC/SMB being allowed for agent management.
This can be mitigated by only allowing the Veeam service account specified in the protection group properties access to the machines in question for deployment. That way if a user logs in interactively to the Veeam server, his/her credentials would not allow access to the devices in the high security zone. That may address things for now until some sort of future enhancement addresses this.

Joe

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA
Contact:

Re: Manage agent without SMB or RPC

Post by controlfreak » Apr 01, 2019 11:24 pm

Thanks Joe, that is how we are mitigating the risk currently.

michaelsbak
Lurker
Posts: 2
Liked: 2 times
Joined: Apr 17, 2019 11:31 pm
Full Name: Michael Martin
Contact:

Re: Manage agent without SMB or RPC

Post by michaelsbak » Apr 17, 2019 11:37 pm 1 person likes this post

I'd like this too!

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest