
In the past years the number of machines that we back up has increased to a point where it is cumbersome to touch every single machine to maintain it. All the configuration/updates need to be done on the client itself.
The free version has always been a push technology to the backup server. You push the backup to the Backup Server, so only outgoing ports on the firewall needed to be opened.
Many of our systems that we have Veeam Agent installed on are situated in isolated networks.
Now we have licensed the Veeam Agent. I am currently reorganizing our backups so that all clients can be maintained from the B&R console.
It works very well and Agents get nicely updated in case they have an outdated version.
What I am worried about is security. I noticed a whole bunch of TCP ports need to be opened from our Backup Server to the isolated networks to push out the software (the other way around).
I wonder if my Backup Server could be a stepping stone to all my isolated networks. So if one would compromise my Backup Server, the firewall rules allow the hacker to use these open firewall ports to gain access to the isolated systems.
Let's say we were in the situation prior to the "Eternal Blue" leak. Could a hacker jump to all these PCs from the Backup Server with these ports open?
Is there any advice that can be given to secure this the "right" way?
Any thoughts you might have are more than welcome.
Remko