Host-based backup of Microsoft Hyper-V VMs.
Post Reply
pesos
Expert
Posts: 205
Liked: 17 times
Joined: Nov 12, 2014 9:40 am
Full Name: John Johnson
Contact:

designing an airgapped-ish solution

Post by pesos »

Hi all,

We have a handful of veeam b&r installations doing replication and backups at various sites. Probably 12TB or so of data being backed up all told. Different AD domains.

I'd like to set up another location that aggregates this data in one place in order to push it all to an airgapped-ish solution for extra protection against ransomware and the like.

I was thinking:
1) set up a physical hyper-v server that has no internet connectivity - physical host's nic would be connected to a local layer2 switch that is not internet-connected
2) virtualize a guest on this box that does some sort of pull/copy routine to aggregate new backup files locally (need to flesh out this part) - networking would be provided via a guest-access-only separate nic on the box that is run through an independent firewall with no external management enabled

So at this point I have a physical host that is console-access-only, and a firewall that is only manageable from the inside (barring external vulnerabilities/compromise of course).

3) set up a nas of some sort that sits on the local non-internet-connected switch with the physical host - the physical host itself would run b&r community edition and backup the guest server to the nas. Could also do a periodic true airgapped backup to usb drive now and again manually (monthly or so)


Any thoughts on flaws/concerns? One I see is that at all the sites we currently do synthetic fulls every weekend which convert older rps to reverse rollbacks. I don't think there's any way to "pull" this without having to basically recopy the entire thing as the pulling server would see the veeam files as being all new.

Thanks for any suggestions!
PetrM
Veeam Software
Posts: 3229
Liked: 520 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: designing an airgapped-ish solution

Post by PetrM »

Hello!
virtualize a guest on this box that does some sort of pull/copy
Would you be so kind to clarify how exactly are you going to use this virtualized guest to pull data?
If you install Veeam B&R on this VM to use backup copy it won't be necessary to back up the whole VM, you can use configuration backup instead.

I don't think there's any way to "pull" this without having to basically recopy the entire thing
Backup copy transfers actual state of an object in backup file and not backup file itself so you will have incremental runs regardless of source backup chain type.

By the way, I'd suggest to take a look at security considerations in this article on our help center, might be helpful.

Thanks!
pesos
Expert
Posts: 205
Liked: 17 times
Joined: Nov 12, 2014 9:40 am
Full Name: John Johnson
Contact:

Re: designing an airgapped-ish solution

Post by pesos »

Thank you!

If I were to run b&r on the guest, is there a way it can do backup copy jobs in a *pull* operation from the other b&r environments? Ideally I would not want to allow traffic *from* these other environments to reach out to this guest at all...

The idea behind using b&r on the hyper-v host is to provide yet another level of backups (backing up the virtualized b&r server in its entirety) - one that is never exposed to the internet. Ostensibly the only way this machine and its backups could be compromised would be through a sophisticated attack that took advantage of an unknown/unpatched vulnerability that somehow allowed transfer from the guest machine to the host machine through the hypervisor itself (barring an actual physical compromise of the console of course)...
PetrM
Veeam Software
Posts: 3229
Liked: 520 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: designing an airgapped-ish solution

Post by PetrM »

I don't think it's possible to completely restrict any traffic from other B&R environments if you use backup copy.

If this requirement is mandatory due to your security requirements you will need to transfer the whole chain after transform happens
because there will be "new" files as you correctly said in your first message.

If you want to avoid full copy over slow network and to run increments only:
You may setup a repository in DMZ (if exists), to run backup copy to this repository and then to pull data from this repository using the same method as you described above.
I'm not sure that this workaround is reliable enough considering your security requirements, just an idea.

Thanks!
Post Reply

Who is online

Users browsing this forum: No registered users and 26 guests