Immutable Backups - Planning

[maoham2021]

I was happy to hear about the Immutable Backups in V11 and looking forward to implement this. Hopefully this is the right section , could not see anything that is dedicated fr my question.

Obviously out of respect for the support engineers and allow other users to bother them with real issues, will start here and if need will open support case.

We are in the process of decommissioning our old VM infrastructure but would hate to toss it or resell it.
Therefore i was thinking as one of the purpose to use it, to store the backups as immutable backups.
I have 4 host with a dedicated SAN attached running VMware 6.5 U3.
I can install the necessary Linux flavor and all that is need it, storage capacity will not be a problem at all.

The question and concerns that I have, are more related with the protection of that environment since it will be part of the same network.
In case the network becomes the target of an ransomware attack:

Will that server be also compromised but not the actual backups ?,
Will that entire VMware be compromised ?
I am trying to decide if I should stick with the backup tapes plan or consider the immutable backups.
Immutable backups will make the job easier since is disk based and will not need to worry about tapes, overwrites... etc..

Thank you

[veremin]

I have 4 host with a dedicated SAN attached running VMware 6.5 U3. I can install the necessary Linux flavor and all that is need it, storage capacity will not be a problem at all.

To clarify - are you planning to configure SAN storage as VMFS datastore, attach it to Linux-based VM and use it later as immutable repository? If so, then, there are certain flaws in this configuration: for instance, as soon as an insider has an access to virtual infrastructure, it's just a matter of removing datastore or the given VM along with the backups stored inside it.

That's why it's recommended to have a separate physical box configured as immutable repository. In this case it will not be different from WORM tape.

Thanks!

[maoham2021]

Veremin that is why I was going after but I guess I wanted someone to put in front of me
Once in the network, is like any other OS in the network.
I will most likely use a dedeicated server just for this with direct attached storage. Linux and all the required stuff...
Question is now, since this server will be on same subnet, will I need to take any special precautions to protect the Linux server ?

[wishr]

Hi Marius,

Absolutely. You may take any detailed guide for hardening a typical Linux server as a baseline. NIST has a few good examples - just make sure they are up to date. There are also lots of articles and free courses available on the internet. It's a long topic so all possible recommendations cannot be provided in a tiny forum post.

Thanks

[veremin]

Also, you can find pretty good suggestions about additional protection measures here and here. Thanks!