Prevent man-in-the-middle attack for unencrypted restores

[StephanB]

Hello all,

We use Veeam 10 to backup/restore vSphere VMs in a special secure zone consisting of several vlans isolated via DC firewalls. Everything is supposed to be encrypted from transit to at rest. Works fine and all. However, due to our segmented network we have to use the NBD protocol for restores. This achieves a max throughput of 10MB/sec, which is too slow for a real world scenario in which you have to restore a 1TB production machine within a reasonable time. I would like to internally propose the use of un-encrypted restores to achieve better throughput and be able to meet our RTO objectives.

Our Audit department are asking for proof/explanation of how Veeam ensures target data integrity to prevent man-in-the-middle attacks. They are worried that if an attacker was aware of the use of un-encrypted restores and has enough access to inject/replace data in the restore stream they could drop malicious code in the secure zone. I know, I know, purely theoretical in nature and not very realistic (if you have that type of access why would you bother with such an exotic and unlikely to success attack vector?) but that's not the point - you know how audit can be

I have read the admin guide and knowledge base and forums and the only useful reference to this topic I could find was wan_CRC - Data Block Verification (https://helpcenter.veeam.com/docs/backu ... ml?ver=110). However, this kb article is very explicit in that this mechanism is used by WAN acceleration. It does not mention at all if this is also performed for normal restores without WAN acceleration.

Now comes the question: Does Veeam B&R always make a checksum verification at the end of a full VM or disk restore? Or in other words, does Veeam guarantee that the restored VM is always identical to the VM in the backup repository? Is this documented somewhere I have overlooked?

Thanks a lot for taking the time folks!

[Andreas Neufert]

Why not rollout Proxy Server for HotAdd processing. You can encrypt the whole network traffic with our traffic encryption.

[Gostev]

If I understood correctly, the concern here is "bad guys" tapping into the source data mover to the target data mover connection (or in human language, the connection from a backup repository to a [hot add] backup proxy).

I suppose the easiest answer is to enable network traffic encryption between Veeam components in the product settings. With that, it would be impossible to manipulate the network traffic without failing a restore process. Network traffic encryption feature was added specifically for untrusted networks, which sounds like the situation you have (at least in auditors' head).

Thanks!

[StephanB]

Thanks for your reply.

We currently have traffic encryption enabled. This does protect against such attacks and is a great feature but I would like to disable it for better performance. Due to our complex security environment we cannot use direct storage access or appliance mode, which leaves us with NBD. With transit encryption enabled we only achieve 10MB/sec throughput with this protocol and we cannot meet our RTO. My assumption is that if I disable transit encryption for restores by using a dedicated proxy with that option turned off and only used for restores I should be able to achieve much better performance. But audit won't let me do that unless I can prove that injection of malicious data at any point between source (backup storage system) and target (ESX datastore) is prevented through some mechanism such as CRC.

[Gostev]

Sorry, I totally forgot that we have forced network traffic verification in the product... this was added many years ago, after we caught some networking hardware vendors not following TCP/IP RFC. This is always enabled and cannot be disabled. You should see "Network traffic verification detected no corrupted blocks" at the end of each job session as an indication.

I actually had to provide quite elaborate answer about this capability on Reddit recently, in case you want more details.

Thanks!

[StephanB]

Thank you very much for your great answer Gostev. I verified the most recent backup logs and could find the entry "Network traffic verification detected no corrupted blocks". Unfortunately, the same entry does not exist in the restore job logs but I assume that this should satisfy audit.

[Gostev]

Let me check on that, as this might be restore sessions simply not displaying the line... I was always under impression that this functionality is an integral part of our data movement protocol (at least there are certainly no UI controls for it).

[StephanB]

That would be highly appreciated, thanks