I finally have my backup installation working the way I want it--I have VeeamBox1 and a Server 2012 R2 E box at the office, backing up my computers locally, and then I have VeeamBox2 at my home, as the remote repository.
The two sites are connected by an IPSec hardware tunnel implemented in two pfsense 2.4.4 appliances. One side is 192.168.0.0/24, and the other side is 192.168.1.0/24:
I use the VPN daily for WFH activities that require access to the fileserver, etc., and now I have my backup copy jobs running over it as well.
But I'd like to guard further against a malware attack at the office by making my remote repo harder to get to.
Would it help if I assigned a 2nd IP address on the 2nd LAN port of VeeamBox1, say 172.16.0.2, and then used something like 172.16.1.2 on VeeamBox2, with a separate tunnel defined for them, so that the only path to the backup repo is through the VeeamBox1, and so that nothing else on either network "knows" about the remote repo, other than VeeamBox1 and the pfsense routers?* Both of the Veeam boxes have 2 Ethernet ports.
I'll shortly have all 3 of the backup boxes out of the work domain, as well, so that they can't be compromised by the domain admin password.
*(VeeamBox1 manages the job that backs up the S12R2E box to VeeamBox2, so the S12R2E doesn't talk to VeeamBox2 directly. Or at least I don't think it does. Would the data from the S12R2E box pass through VeeamBox1 on its way to VeeamBox2? Or would VeeamBox1 attempt to get S12R2E connected directly to VeeamBox2 and then get out of the way? If they do talk directly, then I suppose I could assign a 2nd 172.16.0.x address to the S12R2E box, as it also has 2 Ethernet ports. )
Does pfsense support two tunnels like this? The Netgate APU appliance on one side has 3 Ethernet ports, WAN, LAN, and OPT, the latter of which I'm not using for anything. The Netgate MBT-2220 on the other side has only WAN and LAN.
-
- Enthusiast
- Posts: 37
- Liked: 4 times
- Joined: Dec 06, 2019 7:29 pm
- Full Name: Steven Kan
- Contact:
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Reducing attack surface on remote repo?
Hello,
I would keep it like it is. The network itself has only very small attack surface. So adding more tunnels only adds complexity.
I would probably replace the backup copy target with a Linux machine with Hardened Repository. Hardened Repository is also covered in the Forum FAQ
Best regards,
Hannes
I would keep it like it is. The network itself has only very small attack surface. So adding more tunnels only adds complexity.
I would probably replace the backup copy target with a Linux machine with Hardened Repository. Hardened Repository is also covered in the Forum FAQ
Best regards,
Hannes
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 330 guests