We have VBR running on Windows Server 2016 as AD member server. Backup repository is iSCSI volume(s) on NAS (QNAP). We were told that we are exposed to ransomware risk. Ransomware attack if successful could encrypt our backup volume(s). We were asked to hide this volume(s) so that they are not exposed thru OS. Basically they should be invisible to OS, and VBR should attach this volume(s) directly from application. What are our options? If we decide for another type of repository, I believe we would loose all the previous backups?
Thanks in advance,
DuskoS
-
DuskoS
- Lurker
- Posts: 2
- Liked: never
- Joined: Jan 04, 2022 2:54 pm
- Full Name: Dusko Savatovic
- Contact:
-
Mildur
- Product Manager
- Posts: 8735
- Liked: 2296 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Hiding iSCSI volume(s)
Hi Dusko
Veeam cannot connect to iscsi luns itself.
They need to be connected and visible for the windows OS in the windows disk manager to use them with veeam. If windows cannot see them, veeam can not use them.
If you want to have a ransomware protected backup environment, you should have a look at the linux hardened repo or SOBR with capacity tier.
Tape or airgapped usb drives are another solution to protect against windows attacks.
A SOBR with capacity tier can be used with your existing solution. Same for tape or copy jobs to usb disk.
A linux hardened repo should lot be using a qnap nas. It should be a general purpose server with locally attached disk.
Veeam cannot connect to iscsi luns itself.
They need to be connected and visible for the windows OS in the windows disk manager to use them with veeam. If windows cannot see them, veeam can not use them.
If you want to have a ransomware protected backup environment, you should have a look at the linux hardened repo or SOBR with capacity tier.
Tape or airgapped usb drives are another solution to protect against windows attacks.
A SOBR with capacity tier can be used with your existing solution. Same for tape or copy jobs to usb disk.
A linux hardened repo should lot be using a qnap nas. It should be a general purpose server with locally attached disk.
Product Management Analyst @ Veeam Software
-
DuskoS
- Lurker
- Posts: 2
- Liked: never
- Joined: Jan 04, 2022 2:54 pm
- Full Name: Dusko Savatovic
- Contact:
Re: Hiding iSCSI volume(s)
Thanks Mildur,
"A linux hardened repo should not be using a qnap nas." Why not? I believe we can configure iSCSI target from linux to QNAP volume just the same as we did on Windows. It will just be a linux volume instead of NTFS/ReFS.
"A linux hardened repo should not be using a qnap nas." Why not? I believe we can configure iSCSI target from linux to QNAP volume just the same as we did on Windows. It will just be a linux volume instead of NTFS/ReFS.
-
Mildur
- Product Manager
- Posts: 8735
- Liked: 2296 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Hiding iSCSI volume(s)
Your welcome.
Linux hardened repo uses the immutable flag from the linux filesystem to set the backup files immutable.
If a hacker has access to the qnap admin center, he can delete the iscsi LUN. QNAP does not check the Filesystem on the iSCSI LUN.
And if you use a VM for this linux repository, a hacker can get root access to this vm and simply remove the immutable flag and all backup files.
As root, you can always remove the veeam backup files which are immutable or format the partition with the backup filesystem on it.
A linux hardened repo needs special care/hardening, if you want to use it securely. QNAP and Linux server must not be reachable over any remote control feature. SSH, ILO, HTTP GUI, other remote management tools.
So it's better to use a hardware server. A VM and a NAS cannot be really good protected. A hardware server is much easier to protect.
Put it in a separate network, protected by a firewall. Disable SSH and Remote Management Services.
Linux hardened repo uses the immutable flag from the linux filesystem to set the backup files immutable.
If a hacker has access to the qnap admin center, he can delete the iscsi LUN. QNAP does not check the Filesystem on the iSCSI LUN.
And if you use a VM for this linux repository, a hacker can get root access to this vm and simply remove the immutable flag and all backup files.
As root, you can always remove the veeam backup files which are immutable or format the partition with the backup filesystem on it.
A linux hardened repo needs special care/hardening, if you want to use it securely. QNAP and Linux server must not be reachable over any remote control feature. SSH, ILO, HTTP GUI, other remote management tools.
So it's better to use a hardware server. A VM and a NAS cannot be really good protected. A hardware server is much easier to protect.
Put it in a separate network, protected by a firewall. Disable SSH and Remote Management Services.
Product Management Analyst @ Veeam Software
Who is online
Users browsing this forum: Google [Bot] and 120 guests