Hi all,
With regards to the recommendations from Veeam around network segmentation of Veeam... https://bp.veeam.com/vbr/Security/Hardening_Zones.html ...I'm trying to figure out what to do for the high throughput data flows between the proxies/data-mover in the trusted zone, and the repository in the restricted zone? I don't feel that putting a firewall between those two entities is a good idea due to the high data volumes for backup. But what are people doing out there to achieve segmentation between proxy <> repo whilst still accommodating throughput? Any insights appreciated?
-
gingerdazza
- Expert
- Posts: 191
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
-
Andreas Neufert
- VP, Product Management
- Posts: 6749
- Liked: 1408 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Segmentation of Veeam
I don´t know if I would agree to this best practices.
It would work fine to go through a firewall in smaller environments. But traffic between Proxy and Repository is massive and you do not want to have a firewall in between that cause delays or all of a sudden decides that what you do is an attack to shut it down.
How I would built it is in the following way:
1) Workload Zone with production VMs in it (normal network)
Firewall between 1) and 2)
2) Something like a DMZ that holds systems in it that need to interact with the Workload Zone and backup zone.
- Guest Interaction Proxy (Interacts with VMs on a consistency base)
- Enterprise Manager (Self Service for Zone 1) )
- Log Shipping Server
- Veeam Console (needed for some Application Restores)
- Mount Server (needed for File and Application Restore)
Firewall between 2) and 3)
3) vCenter, ESXi VMkernel interfaces, Veeam Proxy, Veeam Repository (Immutable Storage but Management of it in separate Zone)
Firewall between 2) and 4)
4) second site Veeam Repository (Immutable Storage but Management of it in separate Zone) or Cloud Storage.
Maybe a separate Zone for the Backup Server (central management) and get it access to 2) 3) and 4).
When I worked as SA in the field I even had my demo environment configured in that way to discuss this with the security teams on a practical example.
If you want to have a firewall between VMware + Proxy and first Veeam Repository I would look for a switch based routing and define on the access port level rules like PACLs or VACLs. It depends a bit on what your Switch vendor can do for you there. I know this is not a full package inspection security, but again you do not want to have those in between VMware, Proxy and Repository as it causes a lot of headaches when operating this at high throughput and scale.
It would work fine to go through a firewall in smaller environments. But traffic between Proxy and Repository is massive and you do not want to have a firewall in between that cause delays or all of a sudden decides that what you do is an attack to shut it down.
How I would built it is in the following way:
1) Workload Zone with production VMs in it (normal network)
Firewall between 1) and 2)
2) Something like a DMZ that holds systems in it that need to interact with the Workload Zone and backup zone.
- Guest Interaction Proxy (Interacts with VMs on a consistency base)
- Enterprise Manager (Self Service for Zone 1) )
- Log Shipping Server
- Veeam Console (needed for some Application Restores)
- Mount Server (needed for File and Application Restore)
Firewall between 2) and 3)
3) vCenter, ESXi VMkernel interfaces, Veeam Proxy, Veeam Repository (Immutable Storage but Management of it in separate Zone)
Firewall between 2) and 4)
4) second site Veeam Repository (Immutable Storage but Management of it in separate Zone) or Cloud Storage.
Maybe a separate Zone for the Backup Server (central management) and get it access to 2) 3) and 4).
When I worked as SA in the field I even had my demo environment configured in that way to discuss this with the security teams on a practical example.
If you want to have a firewall between VMware + Proxy and first Veeam Repository I would look for a switch based routing and define on the access port level rules like PACLs or VACLs. It depends a bit on what your Switch vendor can do for you there. I know this is not a full package inspection security, but again you do not want to have those in between VMware, Proxy and Repository as it causes a lot of headaches when operating this at high throughput and scale.
-
gingerdazza
- Expert
- Posts: 191
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Re: Segmentation of Veeam
Thanks. We do have some reasonably hefty firewalls, capable of 18Gbps when non-inspection FW is configured. But yes, I get what you're saying here and whilst a little messy, ACLs could be the way to go. Appreciate the info
-
Andreas Neufert
- VP, Product Management
- Posts: 6749
- Liked: 1408 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Segmentation of Veeam
18Gbps in total means you will not get more than 2GB/s at full speed. That means backup would run only at that speed in total and you would block your firewall completely just for backup.
I checked with the team that has written the bp guide. They told me that they are working on a newer version that reflect latest v12 capabilities as well. The plan is to release it in the next 3-4 weeks (on URL).
I checked with the team that has written the bp guide. They told me that they are working on a newer version that reflect latest v12 capabilities as well. The plan is to release it in the next 3-4 weeks (on URL).
-
gingerdazza
- Expert
- Posts: 191
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Re: Segmentation of Veeam
Is this correct?
Please see image on this link
https://1drv.ms/i/s!AjM2M54C9qOFhKgvVXx ... Q?e=JyPq7f
Please see image on this link
https://1drv.ms/i/s!AjM2M54C9qOFhKgvVXx ... Q?e=JyPq7f
Who is online
Users browsing this forum: Google [Bot] and 48 guests