Host-based backup of VMware vSphere VMs.
adam900331
Veteran
Posts: 337
Liked: 26 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Veeam server and hardened repository

Post by adam900331 »

Hi!

I am new to hardened repositories. I would like to plan an immutable backup solution, but I am a little confused. If I want an immutable repo, do I need a separate physical server next to the backup server? So do I need one physical server for Veeam B&R without disks for storing backups, and another server with data disks to store immutable backups? If yes, can I connect the backup and repo servers directly with a 2x10 Gbit/s connection?

Thanks.
d.artzen
Enthusiast
Posts: 90
Liked: 37 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: Veeam server and hardened repository

Post by d.artzen » 1 person likes this post

Hi,

Immutability can only be used with Linux systems or compatible block storage, since this is a feature of the underlying file system. Since Veeam currently (V12) needs a Windows Server, you would need at least two servers: one with Windows for B&R and one with Linux as a hardened repo.
Mildur
Product Manager
Posts: 10472
Liked: 2808 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam server and hardened repository

Post by Mildur »

Hi Adam,

Two machines are required.

You will need one machine with Windows OS to install Veeam Backup & Replication.
Then, you will require a second machine that runs a supported Linux OS, preferably with locally attached disks. This second machine will serve as your Hardened Repository.

It is recommended that the machine with the Hardened Repository be physical. I suggest using our Hardened Repository ISO to deploy this machine, as it will deploy Rocky Linux and apply all necessary security hardening to ensure a truly secure repository solution.
For our Hardened Repository ISO, this machine must have two storage volumes:
- one volume for the operating system (with a minimum of 100GB)
- at least one volume for backup data. All data volumes must be larger than the operating system volume.

For complete requirements, please refer to our help center.


Best,
Fabian
Product Management Analyst @ Veeam Software
adam900331
Veteran
Posts: 337
Liked: 26 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Veeam server and hardened repository

Post by adam900331 »

Hi Fabian!

Thanks. Is there a step-by-step guide you would suggest for implementing my first hardened repo from the Hardened Repository ISO? I found only an Ubuntu step-by-step installation guide.
Mildur
Product Manager
Posts: 10472
Liked: 2808 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam server and hardened repository

Post by Mildur »

Necessary steps are documented in our help center. Please let me know if something is unclear.

1. Make yourself familiar with the Requirements and Limitations page: Requirements and Limitations
2. Get your physical machine ready
3. Start the installation and configuration of the operating system by booting from our ISO: Installing from Veeam Hardened Repository ISO
4. Configure and Connect the deployed machine as a Hardened Repository to the backup server: Configuring Server as Hardened Repository

Best,
Fabian
Product Management Analyst @ Veeam Software
adam900331
Veteran
Posts: 337
Liked: 26 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Veeam server and hardened repository

Post by adam900331 »

Thanks, Fabian!

I will try it.
adam900331
Veteran
Posts: 337
Liked: 26 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Veeam server and hardened repository

Post by adam900331 »

And what is the practical experience? Which server is the first backup repository? The Windows server where Veeam is installed, or only the hardened repo? I ask because I need to know whether I have to plan local data disks in the Windows server for backup data or not (only system disks).

But do I have to plan data disks for backups in both servers?
Origin 2000
Service Provider
Posts: 102
Liked: 25 times
Joined: Sep 24, 2020 2:14 pm
Contact:

Re: Veeam server and hardened repository

Post by Origin 2000 »

You have a misunderstanding.

The Veeam BR server is just for management, and there is no need to store any of your backups there. In most of our setups this VBR server runs as a virtual machine. The VHR, of course, is a physical one with large disk capacity.

Regards,
Joerg
jcalvetm
Influencer
Posts: 21
Liked: never
Joined: Jun 29, 2022 11:05 am
Full Name: Jordi Calvet
Contact:

Re: Veeam server and hardened repository

Post by jcalvetm »

As said above, the best option to me is a second physical server as the hardened repo. Depending on the size of the backups, even an old recycled one with enough storage capacity (no need to be top speed).

The thing with local block storage (e.g. NAS) or virtual appliances is that, even though the immutable storage is safe, there is a layer above that can be attacked.

If the repo is hosted on NAS block storage, the data itself is immutable... but if the attacker gains access to the appliance management interface, nothing stops him from erasing/formatting the disks and erasing all your backups. Same thing with VMs: if the attacker gains access to the host, he can destroy everything.

In a physical Linux hardened repo, the attacker would have to gain access as superuser. Communication between Veeam B&R and the hardened repo uses a non-privileged user, so in the hypothetical case that an attacker gained access to the hardened repo with the information available in the system, he could have access to the backups, but "read-only". In order to destroy them he would need superuser capabilities. In a Linux hardened repo the superuser is "out of the ecosystem" and only logs in through the console by a human (it is safe... unless somebody leaks the credentials to the attacker... but that's another matter).

My point of view.
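An added example, not part of the posts above and not Veeam's own tooling: a defender-side check that the backup files on a Linux repository actually carry the file-system immutable attribute discussed in this thread. It assumes the attribute is the one reported by `lsattr` as the `i` flag and that full and incremental backups use the `.vbk` and `.vib` extensions; the `/mnt/backup` path and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: list backup files that lack the Linux immutable attribute,
# using `lsattr -R` output as input. Other file types are ignored here.

# Constructed sample of `lsattr -R /mnt/backup` output (path and names made up).
SAMPLE_LSATTR='----i---------e------- /mnt/backup/Job1/vm01.vbk
----i---------e------- /mnt/backup/Job1/vm01_0001.vib
--------------e------- /mnt/backup/Job1/vm01_0002.vib
--------------e------- /mnt/backup/Job1/Job1.vbm

/mnt/backup/Job1:'

# Reads lsattr output on stdin and prints every .vbk/.vib path whose flag
# field has no "i" (immutable) bit set.
unprotected_backups() (
  while read -r flags path; do
    [ -n "$path" ] || continue                       # blank lines, "dir:" headers
    case "$flags" in *[!A-Za-z-]*) continue ;; esac  # first field is not a flag field
    case "$path" in *.vbk|*.vib) ;; *) continue ;; esac
    case "$flags" in *i*) ;; *) printf '%s\n' "$path" ;; esac
  done
)

# Returns 0 when every checked backup file is immutable, 1 otherwise.
audit_repo() {
  missing=$(unprotected_backups)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing" | sed 's/^/NOT immutable: /' >&2
  return 1
}

# Demo on the constructed sample; on a real repository pipe in `lsattr -R <data volume>`.
printf '%s\n' "$SAMPLE_LSATTR" | unprotected_backups
```

A non-zero result from `audit_repo` is worth alerting on from a scheduled job, since a backup file without the flag can be deleted by any account with write access to it.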
flomp
Enthusiast
Posts: 49
Liked: 3 times
Joined: Oct 24, 2018 6:15 pm
Contact:

Re: Veeam server and hardened repository

Post by flomp »

From a security point of view, would it be reasonable to run the Windows B&R part in a VM if the hypervisor is not a member of the domain?

Of course, two physical servers would be optimal, but for small installations this might not be affordable.
mrmccoy007
VeeaMVP
Posts: 333
Liked: 68 times
Joined: May 23, 2017 7:53 pm
Full Name: Brandon McCoy
Contact:

Re: Veeam server and hardened repository

Post by mrmccoy007 » 1 person likes this post

Yes, you can run your Veeam backup server on a VM. Keeping it off of the production domain is highly recommended. You should use a workgroup or, for larger environments, you can create a separate domain with a one-way trust. Please take a look at this topic in our best practice guide. It also has some great information about the Linux hardened repo, and other security considerations. Thanks.
https://bp.veeam.com/security/Design-an ... omain.html
adam900331
Veteran
Posts: 337
Liked: 26 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Veeam server and hardened repository

Post by adam900331 »

Hi!

What do you think? Is the Veeam Hardened Repository ISO compatible with the HPE DL380 Gen12 server? I only see in the compatibility list the Gen11.

Thanks.