-
sumeet
- Service Provider
- Posts: 257
- Liked: 50 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
Veeam Azure backup appliance - operating system security
Hello Team,
May I request to get some details on how the Ubuntu OS in the backup appliance is hardened against potential security exploitation?
I have checked the documentation - https://helpcenter.veeam.com/docs/vbazu ... ml?ver=8.1
and do not find any details on how the OS is modified or updated to ensure it is not easily exploited.
For example, is the default FW within the OS configured, etc.?
Also does the same apply to the workers?
-
nielsengelen
- Product Manager
- Posts: 6257
- Liked: 1310 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Azure backup appliance - operating system security
Hi Sumeet,
There is no official hardening implemented; however, the firewall can be managed via Azure security. We have a list of our required ports and required Azure Services.
Security updates are handled via the built-in updater so you can keep the system up to date that way.
GitHub: https://github.com/nielsengelen
-
sumeet
- Service Provider
- Posts: 257
- Liked: 50 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
Re: Veeam Azure backup appliance - operating system security
Hi Niels,
I checked the firewall status on the Azure backup appliance and it is not even turned on.
When I deploy a Windows/Linux server in our on-prem environment, which is in a private network and within multiple firewalls, I still ensure the default Windows FW is kept on, install endpoint security software, and set up a vulnerability scanning agent.
Just because the server is within our secure private network does not mean I do not perform the rest of the steps to ensure it is also as secure as possible, in case for any reason it gets exposed/attacked.
12 years ago, when I used to work at Veritas/Symantec, we built an appliance using CentOS mini – a stripped-down version of the OS, shipping only the OS + libraries that are required for product functionality.
Back then, we also enabled the default OS firewall, and a few other security features were enabled.
I managed to find the documentation that I got the Doc team to write:
https://sort.veritas.com/doc_viewer/#/c ... -167206474
I do see a lot of similarity in the appliance, with the major difference being that security is ignored in Veeam.
I understand that there is a list of ports and Azure services that are required to be opened. We ensure we deploy the appliance within a private network managed within firewalls, but still there are certain basic hardening features and the FW that need to be enabled.
Especially considering the level of access the appliance has across production subscriptions for backup and restore.
With great powers comes great responsibility - the appliance has powers (access to backup and restore data, which requires delete access), but lacks the responsibility to ensure basic security guidelines.
The way I look at this is very disappointing. Not sure how I can answer my clients' questions about the appliance and its hardening.
Also, I cannot allow them to install their endpoint software or vulnerability scanner on the appliance or the workers that get created on the fly.
-
nielsengelen
- Product Manager
- Posts: 6257
- Liked: 1310 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Azure backup appliance - operating system security
Hi,
We do allow customers to apply specific security rules they have, as long as it doesn't impact our ports and communication with related public cloud services.
Veeam also performs security checks within all the appliances to ensure their safety. Can you clarify which hardening method you want to align with so we can look into potential future enhancements?
GitHub: https://github.com/nielsengelen
-
sumeet
- Service Provider
- Posts: 257
- Liked: 50 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
Re: Veeam Azure backup appliance - operating system security
Hi Niels,
Thanks.
https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13
The link above has the security guidelines that the VBR server follows, even if the VBR server is in a private network and within firewalls.
The same needs to be done for the Veeam Backup for Azure appliance and the workers that are configured. Have at least the FW turned on and only open the ports (in the appliance OS) required for product functionality. The same should apply to the worker.
Thanks.
-
nielsengelen
- Product Manager
- Posts: 6257
- Liked: 1310 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Azure backup appliance - operating system security
There are no short-term plans for a similar tool. As mentioned, you can implement your own hardening, but on firewalls, for example, the Azure network config will override the OS one.
We have other customers who implemented their own hardening as well without issues.
GitHub: https://github.com/nielsengelen
-
sumeet
- Service Provider
- Posts: 257
- Liked: 50 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
Re: Veeam Azure backup appliance - operating system security
Don't need such a tool; it was just to call out what your tool is doing to check within the OS for hardening.
If the appliance build script can perform operations like turning on the Ubuntu firewall and ensuring only the ports required by the Veeam Backup for Azure app are opened, then this should be good enough to start with.
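Sumeet's posts ask for two things on the appliance OS: that the Ubuntu firewall be enabled at all (his check found it off) and that only the ports the product needs be allowed. The following is an added example, not Veeam's code or anything posted in the thread, of a POSIX shell audit for exactly that, run over a constructed `ufw status verbose` sample; the port numbers and the REQUIRED_PORTS allowlist are placeholders, since the thread does not list the real ports (they are in the Veeam documentation it links). As Niels notes, the Azure network configuration governs reachability first, so this checks the OS layer as defence in depth behind it.

```shell
# Added example (not Veeam code): audit an Ubuntu host firewall (ufw) ruleset against an
# allowlist of required inbound ports. Port numbers are placeholders; take the real list
# from the product documentation the thread links.
# Constructed sample of `ufw status verbose` on a host that still has an extra port open.
SAMPLE_UFW_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
9419/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
9419/tcp (v6)              ALLOW IN    Anywhere (v6)'
# Placeholder allowlist of "port/proto" entries the product needs inbound.
REQUIRED_PORTS="22/tcp 443/tcp"
# audit_ufw STATUS_TEXT REQUIRED_PORTS: prints one finding per line with the ufw command
# that fixes it; returns 0 only when the ruleset matches the allowlist exactly.
audit_ufw() {
    status_text=$1; required=$2; rc=0
    # The thread's starting point: the firewall is not enabled at all.
    if ! printf '%s\n' "$status_text" | grep -q '^Status: active'; then
        echo "FAIL firewall inactive (fix: ufw default deny incoming; ufw enable)"
        return 1
    fi
    # Allow rules mean little if the default inbound policy is not deny.
    if printf '%s\n' "$status_text" | grep '^Default:' | grep -qv 'deny (incoming)'; then
        echo "FAIL default inbound policy is not deny (fix: ufw default deny incoming)"; rc=1
    fi
    # Distinct port/proto values carrying an inbound ALLOW rule; v4 and v6 rows collapse.
    allowed=$(printf '%s\n' "$status_text" \
        | awk '$1 ~ "^[0-9]+/(tcp|udp)$" && /ALLOW/ && !/ALLOW OUT/ { print $1 }' \
        | sort -u | tr '\n' ' ')
    for p in $allowed; do
        case " $required " in *" $p "*) ;;
            *) echo "FAIL unexpected port open: $p (fix: ufw delete allow $p)"; rc=1 ;;
        esac
    done
    for p in $required; do
        case " $allowed " in *" $p "*) ;;
            *) echo "FAIL required port not allowed: $p (fix: ufw allow $p)"; rc=1 ;;
        esac
    done
    [ $rc -eq 0 ] && echo "PASS ruleset matches allowlist"
    return $rc
}
# Stand-alone run; a non-zero exit is what to alert on when scheduled from cron.
audit_ufw "$SAMPLE_UFW_STATUS" "$REQUIRED_PORTS" || echo "exit status $?"
```

On a live host, replace the sample with `ufw status verbose` output; the same function can be run on each worker as they are created on the fly.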