-
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Contact:
Veeam Agent and isolated networks
Hi, we have been using the Free Veeam Backup Agent for a long time. Needless to say to our satisfaction.
In the past years the amount of machines that we backup has increased to a point that it is cumbersome to touch every single machine to maintain it. All the configuration/updates need to be done on the client itself.
The free version has always been a push technology to the backup server. You push the backup to the Backup Server, so only outgoing ports on the firewall needed to be opened.
Many of our systems, that we have Veeam Agent installed on, are situated in isolated networks.
Now we have licenced the Veeam Agent. I am currently reorganizing our backups so that all clients can be maintained from the B&R console.
It works very well and Agents get nicely updated in case they have an outdated version.
What I am worried about is security. I noticed a whole bunch of TCP ports need to be opened from our BackupServer to the Isolated networks to push out the software. (The other way around)
I wonder if my Backup Server could be a stepping stone to all my isolated networks. So if one would compromise my Backup Server, the firewall rules allow the hacker to use these open firewall ports to gain access to the isolated systems.
Let's say we were in the situation prior to the "Eternal Blue" leak. Could a hacker jump to all these PCs from the Backup Server with these ports open?
Is there any advice that can be given to secure this the "right" way?
Any thoughts you might have are more than welcome.
Remko
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Veeam Agent and isolated networks
Hi Remko,
Is there any specific reason for deploying B&R server outside of the isolated environment? Just trying to get a full picture.
Regards,
Fedor
-
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Contact:
Re: Veeam Agent and isolated networks
Hi Fedor,
That is absolutely a legitimate question.
We are currently in the process of segmenting the various parts of our LAN.
Unfortunately we have learned that our current Firewall is not strong enough for this job.
It was once bought for North --> South traffic but as we want to filter East-->West traffic now as well we see a huge performance hit.
Hence we cannot isolate our Backup Unit yet.
We did take some alternative measures to prevent the server from going onto the internet, disjoining it from the domain, implementing file server resource manager to only allow Veeam files on certain folders, etc.
I agree, the design could be better but is currently limited by what we have.
But now with the change on how we use Veeam Agent (centralized), the topic lights up again. There need to be a lot of holes from our backup server to the isolated systems to get this to work. Or is this a one time event? Once everything is installed, can I shut down some ports?
Remko
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Veeam Agent and isolated networks
Remko,
Since you have a distributed architecture, mind me asking if you ever considered using Veeam Cloud Connect (and Cloud repository) for your backups? The overall idea is that it eliminates the complexity of backup over WAN/complicated networks and allows you to connect to the repository over a single port/IP address. Thanks!
-
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Contact:
Re: Veeam Agent and isolated networks
Hi, we are a production facility with three different networks:
- Office Network
- Plant Network 1
- Plant Network 2
The only system that may go the other direction is a certified security appliance to allow remote access to these isolated systems.
As the plant network is also located in the plant itself, it is not recommended to keep our backups there.
Most of the machines in the plant network are physical, hence the need for Veeam Agent Backup.
So I installed Veeam Agent Backup on every machine and opened up a port on the firewall to our backup server just for this traffic. Used a local account to only give access to a particular repository.
So far this worked well but with the downside that everything is client based. So if I needed to change anything, I had to touch the computer and make the change. This was cumbersome and time consuming. Especially when you want to update the Veeam Agent.
Now with the licensed version, we have a centralized solution. I have the ability to use application aware processing on servers, etc.
We try to keep as much of our data at site. So nothing yet to the cloud with Veeam Cloud Connect. Especially the Plant Systems. As said, outgoing traffic is very limited.
The problem I have now with the centralized approach is that there are multiple ports needed to stay in touch with my remote systems: tcp/139, tcp/445, dynamic ports in the 50k range, ports in the 60k range, etc.
That is... that's the traffic I see on my firewall pass by.
Traffic that flows from the backup server to my isolated systems.
Essentially, this is not really something I want.
So this made me wonder... am I doing wisely taking this route? Was the previous setup perhaps better security wise?
I used to have only one or two tcp ports going to the backup server.
I am looking for advice on how to manage this.
Also keep in mind that I currently do not have the means to isolate my backup server as mentioned earlier due to performance problems.
Perhaps I am looking at the issue not the right way. If so, I apologize but I have yet limited experience using the Veeam Agent this way.
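The direction Remko describes (flows that the backup server itself initiates into the plant networks) is exactly what a defender would want to audit from the firewall log rather than eyeball. The following is an added example, not from this thread or from Veeam: it assumes a key=value firewall log format and made-up addresses for the B&R server and the two plant networks, and reports which plant hosts and destination ports the backup server reached over allowed flows, so that the set of "holes" can be compared against what the backup design actually needs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real captures); the key=value layout is an assumption.
SAMPLE_LOG = """\
2018-11-23T12:01:05 src=10.0.1.10 dst=10.10.0.21 proto=tcp dport=445 action=allow
2018-11-23T12:01:06 src=10.0.1.10 dst=10.10.0.22 proto=tcp dport=139 action=allow
2018-11-23T12:01:09 src=10.0.1.10 dst=10.10.0.21 proto=tcp dport=50123 action=allow
2018-11-23T12:02:00 src=10.10.0.21 dst=10.0.1.10 proto=tcp dport=1234 action=allow
2018-11-23T12:03:14 src=10.0.1.10 dst=10.20.0.5 proto=tcp dport=445 action=allow
2018-11-23T12:03:15 src=10.0.1.10 dst=10.20.0.5 proto=tcp dport=60010 action=deny
2018-11-23T12:04:40 src=10.0.1.10 dst=10.0.1.50 proto=tcp dport=445 action=allow
"""

# Assumed addressing: the B&R server lives in the office network; the plant networks are the isolated ones.
BACKUP_SERVER = ipaddress.ip_address("10.0.1.10")
ISOLATED_NETS = {
    "Plant Network 1": ipaddress.ip_network("10.10.0.0/24"),
    "Plant Network 2": ipaddress.ip_network("10.20.0.0/24"),
}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a flow dict; returns None for lines that do not parse."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {"src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"]), "action": fields["action"]}
    except (KeyError, ValueError):
        return None


def inbound_exposure(log_text):
    """Map each isolated network to {dport: set of plant hosts} for allowed flows initiated by
    the backup server, i.e. the backup-server-to-plant direction the old push model never needed."""
    exposure = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["action"] != "allow" or flow["src"] != BACKUP_SERVER:
            continue  # skip unparsable lines, denied traffic and agent-initiated (push) flows
        for name, net in ISOLATED_NETS.items():
            if flow["dst"] in net:
                exposure[name][flow["dport"]].add(str(flow["dst"]))
    return {name: dict(ports) for name, ports in exposure.items()}
```

Flows the plant hosts initiate toward the backup server, denied packets and office-network destinations are deliberately left out, so the result is only the backup server's reach into the isolated segments.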
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Veeam Agent and isolated networks
remko.de.koning wrote: ↑Nov 23, 2018 12:07 pm Once everything is installed, can I shut down some ports?
That won't work, unfortunately. During each operation, to name a few: discovery, rescan, job start, etc., the B&R server should be able to communicate with Agents and vice versa. I think it may be a good idea to install the B&R server locally with the Agents (in the same network the Agents are in) and also install a B&R Console remotely; it will require opening just a single port between the remote console and the rest of the B&R components. Also, could you please let me know where your target Repository is located? If it's in the same network where the Agents are then the aforementioned suggestion looks even more reasonable.
Could this work? Thanks.
Btw, thank you for the last post adding additional clarification. The traffic between the server and remote console is minimal, so should not impact your firewall performance theoretically...
-
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Contact:
Re: Veeam Agent and isolated networks
I guess this solution would work. Unfortunately, this solution would be times 2 as we have two plant networks.
The two plant networks are fully separated from each other.
What would I need to accomplish this? I guess I need a server/workstation with storage, perhaps licenses, and a backup copy job from the remote B&R console to our B&R server. I doubt if this is something I can implement quickly.
Also, the vendor of the Plant systems is not really keen on having additional equipment in their network design and us not using their recommended backup solution (Acronis).
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Veeam Agent and isolated networks
Hi Remko,
Just to clarify, Backup Console is a component talking to the B&R server and allowing centralized management of the server(s). In your case, you require one remote console installed in your office network, two backup servers (one at each plant) or a single server if the communication between plant networks is possible, and depending on where you'd like to store your backups, two repository servers, one at each plant similar to B&R servers, for example.
If it's quite challenging to deploy additional components at the Plant sites, I would think twice about the design. Maybe it's easier to open ports between the agents and a B&R server installed in your office network. To be honest, there are not so many ports to be opened, but I have doubts about firewall performance since you mentioned it. On the other hand, due to security concerns, I would prefer having the whole backup infrastructure on the plant sites.
Also, I would recommend taking a look at our Veeam Best Practices portal for additional information.
Hope this helps. Thanks.
-
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Contact:
Re: Veeam Agent and isolated networks
I would like to thank all of you for your thoughts and advice. This is definitely something I can work with.
Just one quick explanation about fire-walling the Backup Server in our infrastructure.
We have noticed that the throughput drops significantly when traffic flows through the firewall. This is not a problem with traffic to and from the internet.
The internet connection is much slower than the capped throughput of the firewall.
However, with LAN traffic (1000 Mbps) the backup speed drops very noticeably on our current appliance.
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Veeam Agent and isolated networks
Hi Remko,
Makes sense. In this case, I would prefer the remote console option with the rest of the components located in the Plant networks.
Thanks,
Fedor