Matts N
Enthusiast
Posts: 69
Liked: 15 times
Joined: Dec 27, 2010 10:41 am
Full Name: Matts Nilsson
Re: A poor man's air gap

Post by Matts N »

robg wrote: Jun 22, 2021 4:41 am It's still "air gapped" in the sense that the rest of the network cannot access the files, only the backup server.
I know you have gotten more answers than maybe asked for already, but... If you have the backup server's local account information, you technically can connect any computer over the network to access files on the backup server if that account has access rights on shares. Unless you have removed all the system shares for all volumes as well, then it will be tricky. ;)
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

molan wrote: Jun 28, 2021 3:30 pm I hate to say this as I am sure you will react badly, but you seem to be extremely arrogant in your thinking that there is no way someone could ever get into your server without your password. It's like you want to call out all the trolls and hackers and put a big target on yourself.
Ok, let's break this down. Target on myself? First they have to find me, and they have to know what companies I provide IT services for. Good luck.
Also your replicas are 100% vulnerable, because of how a replica needs to function to be useful. The bad actor doesn't have to get access to the replica storage location to corrupt them. All they need to do is subtly corrupt the source before you know there is a problem. The replica process itself will do the rest.
The only way they are reaching a replica is by exploiting ESXi (already patched). Good luck.
This means the second you are attacked and a server is encrypted, then your replicas are also encrypted and useless. Now I know you will say, but I can go back X number of days with my replicas, but it isn't good enough. Ransomware often lies dormant for this exact reason and will very probably be in those older images and will re-activate once restored, encrypting your data again. This problem exists for backups too.
We could stop at "the second you are attacked" -- Given everything I have explained, how is that possible?
But to answer your question here is what I would suggest.

1. Immutable backups. Both for on-premise and your cloud copies (you are storing copies off site, correct?)
2. MFA on your backup server. Use a service like DUO Mobile to add an MFA layer onto the RDP and console access of your backup server; this gives you an extra layer of protection beyond your password, and it's free to use DUO for up to 10 users.
3. Close all inbound firewall ports on your server except RDP. This is a good step, but something you will have to constantly review, as both Windows and Veeam love to fill the Windows firewall with holes every time they update.
4. Better yet, put a physical firewall in front of the backup server if you can.
Sound suggestions, but unneeded complexity. You only have to REALLY do the simple things I've outlined. Control your access well, don't make dumb mistakes.
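Item 3 of the list above (re-checking the inbound firewall after every update) and Matts N's earlier point that local credentials reach the system shares over the network can both be turned into a routine check. The following audit is an added example for this thread, not code from Veeam or from any poster; it assumes a Windows backup server with the built-in NetSecurity and SmbShare modules, run elevated on that server, and a hypothetical baseline in which RDP is the only service allowed inbound.

```powershell
#Requires -RunAsAdministrator
# Backup server exposure audit (added example; not from Veeam or the thread).
# Assumes Windows Server with the built-in NetSecurity and SmbShare modules,
# run elevated on the backup server itself.

# Hypothetical baseline: the only inbound service that should be reachable is RDP.
$AllowedInbound = @(
    @{ Protocol = 'TCP'; LocalPort = '3389' }
    @{ Protocol = 'UDP'; LocalPort = '3389' }
)

function Test-AllowedPorts {
    # True only if every local port of a rule is covered by the baseline.
    param([string]$Protocol, [string[]]$LocalPorts)
    foreach ($p in $LocalPorts) {
        $hit = $AllowedInbound | Where-Object { $_.Protocol -eq $Protocol -and $_.LocalPort -eq $p }
        if (-not $hit) { return $false }
    }
    return $true
}

# 1. Profile defaults: every profile enabled, inbound defaulting to Block.
Write-Host '== Firewall profile defaults ==' -ForegroundColor Cyan
Get-NetFirewallProfile | ForEach-Object {
    $ok = ("$($_.Enabled)" -eq 'True') -and ("$($_.DefaultInboundAction)" -eq 'Block')
    $state = if ($ok) { 'OK' } else { 'REVIEW' }
    '{0,-8} Enabled={1,-5} DefaultInbound={2,-13} {3}' -f $_.Name, $_.Enabled, $_.DefaultInboundAction, $state
}

# 2. Enabled inbound Allow rules outside the baseline. Windows and application
#    updates tend to re-create rules here, so re-run this after every patch cycle.
Write-Host "`n== Inbound Allow rules outside the baseline ==" -ForegroundColor Cyan
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    $ports = @($portFilter.LocalPort | ForEach-Object { "$_" })   # may be 'Any', a port or a range
    $proto = "$($portFilter.Protocol)"
    if (($proto -in @('TCP', 'UDP')) -and (Test-AllowedPorts -Protocol $proto -LocalPorts $ports)) { continue }
    [pscustomobject]@{
        Rule     = $rule.DisplayName
        Group    = $rule.DisplayGroup
        Profile  = "$($rule.Profile)"
        Protocol = $proto
        Port     = ($ports -join ',')
        Program  = $appFilter.Program
    }
}
$findings | Sort-Object Group, Rule | Format-Table -AutoSize | Out-Host

# 3. Shares reachable by anyone holding a valid local account: the default
#    administrative shares (C$, ADMIN$) show up here as Special = True.
Write-Host "`n== SMB shares and server settings ==" -ForegroundColor Cyan
Get-SmbShare | Select-Object Name, Path, Special | Format-Table -AutoSize | Out-Host
$smb = Get-SmbServerConfiguration
'AutoShareServer={0}  SMB1Enabled={1}  RequireSigning={2}' -f $smb.AutoShareServer, $smb.EnableSMB1Protocol, $smb.RequireSecuritySignature
```

Anything listed under section 2 that is not on the baseline is exactly the kind of rule the post warns gets re-added by updates; section 3 shows whether the system shares that a leaked local account could reach still exist.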
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

Matts N wrote: Jun 29, 2021 7:06 am If you have backup server local account information
That's the thing, the backup server admin password is unique. They're not getting into those system shares without exploiting it.
hoFFy
Service Provider
Posts: 183
Liked: 40 times
Joined: Apr 27, 2012 1:10 pm
Full Name: Sebastian Hoffmann
Location: Germany / Lohne
Post by hoFFy » 8 people like this post

Hi Rob,
I don't know how to tell you exactly what I think, maybe because I'm not a native speaker, but let's try.
I'm working for an IT service provider with very small customers up to customers with about 1000 employees. Over the last years I've seen and heard a lot. It starts from "why do I have to buy anti-virus licenses for my servers? Only the clients are receiving emails and surfing the web" to "I only want to buy 2 USB drives, they are so expensive. Two backups are enough".
At the moment I'm working with a new customer who called us in his darkest hours: Hafnium hit him hard. He patched his Exchange 2016 Server on March 13th, but only with the CU19 from December and without installing any further security patches. Within days webshells had been deployed, but nothing more happened (from the customer's PoV). In mid-June he was wondering about slow server performance and called his old IT service provider, who found out that he had been infected, but he couldn't help him "because of lack of time"... So the customer has a cyber security insurance, which called an IT forensic company whose experts immediately told him to shut down all systems. That's where we joined the game. We had been called to extract all data for a deeper analysis and be some kind of remote hands for the forensic company. Together we found out that the customer had been under attack since early April. Anti-virus software had been continuously deleting web shells on the Exchange Server ("why should I install AV on my servers?", you remember?). But one day they got through, were able to delete the anti-virus software, extract admin credentials, walk through the servers and install crypto-mining software on every server. In my opinion the attackers had all aces in their hand and all they did was install crypto miners, which worked with 100% CPU usage... only a matter of time until somebody wonders why the servers are so slow...
Having a good backup might be enough by just doing a full system recovery and being happy. But we found out that the typical 14 days retention policy wasn't enough. Attackers were in the system even before the oldest restore point, and at that time the domain controller had already fallen. EVERY serious security expert will tell you that it's not enough to recover your data which was already infected, do a full system scan with one or two anti-virus scanners and go online again. At the moment we are rebuilding his whole environment from scratch...
I know this isn't exactly what you asked, but it's an example of how things can go if you don't have a high retention policy. And even then: only a few companies are able to recover from restores with month-old data. Not only the loss of reputation with their customers when calling ("hello sir, yes we had an attack and lost all our data of the last 4 months. No, we also lost all construction data for our $$$-project. Yes, we have to start from scratch. Are we still friends?..") but also the loss of data, value and so on over the last months... all will be lost. Only a few can really think of what that will mean to their business.

Second example, which I only heard of: backup server, not on the domain. Backup copy to a separate place, in case of fire. Backup to cloud, because... it's better and the evil hackers... All kinds of security soft- and hardware. Small company, 30 employees, working 100% digital and relying completely on their IT. The firewall / router hadn't been patched against a new vulnerability in its VPN stack; attackers had been able to enter through the VPN login of the manager. By the use of software like Mimikatz they were able to extract cached login data and made their way through the servers with high privileges. It took them several weeks, but in the end they made their way to the backup server (RDP from one of the domain-joined servers which had been used by the IT service provider), changed the retention policy in the jobs to be sure that there would be no valid data, then deleted every backup they could find and had direct access to. Then they started to encrypt all data on every server. When finished they asked for Bitcoins worth 250.000$. They were so professional: one had to open a page on the dark net, start a chat with the attackers (which by the way had their own opening hours for their chat, so you had to wait for them) and then you had to talk to them. They told you very directly how they were able to get into your environment and what they found out about this company over the last weeks, just to demonstrate that they have you by the balls.
This all ended up in paying the attackers (much less than the original 250.000$), because no one was able to help them. They got an encryption key and got their data decrypted.

These stories should tell you something; maybe you should try reading between the lines. Don't be so arrogant as you have been in this complete thread! There will ALWAYS be a zero-day vulnerability in Windows, ESXi, your NAS box, firewall / router, all you can think of. Air gapped should mean there is no open port to anywhere. If you are running physical backup servers at all your small business companies, then this one should not be able to be connected to by RDP, VNC, other software or even BMC. And if there is a NAS box as a backup target: only connect it to the backup server. To nothing else. Not even to a network switch. Or do you think a network switch is safe? They also have vulnerabilities or standard credentials like admin : admin, allowing the attacker to use port mirroring to catch network packets which allow him to extract login data (when no encryption is being used). Your backup servers should also not make use of remote management software. Have you heard of SolarWinds...? In the case of having to get in touch with the servers you should need to walk to them and connect a keyboard and mouse. There should be NO other option. And your retention policy... long enough, but not that long... I already mentioned it above. Customers always have to make use of every possible security option, starting from anti-virus software, over MFA, strict security policies, etc. etc. And in the end attackers will always be one step in front of us. The only thing you can do is to make life very hard for them, because they are trying to catch the low-hanging fruits and make the most money out of them. Secure environments, where they have to circumvent several lines of security, might be of lower interest to them, passing by and attacking the next one.
But again: never be so arrogant to think you are safe just because the server is not domain joined and your ESXi has been patched. There will be one day where the systems are not patched the same day, or patches are not yet released. And then there is the real chance that you'll be hit. Have you heard of Microsoft's printer nightmare? There's no patch at the moment, but one can create a privileged account and run malicious code.
VMCE 7 / 8 / 9, VCP-DC 5 / 5.5 / 6, MCITP:SA
Blog: machinewithoutbrain.de
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey
Post by soncscy » 1 person likes this post

Great stories Sebastian, thank you :) I'm glad this thread sort of blew up and other users echoed the concerns I had in response to the TC's commentaries. I 100% agree with your position, as it's impossible to claim it's not possible to be attacked if your machine is in any way connected. Just a few days after the original post, I came across this Hacker News Discussion:

https://news.ycombinator.com/item?id=27640553
https://msrc-blog.microsoft.com/2021/06 ... s-drivers/
https://www.bleepingcomputer.com/news/s ... in-fiasco/

With Microsoft itself admitting that it doesn't validate all of the code it signs the way it should, I'm not sure how we can even look at a connected machine and assume it's safe. Patching of course is still important as we don't just want to open the door for anyone, but in my experience and opinion, this just isn't enough.

Hence, I stand by my original recommendation; don't call Security Zones by the name "Air Gap", call them what they are -- Security Zones. Let real air gaps be air gaps, and let's not create confusion and possibly misdirect already overly stressed IT teams into a false sense of security.

It is better to assume your primary server __will be compromised__. Looking at it as a "when" forces you into safer practices by design. It can't help on your production machines getting infected (that is a different attack surface than what air gapping tries to protect against), but if the goal is to protect backups, it is a rock solid low-tech solution, and the only cost typically is discipline and maybe a bit of $$$.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

hoFFy wrote: Jul 05, 2021 6:38 am [full post quoted above]
With all due respect dude, you're coming at me like I'm some sort of novice. I've been doing this for over 20 years. I have the correct security posture. You know as well as I do that zero day vulnerabilities (from an external port) are rare, just because there was one recently with Exchange doesn't mean they come around often. Look at the big picture.

And you might say, what about internal vulnerabilities? Don't let them get in the first place, but of course patch them anyway. Everyone is freaking out about this.

And yeah, after this much experience I am entitled to some arrogance. None of the examples you brought up are things I haven't seen or read about before.

I'll even offer some new advice that hasn't been mentioned in this thread yet. Deploy a proper IDS, and if you don't do business with Russia and China, block them.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

hoFFy wrote: Jul 05, 2021 6:38 am He patched his Exchange 2016 Server on March, 13th. But only with the CU19 from december
One thing I'd like to point out about this, not to get too off topic, is that part of the blame for Hafnium is on Microsoft's shoulders. I bet LOTS of those Exchange admins weren't aware of the fact that Windows Update does nothing for them if they aren't on the latest CU. It's a poor design in my opinion. Windows Update is supposed to update all Windows components and Microsoft software. That's what a lot of people believed, at least.

Then again, how much harm and misery has Microsoft indirectly caused since the 1990s with code that really wasn't ready to be released. Getting it out fast is all that matters..
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Post by Gostev » 1 person likes this post

As a PM, I would never want to work at such a company. We're so blessed to have the owners that let us ship new releases When It's Ready™ as opposed to at some required date. So in rare cases when we screw up, we have no one but ourselves (R&D) to blame. And I think this sense of ultimate responsibility only further increases attention to the quality for everyone.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

It's all Bill Gates man. As a child he was raised to be insanely competitive with his siblings. And in the early days of Microsoft this translated to crushing the competitors in any way possible. This leadership style permeated for decades - not only with immature code but the different product teams are competitive with each other at toxic levels. This is from documentaries I've seen and postings from insiders.

I think Gates has singlehandedly held back computer innovation by at least 10 years..
yakamoneye18
Enthusiast
Posts: 54
Liked: 7 times
Joined: May 03, 2018 6:20 am
Full Name: Tobias
Post by yakamoneye18 »

robg wrote: Jun 22, 2021 7:57 am I'm aware of the ESXi vulnerability. That was from February, it was patched recently. So again, not without exploiting the ESXi server (good luck with that).
ESXi is not invulnerable - REvil ransomware is now targeting ESXi.

And about my 2 cents about "poor man's air gap": yes, your setup is hardened to a certain degree. But saying this is "air gapped" is like putting a huge UPS on a desktop computer and calling it a "laptop". Yes, it is more mobile than a desktop computer, but it is by definition not a laptop. The definition of air gapped is - by its name - that there is no physical access to the backup. I'm not saying that your solution is bad - it is better than just a domain member. But in my eyes it does not meet the definition of air gapped.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

And how does the REvil ransomware get itself onto the ESXi server in the first place.. Does a negligent admin need to allow it to get there?

There's a new Linux variant of REvil. What if I don't run Linux anywhere?

Or are you talking about the SLP-based ESXi vulns that were patched in February?

I disagree with your UPS analogy. It's a matter of perspective. If you define airgap as no physical access to the backup, then from the perspective of the rest of the network on everything except the backup server itself, there is no physical access to the backup.
yakamoneye18
Enthusiast
Posts: 54
Liked: 7 times
Joined: May 03, 2018 6:20 am
Full Name: Tobias
Post by yakamoneye18 » 1 person likes this post

robg wrote: Jul 06, 2021 7:05 am And how does the REvil ransomware get itself onto the ESXi server in the first place.. Does a negligent admin need to allow it to get there?

There's a new Linux variant of REvil. What if I don't run Linux anywhere?

Or are you talking about the SLP-based ESXi vulns that were patched in February?
I do not know the exact technical implications here, I just wanted to show that it is not impossible to attack ESXi. I don't think that there must be another Linux system in the network - like someone already stated, attackers will infiltrate the system and then first keep their heads down and watch, check what they have, gather information (like credentials). And if they are nested on a Windows machine and then see an ESXi server, I guess they do not need a Linux machine to start their ESXi exploit. And this exploit is not patched yet as far as I know, it just appeared at the end of June.
robg wrote: Jul 06, 2021 7:05 am I disagree with your UPS analogy. It's a matter of perspective. If you define airgap as no physical access to the backup, then from the perspective of the rest of the network on everything except the backup server itself, there is no physical access to the backup.
This is what I meant: you say it is a matter of perspective, I would say it is a matter of definition. You define air gap as "System that is very hard to access due to protected credentials". Most people in this thread define it as "System that is physically separated from any network" - and the latter is the definition of "Air Gap" in the RFC:

    air gap
    (I) An interface between two systems at which (a) they are not
    connected physically and (b) any logical connection is not
    automated (i.e., data is transferred through the interface only
    manually, under human control).

(see https://datatracker.ietf.org/doc/html/rfc4949)

In my understanding "not connected physically" means there is really no connection, no cable, no infrared interface - no connection that could be automated. I would say tapes that stay in the library are also not air gapped in this definition.

This is what I meant with the UPS - if I define "Laptop" as a portable computing device with monitor, keyboard and battery, then my setup would be a laptop. And I am very sure that any dictionary will say that's wrong, even if I say "but this is my definition of it". I meant to say that your setup is a more protected setup, but your definition of Air Gap is - I am not saying wrong - but different from the RFC, Wikipedia, and most of the people that responded in this thread.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

Yakamoney, you're just splitting hairs at this point. Why? I defined this as a way to segment access to it, the network can't get into the backup server, that means it's a type of gap. Dare I say, a poor man's air gap!

We can split hairs until we're blue in the face. I say that it's *impossible* to reach the backups from the network, unless A, B, C, D, and E occurs, most of those are IRL events, and even A is damn near impossible.

How can your literal air-gapped backups be compromised? Easy, break into your office and steal them. See? This is stupid.

As far as ESXi is concerned, how many zero day vulnerabilities have there been compared to Microsoft's products. Would you wager that there's another big ESXi discovery coming this year or is this going to be pretty much it for the next five years or possibly ever?

I would say they are more on top of things than Microsoft is in the realm of security.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Post by robg »

Also btw this forum is pretty weird. When I'm signed in, I can only "like" the last message posted, there is no button to quote it.. I'm not sure what's going on
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Post by Gostev »

This is by design and to prevent people from quoting the last post in its entirety. The Quote button is only missing from the last post in the thread.

Most people tend to use that as their default Reply button, and these forums were a mess with everything written twice in every thread :D

What I do is I post a reply first, then the last post I want to quote will become not-last and the Quote button would appear on it. So I click it, copy the segment I want to quote along with the quote tags, and edit my post to insert it there. A bit clumsy but lesser of two evils.
yakamoneye18
Enthusiast
Posts: 54
Liked: 7 times
Joined: May 03, 2018 6:20 am
Full Name: Tobias
Post by yakamoneye18 » 1 person likes this post

robg wrote: Jul 06, 2021 2:37 pm I say that it's *impossible* to reach the backups from the network, unless A, B, C, D, and E occurs, most of those are IRL events, and even A is damn near impossible.
What I meant to say is that in my view your definition of Air Gap differs from my definition and - as I read it - from the RFC definition. You say it is impossible to access the backups from the network, "unless A, B, C, D, and E occurs". My Air Gap definition says it is impossible to access the backups from the network. Period. No "unless". Because it is not connected to the network. When I put the tapes back in the library, there is no air gap anymore - although you could say that the hacker would have to take control over the library and the drive, which in my eyes is of course possible.

robg wrote: Jul 06, 2021 2:37 pm How can your literal air-gapped backups be compromised? Easy, break into your office and steal them. See? This is stupid.
I never said that air gapped backups cannot be compromised! They can be stored under water pipes, next to the copy paper storage in the smoking area, or next to the huge company electromagnet... I very well know that air gapped backups can be compromised or get lost - this has to be prevented as far as possible by appropriate measures. But this was not the topic here - the topic is if your design is air gapped or not.

And again - I am not saying your design is bad! Your design is much better than what I had to deal with before, when no money for tapes was available. I am not criticising your setup - I am only disagreeing with your wording.
Matts N
Enthusiast
Posts: 69
Liked: 15 times
Joined: Dec 27, 2010 10:41 am
Full Name: Matts Nilsson
Post by Matts N » 2 people like this post

robg wrote: Jul 05, 2021 3:44 am That's the thing, the backup server admin password is unique. They're not getting into those system shares without exploiting it.
I hear what you are saying. My point is still that those credentials can be exploited. With a true air-gap it doesn't matter if you have the keys to Fort Knox, you can't get to it over a network. :wink:
joey-taps
Lurker
Posts: 2
Liked: 3 times
Joined: Mar 24, 2015 5:13 pm
Full Name: GERALD
Post by joey-taps » 3 people like this post

You Keep Using That Word (air gap) I Do Not Think It Means What You Think It Means
selva
Enthusiast
Posts: 73
Liked: 7 times
Joined: Apr 07, 2017 5:30 pm
Full Name: Selva Nair
Location: Canada
Post by selva »

Gostev wrote: Jun 28, 2021 11:36 pm Except "properly deployed" hardened repository means disabling the SSH Server, which makes all your SSH key concerns irrelevant. With the only "way in" being the local server console, you can forget about any possibility of remote attacks, even if hackers have root credentials to your entire environment. They simply can't use them remotely, that's the whole idea!
The only legitimate "way in" would be via the console, but hackers don't take that route, do they?

The SSH server could be disabled, but the data mover is still listening on a port, though it doesn't run as root. Some bug lurking around in it could permit someone to get a foot in the door, and then attempt privilege escalation. Not saying the "hardened repo" is not a great feature -- it sure is. In the past one had to do a number of tricks to get a similar level of hardening.

Protecting data is tough business and needs a multi-pronged approach as we all know (well, almost all :). V11's chattr +i feature provides us one such tool which is indeed nice. The next should be B&R for Linux :) Doesn't repeating make a wish come true?
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: A poor man's air gap

Post by Gostev »

Indeed, no software-based immutability is absolute due to a chance of bugs.

For 100% assurance you want your backups offline aka air-gapped.
And if you need an insider protection, then additionally in a safe.

Can't delete or destroy what's physically unreachable :D

However, I would also argue that if Linux is found to have bugs that allow escaping user processes (like data mover) into root, then those immutable Veeam backups are probably the last thing IT people will be worrying about :D so I would rather worry about bugs in that tiny immutability flags management process, which does run under root. However, it implements just 2-3 functions of a few lines of code each, which reduces the chance of vulnerabilities significantly... still without making them impossible, of course.
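Selva's and Gostev's posts above turn on the chattr +i immutable flag. As an added example (not code from the thread or from Veeam), this POSIX shell audit parses lsattr -R style output and reports backup files whose attribute field lacks the i flag; the file names and the listing are constructed, and the repository path /backups is an assumption.

```shell
#!/bin/sh
# Added example: audit a Linux repository for backup files that are NOT
# immutable (no 'i' in the chattr attribute field). Reads lsattr output on
# stdin so it can run against a live listing or a saved one:
#   lsattr -R /backups | audit_immutable        (path is an assumption)

# Print the path of every file whose attribute field lacks 'i'.
# Input lines look like "----i---------e------- /backups/job1/file.vbk";
# lsattr -R also emits blank lines and "dir:" headers, which are skipped.
audit_immutable() {
    while read -r attrs path; do
        # Header/blank lines: first field is empty or is a directory path.
        case "$attrs" in */*|'') continue ;; esac
        [ -n "$path" ] || continue
        case "$attrs" in
            *i*) ;;                          # immutable: nothing to report
            *)   printf '%s\n' "$path" ;;    # mutable backup file: report
        esac
    done
}

# Count lines on stdin without relying on wc's output padding.
count_mutable() {
    n=0
    while read -r _; do n=$((n + 1)); done
    echo "$n"
}

# Constructed lsattr -R listing: two protected files, two left mutable,
# plus the blank line and directory header lsattr prints between dirs.
SAMPLE='----i---------e------- /backups/job1/2021-07-10.vbk
----i---------e------- /backups/job1/2021-07-11.vib
--------------e------- /backups/job1/2021-07-12.vib

/backups/job2:
--------------e------- /backups/job2/2021-07-12.vbk'

# Stand-alone demo: lists the two mutable files, then their count.
printf '%s\n' "$SAMPLE" | audit_immutable
printf '%s\n' "$SAMPLE" | audit_immutable | count_mutable
```

A non-zero count from a cron run is the signal worth alerting on; a file that should still be inside its immutability window but reports mutable means the flag was never set or was removed early.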
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Contact:

Re: A poor man's air gap

Post by robg »

joey-taps wrote: Jul 12, 2021 3:14 am You Keep Using That Word (air gap) I Do Not Think It Means What You Think It Means
I said "poor man's air gap" - not a literal one, but something that is almost as good in a pinch, if it's done correctly. I was pretty clear in how I defined it!

To recap: Remove your backup server from the domain, control access to it carefully, and the rest of the domain and network can't breach it. That's a poor man's air gap, because the backups are unreachable. Some would call this zoning, but this is what I call it.
robg
Expert
Posts: 176
Liked: 18 times
Joined: Aug 15, 2014 11:21 am
Full Name: Rob
Contact:

Re: A poor man's air gap

Post by robg »

yakamoneye18 wrote: Jul 07, 2021 7:39 am What I meant to say is that in my view your definition of Air Gap differs from my definition and - as I read it - from the RFC definition. You say it is impossible to access the backups from the network, "unless A, B, C, D, and E occurs". My Air Gap definition says it is impossible to access the backups from the network. Period. No "unless". Because it is not connected to the network. When I put the tapes back in the library, there is no air gap anymore - although you could say that the hacker would have to take control over the library and the drive, which in my eyes is of course possible.

I never said that air gapped backups cannot be compromised! They can be stored under water pipes, next to the copy paper storage in the smoking area, or next to the huge company electromagnet... I very well know that air gapped backups can be compromised or get lost - this has to be prevented as far as possible by appropriate measures. But this was not the topic here - the topic is if your design is air gapped or not.

And again - I am not saying your design is bad! Your design is much better than what I had to deal with before, when no money for tapes was available. I am not criticising your setup - I am only disagreeing with your wording.
Sure, we can disagree on the wording, and I understand how precise IT people prefer to be, but I am more loose with my language. If something is "damn near impossible" in my eyes, I'll take the leap and say it's impossible.

I deal with business owners directly, not layers of management, and a lot of them are like this. You only lose credibility if what you assure them of won't happen, happens anyway.
selva
Enthusiast
Posts: 73
Liked: 7 times
Joined: Apr 07, 2017 5:30 pm
Full Name: Selva Nair
Location: Canada
Contact:

Re: A poor man's air gap

Post by selva »

This thread has been beaten to death, but as we discussed blocking even ssh server, a quick question: is it still necessary to open tcp ports 2500 to 3000 on the backup repository server for connections from data sources like Agents and hyperV?
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: A poor man's air gap

Post by Mildur »

If you have upgraded to V10 and higher, then for existing components, 2500-5000 is needed.
If you have a newly installed VBR V10 or higher, then only 2500-3300 is needed.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Product Management Analyst @ Veeam Software
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: A poor man's air gap

Post by Gostev » 1 person likes this post

Just keep in mind the range should correspond to your concurrency levels. The port ranges indicated in the documentation allow for running hundreds of jobs in parallel, which is obviously overkill for small environments with just a few jobs in total. For those, even something like 2500 to 2510 may be enough.
selva
Enthusiast
Posts: 73
Liked: 7 times
Joined: Apr 07, 2017 5:30 pm
Full Name: Selva Nair
Location: Canada
Contact:

Re: A poor man's air gap

Post by selva »

Thanks. I used to open about 100 though I was not sure it goes sequentially from 2500. Will reduce to 10 and test -- ours is a small setup.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: A poor man's air gap

Post by Gostev » 2 people like this post

Yes, it does go sequentially from 2500 and takes the first unused port. Just keep in mind secondary processes in addition to your primary backup jobs, like offload to object storage for example, which also need ports. Keep an eye on them when testing with a reduced number of ports. Thanks!
Giacomo_N
Enthusiast
Posts: 93
Liked: 16 times
Joined: Feb 15, 2013 1:56 pm
Full Name: Giacomo
Location: Italy
Contact:

Re: A poor man's air gap

Post by Giacomo_N »

NaplesDave wrote: Jun 28, 2021 1:24 am If you want a REAL AIR GAP device check out this https://www.techbyking.com/project-gallery-page. Scroll down for AIR GAP Device.
The device sits between your NAS or external backup drive and physically disconnects the ethernet from the device during your specified backup time.
Fantastic, the air gap project! :))
crp0499
Influencer
Posts: 20
Liked: 4 times
Joined: Sep 06, 2018 1:36 am
Full Name: Cliff
Location: USA, Texas
Contact:

Re: A poor man's air gap

Post by crp0499 » 1 person likes this post

I know this is old, but I just did this for my Veeam sites (27 in all).

I purchased iSCSI devices from QNAP with 2 10gig NICs. I have 10 gig NICs in all of my Veeam servers (off domain with unique UN/PW). The UN/PW for Veeam is very unique and complex. There won't be any guessing on that one. The Veeam server doesn't have internet access.

I then wrote scripts to enable/disable opposing NICs so that on odd days everything is backed up to iSCSI1 and even days to iSCSI2. For at least half of the time, one of my two iSCSI devices is offline and therefore airgapped.

In addition, my iSCSI devices are on different subnets (I always use 10.10.10.x) so even if something gets on the network, the ONLY server that can see iSCSI is the Veeam server.

It works perfectly and has given me no issues. I do this for on-prem server and for the ones that live in datacenters.

Is this poor man's? Prolly not since the 10gig NICs etc cost a little more than gigabit NICs and two QNAP devices full of drives isn't cheap either. However, I feel I understand this setup down to the smallest detail and I have control over it.

I'm sorry if this was previously covered. I just wanted to offer my two cents.
Cliff Poe
VCDX-DCV, MCSM
President/CEO
On-Site Computer Solutions, Inc.
713-517-7344
cliff@onsiteus.com
www.onsiteus.com
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: A poor man's air gap

Post by Gostev »

@crp0499 thanks for sharing your approach with the community! Just remember that by posting it publicly, you have shared all these details about your environment with both good AND bad guys at the same time... so you might want to at least remove your forum signature, as it helps to map your thorough environment description into the actual data center. No need to make it easier for the attackers + you're almost challenging them with your post! :D

By the way, I feel that iterating every single day might be too often, because in this case both storage devices can be dealt with by hackers across Saturday and Sunday (or during public holidays), when you're much less likely to notice that your environment is under attack. It is actually true that hackers prefer to attack during "quiet" periods - for example, there's always a spike when a public holiday gets "attached" to a weekend.