Air gapped solution using iSCSI - opinions

[driley]

Hello,
I am wondering if this solution seems workable? Any issues presented by this setup ?
2 NAS repositories connected via iSCSI to Veeam server and a manual ethernet A/B switch device. The "online" backup copies would be switched periodically using the A/B switch.
D.

[Gostev]

Hello, to be honest it's unclear how are you going to leverage this setup. For example, are you going to set up 2 backup repositories, one for each NAS? And create two jobs with the same source, each pointing to a different repository? Need more info

[driley]

Gostev,
2 Repos, jobs for Repo1 enabled for Tuesdays, jobs for Repo2 enabled on Saturdays. We thought we could use an A/B manual switch box in an IT admins office to keep one repository off the network at all times. The NAS boxes would be in a data closet near the office. We are considering this over rotated USB drives, having someone go to the datacenter to unplug/plug in the USBs. Thoughts?
D.

[Gostev]

OK, then you designed a solid solution that provides for true air gap.

Note that while your design is certainly easier to manage than rotated USB drives, the latter do have an added benefit as normally, those drives are also taken off-site by someone. In fact, our CTO personally did that for the first few years of Veeam (while we were still small), carrying those rotated hard drives home every Friday night because this adds protection against natural disasters, as well as malicious insiders having physical access to data closet.

But as far as protection against ransomware and hackers who got inside your network perimeter, your solution is solid.

[davehlady]

Would this work as close to an air gab without being a true air gap:
- 2 repositories on a single NAS using iSCSI and stored off physical site of servers but on same WAN of business (we have own fibre ran to other sites)
- 2 backup copy jobs, one to each repo
- disable volume connections on the NAS to the repo volume not in use or not having copies run to it on that day
- alternate between the repos, always having one offline.

[Gostev]

It will work, but as you mentioned it's not a true air-gap. So it will help against regular ransomware, but not against a malicious insider, or a hacker inside your network perimeter (as they usually monitor the environment for some time before executing the attack). So, the only question here is whether your business is juicy enough target to justify such a comprehensive attack.

For example, we know we (Veeam) ARE juicy enough, so we like to have true air-gap and we use offline tapes. And not just one but two copies on tapes, done and stored on the opposite sides of the planet.