Good morning,
We have just upgraded one of our SANs and have a perfectly serviceable Nimble box to utilize for backups. We also have 2 ESX hosts connected to the SAN.
Question: what would be the best ransomware-proof setup using Veeam to back up to the SAN such that we can rapidly restore the backups?
Thanks
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Nov 11, 2010 2:34 pm
- Full Name: Justin Scott-Barate
- Contact:
-
- Product Manager
- Posts: 15134
- Liked: 3234 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Backup to SAN ideas
Hello,
and welcome to the forums.
Just to be clear: are you planning to back up to your production storage? If yes, I would like to highlight that this is a bad idea from a performance / safety perspective as you put all eggs into one basket.
In general: having a storage (directly) connected to a physical Linux server with hardened repository would be the best thing possible. That storage box must be fully independent from production and not connected to the Veeam software. It must just work in the background as "dumb storage". Additionally to hardened repository, you could also enable snapshots on the storage. But that sounds like overkill to me.
http://vee.am/hardened has some more details on the Hardened Repository and general attack vectors.
Best regards,
Hannes
-
- VP, Product Management
- Posts: 7202
- Liked: 1547 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Backup to SAN ideas
I would maybe do the following:
1) ESXi host with some local capacity running the Veeam Server and maybe the Proxy (maybe as Windows OS without the VMware stack if you want to use FibreChannel Integrations). Maybe as well add it to the Source VMware Cluster for HotAdd processing?
2) Update the Nimble array with latest firmware and drive updates. Direct connect it without Switches for iSCSI/FC processing + Management to your Second Server. Make sure that the Nimble is not reachable over your regular network.
Set up the second server as hardened repository. Disable SSH. Do NOT connect it to the KVM Switch. Do not connect it to other network or management tools. Add a local Monitor and Keyboard and administer/update the server only there. Do not reuse passwords and do not document them electronically. Basically isolate it completely.
Implement a secondary copy at another place. Maybe AWS S3/Wasabi/... with Immutability in the Cloud or use a Tape Library and export tapes... Another hardened Repository with additional storage capacity would be as well a good idea.
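Added example (not part of any post in this thread, and not Veeam tooling): a shell check for the isolation advice in the reply above, run at the local console of the repository server. It reads `ss -Htln` output and reports every listener reachable from off the host that is not on an allow-list, so a still-running SSH daemon or management agent shows up. The allow-list `6162 2500-3300` is an assumption for the backup transport ports; replace it with the ports your deployment uses. The sample socket list is constructed.

```shell
#!/bin/sh
# Usage on the repository host:  ss -Htln | unexpected_listeners "$ALLOWED"

# Assumed allow-list: single ports and LOW-HIGH ranges, space separated.
ALLOWED="6162 2500-3300"

# Constructed sample of `ss -Htln` output (no header line).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.50.10:6162 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:9090 *:*
LISTEN 0 128 192.168.50.10:2500 0.0.0.0:*'

# port_allowed PORT "SPEC..." -> returns 0 if PORT matches a port or range.
port_allowed() {
  local port="$1" spec
  for spec in $2; do
    case $spec in
      *-*) [ "$port" -ge "${spec%-*}" ] && [ "$port" -le "${spec#*-}" ] && return 0 ;;
      *)   [ "$port" -eq "$spec" ] && return 0 ;;
    esac
  done
  return 1
}

# unexpected_listeners "SPEC..."  (ss output on stdin)
# Prints "address port" for each non-loopback listener not on the allow-list.
unexpected_listeners() {
  local allowed="$1" state recvq sendq local_addr rest addr port
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue
    port=${local_addr##*:}      # text after the last colon
    addr=${local_addr%:*}       # everything before it, brackets kept for IPv6
    case $port in ''|*[!0-9]*) continue ;; esac          # skip malformed lines
    case $addr in 127.*|"[::1]") continue ;; esac        # loopback: not reachable off-host
    port_allowed "$port" "$allowed" || printf '%s %s\n' "$addr" "$port"
  done
}

# Run against the constructed sample; on a real host pipe in `ss -Htln` instead.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED"
```

An empty result means only the allow-listed ports are exposed; any line printed is a service to disable or firewall before the server is put into use.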
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Nov 11, 2010 2:34 pm
- Full Name: Justin Scott-Barate
- Contact:
Re: Backup to SAN ideas
Definitely not planning to back up to production!
We currently back up around 20TB of VMs to NAS offsite repository – we also back up to NAS on-site and then we take backup copies to NAS and remove network connectivity to make offline.
This SAN and Hosts have just been pulled from production so just looking for the best way to repurpose it for rapid safe recoveries.