-
- Expert
- Posts: 147
- Liked: 18 times
- Joined: Feb 08, 2018 3:47 am
- Full Name: Kazz Beck
- Contact:
repository in v11 through hardened appliance
Hi,
Just upgraded to v11 mainly to get backup immutability. Using Ubuntu 20 as hardened appliance.
Our current backup repository is on Synology presented to Veeam via NFS.
Do we need to mount Synology NFS inside the hardened appliance and select the mount when creating a new repository?
Thank you
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: repository in v11 through hardened appliance
Hi,
Unfortunately you cannot use that, as NFS does not support immutable files.
Our hardened repository requires a general-purpose server with internal or direct-attached storage.
While in theory you could use iSCSI to provision a Synology LUN directly to the server instead, this approach is not compliant or recommended because it provides multiple attack vectors to hackers.
Thanks!
-
- Expert
- Posts: 147
- Liked: 18 times
- Joined: Feb 08, 2018 3:47 am
- Full Name: Kazz Beck
- Contact:
Re: repository in v11 through hardened appliance
So the general-purpose server has to be created on NFS Synology datastore and space reserved for backups would have to be allocated to that VM to be presented as internal storage?
Since we already have 2FA enabled on Synology we would have to disable SMB protocol to minimize the attack vector.
If we are gonna purchase direct attached storage it would have to be presented to the general-purpose VM and formatted as xfs?
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: repository in v11 through hardened appliance
If you did want to use iSCSI with the Synology you could do it securely, but you'd need to set it up in a way that would mitigate the attack vectors against the Synology device itself. For example, you could potentially connect the Synology to the Linux system directly with a crossover cable or via a completely isolated network switch and then either manually plug a cable in when you want to manage it or manage it via the Linux host itself.
If you decide to manage it via the Linux host this still might open some risk since even a non-root user on the Linux system might be able to gain access to the Synology, but this could be mitigated using Linux user based firewall rules as you could restrict network access to the Synology only from processes running as UID 0 (root).
With the Synology completely isolated on its own network and firewall rules so it's only accessible to a user that is root on the Linux machine, I think using it for iSCSI in that setup would be as secure as any direct attached storage, but it depends on your Linux skills if this is something you are comfortable setting up and managing. Certainly some direct attached SAS storage is the ideal scenario for a hardened repo.
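The UID-based firewall restriction described in the post above, sketched as an added example that is not part of the original thread or of Veeam's documentation. It emits an `iptables-restore` fragment using the `owner` match; the address `192.0.2.10` and the chain name `SYNO_OUT` are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate rules that let only UID 0 processes on the
# repository host open connections to the isolated storage device.
# Review the output, then apply it once with:
#   sh syno-rules.sh 192.0.2.10 | sudo iptables-restore --noflush

valid_ipv4() {
    # Accept only four decimal octets 0-255 so nothing else reaches the ruleset.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

syno_rules() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    # Rule order matters: root is accepted first, everything else is
    # logged (rate-limited, with the sender's UID) and then rejected.
    # Traffic with no owning socket does not match the owner rule,
    # so it is logged and rejected too.
    cat <<EOF
*filter
:SYNO_OUT - [0:0]
-I OUTPUT -d $ip/32 -j SYNO_OUT
-A SYNO_OUT -m owner --uid-owner 0 -j ACCEPT
-A SYNO_OUT -m limit --limit 6/min -j LOG --log-prefix "syno-nonroot: " --log-uid
-A SYNO_OUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Print the fragment only when an address is given on the command line.
if [ "$#" -gt 0 ]; then
    syno_rules "$1"
fi
```

The `syno-nonroot:` log lines give a detection signal: any entry means a non-root process on the repository host tried to reach the storage device.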
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
-
- Expert
- Posts: 147
- Liked: 18 times
- Joined: Feb 08, 2018 3:47 am
- Full Name: Kazz Beck
- Contact:
Re: repository in v11 through hardened appliance
Got it, so placing a GP VM on an NFS DS isn't a good idea since all of my backups will be inside a single VMDK with many attack vectors. What about a USB drive passed through the host to a GP VM?
This is not gonna replace our existing backup strategy, we will continue backing up to Synology and offload to SOBR, but a second backup job that backs up all of our VMs to an XFS formatted USB drive presented to a GP VM sounds like a good idea until we have a new physical box to replace it with. Wondering if USB drive can be rotated?
Thank you!
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: repository in v11 through hardened appliance
You don't want to be using a VM in any shape or form. Taking over a USB drive attached to the hypervisor host is just as easy as deleting a VMDK, so you'd have to rotate those USB drives indeed. But as soon as you rotate them, your backups will be offline and thus fully protected even without using a hardened repository. Moreover, for simplicity you can simply attach those USB drives directly to your backup server. And with that, we ended up with the most classic Veeam deployment that our SMB customers have been using for over 10 years now! v11 does not really bring anything new to the table here.