-
- Expert
- Posts: 206
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Firewall Placement
Hi. I'm trying to ensure my new VBR environment is appropriately isolated from the main LAN. We have a hyperconverged compute platform and a Veeam Hardened Repo. I take it that whilst having the hyper-converged storage network and repo isolated from the general population LANs is necessary, that having a firewall in the path of the data backup flow to the repo is NOT a good idea? And of course I believe that the VBR Server should be in the "management zone" network. So,
looking at this article... https://bp.veeam.com/vbr/Security/Hardening_Zones.html
1. does this mean that there should be firewalls between all zones, or can the zones merely be different subnets not routable from user LANs? (i.e. what defines sufficient zone isolation/controls?)
2. should you have a firewall between management and restricted zones?
3. how best to get the data from hyperconverged infrastructure to repo (assuming without passing through a fw?) perhaps using proxies on the compute nodes?
trying to visualise and understand this all a bit more.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Firewall Placement
Hello,
yes, there should be a firewall between each zone. Due to bandwidth / performance requirements, proxy and repository are usually in the same network without firewall in between it. Management traffic can go through firewalls, because it's only a small amount of data
Best regards,
Hannes
-
- Expert
- Posts: 206
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Re: Firewall Placement
In the Veeam segmentation strategy, it says that Veeam proxies are "part of the trusted zone". And that the repository should be part of the restricted zone. So, that means a firewall would exist between the proxy/data movers and the repo, no? Unless the idea is to dual home the proxies/data movers? How can I get the throughput between the proxies and the repo if they are in different zones? Any help here appreciated.
It really would be useful for Veeam to have publicly available reference architectures around this. I know that might squeeze your partner ecosystem somewhat but transparency always helps.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Firewall Placement
Hello,
> So, that means a firewall would exist between the proxy/data movers and the repo, no?

yes, correct. But many customers don't do that for performance / cost reasons.

> Unless the idea is to dual home the proxies/data movers?

no, I never suggest dual-homing. Dual-homing means bypassing the firewall and except for storage networks (iSCSI / NFS) it's a bad design.

> How can I get the throughput between the proxies and the repo if they are in different zones?

get a faster firewall?

> It really would be useful for Veeam to have publicly available reference architectures around this.

hmm, what's wrong with the document you found?
Best regards,
Hannes
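The two replies above reduce to three checkable rules: a host sits in exactly one zone (no dual-homing), any flow that crosses a zone boundary needs an explicit firewall rule, and pushing the bulk proxy-to-repository stream through a firewall is a performance trade-off rather than a hard error. The following policy-as-code check is an added example written for this thread; it is not code from the thread, from the Veeam hardening document or from Veeam. Zone names, host names and all port numbers are constructed for the example and are not Veeam's documented ports.

```python
"""Zone-policy check for a backup network design.

Added example (not from the forum thread or from Veeam). It models the rules
given in the replies above: every host lives in exactly one zone (dual-homing
bypasses the firewall), any cross-zone flow needs an explicit firewall rule,
and bulk backup data crossing a firewall is reported as a warning.
Zone names, host names and port numbers are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zones: frozenset  # every zone this host has an interface in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    bulk: bool = False  # True for the backup data stream (proxy -> repository)


# Firewall allowlist keyed by (source zone, destination zone) -> allowed ports.
# Management traffic is small, so it may cross firewalls; ports are placeholders.
DEFAULT_RULES = {
    ("management", "trusted"): {10001},
    ("management", "restricted"): {10001},
}


def zone_of(host):
    """Single zone of a correctly placed host, or None if it is dual-homed."""
    return next(iter(host.zones)) if len(host.zones) == 1 else None


def check_design(hosts, flows, rules=DEFAULT_RULES):
    """Return (errors, warnings) as lists of strings; ([], []) means the design passes."""
    errors, warnings = [], []
    by_name = {h.name: h for h in hosts}
    for h in hosts:
        if len(h.zones) != 1:
            errors.append(f"{h.name}: dual-homed across {sorted(h.zones)} bypasses the firewall")
    for f in flows:
        src, dst = zone_of(by_name[f.src]), zone_of(by_name[f.dst])
        if src is None or dst is None:
            continue  # the dual-homed endpoint was already reported above
        if src == dst:
            continue  # intra-zone: no firewall in the path, nothing to allow
        if f.port not in rules.get((src, dst), set()):
            errors.append(f"{f.src}->{f.dst}:{f.port} crosses {src}->{dst} with no firewall rule")
        elif f.bulk:
            warnings.append(f"{f.src}->{f.dst}:{f.port} pushes bulk backup data through the {src}->{dst} firewall")
    return errors, warnings


# --- constructed designs --------------------------------------------------

def by_the_book():
    """Proxy in the trusted zone, repo in the restricted zone, data port opened between them."""
    hosts = [Host("vbr", frozenset({"management"})),
             Host("proxy1", frozenset({"trusted"})),
             Host("repo1", frozenset({"restricted"}))]
    flows = [Flow("vbr", "proxy1", 10001), Flow("vbr", "repo1", 10001),
             Flow("proxy1", "repo1", 10002, bulk=True)]
    rules = {**DEFAULT_RULES, ("trusted", "restricted"): {10002}}
    return check_design(hosts, flows, rules)


def colocated():
    """Proxy and repo share the restricted zone; only management traffic crosses a firewall."""
    hosts = [Host("vbr", frozenset({"management"})),
             Host("proxy1", frozenset({"restricted"})),
             Host("repo1", frozenset({"restricted"}))]
    flows = [Flow("vbr", "proxy1", 10001), Flow("vbr", "repo1", 10001),
             Flow("proxy1", "repo1", 10002, bulk=True)]
    return check_design(hosts, flows)


def dual_homed():
    """Proxy given an interface in both zones to dodge the firewall: reported as an error."""
    hosts = [Host("vbr", frozenset({"management"})),
             Host("proxy1", frozenset({"trusted", "restricted"})),
             Host("repo1", frozenset({"restricted"}))]
    flows = [Flow("vbr", "repo1", 10001), Flow("proxy1", "repo1", 10002, bulk=True)]
    return check_design(hosts, flows)


def user_lan_leak():
    """A workstation on the user LAN reaching the repo with no rule: reported as an error."""
    hosts = [Host("vbr", frozenset({"management"})),
             Host("repo1", frozenset({"restricted"})),
             Host("workstation", frozenset({"users"}))]
    flows = [Flow("vbr", "repo1", 10001), Flow("workstation", "repo1", 10003)]
    return check_design(hosts, flows)


if __name__ == "__main__":
    for scenario in (by_the_book, colocated, dual_homed, user_lan_leak):
        print(scenario.__name__, scenario())
```

The check is deliberately an allowlist: a cross-zone flow with no matching rule is an error, which is the practical meaning of "firewall between each zone". The co-located design passes cleanly, the by-the-book design passes with a bandwidth warning on the data stream, and the dual-homed and user-LAN cases fail, matching the three answers in the thread.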
-
- Expert
- Posts: 206
- Liked: 14 times
- Joined: Jul 23, 2013 9:14 am
- Full Name: Dazza
- Contact:
Re: Firewall Placement
I think the document is fine as a concept, but following it through to a low level design with a reference architecture would be a massive help to your customers. I never understand the hesitancy in working with providers to produce LLD Reference Architectures. If you had these for Nutanix, vSAN, Pure, HPE, etc. your customers would be very much empowered and the quality of Veeam deployments would rise, only improving the Veeam brand reputation.