Comprehensive data protection for all workloads
Post Reply
DuskoS
Lurker
Posts: 2
Liked: never
Joined: Jan 04, 2022 2:54 pm
Full Name: Dusko Savatovic
Contact:

Hiding iSCSI volume(s)

Post by DuskoS »

We have VBR running on Windows Server 2016 as AD member server. Backup repository is iSCSI volume(s) on NAS (QNAP). We were told that we are exposed to ransomware risk. Ransomware attack if successful could encrypt our backup volume(s). We were asked to hide this volume(s) so that they are not exposed thru OS. Basically they should be invisible to OS, and VBR should attach this volume(s) directly from application. What are our options? If we decide for another type of repository, I believe we would loose all the previous backups?
Thanks in advance,
DuskoS
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Hiding iSCSI volume(s)

Post by Mildur »

Hi Dusko

Veeam cannot connect to iscsi luns itself.
They need to be connected and visible for the windows OS in the windows disk manager to use them with veeam. If windows cannot see them, veeam can not use them.

If you want to have a ransomware protected backup environment, you should have a look at the linux hardened repo or SOBR with capacity tier.
Tape or airgapped usb drives are another solution to protect against windows attacks.

A SOBR with capacity tier can be used with your existing solution. Same for tape or copy jobs to usb disk.
A linux hardened repo should lot be using a qnap nas. It should be a general purpose server with locally attached disk.
Product Management Analyst @ Veeam Software
DuskoS
Lurker
Posts: 2
Liked: never
Joined: Jan 04, 2022 2:54 pm
Full Name: Dusko Savatovic
Contact:

Re: Hiding iSCSI volume(s)

Post by DuskoS »

Thanks Mildur,
"A linux hardened repo should not be using a qnap nas." Why not? I believe we can configure iSCSI target from linux to QNAP volume just the same as we did on Windows. It will just be a linux volume instead of NTFS/ReFS.
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Hiding iSCSI volume(s)

Post by Mildur »

Your welcome.

Linux hardened repo uses the immutable flag from the linux filesystem to set the backup files immutable.
If a hacker has access to the qnap admin center, he can delete the iscsi LUN. QNAP does not check the Filesystem on the iSCSI LUN.
And if you use a VM for this linux repository, a hacker can get root access to this vm and simply remove the immutable flag and all backup files.
As root, you can always remove the veeam backup files which are immutable or format the partition with the backup filesystem on it.

A linux hardened repo needs special care/hardening, if you want to use it securely. QNAP and Linux server must not be reachable over any remote control feature. SSH, ILO, HTTP GUI, other remote management tools.
So it's better to use a hardware server. A VM and a NAS cannot be really good protected. A hardware server is much easier to protect.
Put it in a separate network, protected by a firewall. Disable SSH and Remote Management Services.
Product Management Analyst @ Veeam Software
Post Reply

Who is online

Users browsing this forum: No registered users and 76 guests