Thomas_VDB
Novice
Posts: 3
Liked: never
Joined: May 24, 2016 3:01 pm
Full Name: Thmas
Contact:

How to protect my backups?

Post by Thomas_VDB » Feb 27, 2017 4:08 pm

Hi,

We are using Veeam B&R to make nightly backups and backup copies.
All VMs of our 2 ESXi hosts are backed up each night to the HD of our Veeam Server, which is a physical server close to the 2 hosts.
Immediately after the backups, the backup copies are made to a NAS (RAID10) which is located on the other side of the building, and connected via iSCSI to the Veeam Server.

We have been hit before with ransomware, but Veeam saved the day with simple restores.

Because we are using 'always connected' hard drives as backup medium (for both backups and backup copies), it is not impossible that our backups should get encrypted as well.
I am a big fan of using HD as backup medium, because I like my backups as automated as possible. Manually rotating USB drives or tapes just requires too much discipline :-) .

Anybody got some advice to protect against backup encryption on 'always on' HD media?
Don't want to be hit by ransomware and discover that the backups are useless...
- We are using SureBackup to test our backups nightly.
- Now our Veeam Backup server is joined to the domain. Which means that if the ransomware knows the domain admin pw, it can start encrypting our server VMs AND the backups. Would it be useful to throw the Veeam Backup Server off the domain and use a local account only (with different credentials)?

Mike Resseler
Veeam Software
Posts: 4855
Liked: 509 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: How to protect my backups?

Post by Mike Resseler » Feb 27, 2017 4:14 pm

Thomas,

There are many additional defenses you can add. You already named one: making it a server outside of the domain and working with a dedicated account known only to a limited number of people (not to mention separating the writing account for the storage, and so on and so forth).

But in your entire design, I seem to be missing the 1 in the 3-2-1 rule. Now, you stated that you don't want to work with rotated drives / tapes, and I am assuming you don't have a remote datacenter, so have you already looked at Cloud Connect? That could be your safety net here.

Just a thought
Mike

tpayton
Veeam Software
Posts: 101
Liked: 31 times
Joined: Jan 16, 2013 5:27 pm
Full Name: Tyler Payton
Contact:

Re: How to protect my backups?

Post by tpayton » Feb 27, 2017 5:02 pm

In support we've had some customers report that they are making the move to using Linux repositories. They seem to like the idea of having a system that is outside the domain, and a different OS than most ransomware is meant to affect. And since Veeam doesn't need that Linux server to have NFS or CIFS turned on there isn't much access into the Linux server other than through SSH.


Re: How to protect my backups?

Post by Thomas_VDB » Feb 28, 2017 7:48 am

Hi,
Thanks for the replies. Both of them are very useful.
Yes, we are not using the 3 2 1 rule (only 2 copies of our data), and have no datacenter as we are an SMB (only 20 people).
To get closer to the 3 2 1 rule, we should add another backup copy. This could then be to the cloud, but the Linux repository is also a very good idea.
I'll evaluate with my colleagues and get to it.
Thanks!
Thomas.


Re: How to protect my backups?

Post by Mike Resseler » Feb 28, 2017 8:01 am

Hi Ben,

While I agree with Tyler that the ransomware chance on Linux is lower, it does exist. There is already ransomware for Linux. Not that many in the wild compared to Windows, but they do exist, which means you can still get infected, so keep that in mind as well when making a decision, and if you go for Linux, don't forget to still use dedicated accounts :-)
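
The two points made in the replies above (a Linux repository with no NFS or CIFS, reachable only over SSH, and used through a dedicated account) can be checked mechanically. The following is an added example, not part of any post in this thread and not Veeam's code; it assumes you feed it captured `ss -tln` output and `sshd_config` text from the repository host, and the account name `veeamrepo` is hypothetical.

```python
# Added example: audits a Linux backup repository for the exposure the thread warns about.
# All sample data below is constructed; "veeamrepo" is a hypothetical account name.

# Services that would expose the repository as a network share.
FILE_SHARE_PORTS = {111: "rpcbind", 139: "netbios-ssn", 445: "smb/cifs", 2049: "nfs"}

def listening_ports(ss_output):
    """Return the local TCP ports found in `ss -tln` output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # 4th column is Local Address:Port, e.g. 0.0.0.0:22 or [::]:2049
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def sshd_settings(config_text):
    """Parse sshd_config text; sshd uses the first value it sees for a keyword."""
    settings = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(ss_output, config_text, repo_user):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for port in sorted(listening_ports(ss_output) & set(FILE_SHARE_PORTS)):
        findings.append(f"file-sharing port {port} ({FILE_SHARE_PORTS[port]}) is listening")
    cfg = sshd_settings(config_text)
    if cfg.get("permitrootlogin", "unset") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("allowusers", "").split() != [repo_user]:
        findings.append(f"AllowUsers is not limited to {repo_user}")
    return findings

# Constructed samples: a repository that also serves SMB/NFS, and a locked-down one.
WEAK_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
LISTEN 0      64     [::]:2049          [::]:*"""
WEAK_SSHD = "# constructed\nPermitRootLogin yes\n"
HARD_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*"""
HARD_SSHD = "PermitRootLogin no\nAllowUsers veeamrepo\n"

if __name__ == "__main__":
    for name, ss, cfg in (("weak", WEAK_SS, WEAK_SSHD), ("hardened", HARD_SS, HARD_SSHD)):
        print(name, audit(ss, cfg, "veeamrepo"))
```

The parser ignores `Match` blocks and `user@host` patterns in `AllowUsers`, so treat a clean result as a first pass rather than a full review of the host.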
