How to protect my backups?

Availability for the Always-On Enterprise

How to protect my backups?

Veeam Logoby Thomas_VDB » Mon Feb 27, 2017 4:08 pm

Hi,

We are using Veeam B&R to make a nightly backups and backup Copies.
All VM's of our 2 ESXi hosts are backed up each night to the HD of our Veeam Server, which is a physical server close to the 2 hosts.
Immediatly after the backups, the Backup copies are made to a NAS (Raid10) which is located on the other side of the building, and connected via iSCSI to the Veeam Server.

We have been hit before with ransomware, but Veeam saved the day with simple restores.

Because we are using 'always connected' hard drives as backup medium (for both backups and backup copies), it is not impossible that our backups should get encrypted as well.
I am a big fan of using HD as backup medium, because I like my backups as automated as possible. Manually rotating USB drives or
tapes just requires too much discipline :-) .

Anybody got some advice to protect against backup encryption on 'always on' HD media?
Don't want to be hit by ransomware and discover that the backups are useless...
- We are using surebackup to test are backups nightly.
- Now our Veeam Backup server is joined to the domain. Which means that if the ransomware knows the domain admin pw, it can start encrypting our Server VM's AND the backups. Would it be usefull to throw the Veeam Backup Server off the domain and use a local account only (with different credentials)?
Thomas_VDB
Novice
 
Posts: 3
Liked: never
Joined: Tue May 24, 2016 3:01 pm
Full Name: Thmas

Re: How to protect my backups?

Veeam Logoby Mike Resseler » Mon Feb 27, 2017 4:14 pm

Thomas,

There are many additional defenses you can do. You already named one, making it a server outside of the domain and work with a dedicated account only known by limited people (not too mention to separate the writing account for the storage and so on and so forth.

But in your entire design, I seem to be missing the 1 in the 3-2-1 rule. Now you stated that you don't want to work with rotated drives / tapes and I assuming you don't have a remote datacenter so have you already looked at cloud connect? That could be your safety net here

Just a thought
Mike
Mike Resseler
Veeam Software
 
Posts: 2357
Liked: 287 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: How to protect my backups?

Veeam Logoby tpayton » Mon Feb 27, 2017 5:02 pm

In support we've had some customers report that they are making the move to using Linux repositories. They seem to like the idea of having a system that is outside the domain, and a different OS than most ransomware is meant to affect. And since Veeam doesn't need that Linux server to have NFS or CIFS turned on there isn't much access into the Linux server other than through SSH.
tpayton
Veeam Software
 
Posts: 88
Liked: 24 times
Joined: Wed Jan 16, 2013 5:27 pm
Full Name: Tyler Payton

Re: How to protect my backups?

Veeam Logoby Thomas_VDB » Tue Feb 28, 2017 7:48 am

Hi,
Thanks for the replies. Both of them are very usefull.
Yes we are not using the 3 2 1 rule (only 2 copies of our data), and have no datacenter as we are an SMB (only 20 people).
To get closer to the 3 2 1 rule, we should add another Backup copy. This could then be to the cloud,
but also the linux repository is a very good idea.
I'll evaluate with my collegues and get to it.
Thanks!
Thomas.
Thomas_VDB
Novice
 
Posts: 3
Liked: never
Joined: Tue May 24, 2016 3:01 pm
Full Name: Thmas

Re: How to protect my backups?

Veeam Logoby Mike Resseler » Tue Feb 28, 2017 8:01 am

Hi Ben,

While I agree with Tyler that the ransomware change on Linux is lower, it does exists. There is already ransomware for Linux. Not that many in the wild compared to Windows but they do exist which means you still can get infected so keep that also in mind when making a decision and if you go for Linux, don't forget to still use dedicated accounts :-)
Mike Resseler
Veeam Software
 
Posts: 2357
Liked: 287 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Bing [Bot], Google [Bot], Shestakov and 13 guests