Hello...
I was wondering if I could get a sanity check and want to adhere to KISS as much as possible. This solution is backup only with no replication and DR functionality (failover) needed. We have (3) sites interconnected over a high-speed VPN connection. Each site is running a Hyper-V host with about 5 VMs per site. We were thinking of deploying a Linux Hardened Repo at EACH of the (3) sites as PRIMARY backup targets for Veeam. We were then going to load the VBR backup server on a Windows VM on one of the Hyper-V hosts (see #4 below) at ONE of the sites and point all (3) Linux hardened repos to that backup server and manage all backup functions from this one server. We would also like to create backup copy jobs to copy backups to another site's hardened repo. So for instance, site 1 would back up to its local hardened repo and then also run a backup copy job to site 2's hardened repo, site 2 would back up to its hardened repo and copy to site 3, etc. These are copy jobs and not replication jobs. So the questions:
#1) Is this possible to have (3) hardened repos at multiple sites managed by ONE backup server at one of those sites with VBR installed and accomplish what is listed above?
#2) We were planning to have all 3 Linux hardened repos in a firewalled-off "Backup" network at each respective site with firewall rules managing access (firewalled DMZ, no VLAN). Will this be an issue with isolated networks at each site? Proxies?
#3) If we do have these isolated networks at each site should the VBR windows server that manages everything ALSO be in the backup network at the one site along with the Linux repo? Or can it live in the production subnet? Or maybe even another subnet by itself? See #4 below.
#4) If the VBR server should NOT live on the production subnet, we were thinking of spinning up a VM on the Hyper-V host where the production VMs are located, but with a dedicated NIC living on the backup network, and locking down the VM running the VBR server. Is this short-sighted, or should we have a dedicated physical Windows host running on the backup subnet with the Linux repo? We understand that if an attacker were to take over the Hyper-V host at the main site then the backup VBR VM would likely be deleted/encrypted. But we can possibly back up that VM to the repo too. I am just worried about the attacker cracking into that VM itself.
#5) We also want to implement SureBackup at each site using the on-prem Hyper-V hosts as the lab.
Thanks for any info.
Dave
Dave Hayes (Service Provider)
Fabian K. (Product Manager, Switzerland)
Re: Isolated Backup Network - 3 sites
Hello Dave
1) Yes. A single VBR can work with three hardened repositories, one at each location. Every Hyper-V host is a proxy server. These hosts will write the backup data directly to the hardened repo at their location. From there, you can copy backups to other hardened repositories.
2) Completely isolated networks will not work. The components must be able to talk to each other, as stated in the port list in the user guide. Your Hyper-V host will be the proxy server. The backup server and proxy server must be able to connect to the Hyper-V host and hardened repository. Additionally, each hardened repo must be able to connect to the other hardened repos directly if you want to use backup copy jobs.
3+4) I would add the backup server to a management network if you have one. Having it in the same subnet as the hardened repos gives an attacker an easy jump host. Open the VM console, get access to the local admin (password reset), and you have access to the entire backup subnet. A firewall between the backup server and the hardened repository also gives you centralized monitoring capabilities. You will be able to log which source IPs have tried to access a hardened repo.
Whether to go with a dedicated machine as the backup server is a decision you must make on your own. Yes, a dedicated machine is more secure, but it will cost you more money.
If you go with a VM, backups are already protected if you follow all the security best practices for the hardened repo. For now you would only lose your configuration if the backup server is attacked. But immutable configuration backups are on our roadmap.
5) The data mover on a Hyper-V server must be able to access the data mover on the hardened repo over the network.

Best,
Fabian
Product Management Analyst @ Veeam Software
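The reply above makes two practical points: the firewalls between the backup networks must permit exactly the flows between backup server, on-host proxy (the Hyper-V host) and hardened repos, and a firewall in front of the repos lets you log which source IPs tried to reach them. The following is an added example (not from the thread, not Veeam's code) that derives the expected flow list for the three-site design and then audits constructed firewall log lines against it, flagging any connection to a hardened repo that is not an expected flow. All IP addresses and the log format are made up; the port numbers are the documented Veeam defaults for the Data Mover (TCP 6162), data transmission (TCP 2500-3300) and SSH during hardened-repo deployment (TCP 22), but the list is deliberately limited to the flows named in the reply, so check the port list in the Veeam user guide for your version before writing real rules.

```python
"""Added example: expected Veeam backup-traffic flows for the three-site
design in this thread, plus a check of firewall log lines against them.
Topology, addresses and log format are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed topology: per site, the Hyper-V host (on-host proxy) and the
# Linux hardened repository in that site's firewalled backup network.
SITES: Dict[int, Dict[str, str]] = {
    1: {"hyperv": "10.1.0.10", "repo": "10.1.50.10"},
    2: {"hyperv": "10.2.0.10", "repo": "10.2.50.10"},
    3: {"hyperv": "10.3.0.10", "repo": "10.3.50.10"},
}
VBR = "10.1.99.10"               # backup server in a separate management subnet at site 1
COPY_TARGET = {1: 2, 2: 3, 3: 1}  # backup copy job: source site -> site whose repo receives the copy
REPO_IPS = {s["repo"] for s in SITES.values()}

# Assumed Veeam defaults (verify against the user guide's port list).
DATA_MOVER = range(6162, 6163)   # Veeam Data Mover
DATA_PORTS = range(2500, 3301)   # data transmission channel
SSH = range(22, 23)              # only while deploying the hardened repo

Flow = Tuple[str, str, range]    # (source IP, destination IP, destination ports)

def allowed_flows(deployment_phase: bool = False) -> List[Flow]:
    """Flows the firewalls must permit: VBR to every host and repo, each
    on-host proxy to its local repo, and repo to repo for the copy jobs."""
    flows: List[Flow] = []
    for site, s in SITES.items():
        flows.append((VBR, s["hyperv"], DATA_MOVER))
        flows.append((VBR, s["repo"], DATA_MOVER))
        if deployment_phase:
            flows.append((VBR, s["repo"], SSH))  # closed again after deployment
        flows.append((s["hyperv"], s["repo"], DATA_MOVER))
        flows.append((s["hyperv"], s["repo"], DATA_PORTS))
        dst_repo = SITES[COPY_TARGET[site]]["repo"]
        flows.append((s["repo"], dst_repo, DATA_MOVER))
        flows.append((s["repo"], dst_repo, DATA_PORTS))
    return flows

def is_allowed(src: str, dst: str, port: int, flows: List[Flow]) -> bool:
    return any(src == f[0] and dst == f[1] and port in f[2] for f in flows)

# Constructed log format: "<timestamp> ALLOW|DENY TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def audit_log(lines: List[str], flows: List[Flow]) -> List[dict]:
    """Report every connection to a hardened repo that is not an expected flow.
    Denied attempts are reported too: the firewall held, but something in
    the estate is probing a repo and should be looked at."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        src, dst, port = m["src"], m["dst"], int(m["dport"])
        if dst in REPO_IPS and not is_allowed(src, dst, port, flows):
            findings.append({"ts": m["ts"], "action": m["action"],
                             "src": src, "dst": dst, "port": port})
    return findings

# Constructed sample log: three expected flows, one non-repo flow, one
# malformed line, and three connections that should be flagged.
SAMPLE_LOG = [
    "2024-05-01T02:10:03Z ALLOW TCP 10.1.0.10:51233 -> 10.1.50.10:6162",   # proxy 1 -> repo 1
    "2024-05-01T02:11:40Z ALLOW TCP 10.1.50.10:40001 -> 10.2.50.10:2700",  # copy job repo 1 -> repo 2
    "2024-05-01T02:12:05Z ALLOW TCP 10.1.99.10:52000 -> 10.3.50.10:6162",  # VBR -> repo 3
    "2024-05-01T02:12:09Z ALLOW TCP 10.1.0.10:51300 -> 10.1.0.20:445",     # not a repo, ignored
    "junk line that does not parse",
    "2024-05-01T02:13:17Z DENY TCP 10.1.0.55:44444 -> 10.1.50.10:22",      # production VM probing SSH
    "2024-05-01T02:14:22Z ALLOW TCP 10.1.99.10:52010 -> 10.1.50.10:22",    # SSH still open after deployment
    "2024-05-01T02:15:48Z ALLOW TCP 10.2.50.10:40100 -> 10.1.50.10:2600",  # repo 2 -> repo 1 is not a copy target
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, allowed_flows()):
        print(f"{f['ts']} {f['action']:5} {f['src']} -> {f['dst']}:{f['port']}  unexpected access to hardened repo")
```

Run with the deployment flows switched off (the default) and the SSH hit from the backup server is reported as a finding, which is the check you want after the repo's one-time SSH deployment window has closed; pass `allowed_flows(deployment_phase=True)` while you are still deploying. Anything reaching a repo from a production address, or from a repo that is not its configured copy source, shows up regardless of whether the firewall allowed it.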
Dave Hayes (Service Provider)
Re: Isolated Backup Network - 3 sites
Thank you so much, Fabian! Sorry for the delay, as I was traveling. For #2, I would not say it would be "completely" isolated, since we can control the firewall rules to allow the "Backup" networks to talk to each other. We are going to give this a go, and thanks for the detailed answer!
Dave