Hi all,
I have been implementing some of the security measures covered in the Veeam documents. First step was to get the 2 VBR servers out of their domain and into their own workgroup with their own DNS. That has been working for a while.
Next would be to isolate these servers and a jump server. I have not done much network isolation at all and so have to start with the basics from what I can glean from reading.
The customer is small, 2 sites (head office and data center) with VBR at head office and VMs at data center with a server there acting as proxy (it has VBR loaded there but not really used - only loaded for disaster recovery). Backups are at the head office for all VMs and copy jobs move copies to the data center. Small company.
From what I understand, here is what I have to do:
- create a new subnet at head office and another at data center and put the VBR server/proxy into those
- also put the jump server in the first subnet
- the switches support VLANs so create those on each switch
- the production servers are then in a different subnet (their main subnet) so the ports on the switch need to allow traffic between the VBR subnet and the production subnet
- but this opens up the VBR servers to the production subnet - does this mean traffic restriction is done by closing all ports incoming to the VBR server to just the ports Veeam needs?
- the jump server would only allow RDP connections to it where 2FA is used; the jump server would only allow traffic between itself and the VBR server; maybe this means the jump server is in its own VLAN too and only have that VLAN available to the Veeam server
Am I on the right path or am I totally starting off wrong?
Albert
Re: Network segmentation - need some basics
Hi

> - also put the jump server in the first subnet

I'm not a fan of putting the jump server in the subnet where my backup components are. Having access to the jump server may give me unrestricted access to all systems in that subnet. Our best practice guide has a recommended schema on how to place the components. --> https://bp.veeam.com/vbr/Security/Hardening_Zones.html

> - the switches support VLANs so create those on each switch
> - the production servers are then in a different subnet (their main subnet) so the ports on the switch need to allow traffic between the VBR subnet and the production subnet

Is it just a switch or does it have Firewall capabilities?

> - but this opens up the VBR servers to the production subnet - does this mean traffic restriction is done by closing all ports incoming to the VBR server to just the ports Veeam needs?

A Firewall must be used to control which client/server can access which component in the restricted backup subnets.
You find all required ports in our user guide:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Best,
Fabian
Product Management Analyst @ Veeam Software
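One way to implement the host-side half of that advice, as an added example that is not from this thread or from Veeam: a Windows Firewall policy on the VBR server that defaults to deny inbound, allows RDP only from the jump server, allows Veeam component ports only from the two backup VLANs, and logs what gets dropped. The subnets and jump-host address are placeholders for this customer's design, and the Veeam port numbers are assumed from the product documentation and should be checked against the user guide linked above; this complements, rather than replaces, the network firewall between VLANs.

```powershell
# Added example (not Veeam's code). Placeholder addressing for the two-site design:
#   10.10.20.0/24  backup VLAN at head office (VBR server lives here)
#   10.10.30.0/24  backup VLAN at the data center (proxy / DR VBR)
#   10.10.40.10    jump server in its own VLAN (RDP with 2FA only)
#   10.10.10.0/24  production VLAN (reaches VBR only through the rules below)
$JumpHost    = '10.10.40.10'
$HqBackupNet = '10.10.20.0/24'
$DcBackupNet = '10.10.30.0/24'

# 1. Default deny inbound on every profile (the VBR server is in a workgroup, so the
#    Domain profile is unlikely to apply, but set all three). Outbound stays open because
#    VBR initiates connections to proxies, hosts and repositories.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the built-in "any source" RDP rules, then allow RDP from the jump host only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'VBR - RDP from jump host only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost -Action Allow -Profile Any

# 3. Veeam component ports, inbound from the backup VLANs only (never from production).
#    ASSUMED port list: verify each entry against the Veeam user guide before deploying.
$VeeamInbound = @(
    @{ Name = 'Backup Service (console)';  Port = '9392' },
    @{ Name = 'Installer Service';         Port = '6160' },
    @{ Name = 'Data Mover';                Port = '6162' },
    @{ Name = 'Data transport range';      Port = '2500-3300' }
)
foreach ($svc in $VeeamInbound) {
    New-NetFirewallRule -DisplayName "VBR - $($svc.Name)" -Direction Inbound -Protocol TCP `
        -LocalPort $svc.Port -RemoteAddress @($HqBackupNet, $DcBackupNet) `
        -Action Allow -Profile Any
}

# 4. Log dropped inbound packets so any production-side host that still tries to reach
#    the backup server shows up during review instead of silently disappearing.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

Run it elevated on the VBR server after the VLANs and the inter-VLAN firewall are in place, and keep a console session open while testing so a mistaken rule does not lock you out.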