Comprehensive data protection for all workloads
DerOest
Enthusiast
Posts: 33
Liked: 4 times
Joined: Oct 30, 2015 10:10 am
Contact:

Re: Offline airgap backup

Post by DerOest » Nov 13, 2018 1:20 pm 1 person likes this post

Ok, "with shipping code" is the argument i didn't grasp!

But thinking into the future, i trust more in Veeam to deliver a 99,9% solution than admins of different skill-levels across the world implementing selfbrew-security!

Maybe put your own idea of "enable customers to secure their backups on-prem" on the feature request list - I trust in you that you already did that :mrgreen:

Meanwhile, trusty old tapes - right now i've got to retreive the tapes from our other facility to put them into the safe...

markmu
Lurker
Posts: 1
Liked: never
Joined: Mar 30, 2015 9:07 pm
Contact:

Re: Offline Backup with Additional Firewall Design Questions

Post by markmu » Jan 02, 2019 9:50 pm

I was thinking about upgrading our off-site backups to off-site / off-line backups.

Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access to the backed up data? Would it be good enough? Obviously, access would be really bolted down, i.e. encryption, no routing advertisements, time, address and protocol restrictions, VPN between AD servers etc.

How much ancillary traffic is required for Veeam to communicate with VMware? Can it all be initiated from behind this firewall? Will this ancillary traffic defeat my off-line plans?

Mike Resseler
Product Manager
Posts: 5584
Liked: 584 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Offline airgap backup

Post by Mike Resseler » Jan 03, 2019 7:20 am

Hey markmu,
First: Welcome to the forums
Second: Yes, it is possible through Firewalls etc. All the ports are listed here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Now to answer your question: Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access... It will certainly secure it much more and will block certain types of ransomware, but not all. And it also doesn't block it from "internal user mistakes".

As you can read in this thread, and in other threads, securing your backups is not a matter of inserting one layer of defense, it is a matter of adding multiple layers. Offline backups is still the only way we know where you have 100% guarantee that it can't be encrypted. While other layers give you a very high percentage of security... There is always this little change...

For example, many people start to think about putting their backups in the cloud and see it as offline / air-gapped. It is close, but once a "bad guy" gets access to your cloud account... Well ;-)

mr-tin
Novice
Posts: 4
Liked: 2 times
Joined: Aug 08, 2016 12:52 pm
Contact:

Re: Offline airgap backup

Post by mr-tin » Jan 10, 2019 9:53 am

Could disabling windows admin shares on the Veeam Backup & Replication server help to reduce exposure or would this cause issues/interfere with Veeam backup operations :?:

jasonede
Service Provider
Posts: 20
Liked: 4 times
Joined: Jan 04, 2018 4:51 pm
Contact:

Re: Offline airgap backup

Post by jasonede » Jan 10, 2019 9:57 am

Mike Resseler wrote:
Jan 03, 2019 7:20 am
Hey markmu,
First: Welcome to the forums
Second: Yes, it is possible through Firewalls etc. All the ports are listed here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Now to answer your question: Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access... It will certainly secure it much more and will block certain types of ransomware, but not all. And it also doesn't block it from "internal user mistakes".

As you can read in this thread, and in other threads, securing your backups is not a matter of inserting one layer of defense, it is a matter of adding multiple layers. Offline backups is still the only way we know where you have 100% guarantee that it can't be encrypted. While other layers give you a very high percentage of security... There is always this little change...

For example, many people start to think about putting their backups in the cloud and see it as offline / air-gapped. It is close, but once a "bad guy" gets access to your cloud account... Well ;-)
If a bad guy gets access to your backup server though they'll spot that a backup/replication happens at the same time every day and then that gives them a window to try and attack the "airgapped" backup server as it will be online for that replication. It's a small window, but still could be enough to exploit a zero day attack.

Post Reply

Who is online

Users browsing this forum: Baidu [Spider], Google [Bot] and 22 guests