Offline airgap backup

[DerOest]

Ok, "with shipping code" is the argument i didn't grasp!

But thinking into the future, i trust more in Veeam to deliver a 99,9% solution than admins of different skill-levels across the world implementing selfbrew-security!

Maybe put your own idea of "enable customers to secure their backups on-prem" on the feature request list - I trust in you that you already did that

Meanwhile, trusty old tapes - right now i've got to retreive the tapes from our other facility to put them into the safe...

[markmu]

I was thinking about upgrading our off-site backups to off-site / off-line backups.

Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access to the backed up data? Would it be good enough? Obviously, access would be really bolted down, i.e. encryption, no routing advertisements, time, address and protocol restrictions, VPN between AD servers etc.

How much ancillary traffic is required for Veeam to communicate with VMware? Can it all be initiated from behind this firewall? Will this ancillary traffic defeat my off-line plans?

[Mike Resseler]

Hey markmu,
First: Welcome to the forums
Second: Yes, it is possible through Firewalls etc. All the ports are listed here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Now to answer your question: Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access... It will certainly secure it much more and will block certain types of ransomware, but not all. And it also doesn't block it from "internal user mistakes".

As you can read in this thread, and in other threads, securing your backups is not a matter of inserting one layer of defense, it is a matter of adding multiple layers. Offline backups is still the only way we know where you have 100% guarantee that it can't be encrypted. While other layers give you a very high percentage of security... There is always this little change...

For example, many people start to think about putting their backups in the cloud and see it as offline / air-gapped. It is close, but once a "bad guy" gets access to your cloud account... Well

[mr-tin]

Could disabling windows admin shares on the Veeam Backup & Replication server help to reduce exposure or would this cause issues/interfere with Veeam backup operations

[jasonede]

Hey markmu,
First: Welcome to the forums
Second: Yes, it is possible through Firewalls etc. All the ports are listed here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Now to answer your question: Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access... It will certainly secure it much more and will block certain types of ransomware, but not all. And it also doesn't block it from "internal user mistakes".

As you can read in this thread, and in other threads, securing your backups is not a matter of inserting one layer of defense, it is a matter of adding multiple layers. Offline backups is still the only way we know where you have 100% guarantee that it can't be encrypted. While other layers give you a very high percentage of security... There is always this little change...

For example, many people start to think about putting their backups in the cloud and see it as offline / air-gapped. It is close, but once a "bad guy" gets access to your cloud account... Well

If a bad guy gets access to your backup server though they'll spot that a backup/replication happens at the same time every day and then that gives them a window to try and attack the "airgapped" backup server as it will be online for that replication. It's a small window, but still could be enough to exploit a zero day attack.