DMZ backup and repo design

[jeronimo]

Hello,

I need some architectural advice.

There are multiple networks (DMZ) and we would like to contain backup data per zone as much as possible. No component of zone A should be able to access (backup) data of zone B.

We are not using special appliances like DD but instead prefer plain and simple storage server(s) running VHR hardened repo (VBR 13 appliance) potentially with SOBR layer on top.

If you do not want to cross firewall boundaries between proxy/gateway and repo (for performance reasons), VHR would need to be multi-homed. (Not sure if it can/should be done.)

Otherwise we'd need to contain the one and only repo inside some isolated network, and have all flows from the DMZ (and prod) proxies go through the firewall to the repo. (probably not too bad unless you do many fulls at the same time)

However, in both cases, it's still the same repo. How does it actually limit access to backup data depending on which zone (its proxies) the request comes from? <- I think that's the main question here.

Maybe it doesn't matter as long as VBR server is not compromised.

What is the recommended (and safest) approach here?

Note we talk about Vsphere (Hot-add), but there is also a little file- and application-based workload.The situation seems worse when the proxy is in-band with the clients like for application-based backups as that would not require initial hypervisor-level escape to gain access to the proxy.

Thanks.

PS. Paranoid is my middle name.

[Mildur]

Hi Jeronimo,

and we would like to contain backup data per zone as much as possible

I see this as only being possible if you have a dedicated Hardened Repository (HR) machine for each DMZ.

Having a single repository with multiple network cards would make it reachable over the network from all DMZ machines, without any firewall in between to monitor or control that traffic.
I would probably look into using a single repository and test your firewall performance to make sure it can handle the load. If needed, consider upgrading the firewall to a larger model. Multi-homing is not ideal from a security perspective, so I would recommend investing in stronger security controls rather than loosening them.

Maybe you can share more details about your scenario and what these DMZs are used for. Is this for a single customer environment, or is it a hosting service operated by a service provider? Also, approximately how many VMs will be protected and how much VM data?

Best,
Fabian

[jeronimo]

Hello,

I think it doesn't actually matter much if there is a firewall or not since VHR is pretty locked down already.
The main issue is the single repo and becomes more of a protocol issue (veeam transport authentication etc).

What would need to happen, if proxy in DMZ was compromised, for it to gain access to non-dmz data?
Or more generally, how does proxy/gateway get authorized by repo to access specific data, independently of what proxy it is?
How does access between proxy/gateway and repo work exactly?
I think those are the main questions, without being able to concisely solve those, a decision will be hard to make.

Concerning DMZs as such we are talking about our own external DMZ partly facing Internet. There are not many clients there, maybe a dozen or so.

Thanks