I've been reading through a bunch of options on Veeam 11 for better securing our backups in our datacenter. Thought I would ask the forum and get some real-world insight.
We have a single datacenter location for production with 14 VLANs. We are running vSphere 7.x in a single vSAN cluster (about 100 or so VMs).
Right now the Veeam server is attached to all VLANs in order to be able to restore individual items in each VLAN, including the management VLAN. I've been wanting to set up a backup VLAN and put the Veeam console, the repos and our enterprise panel as a stand-alone and then have a router between that and all the other LANs. This seems pretty straightforward, but by the time I open ports and such that I need I feel like I'm in no better position than I am now. If I don't let Veeam access the individual VLANs I can't do certain things (it seems) like restore files/objects. Should I be making a Veeam proxy in each VLAN segment and then using that as the 'route' back to the central area and then if I restore I can somehow use that proxy to push data back? It didn't seem like this was an option in v9 or v10.
We have a 2nd datacenter location for replication of core systems on the other side of the country. This is pretty straightforward with WAN acceleration and such, so it seems to be the 'easier' part of the puzzle. Everything is working fine, I just have an opportunity to rebuild the entire setup and really want to set this up in the best way but also still be usable (which sometimes are not the same thing).
Maybe I am just overthinking the whole thing.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 22, 2020 6:19 pm
- Full Name: Ben Filippelli
- Contact:
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Good ideas for securing backups
> I've been wanting to set up a backup VLAN and put the Veeam console, the repos and our enterprise panel as a stand-alone and then have a router between that and all the other LANs.

I recommend not putting the backup repos, management server and consoles/web GUIs in the same LAN segment. You do not want the administrative consoles on the same network location as your backups without a firewall between them. Backup repos should be in a restricted zone with no access; only the Veeam DataMover needs access.
Have a look at the best practice network segmentation:
https://bp.veeam.com/vbr/VBP/Security/H ... Zones.html
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 22, 2020 6:19 pm
- Full Name: Ben Filippelli
- Contact:
Re: Good ideas for securing backups
OK, so maybe do something similar to what I was thinking, but let the Veeam B&R servers be in the management network (where they are now) and then just put the storage on its own VLAN. I was listening to some YouTube videos about it and for some reason I kept thinking the whole thing even though I clearly saw/heard storage on its own.
So my storage right now is mapped to iSCSI with ReFS volumes, which is easy enough to map, but then those 'drives' are actually in the management LAN. So probably what I need is to put servers in the backups LAN to mount the SAN volumes. I will review this infographic closer, thank you for this.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Good ideas for securing backups
You're welcome.
If you can format the SAN volumes, look at the new Linux hardened repo from V11.
You could map the SAN volumes to a physical Linux server, format them with XFS for Fast Clone, and use the immutability feature.
Of course, your SAN management also needs to be in the restricted zone.
If you have an attack from a hacker, it's easy for him to delete your SAN volumes on the storage.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Product Management Analyst @ Veeam Software
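The zoning advice in this thread (repositories and SAN management in a restricted zone that only the data mover hosts can reach) can be checked against a firewall rule export. The following Python script is an added example, not code from any poster or from Veeam; the subnets, host addresses, rule names and the data mover port set (TCP 6162 and 2500-3300) are assumptions to be replaced with your own values and verified against Veeam's used-ports documentation for your version.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the thread).
REPO_ZONE = ipaddress.ip_network("10.0.250.0/24")      # repos + SAN management
DATA_MOVERS = {ipaddress.ip_network("10.0.1.10/32"),   # backup server
               ipaddress.ip_network("10.0.1.21/32")}   # backup proxy
# Ports assumed for the Linux repository data path; verify for your version.
DATA_MOVER_PORTS = {6162} | set(range(2500, 3301))

# Constructed firewall rules: (name, source CIDR, destination CIDR, TCP ports)
RULES = [
    ("vbr-to-repo", "10.0.1.10/32", "10.0.250.20/32", [6162, 2500, 2501]),
    ("proxy-to-repo", "10.0.1.21/32", "10.0.250.20/32", [2500]),
    ("admin-rdp", "10.0.1.0/24", "10.0.250.0/24", [3389]),
    ("vbr-to-san-mgmt", "10.0.1.10/32", "10.0.250.5/32", [443]),
    ("prod-restore", "10.0.1.10/32", "10.0.30.0/24", [445]),
]

def audit(rules):
    """Return (rule name, reason) for every rule that opens the repository
    zone to anything other than data mover hosts on data mover ports."""
    findings = []
    for name, src, dst, ports in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(REPO_ZONE):
            continue  # rule does not reach the restricted zone
        if not any(src_net.subnet_of(dm) for dm in DATA_MOVERS):
            findings.append((name, "source is not a data mover host"))
        bad = sorted(p for p in ports if p not in DATA_MOVER_PORTS)
        if bad:
            findings.append((name, f"non data mover ports {bad}"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule}: {reason}")
```

Rules that only touch production VLANs, such as the restore path, are ignored here; the check is limited to what can reach the restricted zone.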