Security aspects of iSCSI-VMFS LN on Windows Proxy

[FreddyN]

Hi Guys

I need your help regarding security, iSCSI and Windows-Proxy.

We have a Customer where we install Veeam in a new enviroment.
VMware, iSCSI-Storage(Production and Backup), physical Windows-Proxy/Repo
We are using DAS and Storage-SnapShot.

After a backup, the WindowsProxy now sees all VMFS-LUNs. The customer is a bit 'upset' as "Windows is the moste vularable part of the infrastructure" and so on. He sees huge security risks in this.

How does Veeam protect the mapped VMFS-Volumes on the windows proxy?
As far as I know, 'Diskpart automount' does not protect againts any ransome-ware or active hacker to modify/destroy these volumes?

Best regards
Freddy

[Andreas Neufert]

Hi Freddy,

You mean you backup in DirectSAN mode ?
Alternatively you can backup with Network NBD mode, HotAdd or our Storage Snapshot integration. Non of them need that the datastores are visible on the Proxy.
I would look into the storage snapshot integration. What storage system and model do you use?

For the case that you want to stay on DirectSAN mode.
Usually the disk is only mounted in read only mode where diskpart is not even used.
https://learn.microsoft.com/de-de/windo ... mmands/san
san policy in windows stands by default now to offlineshared, which means all regular volumes are kept offline until you manually go into diskmanager and enable them. And only then (set manually to online) diskpart automation comes to play. Anyway I would set automount to disable.

Yes, if a hacker could get access to the Proxy server, then he could work with the volumes and format them. It is important to use a immutable backup target, that no admin account can tamper with. To prevent the hacker from working on the VMFS, you can use NBD/HotAdd/StorageSnapshot integration modes.

[FreddyN]

Hi Andreas

Yes, DirectSAN
I have always understood that direct storage access is a prerequisite for creating a backup based on StorageSnapShot.
First and foremost, the customer wants to handle as much data traffic as possible on the iscsi network and not the 'productive' network.
Backups via StorageSnapShot are preferred, but not mandatory.
So would HotAdd be preferable from the point of view of 'most security'?

Best regards
Freddy

[Andreas Neufert]

For Storage Snapshot integration, you do not need to expose the datastore volume to Veeam.
Our automation will create the storage snapshot and mount the storage snapshot read-only to Veeam.

For SAN traffic you can use Direct SAN and Backup from Storage Snapshot. So what storage system do you have so that we can check if we have a storage integration.

HotAdd would need Proxy VMs and data traffic goes through VMware.

[FreddyN]

Its an HPE Alletra 6000 with peer persistent sync.
Do I get this right: as long as I integrate the storage system into veeam, I dont have to configure access for the IQN of the proxy on the storage?

[Andreas Neufert]

Small correction of your statement. You do not have to give the IQN of the Veeam Proxy access to the production volume (VMware datastores), so Veeam has no access to this datastores.

When you add the Alletra 6000 to Veeam Storage Management, we will automatically create a host entry and will temporarly give us access to the snapshots or snapshot clones for reading data from it (not the production volume).
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

A very important configuration step for your VMware datastore access on the Alletra 6000 is to disable that the snapshots can be seen by VMware in the Alletra ACL. Otherwise whenever you create snapshots (even outside of Veeam) the snapshots are visible to VMware and have the same IDs as the production volume which can lead to some downtimes or data access issues. Check the Alletra documentation for this one.
https://infosight.hpe.com/InfoSight/med ... 81956.html