Veeam v11 - Hardened Repository aka Immutable backups



Show first post

88 comments

Userlevel 7
Badge +8

Nice to see all of this information in one post.  Not sure it is possible but you should see about editing the main post with the updates versus them being within the pages.  Just would make things easier to find all in the first post.  Maybe we don’t have the editing ability either.  LOL

Userlevel 7
Badge +3

Thanks @vNote42 

Userlevel 6
Badge +1

Thanks @vNote42

Userlevel 7
Badge +7

Hi 

I am looking to implement hardened repository im already using Veeam v11 however I have zero experience created Linux VM and required config on it.

Would anyone be so kind as to give me some pointers?

Thanks.

 

Check out excellent blog series by @PValsecchi :

https://nolabnoparty.com/en/veeam-v11-hardened-repository-immutability-pt-1/

https://nolabnoparty.com/en/veeam-v11-hardened-repository-immutability-configuration-pt-2/

Hi 

I am looking to implement hardened repository im already using Veeam v11 however I have zero experience created Linux VM and required config on it.

Would anyone be so kind as to give me some pointers?

Thanks.

 

Userlevel 7
Badge +11

Great Information folks this really helps!

Userlevel 7
Badge +7

There is new blog post from @PValsecchi about setting up MFA for SSH loginsto Linux Hosts.

https://nolabnoparty.com/en/veeam-v11-hardened-repository-immutability-add-mfa-pt-3/

 

Nice and detailled tutorial...

Userlevel 6
Badge +3

@vNote42 thanks for share and your update 

Userlevel 7
Badge +7

@vNote42 have you been able to post anything on How to setup Linux as repository server?

 

Hi @MAC_Daddy_1974 ! Just wrote an internal installation guide. I can recommend this post:

https://nolabnoparty.com/en/veeam-v11-hardened-repository-immutability-pt-1/ by @PValsecchi 

@vNote42 have you been able to post anything on How to setup Linux as repository server?

 

Userlevel 7
Badge +7

Check out the new Whitepaper from Veeam ( @HannesK  ): 

Protect against Ransomware with Immutable Backups: a Veeam Guide

Userlevel 7
Badge +7

[Update]

Veeam Hardened Repository passes independent compliance assessment

When properly configured, the Hardened Repository meets the requirements for non-rewritable, non-erasable storage as specified by SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations.

https://www.veeam.com/blog/hardened-repository-passes-compliance.html

 

Userlevel 7
Badge +7

Thank you.! Is there a step-by-step guide somewhere? I planning to upgrade to V11, and want to set up this hardening as soon as possible

I would recommend to start here: https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110

There you find the section: Deployment of Hardened Repository.

I am sure more detailed information and best practices for Linux repositories will come soon.

Userlevel 1

Thank you.! Is there a step-by-step guide somewhere? I planning to upgrade to V11, and want to set up this hardening as soon as possible

Userlevel 7
Badge +7

Thanks  @regnor and @vNote42  ,

MFA and the activation of network ports when access is neccessary are good mechanisms for my environments.

Userlevel 7
Badge +6

@JMeixner No physical access and no easy hands-on could be challenging. MFA, as @vNote42 says, could be the solution in that case.

Userlevel 7
Badge +7

@JMeixnercheck links below why disable remote access etc…

https://bp.veeam.com/vbr/VBP/Security/infrastructure_hardening.html

https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_linux.html

https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_windows.html

For windows hosts even hardened who are very important, i break all suspicious processus after some learning with elastic

Thanks for the links! Great ressources!

Userlevel 7
Badge +3

@JMeixner check links below why disable remote access etc…

https://bp.veeam.com/vbr/VBP/Security/infrastructure_hardening.html

https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_linux.html

https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_windows.html

For windows hosts even hardened who are very important, i break all suspicious processus after some learning with elastic

Userlevel 7
Badge +7

In my case I'd say 90% of my customers are currently using Windows ReFS to store backup files as their main repository, so I have some questions:

  1. Do you know if Microsoft is working to provide something equivalent to the  XFS “i” flag feature in ReFS?. For 100% Microsoft shops every time you mention Linux is still something they tried to avoid as much as they can. I can envision a lot of resistance if we are talking about the main repository in this specific case
  2. In terms of performance / space saving have Veeam done any lab test to compare XFS vs ReFS?
  3. For customers that will be willing to migrate their main repository from ReFS to XFS to take advantage of this feature: any tips, best practices? It would be great if Veeam provides a Whitepaper regarding this

I think immutable backups is the top driver to adopt V11 in the short term for a lot of customers

@andy40241 sorry for the late response.

  1. I am not aware of Microsoft is planning such feature. In my experience customer minds are open for Linux repositories when they hear about immutable backup files. A lot of them see Linux repositories as storage of a different media in the 3-2-1 rule. If there is no know-how at customer site, I would recommend to buy support for distribution of choice.
  2. I do not know official Veeam publications about performance and/or space savings comparison between ReFS and XFS. I would recommend to check this post for experiences with XFS of the community. Furthermore, Veeam does not make any differences between XFS and ReFS is their official sizer tools. Also for the (unofficial) Restore Point Simulator space savings are the same.
  3. There is also a discussion about this topic in the community. In my opinion the simples way is to fade out restore points on ReFS after starting new backups on XFS.
Userlevel 7
Badge +7

Thanks @vNote42

Userlevel 7
Badge +7

I assume your Linux repo would need to be a bare-metal machine to gain any security benefit from this? If I were to virtualize it, some hacker could just blow up my VHD file on the Hyper-V host? 


Cryptolocker will be happy to encrypt all your vhd and filesystem, in the worst case you VM will not longer be available so your backup repo too.

It’s definitely worth using physical for this, I had an emergency response to a business that had their Hyper-V domain joined, the ransomware they got hit with had encrypted the contents of the VHDX’s then the VHDX’s themselves on top for good measure as it just hit everything it could in the domain!

But management domains and whether or not to domain in general is a conversation for another day…

 

If you are going physical though do consider other forms of access such as IPMI/iLO/iDRAC that could be used as backdoors to the system and lock them down!

I would suggest to disable any remote access after the initial setup. If there's really a need to access the system why not do I physically?


Hi,

ok I understand the intention to disable all remote access...

But I don’t have physical access to my backup servers because they are located in datacenters all over Germany and some other european countries.

How do you handle such servers in your environments without remote access?

Ok, I could hire a helping hand every time any action has to be done at a server… But this would be expensive and I don’t think this would  be more secure… :confounded:

To keep remote access more secure, you can implement MFA for Linux. If this is possible for IPMI/iLO/iDRAC (is it?) this would sense too! If not, you could disable network port on the switch and enable it if access is necessary. 

Userlevel 7
Badge +7

I assume your Linux repo would need to be a bare-metal machine to gain any security benefit from this? If I were to virtualize it, some hacker could just blow up my VHD file on the Hyper-V host? 


Cryptolocker will be happy to encrypt all your vhd and filesystem, in the worst case you VM will not longer be available so your backup repo too.

It’s definitely worth using physical for this, I had an emergency response to a business that had their Hyper-V domain joined, the ransomware they got hit with had encrypted the contents of the VHDX’s then the VHDX’s themselves on top for good measure as it just hit everything it could in the domain!

But management domains and whether or not to domain in general is a conversation for another day…

 

If you are going physical though do consider other forms of access such as IPMI/iLO/iDRAC that could be used as backdoors to the system and lock them down!

I would suggest to disable any remote access after the initial setup. If there's really a need to access the system why not do I physically?


Hi,

ok I understand the intention to disable all remote access...

But I don’t have physical access to my backup servers because they are located in datacenters all over Germany and some other european countries.

How do you handle such servers in your environments without remote access?

Ok, I could hire a helping hand every time any action has to be done at a server… But this would be expensive and I don’t think this would  be more secure… :confounded:

Userlevel 7
Badge +7

I assume your Linux repo would need to be a bare-metal machine to gain any security benefit from this? If I were to virtualize it, some hacker could just blow up my VHD file on the Hyper-V host? 

Right! I would also warn against using raw device mappings (RDM) in vSphere! These are physical disk devices mapped directly into VMs. But with this a hacker having access to the hypervisor can also destroy your backup data - no matter if they are immutable or not. 

So when using hardened repository, use a (hardened) physical Linux host! 

Userlevel 7
Badge +6

I assume your Linux repo would need to be a bare-metal machine to gain any security benefit from this? If I were to virtualize it, some hacker could just blow up my VHD file on the Hyper-V host? 


Cryptolocker will be happy to encrypt all your vhd and filesystem, in the worst case you VM will not longer be available so your backup repo too.

It’s definitely worth using physical for this, I had an emergency response to a business that had their Hyper-V domain joined, the ransomware they got hit with had encrypted the contents of the VHDX’s then the VHDX’s themselves on top for good measure as it just hit everything it could in the domain!

But management domains and whether or not to domain in general is a conversation for another day…

 

If you are going physical though do consider other forms of access such as IPMI/iLO/iDRAC that could be used as backdoors to the system and lock them down!

I would suggest to disable any remote access after the initial setup. If there's really a need to access the system why not do I physically?

Userlevel 7
Badge +8

I assume your Linux repo would need to be a bare-metal machine to gain any security benefit from this? If I were to virtualize it, some hacker could just blow up my VHD file on the Hyper-V host? 


Cryptolocker will be happy to encrypt all your vhd and filesystem, in the worst case you VM will not longer be available so your backup repo too.

It’s definitely worth using physical for this, I had an emergency response to a business that had their Hyper-V domain joined, the ransomware they got hit with had encrypted the contents of the VHDX’s then the VHDX’s themselves on top for good measure as it just hit everything it could in the domain!

But management domains and whether or not to domain in general is a conversation for another day…

 

If you are going physical though do consider other forms of access such as IPMI/iLO/iDRAC that could be used as backdoors to the system and lock them down!

Comment