Question

Veeam and air-gap / digital disconnect solutions


Userlevel 5

With Veeam I'm looking at options, either cloud or on-prem, where there's a requirement for an air-gap, digital disconnect or offline solution for a backup copy.

Yes, tape is still here and can be considered; however, I need to find a turnkey solution that actually meets one of those requirements.

Dell Cyber Vault seems to be the only solution, as the vault is open during certain periods and then digitally disconnected; this is a logical air-gap.

I'm investigating other solutions, however no real joy at present.

 

If anyone has some great solution ideas please let me know.


23 comments

Userlevel 7
Badge +20

Why not look into Wasabi using immutability? I know it is online all the time, but not much will meet the offline requirement other than tape.

Userlevel 7
Badge +17

Yeah... I'm not aware of any offline solution aside from tape, myself. You can use an 'isolated' physical server housed with storage disks, assuming you can house all your data, and create a Linux Hardened Repo on the server itself. If you need to make it offline, you could remotely disable the switch port it's connected to. Maybe not exactly what you're looking for, but a potential option.

Userlevel 5

Thanks Chris, yes, I'm actually in discussions with them now. I'm surprised that there aren't many turnkey solutions out there that will provide this. Even in the cloud, time-based access for an account should be adopted. This will provide a window to replicate into, then the account closes.

Userlevel 5

Thanks. Yes, a hardened repo server is an option, as we could adopt a simple script to down/up the NICs. This server could be on-prem or cloud-based. It's workable, but I would like to see an out-of-the-box solution to tackle this requirement. Tape is always an option, but I think we mostly want to avoid it due to obvious problems and also the human intervention that's required. Thank you.

Userlevel 7
Badge +20

Yeah, not any that I am aware of. I know you can expire a tenant in Veeam Cloud Connect, and maybe that would be something to look into as a way to satisfy this requirement.

Userlevel 7
Badge +14

You could use AWS Storage Gateway as a virtual tape library (yes, tape again) to send data to S3, then eject the media.

I would recommend just using S3 directly with immutability, but depending on policy the VTL solution may be a better fit.

Userlevel 5

Thank you for that, good possibility there. Will explore that. Would prefer to leverage Wasabi if I can...

Also, thank you for your videos and web pages for VMCE and VMCA. They definitely helped me towards my certs! 😀

Userlevel 7
Badge +14

I think Wasabi with immutability is a great way to go. Just not really air-gapped. I think the key is that backups can't be deleted/lost, more than the offline aspect... did you question RTO?
Thank you for the kind words on your cert help, this is exactly what I love to hear :-)

Userlevel 2
Badge

You might also want to look at ExaGrid as an on-prem option. It's effectively a Linux appliance with all the security features built in, uses MFA, and immutability can be configured from 10 days upwards. Deduplication is excellent and backup and restoration times are brilliant.

Userlevel 5

Thanks, yes, I've seen these and the capabilities; however, is it offering air-gap/digital disconnect? This is where the requirement is.

Userlevel 7
Badge +20

I am pretty sure ExaGrid does not offer this, like many appliances. I guess if you disconnect the network, then it would. 😂

Userlevel 2
Badge

Quite right, it doesn't, but as has been previously mentioned, unless you're going to use tape, I'm not sure any other solution will do this. And what is wrong with tape? But ExaGrid does offer an acceptable solution for ransomware attacks and protects against being able to delete your immutable images.

Userlevel 7
Badge +20

Definitely agree that tape seems to be the only solution to fit the need here. ExaGrid is definitely a great solution.

Userlevel 5

Like many appliances, they offer great solutions with immutability etc.; however, the only viable solutions I see at present are:

  1. Dell Cyber Vault
  2. Linux hardened repo where we could script the down/up of the NIC. That will offer a logical air-gap.

Would be great to see more development in these options.

Userlevel 7
Badge +6

I'd look at the likes of Wasabi with an immutable bucket, or if you want a turnkey appliance, Object First might be a good option. There are some other appliances as well, but Object First has my eye because it's object storage.

The hacked-together version I've had in theory is to use a script before and after a backup job that logs into a switch and administratively ups and downs the ports before and after the job starts. Not elegant really, and it comes with its own issues, but it would work in theory.

I do also like the idea of using a VTL as Rasmus suggested.

Userlevel 1

Disclaimer straight away: Object First SE here.

As mentioned, Object First OOTBI is a great option for implementing immutable backup storage in your infrastructure. It was specifically designed for Veeam and provides direct-to-object storage configuration powered by the Smart Object Storage API. https://objectfirst.com/object-storage/

In case on-premises storage is not an option, a VTL can be used. Amazon Storage Gateway is a great option for AWS. You can also take a look at StarWind VTL if you want to use Wasabi.

@MavMikeVBR, in your post

"Like many appliances, they offer great solutions with immutability etc.; however, the only viable solutions I see at present are:

  1. Dell Cyber Vault
  2. Linux hardened repo where we could script the down/up of the NIC. That will offer a logical air-gap.

Would be great to see more development in these options."

I was reading about Commvault; it offers an air-gap solution. Have you heard about this one?

Userlevel 7
Badge +8

Hey, some time ago a friend of mine told me that they were executing a pre- and post-task script that enables/disables the switch ports where the destination NAS for the backups is connected,

so they keep only the management interface for monitoring, but the interfaces used for NFS and CIFS are activated only by Veeam with the script.

Maybe that helps.
Nevertheless, S3 + immutability is, in my opinion, much better:
copy outside of the site, immutable, flexible/elastic in size/capacity, no need for warranty/maintenance.

cheers.
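The NIC-window idea raised several times in this thread (a script that downs/ups the hardened repo's NIC, or that toggles the switch port before and after a job) as an added example, not code from the thread, from Veeam or from any vendor named here: a POSIX shell script intended to run on the Linux hardened repository host itself from root cron or a systemd timer. It keeps the backup-data interface up only inside a defined backup window and down outside it, leaving the management interface alone for monitoring. Running it on the repository rather than from the backup server means no switch or repository credentials have to sit on the VBR server, which is the objection raised against the switch-port variant. The interface name `eth1`, the 22:00 to 04:00 window, the `IP_CMD` override and the `apply` argument are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or Veeam): time-windowed "logical
# air-gap" for a Linux hardened repository. Runs on the repository host
# itself (root cron or a systemd timer), so no switch or repository
# credentials need to be stored on the Veeam backup server.
#
# Assumed/hypothetical settings; override through the environment:
DATA_IFACE="${DATA_IFACE:-eth1}"        # NIC that Veeam writes backups over
WINDOW_START="${WINDOW_START:-1320}"    # 22:00 as minutes since midnight
WINDOW_END="${WINDOW_END:-240}"         # 04:00; the window wraps past midnight
IP_CMD="${IP_CMD:-ip}"                  # ip(8); point at a stub to dry-run

# minutes_of_day HH:MM -> minutes since midnight. Leading zeros are
# stripped so "08" is not treated as an invalid octal literal.
minutes_of_day() {
    h=${1%%:*}; m=${1#*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# desired_state MINUTES -> "up" inside the backup window, "down" outside.
# A window whose start is later than its end (22:00-04:00) wraps midnight.
desired_state() {
    now=$1
    if [ "$WINDOW_START" -le "$WINDOW_END" ]; then
        if [ "$now" -ge "$WINDOW_START" ] && [ "$now" -lt "$WINDOW_END" ]; then
            echo up
        else
            echo down
        fi
    else
        if [ "$now" -ge "$WINDOW_START" ] || [ "$now" -lt "$WINDOW_END" ]; then
            echo up
        else
            echo down
        fi
    fi
}

# enforce_window IFACE HH:MM -> sets the link to the state the window
# requires at that time (idempotent: "ip link set ... up" on an up link is
# a no-op) and echoes the state applied. Returns non-zero if ip(8) fails.
enforce_window() {
    iface=$1
    state=$(desired_state "$(minutes_of_day "$2")")
    "$IP_CMD" link set dev "$iface" "$state" || return 1
    # Audit trail; a logging failure must not abort the enforcement.
    logger -t airgap "link $iface set $state" 2>/dev/null || :
    echo "$state"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
# Cron entry (assumed path):  * * * * * root /usr/local/sbin/airgap.sh apply
if [ "${1:-}" = "apply" ]; then
    enforce_window "$DATA_IFACE" "$(date +%H:%M)"
fi
```

Two caveats a practitioner should keep in mind. First, the Veeam job schedule and the window must agree, or jobs will start against an unreachable repository; the script closes the link on the clock, not on job completion. Second, as noted further down the thread, a logical air-gap is not the same thing as immutability: while the link is up the repository is reachable, so the immutable retention on the hardened repository is what protects data already written, and this script only narrows the exposure window around it.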

Userlevel 7
Badge +6

I have mentioned creating a virtual air-gap in this way in the past. But the issue I have with it, of course, is that you have to have the passwords stored in some way to log into the switch. Still, better than nothing, but now with immutable storage I'm a lot more comfortable going that route instead.

Userlevel 7
Badge +8

Right, there is no easy way to accomplish this, but the idea behind it is to protect the storage. If you get a bad actor inside your VBR server, you have a bigger problem than a leaked switch password for a user only able to enable/disable a few ports.

Also, this was done before immutability was available, so a cheap workaround; they are poor! 🤣

I do see the utility of this, but I don't like that it adds extra steps and possible troubleshooting in case of a DR or quick recovery; but it is a good way to "kind of" air-gap a repository.

cheers.

@MavMikeVBR - I'm late to the thread... not sure if you resolved this and made your choice already, but Scality can help you with an immutable on-premises storage appliance for use with Veeam (although there is no "digital disconnect" feature). There is a free trial over at https://artesca.com/

Cheers

Adam

Userlevel 7
Badge +8

Find out first if you want on-prem or cloud.

Next, I'd decide the size you require using a sizing calculator at VeeamBP, as you will need that when talking to vendors and reps.

You will need to know how many copies of production data, the size of servers, the change rate, and as much as you can.

After you know the size, decide what features you want, speeds, RTO/RPO. Are you looking at slower, larger disk, or an all-flash array? Do you need to boot up all the VMs from backup to run in production while doing a restore? It's going to get slow on a bunch of spinning rust if your production SAN is an AFA.

Any SAN can be stacked up with a Linux immutable repository these days. Things like Object First and ExaGrid take a lot of the work away and scale quite nicely as you grow. Wasabi is a great cloud solution that can be made immutable with no egress fees. At the end of the day, immutable and air-gap are not the same thing though.

Example: if I put an immutable Linux host in front of my storage, add MFA to Veeam, separate VLANs isolated to a specific jump box, and have my SAN management port with a simple password, I've wasted my time if someone can go in and format or delete the volumes/pools. You need to make sure you are secure everywhere. This is where tape is so good. When I eject a tape, unless you physically access or destroy the datacenter, that data will remain. If you do this for multiple sites or ship them elsewhere, you are even more protected. You can encrypt the tapes and put them in a safe for internal threats, for double protection.

I am a huge fan of tape because it's cheap too. If I export a quarterly job for ransomware protection, I don't have to worry about it using all my space or being too expensive. If I am using cloud storage or disk, there is a lot more cost associated with it. It's nice to say, let's just keep that 6 more months in case someone wants to restore something.

  • This is more of an example. Quarterly jobs in my environment are not even cheap on tape anymore. I'm sure by the time LTO10 comes out and I upgrade, I'll be waiting for 12 🤣

Userlevel 2
Badge

I was supposed to mention this! :D But it's a good thing you did already, Adam!
