Technical Fact 13: security measures to protect your backups with Veeam

25 May 2022 16:31:14

Technology has made incredible progress in the last couple of years. The future of technology is overwhelming for some, while it can be exciting for others. In our ‘Technical Facts’ series, we have put together some interesting and surprising facts about tech! In this technical fact, we explain how we provided our client with a new, secure backup environment.

Nowadays you often hear that companies have fallen victim to crypto-lockers or hacking. It is therefore not only important to have a backup solution, but also essential to secure it so that it can't be affected by cyberattacks either. And that is exactly what we did in the case below.

Background information

The company whose backup environment we configured had recently become a customer. The customer needed two things: an IT audit, so that the IT environment could be stabilized and improved, and a new backup solution, because the current one was no longer performing to standards. Because of the increasing number of companies impacted by ransomware, a hard requirement was that the solution be set up as securely as possible.

That’s why we started off with an IT audit. This way we could gain an overview of the entire environment. When the audit was completed, we had a clear understanding of the hardware that was outdated and the software that needed an update.

Core ICT’s approach

As soon as we had a clear overview of the current IT environment and the backup solution requirements, we brainstormed with our team to come up with the best possible solution. The setup we settled on consisted of two physical Lenovo servers, running a Windows Server OS with the Veeam software installed.

A setup for a secure and safe backup solution

To give you a better insight into the way we set up this solution, we will make a distinction between the physical points and the network points.

Physical Points:

We installed two Lenovo servers on two different sites. The reason for this decision? We wanted to make sure that if one of the servers shut down (regardless of the reason), the other server would take over. To make the backup even more resilient, we took an additional redundancy measure: we connected the power of each server to two different feeds, one of which is a UPS.

Network Points:

To leave as little to chance as possible, we created 3 new separate VLANs. This way we could split all components and only allow access on the specific required firewall ports between these VLANs and the existing ones.

  • VLAN 1 = Veeam traffic main site
  • VLAN 2 = Veeam traffic secondary site
  • VLAN 3 = XCC controllers of both Veeam servers

The firewall rules needed for the copy jobs were:

  • TCP 445
  • TCP 2500-3300
  • TCP 6161
  • TCP 6162

We also blocked all internet access from every single Veeam subnet to isolate the backup servers as much as possible. Access to the servers from the other VLANs the customer uses is also very limited. We renamed the local administrator user of the Veeam servers and set up NIC Teaming with LACP for optimal performance. All passwords used are, of course, fully randomized.
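The article does not say which firewall enforces the rules between the VLANs. As an added example (not part of the original setup), the same allow-list can be mirrored on the Windows host firewall of each Veeam server and then audited for rules that expose the copy-job ports to any source. The subnet, rule name and function names are assumptions made for this sketch.

```powershell
# Constructed values: replace with your own addressing plan.
$PeerVeeamSubnet = '10.10.2.0/24'                       # assumed subnet of the other site's Veeam VLAN
$CopyJobPorts    = '445', '2500-3300', '6161', '6162'   # TCP ports listed in the article

# Allow the copy-job ports only for connections coming from the peer Veeam VLAN.
New-NetFirewallRule -DisplayName 'Veeam copy jobs from peer site' -Group 'Veeam hardening' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $CopyJobPorts `
    -RemoteAddress $PeerVeeamSubnet -Profile Any | Out-Null

# Turn a LocalPort specification ('Any', '445', '2500-3300') into [low, high] pairs.
function ConvertTo-PortRange([string[]]$Spec) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { ,@(0, 65535) }
        elseif ($s -match '^(\d+)(?:-(\d+))?$') {
            $low  = [int]$Matches[1]
            $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
            ,@($low, $high)
        }
    }
}

# Audit: enabled inbound allow rules that open a copy-job port to any remote address.
function Get-UnscopedCopyJobRule {
    $wanted = @(ConvertTo-PortRange $CopyJobPorts)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addrs = $_ | Get-NetFirewallAddressFilter
        if ($ports.Protocol -notin 'TCP', 'Any') { return }
        if ($addrs.RemoteAddress -notcontains 'Any') { return }
        $open = @(ConvertTo-PortRange $ports.LocalPort)
        foreach ($w in $wanted) {
            foreach ($o in $open) {
                if ($o[0] -le $w[1] -and $w[0] -le $o[1]) { return $_.DisplayName }
            }
        }
    } | Sort-Object -Unique
}

Get-UnscopedCopyJobRule   # review each rule listed: scope it to a subnet or disable it
```

Built-in rules such as File and Printer Sharing (SMB-In) typically show up in the audit because they allow TCP 445 from any address.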

NIC Teaming with LACP

We also created a separate drive for paging files (in our case a P: drive) and disabled the paging file on the C: drive.

Small tip: creating a separate drive for paging files will increase the overall performance of your system.

Disk Setup best practices

XCC setup

  • Set up disk RAID 6
  • Set stripe size to 265k
  • Set write policy to Write back

Windows setup

  • Set up the ReFS filesystem
  • Set block size to 64k

It’s important not to forget to change the permissions on this drive so that nobody except the ‘System’ and ‘Administrator’ users can make changes to the backup files. After this, you can install the Veeam application on the server and configure it to your liking.
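One way to apply and verify that permission change, as an added example rather than the script used in this project. It assumes the backup volume is E:, reads ‘Administrator’ as the built-in local Administrator account, and finds that account by its RID 500 so the rename described earlier does not matter; the function name is hypothetical.

```powershell
$BackupRoot = 'E:\'   # assumed drive letter of the ReFS backup volume

# Built-in Administrator is identified by RID 500, whatever it has been renamed to.
$AdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$Allowed  = @('S-1-5-18', $AdminSid)   # S-1-5-18 = NT AUTHORITY\SYSTEM

# Replace the volume's ACL: no inheritance, no existing entries, full control for the two SIDs.
$acl = Get-Acl -Path $BackupRoot
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $acl.PurgeAccessRules($ace.IdentityReference) }
foreach ($sid in $Allowed) {
    $identity = New-Object System.Security.Principal.SecurityIdentifier $sid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupRoot -AclObject $acl

# Verification: any allow entry that lets another principal modify or delete backup files.
function Get-UnexpectedWriter([string]$Path) {
    $rights = [System.Security.AccessControl.FileSystemRights]`
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # 0x50000000 adds GENERIC_ALL and GENERIC_WRITE, which some entries use instead.
    $writeMask = [int]$rights -bor 0x50000000
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            $_.IdentityReference.Value -notin $Allowed
        } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } }, FileSystemRights, IsInherited
}

# Check the root and the first level of folders; an empty result means only the two SIDs can write.
Get-UnexpectedWriter $BackupRoot
Get-ChildItem -Path $BackupRoot -Directory | ForEach-Object { Get-UnexpectedWriter $_.FullName }
```

Run it from an elevated session as the built-in Administrator, since every other account loses access to the volume once the ACL is written.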

Tips when you want to use Veeam as a backup solution

  • Select ‘Use per-machine backup files’ in the storage compatibility settings. This will provide slightly less storage reduction through Veeam deduplication (compared to when you don’t use it), but it limits impact in case of filesystem corruption.

  • Make sure to configure a remote repository on both Veeam servers and use it as a target for the copy jobs. This way you will have all backups on both servers, which provides the redundancy.

  • Set up each VM to have its own backup job. This enables:
    - granular retentions
    - better visibility of warnings & errors
    - granular changes to jobs.

    The downside is that it takes more time to set up, especially when you have many VMs.

  • Configure NTP to point to an international address, so that if attackers get to your own NTP server, they can't make the backups expire (by pushing the time 10 years forward, for example). This is an additional security measure.
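The NTP tip above, as an added example that is not taken from the original setup. It points the Windows Time service at manually chosen peers and goes one step beyond the tip by capping how far the service may step the clock, so a bad time source cannot jump the date by years. The peer names, the one-hour limit and the function name are assumptions, and because the Veeam subnets have no internet access, the firewall needs an exception for outbound UDP 123 to the chosen source.

```powershell
# Assumed public time sources; 0x8 = client mode. Replace with the sources you trust.
$Peers     = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
$MaxStep   = 3600   # assumed limit: largest clock correction in seconds the service may apply
$W32Time   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Sync from the manual peer list instead of the domain hierarchy or an internal server.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /update | Out-Null

# Refuse corrections larger than $MaxStep in either direction; the service logs an
# event instead of applying them.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    Set-ItemProperty -Path "$W32Time\Config" -Name $name -Value $MaxStep -Type DWord
}
Restart-Service -Name w32time

# Report the effective settings so the result can be checked after a reboot or a policy change.
function Test-TimeHardening {
    $config = Get-ItemProperty -Path "$W32Time\Config"
    $params = Get-ItemProperty -Path "$W32Time\Parameters"
    [pscustomobject]@{
        SyncType           = $params.Type        # 'NTP' = manual peers, 'NT5DS' = domain hierarchy
        Peers              = $params.NtpServer
        MaxForwardStepSec  = $config.MaxPosPhaseCorrection
        MaxBackwardStepSec = $config.MaxNegPhaseCorrection
        Hardened           = ($params.Type -eq 'NTP') -and
                             ($config.MaxPosPhaseCorrection -le $MaxStep) -and
                             ($config.MaxNegPhaseCorrection -le $MaxStep)
    }
}

Test-TimeHardening
w32tm /query /source   # shows the peer the service is currently synchronised to
```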

After we gave all VMs a separate backup job, our customer could once again sleep soundly. He can be confident that his backups are of high quality and that his valuable data is protected.

Are you looking for a new backup solution yourself? Don't hesitate to contact us! We are happy to discuss the possibilities with you.
