When you set up the backup infrastructure, one thing that you must not overlook is security. The backup infrastructure can be potentially used as a backdoor to gain access to your systems and data.
This section includes a number of recommendations that will help you prevent potential security issues and reduce the risk of compromising sensitive data.
Ensure timely guest OS updates on backup infrastructure servers. Install the latest updates and patches on backup infrastructure servers to minimize the risk of exploiting guest OS vulnerabilities by attackers.
Backups and Replicas
A potential source of vulnerability is the backup or replica itself. To secure data stored in backups and replicas, consider the following recommendations:
- Ensure physical security of target servers. Check that only authorized personnel have access to the room where your target servers (backup repositories and hosts) reside.
- Restrict user access to backups and replicas. Check that only authorized users have permissions to access backups and replicas on target servers.
- Encrypt data in backups. Use Veeam Backup & Replication built-in encryption to protect data in backups. To guarantee security of data in backups, follow Encryption Best Practices.
Data Communication Channel
Backup data can be intercepted in-transit, when it is communicated from source to target over a network. To secure the communication channel for backup traffic, consider the following recommendations:
- Isolate backup traffic. Use an isolated network to transport data between backup infrastructure components — backup server, backup proxies, repositories and so on.
- Encrypt network traffic. By default, Veeam Backup & Replication encrypts network traffic travelling between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, you can also encrypt backup traffic in private networks. For details, see Enabling Network Data Encryption.
Internet Access for Backup Servers
Some Veeam Backup & Replication functionality requires that backup servers have outbound internet access. For example, to enable product update check, automatic license update and license usage reporting, a backup server must be connected to the internet and be able to send requests to servers on the internet.
However, inbound connectivity to backup servers from the internet must not be allowed. If you want to manage backup servers remotely over the internet, you can deploy the Veeam Backup & Replication console on a jump server. Service providers who want to manage backup servers remotely can use the Veeam Backup Remote Access functionality. For more information, see the Using Remote Access Console section in the Veeam Cloud Connect Guide.
The account used for RDP access must not have local Administrator privileges on the jump server, and you must never use the saved credentials functionality for RDP access or any other remote console connections. To restrict users from saving RDP credentials, you can use Group Policies. For more information, see Experts Exchange.
An attacker who gained high-privilege access to backup infrastructure servers can get credentials of user accounts and compromise other systems in your environment.
Particularly, backup proxies must be considered the target for compromise. During backup, proxies obtain from the backup server credentials required to access virtual infrastructure servers. A person having administrator privileges on a backup proxy can intercept the credentials and use them to access the virtual infrastructure.
One of the most possible causes of a credential theft are missing guest OS updates and use of outdated authentication protocols. To mitigate risks, consider the following recommendations:
- Choose strong encryption algorithms for SSH. To communicate with Linux servers deployed as part of the backup infrastructure, Veeam Backup & Replication uses SSH. Make sure that for the SSH tunnel you use a strong and proven encryption algorithm, with sufficient key length. Ensure that private keys are kept in a highly secure place, and cannot be uncovered by a 3rd party.
For Linux hardened repository, instead of SSH Veeam Backup & Replication uses self-signed certification (SHA256RSA self-signed certificates with 2048-bit RSA key).
- Avoid using password authentication to connect to remote servers over SSH. Using key-based SSH authentication is generally considered more secure than using password authentication and helps averting man-in-the middle (MITM) attacks.
Veeam Backup & Replication Database
Another security concern you must consider is protecting the Veeam Backup & Replication configuration database. The database stores credentials of user accounts required to connect to virtual servers and other systems in the backup infrastructure. All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt the passwords, which presents a potential threat.
To secure the Veeam Backup & Replication configuration database, consider the following recommendations:
- Restrict user access to the database. Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
- Encrypt data in configuration backups. Enable data encryption for configuration backup to secure sensitive data stored in the configuration database. For details, see Creating Encrypted Configuration Backups.
Veeam Cloud Connect
Veeam Cloud Connect secures communication between the provider side and tenant side with TLS. If an attacker obtains a provider’s private key, backup traffic can be eavesdropped and decrypted. The attacker can also use the certificate to impersonate the provider (MITM attack).
Veeam Cloud Connect providers must consider the following recommendations:
Keep the certificate in a secure place. Make sure that the TLS certificate is kept in a highly secure place and cannot be uncovered by a 3rd party.