Veeam Availability Platform Designs for Ransomware ...€¦ · In this brief, Veeam® will share...

© 2017 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners. 1

Veeam Availability Platform Designs for Ransomware Resiliency SeriesRick Vanover vExpert, MCITP, VCP


Veeam Availability Platform Designs for Ransomware Resiliency: Chapter 1

ContentsCHAPTER 1: Veeam Availability Suite resiliency tips to enhance data protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Why should the Veeam Availability Suite design be assessed due to ransomware? . . . . . . . . . . . . . . . . 3

The most important recommendation: There must be a copy of the data on offline storage . . . . . . . 3

Second recommendation: Use different credentials for backup repositories . . . . . . . . . . . . . . . . . . . . . . 5

Third recommendation: Have more frequent restore points and more types of restore points . . . . . . 7

Additional recommendation: Continued diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

CHAPTER 2: Veeam Backup & Replication and Veeam Agents resiliency tips to enhance data protection . . . . . . . . 8

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Many Options for Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Configuration Recommendation Option 1: Additional Backup that is File-Only . . . . . . . . . . . . . . . . . . . 8

Restores with a File-Only Backup Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Configuration Recommendation Option 2: Replicated VMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Configuration Recommendation Option 3: Ejecting Media and Computer Account Permissions for Veeam Agent for Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . 12

Eject Removable Media When a Job Is Complete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Computer Account Permissions for Network Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Ransomware Resiliency Requires Continual Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

About the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

About Veeam Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16


Chapter 1: Veeam Availability Suite resiliency tips to enhance data protection



IntroductionThe threat of ransomware is real and should be top of mind for CIOs as well as technology administrators of all types. In this brief, Veeam® will share some key tips to add ransomware resiliency to provide the best levels of Availability for critical applications and data. These tips will apply directly to Veeam Availability Suite™ and other Veeam products to provide design options for more resiliency should ransomware strike.

Why should the Veeam Availability Suite design be assessed due to ransomware?The threats are real. At Veeam, we’ve seen ransomware situations where backups have been deleted from existing threats; additionally, there is a risk of encrypting both the source data and the backups. Due to the continuous threat climate changing, Veeam is committed to continually tweaking the recommendations based on current conditions. In this first chapter, we’ll address three of the key recommendations to keep your Availability levels high and meeting expectations.

This paper (and subsequent chapters) will be a collection of both generic and specific recommendations for Veeam Backup & Replication™ configurations. There is no single “best” design or configuration — so the goal of these design chapters is to give the Veeam customer and partner ecosystem options for better Availability in the ransomware era.

The most important recommendation: There must be a copy of the data on offline storage This is also referred to as an “air gap.” Offline storage is the single most effective ransomware resiliency technique, and it can be achieved in many direct ways. The most obvious example here is tape storage. Tape storage is completely offline unless being read from or written to. Here are a few tips to leverage tape in the ransomware threat climate:

• Leverage the GFS retention capability on tape to include more restore points on tape

• Consider keeping some tapes “out” of the media pool to have restore points out of any tape rotation

• Diligently monitor the job status for tape jobs. Backup or backup copy jobs may get more attention if there is a warning or failure; tape jobs should have just as much (if not more) priority.

Given the relatively low acquisition cost of tape and high portability, this may make the case for additional restore points on tape, given the strong value of being completely offline.



An additional offline storage option includes support for rotating drives within Veeam Backup & Replication. A rotating drive is a good way to get the performance of a disk system with the offline characteristics in regards to the integrity of the backup data. The rotating drives option is set as a property of a backup repository (advanced option) and is selected below:

Figure A

The one important caveat of using rotating drives (which can include entire disk systems) is that if it re-appears, a new full backup or backup copy job cycle may be required. Rotating drives generally are presumed to be one drive or drive system inserted or online at a time with one or more additional instances of the same equipment offline and possibly in another site.

For the rotating drive option, one on-premises example that doesn’t involve moving disks and requiring an additional full backup (or backup copy) would be a configuration that has the following characteristics:

• A physical server running either a Linux or Windows operating system. If it is a Windows operating system, it is recommended to have a completely different and out-of-band authentication (have no domain membership and different credentials for local accounts and have Windows Firewall on).

• Direct attached storage. Some general-purpose storage direct attached as a local drive or drive system, the recommendation on this storage is to have RAID on the drives.

• Have this system offline except during a scheduled backup window. Have this system completely powered off (and optionally disconnected from the network) except when it is due to run. A script can be set after a backup or backup copy job, which could include a shutdown script as shown in the figure below:

Figure B



• Have an out-of-band mechanism to turn this system on. This can be as primitive as a calendar appointment or advanced as an automatic task scheduler from a separate system to remotely turn on this system. But keep this backup repository offline generally at all times, and only have it online during a backup or restore task.

Note the above configuration for an offline repository (that is disk) isn’t recommend for the first instance of the backups (as general restores would be difficult to do). This would be a good option for the “different media and offline” element of the 3-2-1 rule that Veeam promotes often.

Second recommendation: Use different credentials for backup repositoriesOne of the key characteristics of ransomware is its ability to propagate. By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. There are various ways to accomplish this with Veeam Backup & Replication by leveraging the following authentication mechanisms:

• Windows credentials (either domain or local account)

• Veeam Cloud Connect credentials (specified by a service provider)

• Linux credentials (Linux account or Linux private key)

• Integrated backup storage accounts (current with EMC Data Domain, HPE StoreOnce and ExaGrid appliances)

• Credentials for SMB shares

The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc. The following view shows a few different backup repositories with each Veeam Cloud Connect, Windows Credentials and an integrated backup storage account:

Figure C



In this example, several different credentials are in use so that the risk of propagation is reduced. In regards to having resiliency against ransomware, having these different credentials as well as types can provide one less propagation attack surface.

Specifically, for the Windows set of credentials, it is important to ensure that all backup repository access is not by the same Active Directory environment or by the same account as used in Veeam Backup & Replication in the user context as well as on the network at large. This means a completely separate Forest with no trusts (or only local accounts). For backup repository roles on Windows systems, and the role of backup storage is their only function, a good approach is to have it on a completely separate security configuration as the rest of the network. This configuration would have the following characteristic of the backup repository server (Windows system running the role of the repository and containing the backups) not be on an Active Directory domain and have different passwords and usernames for all functions. For every object in the Backup Infrastructure tab of Veeam Backup & Replication, there are associated credentials for the components to access them. This means that communication to that backup repository would function (from the Veeam components) only from the account specified for the configuration. An additional step is to have all Veeam Backup & Replication components running Windows operating systems be off of the domain and each with different credentials — important if ransomware were to impact the domain controller (potentially limiting the access to restore data).

There is a benefit for at least one system to use Linux credentials, as the propagation of ransomware through Windows operating systems is reduced (and vice versa). In the example above, the ExaGrid systems use Linux authentication for example.

Veeam Cloud Connect is also worth an explanation here. Veeam Cloud Connect uses authentication issued by a service provider. This account is how backups are sent to the cloud repository, and it is not an operating system authentication mechanism thus making it out of band from operating system credentials on-premises.



Third recommendation: Have more frequent restore points and more types of restore pointsThis recommendation is to of course have more frequent backup job restore points, but also to include other mechanisms to provide frequent and different types. There can be more resiliency available when the different types of restore points are available. This includes the following mechanisms:

• Storage snapshots of VMware VMs with supported Veeam arrays: Have a storage snapshot for high-speed recovery with the many different integrated arrays supported in Veeam Availability Suite. This provides an out-of-band recovery technique for a system potentially infected with ransomware.

• Replicated virtual machines. The Veeam replicated VM is another high-speed recovery technique that may be beneficial in a ransomware situation. It is important to note that for Hyper-V replicated VMs, consider the domain and account recommendations above. If a Hyper-V replication exists on a domain where the ransomware could propagate, that could impact the replicated VMs as well. Much like the credential recommendation above, consider having the Hyper-V hosts on a completely separate Active Directory Forest with no trusts elsewhere as well. If a Hyper-V host that serves as a replication target is not on a domain and using different credentials, it is more resilient to ransomware propagating to its filesystem and encrypting the replicated VMs.

• The backup copy job. The backup copy job can be a versatile data mover to take backups that may be on a Windows storage system and put them onto a Linux storage system or into a Veeam Cloud Connect repository.

• An additional backup job. There may be backup jobs that for many organizations run daily or every few hours for the organization’s Availability requirements. An additional recommendation is maybe having an additional backup job that runs on a different retention and with less restore points to provide an additional restore option if needed. Additionally, an additional Veeam Backup & Replication console could be used with a completely different configuration and backup repository as well. Note there would be no additional Veeam license consumption in this configuration, and the backups could go to a different repository with a much longer RPO. An example would be a backup job that runs only weekly to a Linux repository and keeps only three restore points.

Additional recommendation: Continued diligenceThe diligence required in the ransomware era is going to be part of doing business from here onwards. Subsequent chapters of this series will introduce more recommendations, recommendations for new Veeam products as well as different approaches to meeting some of the existing recommendations.


Chapter 2: Veeam Backup & Replication and Veeam Agents resiliency tips to enhance data protection



IntroductionThe threat of ransomware continues to make headlines and keep IT professionals and CIOs wondering what they can do to be resilient against this threat. This paper is the second chapter of specific recommendations for Veeam® Availability Platform components to be resilient against ransomware. The first chapter was published on the Veeam website, and this chapter will continue with additional recommendations for configuration options in regards to ransomware threats.

Many Options for ResiliencyThroughout the years, Veeam has always taken a broad agnostic approach to systems and storage. This applies to the design for a backup infrastructure and how it can be made resilient against ransomware. To that point, there is no single ransomware resiliency design that is the “best” for all situations except to have some form of offline storage in the broader plan. The previous chapter had recommendations on the following:

• Offline storage

• Different credentials for backup repositories

• More frequent and different types of restore points

In this chapter, we’ll introduce some additional recommendations that can be an option to Veeam environments to strengthen resilience against ransomware. There will be additional chapters for this content at a later time, but for environments that can easily leverage these recommendations now, resiliency is possible. The three recommendations in this chapter will complement the previous recommendations and upcoming recommendations as well.

Configuration Recommendation Option 1: Additional Backup that is File-Only Veeam Backup & Replication™ can perform image-based backups with exclusion and specific inclusion rules. This can be very helpful for an additional backup type that contains only critical data that may be at risk of a ransomware attack. There are a few assumptions here to add this extra level of resiliency:

• The file server in question is a Hyper-V or vSphere virtual machine

• The virtual machine has an additional full image-based backup performed as well

• This file-only backup is ideally going to a different repository

Below is an example of a VMware vSphere virtual machine being backed up with only a specified list of files included in the backup:



This VMware virtual machine serves as a file server and is around 17 GB on disk. The file server data in question is around 1.2 GB. Note that this full backup read the 1.2 GB, applied some storage efficiencies, and transferred just less than 600 MB. This creates a full backup of just the files in question on this system. As a reminder, this is an additional backup job that is only for a set of files that are critically important to this system.

This capability is made possible by the file exclusions tab in a backup job. This is in the Application-Aware Processing options of a backup job. A single backup job can have an option to include only selected files and folders OR exclude selected files and folders. This option is shown in the example below for the file server share in question, which on this vSphere virtual machine is the “C:\Airdata” folder:



There are a few good characteristics of this additional type of backup. First, it is likely quicker than a full image-based backup. By having this type of backup completely separate of the image of the operating system, there is a potential to be more resilient against a full system restore that does have the ransomware on the operating system. For example, imagine this progression of events:

• Day 1: System obtains ransomware, but doesn’t encrypt data, and the ransomware isn’t detected.

• Day 100: Ransomware encrypts data after being dormant.

• Day 100: Restore to backup from Day 99 has encryption return in 1 day.

This can also be an additional backup job in addition to the full image-based backup of the virtual machine.

Restores with a File-Only Backup Job

By having a data-only backup in addition to the image-based backup, there is an additional restore scenario option that can help in this situation. The restore of the file-only backup is shown below. Note the “AirData” folder is the only visible folder on the volume, and its contents are completely there:

The file-only backup is an additional level of resiliency, especially for a virtualized file server or a data folder that has critical data.

Note: Veeam Availability Suite™ v10 introduces NAS backup support. Additional recommendations will come when this is available.



Configuration Recommendation Option 2: Replicated VMsReplicated VMs have always been critical to a broad Availability strategy and can play a part in ransomware resiliency as well. Replicated VMs have many characteristics that can benefit a Veeam installation in recovering from a ransomware situation:

• They are a complete recovery of a virtual machine

• The recovery is relatively quick (compared to moving a lot of files)

• It has a power off state at most times, reducing risk of ransomware propagation

Having replicated VMs brings in a few other characteristics as well. For one, not every VM may be a candidate for a replicated option. One approach would be to identify a “tier” of VMs that need the quickest recovery should a ransomware situation happen; and have this replication target on the same site and same network for the quickest and most seamless recovery. It becomes a different discussion if the notion of a replicated VM off-site becomes the right recovery option in a ransomware situation. That would work in most situations, but it is advised to give some thought to the failback process and remote network speeds.

One approach to having some or all VMs replicated specifically for a ransomware resiliency approach, or as an additional level of Availability, is to have the replicated VMs in the production data center. This can be in addition to replicas placed off-site. Consider the diagram below:

In this example, there are three hosts with four virtual machines on each. The fourth VMware host (and this could be repeated the same with Hyper-V) has four virtual machines replicated to it. These four virtual machines are (presumably) the most critical ones in the group of productions hosts. To make this type of configuration resilient against ransomware, a few designs should be considered:

• Consider creating an additional Veeam Backup & Replication console that manages the replication of the most critical VMs to replicate and not to have it on the same Active Directory domain or using the same security credentials as other systems.

• Have the target of the replication be a VMware or Hyper-V host that is not in the same administrative realm of the production hosts. (No Active Directory integration if vCenter is used, no System Center Virtual Machine Manager, etc.)

These points are to keep the process of making the replicated VMs on-premises ready to go yet not connected to any security constructs of the production hosts. This is a ransomware resiliency technique to consider if Veeam Backup & Replication or the VMware or Hyper-V hosts are targeted. This is done to be more resilient against encryption of the powered-off VM through shared authentication.



Configuration Recommendation Option 3: Ejecting Media and Computer Account Permissions for Veeam Agent for Microsoft WindowsThe recommendations thus far have focused on Veeam Backup & Replication for VMware vSphere and Microsoft Hyper-V environments. These recommendations, however, apply broadly to the Veeam Availability Platform and its components. This next set of recommendations will apply to the newly released Veeam Agent for Microsoft Windows. The endpoint device can be an entry point for ransomware, but also may have important data on it as well. Veeam Agent for Microsoft Windows has one powerful capability to eject the media upon a backup job.

The two recommendations for Veeam Agent for Microsoft Windows involve ejecting removable media to make it offline and structuring permissions a bit differently for writing backups to a network share.

Eject Removable Media When a Job Is Complete

To configure a backup with Veeam Agent for Microsoft Windows, the backup can be one of three types (entire computer, volume level or file level) as shown below:

The capability to eject removable media applies to local storage resources. A Veeam Backup Repository or Veeam Cloud Connect are also viable options to be resilient against ransomware as there is a different authentication mechanism used to communicate to those storage resources. The destination of a backup is shown below:



For removable storage devices (This is a 1TB USB drive), the “VeeamBackup” folder is the default destination as shown below:

In the properties of the schedule, you can select the backup to be ejected once the backup is completed as shown below:



Ejecting the removable media is an effective technique because it can be completely offline.

Computer Account Permissions for Network Share

Another option is to go to a remote share with a computer account rather than a user account to be given the permission to write to the share. When a shared folder is used as a target in Veeam Agent for Microsoft Windows, there is an option to write to the share with a username and password. This is shown in the figure below:



In the properties of that share, this example has several computer accounts listed (rather than user accounts) as permissions assigned by users. This is shown in the figure below:

While the ejected media and offline storage is more resilient, it is nice to have an additional option when writing to a shared folder to be more resilient against ransomware. The Cloud Connect backup target would be ideal as it is a completely different set of authentication (not part of the operating system) and the file system of the target Cloud Connect system is completely abstracted from the operating system being backed up with Veeam Agent for Microsoft Windows. Subsequent chapters of this series will include additional recommendations for Veeam Cloud Connect for VM backups.

Ransomware Resiliency Requires Continual Diligence

One of the key attributes of ransomware resiliency is to continually monitor the data for threat-scape, access levels and business requirements. In this chapter, we covered recommendations for a file-only backup job, replicated VMs and ejected media on endpoints using Veeam Agent for Microsoft Windows. In this series’ upcoming chapters, we’ll focus on more resiliency options for Veeam environments.



Rick Vanover (vExpert, MCITP, VCP, Cisco Champion) is a senior product strategy manager for Veeam Software based in Columbus, Ohio. Rick is a popular blogger, podcaster and active member of the virtualization community. Rick’s IT experience includes system administration and IT management; with virtualization being the central theme of his career recently. Follow Rick on Twitter @RickVanover or @Veeam.

About Veeam SoftwareVeeam® recognizes the new challenges companies across the globe face in enabling the Always-On Business™, a business that must operate 24.7.365. To address this, Veeam has pioneered a new market of Availability for the Always-On Enterprise™ by helping organizations meet recovery time and point objectives (RTPO™) of < 15 minutes for all applications and data, through a fundamentally new kind of solution that delivers high-speed recovery, data loss avoidance, verified protection, leveraged data and complete visibility. Veeam Availability Suite™, which includes Veeam Backup & Replication™, leverages virtualization, storage, and cloud technologies that enable the modern data center to help organizations save time, mitigate risks, and dramatically reduce capital and operational costs.

Founded in 2006, Veeam currently has 47,000 ProPartners and more than 242,000 customers worldwide. Veeam‘s global headquarters are located in Baar, Switzerland, and the company has offices throughout the world. To learn more, visit http://www.veeam.com.

About the Author

https://twitter.com/RickVanover

https://twitter.com/veeam

http://www.veeam.com

https://www.veeam.com/data-center-availability-suite.html

https://www.veeam.com/vm-backup-recovery-replication-software.html

http://www.veeam.com



Date post:	23-Jun-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Veeam Availability Platform Designs for Ransomware ...€¦ · In this brief, Veeam® will share...

Documents