Veeam Backup & Replication 9.5 Update 3 — Infrastructure Hardening

Edwin Weijdema, Solutions Architect

© 2018 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.

Upload: vutram

Post on 21-Oct-2018

Veeam Backup & Replication Hardening Guide

Executive summary

Running your infrastructure in a secure configuration is a daunting task even for security professionals. Securing your systems and data with Veeam® Backup & Replication™ is a good starting point, but these Veeam components should also be adequately protected to make sure your systems and data are confidential, integral and available any time.

Protecting your Veeam Availability infrastructure successfully is all about understanding what and whom you are protecting your infrastructure against! Knowing what and whom you are protecting against makes taking the correct measures easier. One major measure at hand is hardening your Veeam Availability infrastructure.

This paper provides practical advice to help administrators, architects and security professionals harden their infrastructures following security best practices, so that they can confidently deploy their Veeam services and lower their chances of being compromised.

All software can be exploited. Software can be found anywhere today — the hardware in your infrastructure also contains software to run properly. It can exist as firmware or be embedded in the hardware on an EPROM. All software can have flaws that allow an attacker with enough motivation to exploit it. By hardening, you will make it much harder for an attacker to get anywhere quickly within your infrastructure, and he might skip your infrastructure and try someone else’s.

Target audience

Keeping today’s virtual data center available 24.7.365 requires more and more knowledge beyond the backup and recovery tools themselves. Infrastructure hardening is no exception. It involves knowledge on a broad scope of areas like security measures, technology, data management, and people and processes.

This paper is written for any administrator, architect or security professional responsible for keeping services available 24.7.365. Understanding the different possibilities and their effects on the different parts in the Veeam Backup & Replication infrastructure should give insights into how countermeasures could aid and harden the infrastructure. A basic understanding of the different functions of the Veeam components is a prerequisite.

Introduction

Hardening is about securing the Veeam Availability infrastructure against attacks by reducing its attack surface and thus eliminating as many risks as possible. Adequate security starts at the base with a thoughtful design.

Proper protection starts with a secure design, which looks at placing the Veeam components and the way they interoperate with different infrastructure components, processes and people. Adding security to an already existing infrastructure is much harder and costlier than thinking about it while designing a new or refreshing an existing infrastructure.

You want to harden your Veeam Availability infrastructure because adding protection is a delicate balance between security and operational efficiency. When you know where the data is flowing through your infrastructure, you can place the different Veeam components correctly, which allows you to control access to these systems and deploy countermeasures to reduce the attack surface of the Veeam components.

Contents

Executive summary
Target audience
Introduction
Secure by design
Segmentation using zones
    Untrusted zone
    DMZ
    Management zone
    Trusted zone
    Restricted zone
    Audit zone
Countermeasures
    Remove unused components
    Master image
    Patching
    Firewalls
    Veeam Backup & Replication server
    Veeam Backup Enterprise Manager
    Ports per component
    Encryption
    Configuration database
    Veeam Backup Enterprise Manager
    Back up data in rest
    Education
Access to systems
    Required permissions
    Access control policy
    Password management policy
    Veeam Backup & Replication database
    Backup repository
    Communication channel
Visibility
    History
    Trip-wire
    Alerts
Appendix A: How to remove the Veeam backup console
    Steps to uninstall the console properly

Secure by design

Overly complex designs become harder for the IT team to manage and oversee, and they make it easier for an attacker to exploit them and stay in the shadows. Simpler designs that can be easily viewed are more secure.

Figure 1 - Veeam Major components overview

The Veeam Availability infrastructure is comprised of several components which cooperate. The six major components are:

1. Veeam Backup & Replication server — core component that acts as a configuration and control center for the backup infrastructure

2. Veeam proxy — a “data mover” component used to retrieve VM data from the source storage, process it and deliver it to the target

3. Veeam backup repository — a location used to store backup files, VM copies, configuration backups (BCO) and auxiliary replica files

4. Veeam Backup & Replication console — a client-side component that provides access to the backup server and lets you log in to Veeam Backup & Replication and perform all kinds of data protection and disaster recovery operations as you work on the backup server

5. Microsoft SQL Database Server — holds the Veeam Backup & Replication and Veeam Backup Enterprise Manager configuration database instances

6. Veeam Backup Enterprise Manager — an optional component intended for distributed enterprise environments with multiple backup servers, which it will federate into a single “pane of glass,” accessible through a web browser.

You should consider the Veeam Backup & Replication server to be the Number 1 target on your infrastructure, so it should have strict access. As a rule, the backup server is the single greatest target a hacker can claim in your infrastructure. A close-second major target is the backup repositories, which hold all data and systems encapsulated in the backup files.

Segmentation using zones

Ultimately, all security is about protecting a valuable asset — in this case, it is data — but that protection involves a defense-in-depth strategy that includes all layers. To build a defense-in-depth strategy, you should identify the most valuable data and build layers of defense around it to protect its Availability, integrity and confidentiality.

A zone is an area having a particular characteristic, purpose, use and / or particular restrictions. By using zones, you have an effective strategy for reducing many types of risks. While securing your environment more granularly, you will also lower costs associated with it. Instead of protecting everything with the same level of protection, you associate systems and information to specific zones. As a side effect, systems that are subject to regulatory compliance can be grouped in subzones to limit the scope of compliance checking and, therefore, reduce costs and time needed to complete long-winded audit processes.

Think about the importance of the data and systems in that particular zone and who should have access to it. Communication is only allowed between systems in adjacent zones. A common data classification for a zone is about shared Availability, confidentiality, integrity, access controls, audit, logging and monitoring requirements.

These common characteristics and requirements inherently lead to some level of isolation, but this isolation occurs not just between zones, but also within zones. The isolated areas within a zone are called subzones.

The attack surface of data and systems within a zone can be significantly reduced by exposing a limited number of services through the zone’s perimeter and implementing strict access controls to limit access to specific groups of users. A potential attacker would have to gain access to all of the outer zones before getting to the restricted zone where the critical data is stored, reducing the likelihood of data theft or data mutilation. In addition, you are increasing the Availability of these critical systems.

You could use a zone model as a strategic defense model, which divides the different Veeam components into separate zones. Keep the following rules in mind while designing:

1. Secure by design

2. Know what is important to secure and rank it

3. Know your attack vectors and possible ways to secure them

4. Use the principle of least privilege

5. Have insight into costs and benefits

Important: Be aware that there is no silver bullet that will solve your security needs! There are numerous ways to achieve your goal. Security is a state of mind and needs to be looked after every single day. If you think you are secure because you followed all best practices, you have a false sense of protection! Look at your organization's needs and then choose the way that best fits your organization, taking into consideration money (budget), risks (attack vectors) and possible outcome (How does it fit in? What would be the damage?).

Figure 2 – Example using zones to harden the infrastructure

Implementing zones can be done in several ways, depending on the approach you choose. But keep in mind that most of the threats nowadays are coming from the inside. Dividing your infrastructure into zones is a great way to provide better visibility into parts of greater importance. Without visibility, it is nearly impossible to gain control and detect threats early. For hardening the Veeam Availability infrastructure components, we place them in several logical zones.

One of the highest sought-after attack vectors will be gaining access to management accounts and components. This will allow an attacker to gain access to most parts of the infrastructure instantly. While looking over the major Veeam Backup & Replication components, you will notice that there are three management components available: the Veeam Backup & Replication console, also referred to as console; the Veeam Backup & Replication server, which is the core component orchestrating all different jobs and ordering movement of data through the infrastructure; and the Veeam Backup Enterprise Manager, which federates multiple backup servers into a single pane of glass. Let’s place all major Veeam Availability components into these defined zones.

Untrusted zone

To keep a balance between security and operational efficiency, you do not want to install the Veeam Backup & Replication console on any system outside of your organization’s infrastructure. But for operational efficiency, you want to give your administrators the ability to connect to the infrastructure from any device and any location through remote access with only a keyboard, mouse and video at their disposal.

For operational efficiency, you do not want to install Veeam Backup & Replication console on machines with poor connections / long distance because there can be between 50 – 400 MB of data transferred between the console and backup repository when starting the console. If the first file mount is performed over a slow connection, it may take a considerable time to load the file-level recovery wizard. If there is significant latency between the backup repository and console, it is recommended to deploy an instance of the console on or closer to the repository server.

Deploy a firewall on the perimeter between the untrusted zone and the DMZ. On the firewall and / or dedicated RDS Gateway Server, add two-factor authentication for remote administrators to access the RDS Gateway. Deny the mapping of drives, printers, clipboards, etc. on the RDS Gateway to secure your infrastructure against the dropping of content or files from any remote machine.

DMZ

The DMZ houses systems that require exposure to the untrusted zone. This zone provides access between systems in the DMZ and the management zone. Also, all traffic should be funneled through systems in the DMZ to reach internet resources. The systems deployed in this zone should be tightly controlled and hardened to reduce attack surface.

The Veeam Backup & Replication console is a client-side component that provides access to the backup server. The console lets several backup operators and admins log in to Veeam Backup & Replication simultaneously and perform all kinds of data protection and disaster recovery operations as you work on the backup server.

Install the Veeam Backup & Replication console on a central management server that is positioned in the DMZ and make sure it's protected with two-factor authentication. You can also install other infrastructure tools on this management server, such as the Microsoft VMM Console and / or VMware vSphere Client to manage your hypervisor deployment.

The Veeam Backup Enterprise Manager will also be in the DMZ because it serves as a self-service portal for specific user groups in the organization.

Management zone

In the management zone, you place infrastructure services like DNS, Active Directory and SMTP, as well as the VMware vCenter Server and / or Microsoft System Center Virtual Machine Manager (SCVMM). Of the Veeam components, the Veeam Backup & Replication server(s) will be in this management zone. The Veeam backup server will orchestrate all jobs and update all Veeam components in the different zones from a central location.

The Microsoft SQL Database Server, which is needed to host the Veeam backup database and the Veeam Backup Enterprise Manager database, should be placed in this zone if it is dedicated just for Veeam. It is a good practice to use a dedicated SQL Server to host the different SQL instances for infrastructure components and a different SQL Server for SQL instances for business processes. The Veeam Backup & Replication server is a heavy user of the SQL Server and placing the SQL Database Server close by gains you operational efficiency.

The VMware vCloud Director is part of a subzone within the management zone and controls the vApps running in subzones within the trusted zone.

The management zone requires secure and controlled access to the internet to download licenses and updates for different components in the infrastructure. It is highly recommended to use an internet proxy or reverse proxy situated in the DMZ as a controlled gateway to the internet.

All types of public cloud repositories should be placed in subzones within the untrusted zone. Organization data is leaving the security boundaries, so make sure that, as an extra precaution, data toward these cloud repositories is encrypted during transport and when stored in the cloud repository. If using Veeam Cloud Connect internally, you can also place your cloud repository in the restricted zone, but be sure to place it in a subzone. The Veeam Backup & Replication server will communicate with Microsoft Azure Proxy, AWS Storage Gateway, which performs the role of a virtual tape library (VTL), or the cloud gateway service for the transportation of data to the Veeam cloud service provider (Veeam Cloud Connect).

Trusted zone

The trusted zone will be populated with hypervisor hosts like VMware ESXi and / or Microsoft Hyper-V hosts. All components in the trusted zone will need access to different services in the management zone. The Veeam proxy servers, which are the data movers, are part of the trusted zone.

Veeam proxies can back up the VMs without having access to the guest OSs themselves. If you back up or replicate running VMs, you can enable guest processing options. Guest processing options are advanced tasks that require Veeam Backup & Replication to communicate with the VM guest OS. When VMs are separated in subzones, you can deploy and leverage the Veeam guest interaction proxy (GIP) in the trusted subzone, which will have secure access and deploys the needed runtime in the VM for guest processing tasks.

In the case that different business units or customers are running in the trusted zone, you should think about running them in subzones of the trusted zone. But be aware that overly complex designs can be counterproductive and give a misplaced feeling of being safe.

VMware vCloud Director vApps are also part of the trusted zone and would normally be divided into subzones per business unit or tenant. Veeam can capture whole vApps and vCloud Director configurations within the backup jobs.

Restricted zone

Primary storage, where production data and VMs reside, and other components that store data should be placed in this restricted zone. This zone should never be accessible by any user directly and should be available only to the virtual infrastructure components and application servers and administrators with strict rights. Also, the Veeam Scale-out Backup Repository™ (SOBR), simple repository, deduplication devices or cloud repository, when used in combination with Veeam Cloud Connect for the Enterprise (VCC-E), should be part of this zone. For organizations using VCC-E, it is possible to define cloud repositories on top of their SOBR or as separately defined cloud repositories in a restricted zone subzone.

Audit zone

Visibility is key to protect, detect and contain threats early. In this zone, monitoring solutions like Veeam ONE™ and / or Veeam Management Pack™ for System Center are placed. Also IDS and IPS systems should be placed in this audit zone.

Countermeasures

Within the hardening process of your Veeam infrastructure, there are several countermeasures to take to harden your Veeam Availability infrastructure against threats. These include removing unused components and making use of a master image to capture all hardening actions in an image off which the Veeam components can be based.

Remove unused components

Remove all nonessential software programs and utilities from the machines where the Veeam components are deployed. While these programs may offer useful features to the administrator, if they provide ‘back-door’ access to the system, they must be removed during the hardening process. Think about additional software like web browsers, Java, Adobe Reader and such. All parts that do not belong to the operating system or to active Veeam components must be removed. It will make maintaining an up-to-date patch level much easier.

Veeam Backup & Replication server:

• Remove the Backup & Replication console from the Veeam Backup & Replication server. The console is installed locally on the backup server by default. How to remove the Veeam backup console is further explained in Appendix A.

• Switch off the Veeam vPower® NFS Service if you do not plan on using the following Veeam features: SureBackup®, Instant VM Recovery® or other-OS file level recovery (FLR) operations

• Switch off the Guest Catalog Service when Veeam Backup Enterprise Manager is not being used

• Switch off the Distribution Service when no agents are being deployed / managed through the Veeam Backup & Replication server

• Switch off the cloud service when you are not running as a service provider or connecting to a service provider

Master image

In a virtual infrastructure, it is common practice to build up a master image, which has been hardened from the start. Remove all known attack vectors and only open access when Veeam components are added and need specific (port) openings or extra software to function properly. This way all builds are consistent and kept up-to-date, making it a secured base.

Most Veeam components are deployed on a Microsoft Windows Operating System — the only exception is the Veeam repository. With the Veeam repository, you have the choice between Windows or Linux as the operating system.

For help with hardening those master image(s), you can make use of the free benchmarks CIS provides. CIS Benchmarks help you safeguard systems, software and networks against today’s evolving cyberthreats. Developed by an international community of cybersecurity experts, the CIS Benchmarks are configuration guidelines for over 100 technologies and platforms.

Patching

Patch operating systems, software and firmware on infrastructure components — most hacks succeed because there is already vulnerable software in use which is not up-to-date with current patch levels. This is also a major reason not to install any other software on the components that run Veeam software. Make sure you have a process in place to regularly update the different components in your infrastructure with patches and software updates.

Veeam Backup & Replication can automatically notify you about updates that must or can be installed to enhance your work experience with the product. Update notifications eliminate the risk of using out-of-date components in the backup infrastructure or missing critical updates that can have a negative impact on data protection and disaster recovery tasks. To check for updates, Veeam Backup & Replication uses a special XML file on the Veeam Update Notification Server http://dev.veeam.com (HTTP – TCP port 80). The XML file contains information about the most up-to-date product version and patches.

Veeam Backup & Replication downloads an XML file from the Veeam Update Notification Server once a week. It also collects information about the installed product. The collected information is compared with the information in the downloaded file. If new product versions, patches and updates are available, Veeam Backup & Replication informs you about them. It does not automatically download update files to the Veeam server from the internet. An administrator will need to read the release notes, weigh if this update needs to be installed right away or during the patch window, and download the correct application archive.

To enable new product versions and update notifications:

1. From the main menu, select General Options.

2. Click the Notifications tab.

3. Select the Check for product and hypervisor updates periodically check box.

Note: If you cannot enable internet access for the Veeam backup server, you can manually check for updates on Veeam software at https://www.veeam.com/updates.html

Firewalls

Do not try to hide the ports and protocols in use with the wrong measures, such as replacing the protocol ports in use with other random ports. While this may look like a good choice at first, in practice it often makes the infrastructure harder to manage, which opens other possibilities for attackers. Obscurity is not security!

You can check which ports are in use by which service on a Windows system by running the following command in a command window:

netstat -bona > portlist.txt

Then open the created text file with:

notepad portlist.txt


Add local protection mechanisms, in addition to the border firewalls, intrusion detection, patching and such. You can make use of local mechanisms like up-to-date anti-malware, firewalls and network segmentation. This way, you create different rings-of-defense, slowing an attacker down.

To segment your infrastructure and Veeam Backup & Replication components, make sure the firewalls on the local server installations have the correct ports opened.

You can also deploy VMware NSX as a countermeasure with microsegmentation to make sure the attack surface is as narrow as possible without blocking everyone’s use of the services. Visibility into the network and all data flows is crucial to help you protect all different rings / cells within your infrastructure. You can add the Veeam components to NSX policies to make sure they can communicate with each other without opening it up to any user.

Deploying firewalls on every component in the infrastructure is a strong countermeasure, but it also requires you to understand how your applications work and how traffic flows through the infrastructure.

Figure 3 - Communication between Veeam components

Veeam components in general use ports 2500–5000 as data transmission channels (bi-directional). For every TCP connection that a job uses, one port from this range is assigned. Some specific connections and port assignments are described below to give more insight into the different traffic flows between the major Veeam components.

Veeam Backup & Replication server

The backup server is the heart of the Veeam Availability infrastructure and orchestrates all data flows. It will communicate with Active Directory when the Windows Server with Veeam Backup & Replication is added to the Active Directory domain. It can find the different Veeam components by communicating with the DNS server and asking for the IP address tied to the FQDN of the requested Veeam server. When email notifications are enabled — in the main menu, General Options, Email Settings — the backup server will communicate over port 25 SMTP with the mail server.


The backup server communicates with two internet addresses to check for updates (when enabled) and new license files (when enabled). Update notifications are obtained through http://dev.veeam.com and license files through secure access https://autolk.veeam.com. When a Veeam Backup Enterprise Manager is deployed, you can close the firewall for access coming from the backup server to https://autolk.veeam.com because the Veeam Backup Enterprise Manager will take precedence over the setting in the Veeam Backup & Replication server, and it will handle licensing updates.

The Veeam Backup & Replication server will communicate extensively with the SQL Database Server holding the Veeam backup database instance. Communication with VMware vCenter Server is a full object pull into the memory as the infrastructure cache is being populated. After that, it will wait on push commands from the vCenter Server on infrastructure changes.

For deploying Veeam Backup & Replication components, the backup server uses several ports, namely TCP/UDP ports 135, 137 to 139, 445. Additionally, TCP port 6160 is used by the Veeam Installer Service.
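The netstat -bona listing from the Firewalls section can be checked against the ports named so far. The following is an added example, not part of the original guide or of Veeam's tooling; the allowlist contains only the ports this guide mentions, and the sample listing and the unknown-tool.exe and other-app.exe names are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Allowlist built only from the ports this guide names. Assumption: extend it
# from the "Used Ports" pages for the components actually installed.
ALLOWED = {
    "TCP": [(135, 135), (137, 139), (445, 445), (2500, 5000), (6160, 6160)],
    "UDP": [(135, 135), (137, 139), (445, 445)],
}
DATA_CHANNELS = (2500, 5000)  # wide range: the owning process still needs review


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    process: Optional[str] = None  # filled from the "[image.exe]" line, if any


def parse_listeners(netstat_text: str) -> list[Listener]:
    """Return listening TCP and bound UDP sockets from `netstat -bona` output."""
    listeners: list[Listener] = []
    current: Optional[Listener] = None
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) in (4, 5) and fields[0] in ("TCP", "UDP"):
            state = fields[3] if len(fields) == 5 else None  # UDP rows have no state
            address, _, port = fields[1].rpartition(":")     # also splits "[::]:135"
            current = None
            if fields[0] == "UDP" or state == "LISTENING":
                current = Listener(fields[0], address, int(port), int(fields[-1]))
                listeners.append(current)
            continue
        owner = re.fullmatch(r"\s*\[(.+)\]\s*", line)
        if owner and current is not None:
            current.process = owner.group(1)
    return listeners


def in_ranges(port: int, ranges) -> bool:
    return any(low <= port <= high for low, high in ranges)


def unexpected(listeners, allowed=ALLOWED):
    """Listeners on ports the allowlist does not cover: candidates to close."""
    return [s for s in listeners if not in_ranges(s.port, allowed.get(s.proto, []))]


def data_channel_owners(listeners):
    """TCP listeners inside 2500-5000; a port match alone does not show Veeam owns them."""
    return [s for s in listeners if s.proto == "TCP" and in_ranges(s.port, [DATA_CHANNELS])]


# Constructed sample in the layout netstat -bona produces.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TermService
 [svchost.exe]
  TCP    0.0.0.0:6160           0.0.0.0:0              LISTENING       2316
 [VeeamDeploymentSvc.exe]
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       5180
 [unknown-tool.exe]
  TCP    10.0.0.5:2501          10.0.0.21:51234        ESTABLISHED     4012
 [VeeamAgent.exe]
  TCP    [::]:135               [::]:0                 LISTENING       884
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:137            *:*                                    4
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    1492
 [other-app.exe]
"""

if __name__ == "__main__":
    found = parse_listeners(SAMPLE)
    for s in unexpected(found):
        print(f"UNEXPECTED   {s.proto} {s.port} pid={s.pid} {s.process}")
    # 3389 (Remote Desktop) sits inside 2500-5000, so a port-only check passes it.
    for s in data_channel_owners(found):
        print(f"REVIEW OWNER {s.proto} {s.port} pid={s.pid} {s.process}")
```

Because the 2500–5000 data channel range is wide, the second report matters as much as the first: any non-Veeam process listening inside that range passes a port-only firewall review.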

Veeam Backup Enterprise Manager

You can instruct Veeam Backup Enterprise Manager to schedule an automatic connection with the Veeam licensing server and periodically send requests for a new license. To enable this setting, select the Update license key automatically check box on the Settings tab. With this setting enabled, Veeam will start requesting a new license weekly, and 7 days before the current license expiration date, daily. When this setting is enabled, it will have priority over any license setting made on a Veeam Backup & Replication server.

The Veeam Backup Enterprise Manager will communicate with the SQL Server holding the Veeam Backup Enterprise Manager database instance to store and retrieve its data. It will also ask every SQL Server holding a backup server database instance, which is tied to the Veeam Backup Enterprise Manager, to forward specific data to the Veeam Backup Enterprise Manager database.

The Veeam Backup Enterprise Manager service communicates to Active Directory over the high dynamic port range 49152-65535. This communication channel is also used when performing self-service restore.

Ports per component

Within the Veeam infrastructure, there are several components that use specific ports to communicate with other Veeam components in the data flow path. For the correct ports, see:

Veeam Backup Enterprise Manager — https://helpcenter.veeam.com/docs/backup/em/used_ports.html?ver=95

Veeam Backup & Replication for VMware vSphere — https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95#backup

Veeam Backup & Replication for Microsoft Hyper-V — https://helpcenter.veeam.com/docs/backup/hyperv/used_ports.html?ver=95#backup


Encryption

The encryption technology in Veeam Backup & Replication allows you to protect data both while it is in transit between backup components and at rest, when it is stored at its destination. This can be disk, tape or a cloud repository. You can use one of the encryption methods or a combination of both to protect against unauthorized access to important data while it flows through the infrastructure.

Enable encryption if you plan to store backups in locations outside of your security domain. While CPU usage for encryption is minimal for most modern processors, some amount of resources will still be consumed, so plan accordingly on the Veeam proxies (for backup and replication jobs) and repositories (for backup copy jobs and replica from backups).

When using job encryption, make sure to use strong passwords and develop a policy for changing them regularly. Veeam Backup & Replication helps with this since it tracks passwords’ ages. Store passwords in a secure location.

Besides the job-level encryption, Veeam Backup & Replication allows you to encrypt network traffic going between the source side and the target side. Network traffic encryption is configured as part of global network traffic rules that are set for backup infrastructure components. For network traffic encryption, Veeam Backup & Replication uses the 256-bit Advanced Encryption Standard (AES). Veeam Backup & Replication uses different encryption keys for every job session.

Configuration database

The configuration backup does not store any password by default. If you want to store the combination of used accounts and their passwords in the Veeam configuration database, switch on the option to encrypt the configuration backup.

To encrypt the configuration backup:

1. From the main menu, select Configuration Backup.

2. Select the Encrypt configuration backup check box.

3. From the Password field, select a password you want to use for encryption. If you have not created a password beforehand, click Add or use the Manage passwords link to specify a new password.


After you enable the encryption option, Veeam Backup & Replication will create encrypted configuration backups. Besides encryption keys, the created backups capture credential records specified in the credentials manager. When you restore data from such a backup, you will not have to enter passwords for the credential records again (unless the passwords for the credential records have changed by the time of the restore).

Veeam Backup Enterprise Manager

You can use Veeam Backup Enterprise Manager and connect backup servers to it to enable password loss protection. When making use of Veeam Backup Enterprise Manager, export a copy of the active keyset from Veeam Backup Enterprise Manager. The exported keyset is saved as a file in the .PEM format and contains private and public Veeam Backup Enterprise Manager keys. Store it on a portable device and in a secure location!

Backup data at rest

Backup and replica data is a significant potential source of vulnerability. To secure data stored in backups and replicas, follow these guidelines:

• Ensure physical security of target servers — check that only authorized personnel have access to the room where your target servers (backup repositories and hosts) reside.

• Restrict user access to backups and replicas — check that only authorized users have permissions to access backups and replicas on target servers.

• Encrypt data in backups — use Veeam Backup & Replication inbuilt encryption to protect data in backups.

To encrypt the content of backup files at the Storage step of the wizard, click Advanced. Then click the Storage tab and select the Enable backup file encryption check box. In the Password field, select a password that you want to use for encryption. If you have not created the password beforehand, click Add or use the Manage passwords link to specify a new password.


Backup data in flight

Backup and replica data can be intercepted in transit, when it is communicated from source to target over a network. To secure the communication channel for backup traffic, consider these guidelines:

• Isolate backup traffic: Use an isolated network to transport data between backup infrastructure components — backup server, backup proxies, repositories and so on (also see segmentation).

• Encrypt network traffic: By default, Veeam Backup & Replication encrypts network traffic traveling between public networks. To ensure secure communication of sensitive data within the boundaries of the same network, you can also encrypt backup traffic in private networks.

You can enable network traffic encryption for data going between the source side and target side. Network traffic encryption helps you raise the security level for your data. If encrypted data is intercepted in the middle of data transfer, the eavesdropper will not be able to decrypt it and get access to it.

Veeam Backup & Replication encrypts the network traffic according to the 256-bit Advanced Encryption Standard (AES). Data transferred between public networks is encrypted by default. If you want to enable network data encryption within the same network, you must create a network traffic rule for this network and enable the data encryption option for this rule.

To enable network traffic encryption within the same network:

1. From the main menu, select Network Traffic.

2. In the Global Network Traffic Rules window, click Add.

3. In the Source IP address range section, specify a source range of IP addresses in the network for which you want to enable data encryption.

4. In the Target IP address range section, specify a target range of IP addresses in the same network.

5. Select the Encrypt network traffic check box.

As a result, data traffic going between backup infrastructure components whose IP addresses fall into the source and target IP address ranges will be encrypted.
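A rule only protects the flows whose addresses fall inside both of its ranges, so it is worth checking planned rules against the actual component addresses. The following is an added planning aid, not Veeam code; the rule names, addresses and flows are constructed, and it assumes a flow is covered when its source-side address is in the rule's source range and its target-side address is in the target range, as described above.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficRule:
    name: str
    source: tuple[str, str]  # first and last address of the Source IP address range
    target: tuple[str, str]  # first and last address of the Target IP address range
    encrypt: bool            # state of the "Encrypt network traffic" check box


def in_range(ip: str, bounds: tuple[str, str]) -> bool:
    """True when ip lies inside the inclusive first-last range."""
    addr = ipaddress.ip_address(ip)
    first, last = (ipaddress.ip_address(b) for b in bounds)
    if first.version != last.version or first > last:
        raise ValueError(f"invalid range {bounds[0]}-{bounds[1]}")
    return addr.version == first.version and first <= addr <= last


def encrypting_rule(source_ip: str, target_ip: str, rules):
    """Return the first rule that encrypts this flow, or None."""
    for rule in rules:
        if (rule.encrypt
                and in_range(source_ip, rule.source)
                and in_range(target_ip, rule.target)):
            return rule
    return None


def unencrypted_flows(flows, rules) -> list[str]:
    """Names of flows that no encrypting rule covers."""
    return [name for name, src, dst in flows
            if encrypting_rule(src, dst, rules) is None]


# Constructed rules and flows inside one private network.
RULES = [
    TrafficRule("proxies-to-repos",
                ("10.10.1.20", "10.10.1.49"), ("10.10.1.100", "10.10.1.119"), True),
    TrafficRule("copy-jobs",
                ("10.10.1.100", "10.10.1.119"), ("10.10.1.200", "10.10.1.209"), False),
]
FLOWS = [
    ("proxy01 -> repo01", "10.10.1.21", "10.10.1.100"),
    ("proxy03 -> repo01", "10.10.1.50", "10.10.1.100"),    # proxy outside the source range
    ("repo01 -> copyrepo", "10.10.1.100", "10.10.1.200"),  # rule exists, check box not selected
]

if __name__ == "__main__":
    for name in unencrypted_flows(FLOWS, RULES):
        print("not encrypted by any rule:", name)
```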


Education

Educate your staff by creating an employee awareness training to make sure that your employees are aware of strange behavior and of their critical roles in protecting the organization’s services and data. This is not only for the IT department, but for everyone within the organization because every organization is rapidly becoming an IT company. Train your staff handling the Veeam Availability infrastructure, so they carefully look at how placement of Veeam components is done, how they can be accessed and who should have no access at all on different levels.

Have a recovery strategy in place. Before you find out your infrastructure is breached, you should know what to do when being compromised through attacks. Educate the staff responsible for the Veeam Availability infrastructure to make sure that backups cannot be accessed by an attacker to wipe them out. An off-site copy (air-gap) on any media is highly recommended to survive any attack.


Access to systems

One of the most sought-after attack vectors will be gaining access to management accounts and components. This will allow an attacker to gain access to most parts of the infrastructure. Make sure you have an account segmentation in place where you use different Veeam service accounts for different services / servers. Make use of the principle of least privilege for those service accounts and do not log in with such a service account to avoid keyloggers grabbing a password with management access.

Required permissions

Use the principle of least privilege. Provide the minimal required permissions needed for the accounts to run. The accounts used for installing and using Veeam Backup & Replication must have the following permissions.

If VMware vCenter Server is added to the backup infrastructure, an account that has administrator permissions is required. Instead of granting administrator permissions to the account, you can configure more granular permissions.

Veeam has identified the minimum permissions required for the various software functions. Review the “Required Permissions” document and configure the accounts used by Veeam Backup & Replication to meet these requirements.

Particularly, backup proxies must be considered the target for compromise. During backup, proxies obtain from the backup server the credentials required to access virtual infrastructure servers. A person having administrator privileges on a backup proxy can intercept the credentials and use them to access the virtual infrastructure.

Access control policy

Deploy an access control policy because managing access to management components is crucial for good protection. Use the principle of least privilege. Provide the minimal privilege needed for an operation to occur. If a process or system is exploited, you don’t want to allow an attacker to gain any more access than is minimally required.

Containment is key to keep the attackers from moving around too easily. Some standard measures and policies are:

• Do not use user accounts for admin access, reducing incidents and accidents

• Give every admin his own admin account, so it is traceable and visible

• Only give out access to what is needed for the job — principle of least privilege

• Limit users who can log in using remote access

Password management policy

Use a clever password management policy that works for your organization. Enforcing the use of strong passwords across your infrastructure is a valuable control. It’s more challenging for attackers to guess passwords / crack hashes to gain unauthorized access to critical systems. Selecting passwords of 10 characters with a mixture of upper and lowercase letters, numbers and special characters is a good start. Adding two-factor authentication for admin accounts is also wise to look at, depending on what you need to protect.

You need a lockout policy that complements a strong password policy. Accounts will be locked after a small number of incorrect attempts. This can stop password guessing attacks dead in the water. But be careful as this can also lock everyone out of the system for a period! For service accounts, sometimes it is better just to raise alarms fast instead of locking the accounts. This way, you gain visibility into suspicious behavior toward your data / infrastructure.


Veeam Backup & Replication database

The Veeam Backup & Replication configuration database stores credentials to connect to virtual servers and other systems in the Veeam Backup & Replication infrastructure. All passwords stored in the database are encrypted. However, a user with administrator privileges on the backup server can decrypt the passwords, which presents a potential threat.

To secure the Veeam Backup & Replication configuration database, follow these guidelines:

• Restrict user access to the database: Check that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).

• Encrypt data in configuration backups: Enable data encryption for configuration backup to secure sensitive data stored in the configuration database.

Backup repository

Backup repositories store backup files on storage tied to the backup repository. You can limit the amount of access to these file locations by enabling only the Veeam service account to have access to the backup files. Use different service accounts for every repository in use — NTFS or ReFS rights on Windows and CHMOD rights on Linux.

Communication channel

Veeam Backup & Replication uses SSH to communicate with Linux servers deployed as part of the backup infrastructure. Make sure to use a strong and proven encryption algorithm with sufficient key length for the SSH tunnel you use. Ensure that private keys are kept in a highly secure place and cannot be uncovered by a third party.


Visibility

Creating visibility into what goes on in the infrastructure is a major part of hardening your infrastructure. You can do this by making sure you will notice when an attack is taking place or has taken place, and then making sure logs and traces are saved for law enforcement and security specialists when needed. Ransomware attacks are highly visible when you are hit, but most hackers prefer to not expose themselves. They know that it is invaluable to have access and control infrastructures without anyone knowing.

History

Veeam Backup & Replication can store a history about which jobs have run in the past. This is extremely useful if you want to find out if something strange went on in your environment.

You can specify session history settings for jobs performed on the backup server.

1. From the main menu, select General Options.

2. Click the History tab.

3. In the Sessions section, specify the number of sessions to display in the Sessions list of the History view.

4. In the Session history retention section, specify the number of weeks for which Veeam Backup & Replication must keep session information in the configuration database.

Trip-wire

To know when you are under attack or have been breached, it is vital to have visibility into the whole data flow path. You should be able to know what is ‘normal behavior’ and what is NOT. Monitor your accounts and infrastructure for suspicious activity. Place virtual trip-wires, like creating a non-used admin account with alarms tied to it. When any activity on that account is observed, it will trigger a red alert instantly.
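The trip-wire account, the advice to alarm fast on service accounts instead of locking them, and the rule not to log in with service accounts can all be expressed as detection logic over logon events. The following is an added example, not part of the original guide; the account names, the simplified JSON event shape and the sample events are constructed, while 4624/4625 and logon types 2 and 10 are the standard Windows Security log values.

```python
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical account names; replace with your own.
DECOY_ACCOUNTS = {"adm-backup-old"}                 # unused admin account (trip-wire)
SERVICE_ACCOUNTS = {"svc-veeam-proxy", "svc-veeam-repo"}

LOGON, FAILED_LOGON = 4624, 4625                    # Windows Security event IDs
INTERACTIVE_TYPES = {2, 10}                         # interactive, remote interactive
WINDOW, THRESHOLD = timedelta(minutes=5), 3         # assumed alerting threshold


def load_events(json_lines: str) -> list[dict]:
    return [json.loads(line) for line in json_lines.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, account, time) alerts, processing events in time order."""
    alerts = []
    failures = defaultdict(deque)  # account -> times of recent failed logons
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user, when = ev["user"].lower(), datetime.fromisoformat(ev["time"])
        if user in DECOY_ACCOUNTS:
            # Any activity at all on the decoy account is an alert.
            alerts.append(("TRIPWIRE", user, ev["time"]))
        elif user in SERVICE_ACCOUNTS:
            if ev["event_id"] == LOGON and ev.get("logon_type") in INTERACTIVE_TYPES:
                alerts.append(("INTERACTIVE_SERVICE_LOGON", user, ev["time"]))
            elif ev["event_id"] == FAILED_LOGON:
                recent = failures[user]
                while recent and when - recent[0] > WINDOW:
                    recent.popleft()
                reached = len(recent) == THRESHOLD - 1  # this failure hits the threshold
                recent.append(when)
                if reached:
                    alerts.append(("SERVICE_ACCOUNT_FAILURES", user, ev["time"]))
    return alerts


# Constructed events, one JSON object per line.
SAMPLE_EVENTS = """
{"time": "2018-10-21T02:10:05", "event_id": 4625, "user": "svc-veeam-proxy", "logon_type": 3}
{"time": "2018-10-21T02:10:40", "event_id": 4625, "user": "svc-veeam-proxy", "logon_type": 3}
{"time": "2018-10-21T02:11:15", "event_id": 4625, "user": "svc-veeam-proxy", "logon_type": 3}
{"time": "2018-10-21T02:11:50", "event_id": 4625, "user": "svc-veeam-proxy", "logon_type": 3}
{"time": "2018-10-21T02:30:00", "event_id": 4624, "user": "svc-veeam-repo", "logon_type": 5}
{"time": "2018-10-21T02:41:12", "event_id": 4624, "user": "svc-veeam-repo", "logon_type": 10}
{"time": "2018-10-21T03:02:09", "event_id": 4768, "user": "ADM-BACKUP-OLD"}
{"time": "2018-10-21T09:15:00", "event_id": 4625, "user": "jdoe", "logon_type": 2}
"""

if __name__ == "__main__":
    for rule, account, time in detect(load_events(SAMPLE_EVENTS)):
        print(f"{time}  {rule:28} {account}")
```

Ordinary user accounts are left to the lockout policy; only the decoy and service accounts raise alerts here.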


Alerts

There are several systems out there that can alert you to suspicious behavior when someone is snooping around and is trying to gain access to your infrastructure. It is important to get alerts as soon as possible while defending against other attacks like viruses, malware and ransomware. The biggest fear of these attacks is that they may propagate to other systems fast. Having visibility into potential ransomware activity is a big deal.

Example systems that could help you create visibility are:

1. Veeam ONE 9.5 has a predefined alarm called “Possible ransomware activity.” This alarm will trigger if there is a high CPU utilization combined with lots of writes to disk.

2. VMware vRealize Network Insight can take VMs, objects, groupings and their physical elements and easily fingerprint the application and determine the internal and external flows, the client connections, etc. This way, you get an analysis of what is ‘normal’ behavior and what is not.

3. VMware vCenter or Microsoft SCVMM has alerts that are triggered on virtual trip-wires.

4. You can also deploy VMware NSX as a countermeasure with microsegmentation to make sure the attack surface is as narrow as possible without blocking everyone’s use of the services. Visibility into the network and all data flows is crucial to help you protect all different rings / cells within your infrastructure. NSX provides the insight into traffic flows, which currently could be a blind spot.


Appendix A: How to remove the Veeam backup console

Disclaimer: This functionality hasn’t been thoroughly tested by the Veeam QA department, and therefore we cannot guarantee Veeam products to work properly in this configuration. This relates to both uninstalling and installing products in such a succinct mode on a remote computer.

The Veeam Backup & Replication console is a client-side component that provides access to the backup server. The console lets several backup operators and admins log in to Veeam Backup & Replication simultaneously and perform all kinds of data protection and disaster recovery operations as if you work on the backup server. The console is installed locally on the backup server by default.

While hardening the infrastructure, you might want to remove all nonessential and unused software and utilities. While these programs may offer useful features to the administrator, if they provide back-door access to the system, they must be removed during the hardening process.

A good practice is to install the Veeam Backup & Replication console on a central management server that is positioned in a DMZ and protected with two-factor authentication. Do NOT install the console on the local desktops of backup and recovery admins.

Steps to uninstall the console properly

The console cannot be removed through the installer or by using Add / Remove in Windows. With the following steps, you can properly remove the console and all its components and clean up the install if needed.

Step 1

Open a cmd prompt with administrative access.

Step 2

On the command prompt, type:

wmic product list brief > installed.txt

This will create a text document with all installed products and their respective product codes.


You will get output similar to the picture above, listing all installed programs and their corresponding IdentifyingNumber in {brackets}.

Step 3

For uninstalling the Veeam Backup & Replication console, first uninstall all Veeam Explorers™:

• Veeam Explorer for Microsoft Exchange

• Veeam Explorer for Microsoft SharePoint

• Veeam Explorer for Microsoft Active Directory

• Veeam Explorer for Microsoft SQL Server

• Veeam Explorer for Oracle

You can uninstall these components through the command prompt using the Msiexec command: msiexec /x {ProductCode}

An example for uninstalling the Veeam Backup & Replication console is: msiexec /x {D0BCF408-A05D-45AA-A982-5ACC74ADFD8A}

Step 4

Clean up the extra installed components from when you installed the Veeam Backup & Replication console as a standalone product on a machine through the Setup.exe menu.

Uninstall the following components, but make sure no other applications are using them prior to the uninstall. For commands, see Step 3:

• Veeam Mount Service

• Veeam Backup Transport

• Microsoft System CLR Types for SQL Server 2014

• Microsoft SQL Server 2014 Management Objects (x64)


Step 5

After uninstalling is finished, restart the machine.

Step 6 (Optional) 

You can remove the installation folder on C:\Program Files\Veeam\Backup and Replication

There is also a hidden folder called C:\ProgramData, and in this folder, a Veeam folder is created during installation.

You can remove this folder by opening an Explorer window and opening the View tab. Now, select the Hidden items check box in the upper right corner to show the C:\ProgramData folder.


Step 7 (Optional)

After you have removed all components and want to install a fresh copy of the Veeam Backup & Replication console, you can use the Microsoft command Msiexec without starting up the Setup.exe.

On the installation media, there is an MSI file in the Backup folder called Shell.x64.msi. This is the console. Use the following command:

msiexec /i "{DriveLetterMountedISO}:\Backup\Shell.x64.msi" /L*V "C:\log\logfile.log"

which installs the selected product and creates a log file that may be useful when you check if everything worked successfully. For more information about the Microsoft Msiexec command, please see this link.
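Steps 2 to 4 can be prepared from installed.txt before anything is removed. The following is an added example, not part of the original guide or of Veeam's tooling: it parses the wmic listing and prints the msiexec commands in the order the appendix gives, marking the Step 4 components that need a check first. The sample listing, the all-zero product codes and the "Veeam Backup & Replication Console" display name are assumptions.

```python
from __future__ import annotations

import re

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
ROW = re.compile(r"^(?P<caption>.+?)\s+(?P<code>" + GUID + r")(?:\s|$)")

EXPLORER_PREFIX = "veeam explorer for "
CONSOLE = "veeam backup & replication console"  # assumed display name of the console
SHARED = [  # Step 4: confirm no other application uses these before removal
    "Veeam Mount Service",
    "Veeam Backup Transport",
    "Microsoft System CLR Types for SQL Server 2014",
    "Microsoft SQL Server 2014 Management Objects (x64)",
]


def decode_wmic(raw: bytes) -> str:
    """Redirected wmic output is usually UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def norm(name: str) -> str:
    """Collapse runs of spaces and ignore case when comparing product names."""
    return " ".join(name.split()).lower()


def parse_products(listing: str) -> list[tuple[str, str]]:
    """Return (caption, product code) for every row that carries a product code."""
    products = []
    for line in listing.splitlines():
        row = ROW.match(line.strip())
        if row:
            products.append((" ".join(row["caption"].split()), row["code"]))
    return products


def uninstall_plan(products) -> list[tuple[str, str, str, bool]]:
    """Return (step, product, command, confirm_first) in the appendix's order."""
    explorers = [p for p in products if norm(p[0]).startswith(EXPLORER_PREFIX)]
    console = [p for p in products if norm(p[0]) == CONSOLE]
    by_name = {norm(name): (name, code) for name, code in products}
    shared = [by_name[norm(n)] for n in SHARED if norm(n) in by_name]
    plan = [("3", name, f"msiexec /x {code}", False) for name, code in explorers + console]
    plan += [("4", name, f"msiexec /x {code}", True) for name, code in shared]
    return plan


# Constructed listing; all-zero product codes are placeholders, not real codes.
SAMPLE = """\
Caption                                              IdentifyingNumber                       Name                                                 Vendor     Version
Microsoft SQL Server 2014 Management Objects  (x64)  {00000000-0000-0000-0000-000000000004}  Microsoft SQL Server 2014 Management Objects  (x64)  Microsoft  1.0
Veeam Backup & Replication Console                   {D0BCF408-A05D-45AA-A982-5ACC74ADFD8A}  Veeam Backup & Replication Console                   Veeam      1.0
Veeam Backup Transport                               {00000000-0000-0000-0000-000000000003}  Veeam Backup Transport                               Veeam      1.0
Veeam Explorer for Microsoft Exchange                {00000000-0000-0000-0000-000000000001}  Veeam Explorer for Microsoft Exchange                Veeam      1.0
Veeam Explorer for Oracle                            {00000000-0000-0000-0000-000000000002}  Veeam Explorer for Oracle                            Veeam      1.0
VMware Tools                                         {00000000-0000-0000-0000-000000000005}  VMware Tools                                         VMware     1.0
"""

if __name__ == "__main__":
    listing = decode_wmic(SAMPLE.encode("utf-16"))  # same encoding as a real installed.txt
    for step, name, command, confirm in uninstall_plan(parse_products(listing)):
        note = "  (confirm nothing else uses it)" if confirm else ""
        print(f"Step {step}: {command}  # {name}{note}")
```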
