Solved

Air Walled DPM 2012 R2 Backups

Posted on 2015-01-09
13
209 Views
Last Modified: 2015-01-13
Hi all,

I have a DPM 2012 R2 in use, to backup Hyper-V 2012 R2 workloads across a bunch of servers. It's working great and I'm very happy with it.

The only issue I have is that the backups are accessible in the same network as the content they're backing up. So, for example, if someone in the same network decided to be malicious, they could delete the source but also the backup.

What I want to know is, without resorting to tapes, is there a somewhat simple way I can backup DPM to two other machines? I have two spare machines each with sufficient disk space to hold another copy of the DPM data that I'd like to use, in a rotation, so I can have the one not in use physically disconnected from the network, thus protecting it from a malicious attack.

I suppose I could try WSBU to backup DPM but I have a feeling that would be a disaster. I know I can chain DPM 2012 R2 servers but the chain has to be sequential, so this doesn't solve my problem, as all 3 servers would still need to be on the network at the same time.

Does anyone have any ideas? Microsoft says 3rd party products can be used to back up DPM but I'm not sure which ones are appropriate and I also kind of feel like this is probably achievable in the Microsoft world?

Any help would be appreciated.
0
Comment
Question by:HostOne
  • 7
  • 6
13 Comments
 
LVL 4

Author Comment

by:HostOne
ID: 40539710
Hmmm:
Perhaps this would work, actually: http://www.starwindsoftware.com/vtl-page 

Then trick DPM into thinking I have two tapes, which are really disks, and use those.

Thoughts?
0
 
LVL 4

Author Comment

by:HostOne
ID: 40539734
http://www.quadstor.com/virtual-tape-library.html
Better yet - it's free! I think I've answered my own question, sorry, unless someone has a better idea?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40540413
All aspects of DPM should be in an administrator only context. A standard user should not be able to touch anything DPM related.

What exactly is being asked here?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 4

Author Comment

by:HostOne
ID: 40541943
What I am saying is this. I have an existing DPM backup. Great. Works well and I am very happy with the product. What I want is to then _extend_ that backup offsite - but not using tapes. Let's assume the entire building blows up or, more likely, someone malicious gets in the network and deletes everything. If the backup is in the same network, no matter how cleverly you've segmented the network, if you can reach it - so can an attacker. So I want to have a rotation of disks that DPM can backup to, that can be taken away and disconnected from the network - airwalled - so no matter what someone does to the network, the backups cannot be reached.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40542686
What volume of data needs to be off-site?

Cloud backup is one option.

A data centre with a good connection to disaster recovery site would be another.

Hyper-V Replica would be an option to a disaster recovery site or Azure.

There are options.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40542702
Thanks for your options Phillip, however none of them provide an airwalled solution. I do really appreciate the response, none the less.

I already use Hyper-V replica to a second site and cloud based backups are not airwalled - they're still in the same network (also cost prohibitive for me, as I am talking about around 100TB of data - based on their pricing calculator, here: http://azure.microsoft.com/en-us/pricing/details/backup/ - this comes to an insane $20,190 Australian dollars a month! I could pretty much build my own datacentre for that).

So if I used Azure based backup (integrated into DPM) and someone untoward gets into my network and onto the DPM server, they can still delete the Azure backup. Likewise for all other cloud based solutions. Most of them require a VPN / MPLS or client based connection, so no matter how you do it, you still require a live and continuous network connection to the destination - and that allows the attacker the option of deleting not only your data but also your offsite backups. This has actually happened in the real world.

What I want is a backup destination that can be physically removed from the network. So someone can burn my stuff to the ground, end-to-end and I still have data that's outside the network and untouchable. Basically like tapes, however backing up 100TB to tape require libraries and multi-tapes and I've been in this industry long enough to so those go bad so many times I've just got no faith in them (more than once I've been called in to a place who had tape backups, needed to DR and found out the tapes hadn't been working, despite success reports, for months).

As it stands, I oddly enough have two spare physical machines with 100TB of storage capacity.

What I am imagining is a way to connect them to my network, one at a time, in a rotation, to store another copy of the DPM backup on, then rotate them every few days (basically pull the network cable out of one and stick it in the other), leaving one of the two disconnected at all times.

I see DPM supports chains but only linear chains, so that doesn't help.

I am thinking virtual tape libraries could be the answer.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40542718
We have off-site rotations that involve NAS setups with the data being encrypted.

100TB? Ouch. That's forklift territory. :)

Off the wall: Intel R1208JP4OC with dual RS25GB008 SAS HBAs. DataON DNS-1660 loaded up with enough 4TB drives to give you enough storage for so many years of backups. If in the same data centre plug in, back up, unplug. Have a couple or three of the DNS-1660 units physically rotated out. Or, have one in Melbourne, one in Sydney, and another rotated about and kept somewhere secure.

Enforced 2FA like AuthAnvil would give you the extra level of protection. Only key folks would have a SoftFob or key fob. At least that would eliminate access via network breach.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40542741
What do you use for the offsite NAS rotations? Not just the hardware but how do you manage the rotation (software)?

My big concern is a situation like this: http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html. In that case, someone got in and had root level access. They then went on and destroyed everything.

We obviously take every security precaution we reasonably can, however I'd sleep better at night knowing there was an airwalled solution in place.

2FA is a good idea and we're in the process of moving all our equipment to it, now but even with it, if you had domain admin/root access and you got in, you could just destroy the storage targets, even if you couldn't read them.

As for the 100TB machines - we can do that in (almost) in a single RU, for just under $5,000 AUD each, if you're interested in how. You buy a Quanta STRATOS-S100-L11D (http://www.quantaqct.com/Product/Servers/Rackmount-Servers/1U/STRATOS-S100-L11D-p152c77c70c83c85) - they're under $2,000 AUD with say 8GB of RAM and a single CPU. You then put 12*8TB Seagate disks ($250 each) in them and there you go, almost 100TB for less than 5 grand (ok 90TB odd with redundancy). Desktop grade disks but it's a backup of a backup and I still have redundancy, so I don't really care.
0
 
LVL 38

Accepted Solution

by:
Philip Elder earned 500 total points
ID: 40543451
For the NAS setup we are using ShadowProtect with its ImageManager setup to back up to Synology or Q-Nap NAS boxes. They are set up identically so it's a matter of shut down, pull the plugs, swap, and power up.

We use Quanta's 60 bay JBOD for our Scale-Out File Server solution set that get's deployed into data centres for IT Pros that want to deliver IaaS to clients. We've been quite happy with their product.

The 1U form factor is pretty intriguing but not really great for pulling and carrying out. Though, it does beat a 60 drive JBOD unit! :)

This is definitely a harder nut to crack than first anticipated.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40544033
ShadowProtect may be an option - thanks, I'll look into it (from memory they charge for size, though, so I think that's going to play out badly, for me). I am a little worried it might interfere with DPM, too.

I think the virtual tape library option is the best. That way, I can still use DPM, it will think it's backing up to massive tapes and I can just "rotate" my two servers by swapping the network cable from one to the other.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40544679
They charge by physical or virtual install. If virtual the price is very reasonable the more VMs are to be covered.

All of our SMB/SME clients are backed up in this way.

We are looking into Veeam as an alternative for more complex data centre based environments. We've not given DPM much consideration though that may change as the latest iteration seems to be a lot more Hyper-V cluster friendly.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40546189
Thanks for your help. I think I will try the Virtual Tape Library but your advice has been great.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40546619
You are welcome. Drop us a note here to indicate what solution worked or did not.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

VM backup deduplication is a method of reducing the amount of storage space needed to save VM backups. In most organizations, VMs contain many duplicate copies of data, such as VMs deployed from the same template, VMs with the same OS, or VMs that h…
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question