Solved

Air Walled DPM 2012 R2 Backups

Posted on 2015-01-09
Last Modified: 2015-01-13
Hi all,

I have a DPM 2012 R2 in use, to back up Hyper-V 2012 R2 workloads across a bunch of servers. It's working great and I'm very happy with it.

The only issue I have is that the backups are accessible in the same network as the content they're backing up. So, for example, if someone in the same network decided to be malicious, they could delete the source but also the backup.

What I want to know is, without resorting to tapes, is there a somewhat simple way I can back up DPM to two other machines? I have two spare machines each with sufficient disk space to hold another copy of the DPM data that I'd like to use, in a rotation, so I can have the one not in use physically disconnected from the network, thus protecting it from a malicious attack.

I suppose I could try WSBU to back up DPM but I have a feeling that would be a disaster. I know I can chain DPM 2012 R2 servers but the chain has to be sequential, so this doesn't solve my problem, as all 3 servers would still need to be on the network at the same time.

Does anyone have any ideas? Microsoft says 3rd party products can be used to back up DPM but I'm not sure which ones are appropriate and I also kind of feel like this is probably achievable in the Microsoft world?

Any help would be appreciated.
Question by:HostOne
13 Comments
 
LVL 4

Author Comment

by:HostOne
ID: 40539710
Hmmm:
Perhaps this would work, actually: http://www.starwindsoftware.com/vtl-page

Then trick DPM into thinking I have two tapes, which are really disks, and use those.

Thoughts?
0
 
LVL 4

Author Comment

by:HostOne
ID: 40539734
http://www.quadstor.com/virtual-tape-library.html
Better yet - it's free! I think I've answered my own question, sorry, unless someone has a better idea?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40540413
All aspects of DPM should be in an administrator only context. A standard user should not be able to touch anything DPM related.

What exactly is being asked here?
0
 
LVL 4

Author Comment

by:HostOne
ID: 40541943
What I am saying is this. I have an existing DPM backup. Great. Works well and I am very happy with the product. What I want is to then _extend_ that backup offsite - but not using tapes. Let's assume the entire building blows up or, more likely, someone malicious gets in the network and deletes everything. If the backup is in the same network, no matter how cleverly you've segmented the network, if you can reach it - so can an attacker. So I want to have a rotation of disks that DPM can back up to, that can be taken away and disconnected from the network - airwalled - so no matter what someone does to the network, the backups cannot be reached.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40542686
What volume of data needs to be off-site?

Cloud backup is one option.

A data centre with a good connection to a disaster recovery site would be another.

Hyper-V Replica would be an option to a disaster recovery site or Azure.

There are options.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40542702
Thanks for your options Philip, however none of them provide an airwalled solution. I do really appreciate the response, nonetheless.

I already use Hyper-V replica to a second site and cloud based backups are not airwalled - they're still in the same network (also cost prohibitive for me, as I am talking about around 100TB of data - based on their pricing calculator, here: http://azure.microsoft.com/en-us/pricing/details/backup/ - this comes to an insane $20,190 Australian dollars a month! I could pretty much build my own datacentre for that).

So if I used Azure based backup (integrated into DPM) and someone untoward gets into my network and onto the DPM server, they can still delete the Azure backup. Likewise for all other cloud based solutions. Most of them require a VPN / MPLS or client based connection, so no matter how you do it, you still require a live and continuous network connection to the destination - and that allows the attacker the option of deleting not only your data but also your offsite backups. This has actually happened in the real world.

What I want is a backup destination that can be physically removed from the network. So someone can burn my stuff to the ground, end-to-end and I still have data that's outside the network and untouchable. Basically like tapes, however backing up 100TB to tape requires libraries and multi-tapes and I've been in this industry long enough to see those go bad so many times I've just got no faith in them (more than once I've been called in to a place who had tape backups, needed to DR and found out the tapes hadn't been working, despite success reports, for months).

As it stands, I oddly enough have two spare physical machines with 100TB of storage capacity.

What I am imagining is a way to connect them to my network, one at a time, in a rotation, to store another copy of the DPM backup on, then rotate them every few days (basically pull the network cable out of one and stick it in the other), leaving one of the two disconnected at all times.

I see DPM supports chains but only linear chains, so that doesn't help.

I am thinking virtual tape libraries could be the answer.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40542718
We have off-site rotations that involve NAS setups with the data being encrypted.

100TB? Ouch. That's forklift territory. :)

Off the wall: Intel R1208JP4OC with dual RS25GB008 SAS HBAs. DataON DNS-1660 loaded up with enough 4TB drives to give you enough storage for so many years of backups. If in the same data centre plug in, back up, unplug. Have a couple or three of the DNS-1660 units physically rotated out. Or, have one in Melbourne, one in Sydney, and another rotated about and kept somewhere secure.

Enforced 2FA like AuthAnvil would give you the extra level of protection. Only key folks would have a SoftFob or key fob. At least that would eliminate access via network breach.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40542741
What do you use for the offsite NAS rotations? Not just the hardware but how do you manage the rotation (software)?

My big concern is a situation like this: http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html. In that case, someone got in and had root level access. They then went on and destroyed everything.

We obviously take every security precaution we reasonably can, however I'd sleep better at night knowing there was an airwalled solution in place.

2FA is a good idea and we're in the process of moving all our equipment to it now, but even with it, if you had domain admin/root access and you got in, you could just destroy the storage targets, even if you couldn't read them.

As for the 100TB machines - we can do that in (almost) a single RU, for just under $5,000 AUD each, if you're interested in how. You buy a Quanta STRATOS-S100-L11D (http://www.quantaqct.com/Product/Servers/Rackmount-Servers/1U/STRATOS-S100-L11D-p152c77c70c83c85) - they're under $2,000 AUD with say 8GB of RAM and a single CPU. You then put 12*8TB Seagate disks ($250 each) in them and there you go, almost 100TB for less than 5 grand (ok 90TB odd with redundancy). Desktop grade disks but it's a backup of a backup and I still have redundancy, so I don't really care.
0
 
LVL 38

Accepted Solution

by:
Philip Elder earned 500 total points
ID: 40543451
For the NAS setup we are using ShadowProtect with its ImageManager setup to back up to Synology or Q-Nap NAS boxes. They are set up identically so it's a matter of shut down, pull the plugs, swap, and power up.

We use Quanta's 60 bay JBOD for our Scale-Out File Server solution set that gets deployed into data centres for IT Pros that want to deliver IaaS to clients. We've been quite happy with their product.

The 1U form factor is pretty intriguing but not really great for pulling and carrying out. Though, it does beat a 60 drive JBOD unit! :)

This is definitely a harder nut to crack than first anticipated.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40544033
ShadowProtect may be an option - thanks, I'll look into it (from memory they charge for size, though, so I think that's going to play out badly, for me). I am a little worried it might interfere with DPM, too.

I think the virtual tape library option is the best. That way, I can still use DPM, it will think it's backing up to massive tapes and I can just "rotate" my two servers by swapping the network cable from one to the other.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40544679
They charge by physical or virtual install. If virtual the price is very reasonable the more VMs are to be covered.

All of our SMB/SME clients are backed up in this way.

We are looking into Veeam as an alternative for more complex data centre based environments. We've not given DPM much consideration though that may change as the latest iteration seems to be a lot more Hyper-V cluster friendly.
0
 
LVL 4

Author Comment

by:HostOne
ID: 40546189
Thanks for your help. I think I will try the Virtual Tape Library but your advice has been great.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40546619
You are welcome. Drop us a note here to indicate what solution worked or did not.
0
