When Veeam Backup & Replication v11 went Generally Available on the 24th of February, I posted the What’s in it for Service Providers blog. In that post I briefly outlined all the new features and enhancements in v11 as they relate to our Veeam Cloud and Service Provider Partners. As mentioned, each new major feature and enhancement listed below deserves its own separate post. While these posts are targeted at Service Providers, the majority of these features can be leveraged by all types of organizations. In this post I am looking at the new Hardened Linux Repository, which allows setting immutability against backups on primary landing zones. This now offers end-to-end immutability options when used with the Capacity and Archive Tier immutability features.
As a reminder, here are the top new features and enhancements in Backup & Replication v11 for VCSPs (with links as created):
- Linux Backup Proxy Enhancements and other Linux Enhancements
- Data Integration API Enhancements supporting more platforms
- Continuous Data Protection for VMware Platforms
- VMware Cloud Director to Cloud Director Replication
- VMware Cloud Director Native HTML5 Tenant Portal, SSP Enhancements and 10.2 Support
- Archive Tier, Object Storage and other SOBR Enhancements
- Hardened Linux Repository for Immutability on Primary Landing Zones
- New PowerShell Module and RESTful API
- Enhanced Linux File-Level Recovery
- Veeam Agents for Windows and Linux v5.0 and Agent for Mac v1.0
Locking up Linux Repositories for Landing Zone Protection
Previously, we have only been able to take advantage of immutability in the Capacity Tier of the Scale Out Backup Repository. This left data exposed on the primary landing zone and susceptible to attacks and other events. Those include data corruption or data compromise, accidental deletion of data and the more sinister insider threat with malicious intent. The Hardened Linux Repository enables primary backups to be immutable by giving you local immutable backup storage on supported Linux x64 distributions that provide this functionality natively. This protects data from loss caused by malware activity or the other failure scenarios mentioned above by blocking the deletion and modification of data.
The other component of this solution is that we suggest further hardening of the Linux system by restricting SSH access to the server. When adding the Linux server, we use temporary credentials. To do that, you choose Add and select Single-use credentials for hardened repository when configuring the SSH Connection during the New Linux Server wizard.
There are a number of great walkthroughs on setting this up and, rather than me repeating that here, I’ve linked to them in the More Content section at the end of this post. One that I will highlight here is the work done by Timothy Dewin and Preben Berg, who put together a great project that does all the config and hardening for you by way of a VeeamHubRepo Debian package built to quickly configure a hardened Linux repository on Ubuntu. This is great for labs and for testing out this feature before putting it into production, and is a brilliant release from the guys.
Once you have configured the new Linux Repository and configured the Immutability settings, the backup repo can be used standalone or in a Scale Out Backup Repository. The count of the immutability period indicated in the backup repository settings starts from the moment the last restore point in the active chain is created. The immutability period is extended only for the active backup chain. More information about how this works can be found here. Finally, from the UI you can now see the immutability period of a particular backup in the properties section.
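To confirm from the repository host itself that backup files are actually locked, here is an added example (not part of the original post and not Veeam tooling). It assumes the native mechanism is the Linux immutable file attribute as reported by `lsattr`, that backup data files end in `.vbk` or `.vib`, and that `/mnt/veeam-repo` is a placeholder path.

```shell
#!/bin/sh
# Added example: list backup data files that do NOT carry the immutable (i) flag.
# Input on stdin is `lsattr` output: "<attribute flags> <path>" per line.

find_mutable_backups() {
    while read -r attrs path; do
        case "$path" in
            *.vbk|*.vib) ;;      # backup data files (assumed extensions)
            *) continue ;;       # skip metadata, directory headers, blank lines
        esac
        case "$attrs" in
            *i*) ;;              # immutable flag present, nothing to report
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample in the shape of `lsattr -R` output (not from a real repository).
sample_lsattr() {
    cat <<'EOF'
/mnt/veeam-repo/Job A:
----i---------e------- /mnt/veeam-repo/Job A/full-2021-03-01.vbk
----i---------e------- /mnt/veeam-repo/Job A/incr-2021-03-02.vib
--------------e------- /mnt/veeam-repo/Job A/incr-2021-03-03.vib
--------------e------- /mnt/veeam-repo/Job A/Job A.vbm

/mnt/veeam-repo/Job B:
--------------e------- /mnt/veeam-repo/Job B/full-2021-02-01.vbk
EOF
}

# Demo run on the constructed sample; prints the two unlocked files.
sample_lsattr | find_mutable_backups

# Live use on the repository host (placeholder path):
#   lsattr -R /mnt/veeam-repo 2>/dev/null | find_mutable_backups
```

A file listed here is either past its immutability period or was never locked, so compare the results against the period configured on the repository before treating them as a finding.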
Benefit to Service Providers
Building on the existing Immutability support with Object Storage, the addition of the Immutable Hardened Linux Repository allows Service Providers to secure their primary landing zones for their BaaS or IaaS Backups. As with the Capacity and Archive Tiers, I have been preaching to VCSPs since we released 9.5 Update 4 about how leveraging these new features reduces the size of the primary landing zone, and now, with Linux Immutability, the landing zone can be secured as well. With the Capacity Tier and the Archive Tier, together with the Move and Copy functions as well as the Immutability options all along the way, VCSPs can create multiple levels of Backup Storage Classes at graduating prices, which gives their customers more choice and also more potential revenue.
Content and Materials
https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_linux.html
https://helpcenter.veeam.com/docs/backup/hyperv/immutability_for_linux_hiw.html?ver=110