Veeam immutable backups on TrueNAS scale?

Thomas_VDB

Contributor
Joined
Sep 22, 2012
Messages
102
Hi,

Veeam immutable backups require Linux, and as Scale is Linux-based, can a TrueNAS Scale box be configured as a hardened/immutable backup repo?
I've read that Veeam's immutable backup principle relies on XFS, and TrueNAS uses ZFS. So no go?

Thomas.

I could just use a regular Linux install to create my immutable backup repo, but my server's HBA card does not do RAID, and I need to present a big volume.
I don't want to go software RAID with regular Linux.
 

Thomas_VDB

Contributor
Joined
Sep 22, 2012
Messages
102
But is this solution really as hardened as a native Linux immutable repo?
Because with your suggestion the underlying OS doesn't get hardened/locked down.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
How would using the XFS filesystem secure the underlying OS? Hardening and locking down TrueNAS would still be on the end user to go beyond the defaults, as it would for any storage backend used as a target for Veeam...
 

UDSGuy

Cadet
Joined
Sep 26, 2023
Messages
4
Out of curiosity, is this for a cyber vault or do you need to achieve SEC compliance?
 

Thomas_VDB

Contributor
Joined
Sep 22, 2012
Messages
102
> Out of curiosity, is this for a cyber vault or do you need to achieve SEC compliance?
We are a small business and are using Veeam for our local backups. We are interested in immutability to protect/recover from malware attacks. However we want to keep backups local as we have too much data to send each night to the cloud.

I am doubting that the approach of using Minio plugin in TrueNAS is as safe as the recommended approach from Veeam (Linux server with XFS).
 

Thomas_VDB

Contributor
Joined
Sep 22, 2012
Messages
102
I just stumbled on this: might be the easiest/best way to go for me:

Running a Linux VM on top of TrueNAS Core, in bhyve...
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
> We are a small business and are using Veeam for our local backups. We are interested in immutability to protect/recover from malware attacks. However we want to keep backups local as we have too much data to send each night to the cloud.
>
> I am doubting that the approach of using Minio plugin in TrueNAS is as safe as the recommended approach from Veeam (Linux server with XFS).


First questions are:
1. Segmentation - Do you have your backup VMs / servers on their own isolated VLAN, locked down?
2. Not using the same domain / accounts to access the backup server that are used on other servers.
3. Veeam configured to reach into the servers using creds saved in Veeam to pull the backups (you want pull, not push, for a backup solution).
4. For the storage the backups are stored on, 1-3 apply as well.

This will minimize damage from a potential compromise if they cannot get to your actual backup server / backups.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
> We are a small business and are using Veeam for our local backups. We are interested in immutability to protect/recover from malware attacks. However we want to keep backups local as we have too much data to send each night to the cloud.
>
> I am doubting that the approach of using Minio plugin in TrueNAS is as safe as the recommended approach from Veeam (Linux server with XFS).
Minio is listed as one of the supported object providers in Veeam's blog on immutability:

  • On-premises S3 compatibility featuring object lock immutability with Veeam deduplication and compression. This includes vendors like ObjectFirst, Cloudian, Scality, IBM, Minio, Hitachi, SpectraLogic Black Pearl, etc.
The underlying TrueNAS OS could be "hardened" as well to various degrees - enabling 2FA or disabling the webGUI entirely, disallowing console access without a password, using upstream network filtering to prevent access to anything other than the TCP port(s) used by Minio or traffic from any originating IP other than the Veeam server, disconnecting the out-of-band management interface. Snapshots and a second TrueNAS system with "pull" style replication configured can add a second level of protection for your local backups as well.
 

einhirn

Cadet
Joined
Feb 28, 2023
Messages
2
Hi Thomas_VDB,
> Hi,
>
> Veeam Immutable backups require linux, and as Scale is linux based, can a TrueNAS scale box be configured as a hardened/immutable backup repo.
> I've read that Veeam's immutable backup principle relies on XFS. And TrueNAS uses ZFS. So no go?
>
> Thomas.
>
> I could just use a regular linux install to create my immutable backup repo, but my server's HBA card does not do RAID, and I need to present a big volume.
> Don't want to go software raid with regular linux.

For a real hardened immutable Veeam repo, you'd want a box that is locked down to console-only access: no SSH, no remote management, no web interface, etc. I don't know whether TrueNAS can somehow be administered via the local console, i.e. how to access the web interface from there. The other point: yes, Veeam uses XFS specifics to achieve immutability. I can think about using a standard install of Linux with OpenZFS and using a ZVOL as a device for XFS, but I've never tried that and can't vouch for whether it would work or be practical. But to do it "right", you'll need a separate box for the hardened repository, because it won't do anything else than store your data; the reason being: what can't be remote-controlled can't be hacked. And the Veeam services take useful (at least from what I understand) steps to enforce immutability.

The whole Minio setup would also work, but it would take lots and lots of storage because of Minio versioning saving each version as a full copy. Maybe that could be counteracted with ZFS dedup, but I haven't read many success stories for ZFS dedup yet. If anyone knows some, please point me to them.
Also, Minio immutability relies on the internals of the Minio software stack; if there's an issue there, you could possibly still lose the data. If Minio could somehow be integrated with ZFS' immutability flag (e.g. periodically read/copy Minio's immutability status and set file flags accordingly), that would be pretty neat and much closer to Veeam's own solution in terms of security: an unprivileged account for the service that writes the data, and a second, privileged service that sets the immutability flag in the file system, probably keeping track of how long a file should be immutable and preventing the flag from being removed before that time.
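As an added example (not einhirn's, Veeam's, MinIO's or TrueNAS's code), here is a Python sketch of the "second, privileged service" described in the post above: it records each file's retain-until time as reported by the unprivileged writer, only ever extends that time, and clears the immutable flag only once it has elapsed. The JSON manifest format is constructed for the example, and the flag is assumed to be Linux `chattr +i`/`-i`; the class runs in dry-run mode by default so it can be exercised without root.

```python
"""Retention enforcer sketch: the 'second, privileged service' from the post above.

The unprivileged writer hands over paths with the object-lock 'retain until' time
it recorded; only this service sets or clears the filesystem immutable flag.
Assumption: that flag is Linux 'chattr +i' / 'chattr -i' (dry run by default)."""
from __future__ import annotations
import json
import subprocess
from datetime import datetime


def parse_ts(text: str) -> datetime:
    """RFC 3339 UTC timestamp ('...Z') to an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_manifest(text: str) -> dict[str, datetime]:
    """Constructed manifest format: JSON object mapping path -> retain-until timestamp."""
    return {path: parse_ts(ts) for path, ts in json.loads(text).items()}


class RetentionEnforcer:
    def __init__(self, dry_run: bool = True) -> None:
        self.retain_until: dict[str, datetime] = {}  # authoritative copy, privileged side only
        self.locked: set[str] = set()
        self.dry_run = dry_run
        self.calls: list[list[str]] = []  # chattr invocations, recorded for inspection

    def _chattr(self, flag: str, path: str) -> None:
        cmd = ["chattr", flag, path]
        self.calls.append(cmd)
        if not self.dry_run:  # a real run needs root and a filesystem supporting the flag
            subprocess.run(cmd, check=True)

    def ingest(self, manifest: dict[str, datetime]) -> None:
        """Record retention from the writer, but only ever extend it: a compromised
        writer reporting a shorter window must not be able to free a file early."""
        for path, until in manifest.items():
            if path not in self.retain_until or until > self.retain_until[path]:
                self.retain_until[path] = until
            if path not in self.locked:
                self._chattr("+i", path)
                self.locked.add(path)

    def release_expired(self, now: datetime) -> list[str]:
        """Clear the flag only for files whose retention has elapsed; return those paths."""
        released = [p for p in sorted(self.locked) if now >= self.retain_until[p]]
        for path in released:
            self._chattr("-i", path)
            self.locked.discard(path)
        return released
```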
 