Veeam Backup Concept

In my profession, I regularly work with Veeam and have successfully completed several backup-related projects.

This backup concept is designed to be suitable for production use, although it is currently implemented in a lab environment. The lab context imposes specific constraints and adjustments; for example, in production a dedicated physical backup server would be recommended for optimal security and performance.

Structure of the Backup System

This concept utilizes a centralized backup infrastructure hosted on Hyper-V with dedicated virtual machines. It includes several repository types:

  • NFS Repository and Backup Server: A Backup Server VM (ideally a dedicated physical server in production) with a retention period of 30 days and a long-term GFS (Grandfather-Father-Son) retention policy consisting of 4 weekly, 12 monthly, and 1 yearly backup.
  • Hardened Linux Repository: Immutable backups with a retention period of 30 days, providing enhanced security and a long-term GFS schedule (4 weekly, 12 monthly, and 2 yearly backups).
  • Offline Backup: Quarterly backups to external hard disks, rotated across 4 drives, ensuring redundancy, physical separation, and protection against hardware failures and ransomware attacks.

Secure Communication and Data Protection

Communication between systems adheres to stringent security measures:

  • Backup data is encrypted at rest using Veeam’s built-in encryption for both primary repositories and backup copy jobs.
  • NAS storage is connected to the Linux repository via iSCSI.
  • Secure connections between different sites are established via IPSEC.
  • Immutable backups are implemented, adding another security layer against unauthorised modifications or deletions.
  • Offline backups are kept at physically separate locations.

Firewall Rules and Security

The backup infrastructure, including repositories and servers, is intentionally configured without direct internet access to enhance security. Two dedicated firewall rules, disabled by default, are temporarily enabled only when required for updating Veeam and Synology software. All other software updates are managed via the Endpoint Central patching server, which is the only authorized system permitted to connect directly to the Veeam server. All other connections originate solely from the Veeam server itself. A deny rule is implemented at the end of the firewall ruleset to block any other unauthorized traffic.

Backup Testing and Compliance

This backup concept strictly complies with Veeam’s recommended best practices and fully meets the 3-2-1 backup rule.

  • Three Copies of Data: Maintain three separate data copies.
  • Two Different Media Types: Utilize various storage media such as NFS-connected NAS in Datacenter 1, iSCSI-connected NAS and Linux hardened repository in Datacenter 2, and additional external hard disks.
  • One Off-Site Copy: Securely stored backups in multiple physical locations.
  • Offline or Immutable Copy: Immutable backups stored on the Linux hardened repository and quarterly offline backups on external hard disks to prevent ransomware threats.

Implementing and thoroughly testing this backup concept in a lab environment provides a robust foundation, ready for scaling and adapting seamlessly to a full-scale production environment.

Configuration Examples

Example Palo Alto Firewall Rules

Veeam

Veeam Security and Compliance Analyzer (Suppressed due to Community Free Edition limitations)

Suppressed

MFA and password-loss protection are not available in the Community Free Edition; I recommend using a password manager like Bitwarden, with passwords physically stored on an encrypted USB stick.

Hardened repositories currently implemented as a VM in the lab; a physical server is recommended for production.

Backup services run under a dedicated service account rather than the LocalSystem account for enhanced security.

In my lab, backup encryption passwords are alphanumeric and do not include special characters. I use a length of at least 30 characters for optimal security.
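Two of the controls described in this concept can be verified from the backup server itself: the Veeam services must not run as LocalSystem (see the service-account note above), and the server must have no direct internet access while the Endpoint Central patching server stays reachable (see the firewall section). The following read-only posture check is an added example written for this page; it is not part of the original post and not Veeam's own tooling. It assumes Veeam services can be matched by the name pattern Veeam*, and the probe hosts and ports are constructed placeholders to be replaced with your own values.

```powershell
# Added example (not from the original post or from Veeam): read-only posture
# check for the Veeam backup server. Verifies (1) Veeam services run under a
# dedicated account rather than LocalSystem and (2) the server cannot reach
# the internet while the patching server remains reachable.
# Assumptions: service names match 'Veeam*'; hosts/ports below are placeholders.
param(
    # Public endpoints that MUST be unreachable from the backup server.
    [string[]]$InternetProbeHosts = @('internet-probe.example.invalid'),
    [int]     $InternetProbePort  = 443,
    # Endpoint Central patching server that MUST stay reachable (placeholder).
    [string]  $PatchServer        = 'patch-server.example.invalid',
    [int]     $PatchServerPort    = 8383   # placeholder; use your agent port
)

# Accounts treated as the built-in system identity for this check.
$builtinAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

function Test-VeeamServiceAccounts {
    # One record per Veeam service; Compliant is $false when it runs as LocalSystem.
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Veeam%'" |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $_.StartName
                State     = $_.State
                Compliant = ($_.StartName -notin $builtinAccounts)
            }
        }
}

function Test-TcpReachable {
    param([string]$HostName, [int]$Port)
    # Quiet mode returns a single boolean; a failed name lookup or a blocked
    # connection both count as "not reachable".
    try {
        [bool](Test-NetConnection -ComputerName $HostName -Port $Port `
                   -InformationLevel Quiet -WarningAction SilentlyContinue -ErrorAction Stop)
    } catch { $false }
}

function Test-BackupServerEgress {
    # Internet probes are expected to fail; the patch server is expected to succeed.
    $results = @(foreach ($h in $InternetProbeHosts) {
        $reachable = Test-TcpReachable -HostName $h -Port $InternetProbePort
        [pscustomobject]@{
            Target    = "${h}:${InternetProbePort}"
            Expect    = 'blocked'
            Reachable = $reachable
            Compliant = -not $reachable
        }
    })
    $patchReachable = Test-TcpReachable -HostName $PatchServer -Port $PatchServerPort
    $results += [pscustomobject]@{
        Target    = "${PatchServer}:${PatchServerPort}"
        Expect    = 'allowed'
        Reachable = $patchReachable
        Compliant = $patchReachable
    }
    $results
}

$services = @(Test-VeeamServiceAccounts)
$egress   = @(Test-BackupServerEgress)

$services | Format-Table -AutoSize
$egress   | Format-Table -AutoSize

if ($services.Count -eq 0) { Write-Warning 'No Veeam services found; is this the backup server?' }

$failures = @($services | Where-Object { -not $_.Compliant }).Count +
            @($egress   | Where-Object { -not $_.Compliant }).Count

if ($failures -gt 0) { Write-Warning "$failures posture check(s) failed"; exit 1 }
Write-Host 'All posture checks passed'
```

Run it in an elevated PowerShell session on the backup server after each change to the Palo Alto ruleset or to the Veeam service configuration; a non-zero exit code makes it easy to wire into a scheduled task or the patching server's compliance reporting.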

Encryption connection

Encryption Password

Links, Products and References

Veeam Community Edition

Veeam Script Security and Compliance

Patch Management – Manage Engine – Endpoint Central

Palo Alto Networks

Bitwarden Password Manager

Backup 3-2-1 Rule

Omnigraffle

Configuring VLANs on Hyper-V by Filtering Interfaces

If you manage a VM in Hyper-V with multiple network adapters, such as in a firewall setup, it is crucial to configure VLANs correctly. Often you need to set up a trunk on a specific interface, which can only be identified uniquely by its MAC address, especially when the interface names are identical.

Identify the Adapter: First, determine the MAC address and switch name of the network adapters associated with your VM. Replace FORTIGATE-NEW with your VM’s name to find the correct adapter:

Get-VMNetworkAdapter FORTIGATE-NEW | fl macaddress, SwitchName

This will return something like:

MacAddress : 00155D450204
SwitchName : ASUS XG-C100C 10G PCI-E Network Adapter - Virtual Switch

MacAddress : 00155D450205
SwitchName : Internal

In this example, we will configure the “Internal” network adapter for a trunk.

Filter the Adapter Based on the MAC Address: This command selects the specific adapter you want to configure by matching its MAC address. Ensure you replace "00155D450205" with the MAC address of the adapter you intend to use.

$adapter = Get-VMNetworkAdapter FORTIGATE-NEW | Where-Object {$_.MacAddress -eq "00155D450205"}

Configure Trunk and VLANs: After filtering the right adapter, this command sets up a trunk and specifies which VLAN IDs are allowed on this trunk. It also defines VLAN 70 as the native VLAN, meaning untagged traffic will be associated with VLAN 70.

Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -AllowedVlanIdList "3111,2222" -Trunk -NativeVlanId 70

Verify the Configuration: Finally, confirm the VLAN configuration to ensure it has been applied correctly:

Get-VMNetworkAdapterVlan FORTIGATE-NEW

VMName        VMNetworkAdapterName Mode   VlanList
------        -------------------- ----   --------
FORTIGATE-NEW Network Adapter      Access 70
FORTIGATE-NEW Network Adapter      Trunk  70,2222,3111
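The four steps above can be combined into one script that refuses to proceed unless exactly one adapter matches the MAC address and that reads the VLAN setting back for that adapter alone instead of listing every adapter on the VM. This is an added example written for this page, not the author's original commands; the VM name, MAC address, VLAN IDs and native VLAN are the placeholders from the walkthrough and must be replaced with your own values.

```powershell
# Added example (not part of the original post): configure a trunk on the one
# Hyper-V VM adapter identified by MAC address, then verify the result.
# Assumptions: VM name, MAC, allowed VLANs and native VLAN are the placeholders
# used in the walkthrough above; adjust them to your environment.
param(
    [string]$VMName       = 'FORTIGATE-NEW',
    [string]$MacAddress   = '00155D450205',
    [int[]] $AllowedVlans = @(3111, 2222),
    [int]   $NativeVlanId = 70
)

# Hyper-V reports MACs without separators (00155D450205); normalise any
# colon/dash form the caller passes so the comparison below is exact.
$mac = ($MacAddress -replace '[:-]', '').ToUpper()

# Adapter names are often identical ("Network Adapter"), so the MAC is the
# only unique key. Collect all matches so we can detect ambiguity.
$matches = @(Get-VMNetworkAdapter -VMName $VMName | Where-Object { $_.MacAddress -eq $mac })

if ($matches.Count -eq 0) {
    throw "No adapter with MAC $mac found on VM '$VMName'."
}
if ($matches.Count -gt 1) {
    throw "MAC $mac matches $($matches.Count) adapters on VM '$VMName'; refusing to guess."
}
$adapter = $matches[0]

Write-Host "Configuring trunk on adapter '$($adapter.Name)' (switch: $($adapter.SwitchName))"

# Trunk mode: tagged frames for the allowed VLANs pass through; untagged
# frames are placed in the native VLAN.
Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter `
    -Trunk `
    -AllowedVlanIdList ($AllowedVlans -join ',') `
    -NativeVlanId $NativeVlanId

# Verify against this adapter only, not every adapter on the VM.
$vlan   = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
$actual = @($vlan.AllowedVlanIdList)

if ($vlan.OperationMode -ne 'Trunk') {
    throw "Adapter is in $($vlan.OperationMode) mode, expected Trunk."
}
if ($vlan.NativeVlanId -ne $NativeVlanId) {
    throw "Native VLAN is $($vlan.NativeVlanId), expected $NativeVlanId."
}
# Every requested VLAN must be present; Hyper-V may additionally list the
# native VLAN in the allowed list, so we check for missing IDs rather than
# an exact match.
$missing = @($AllowedVlans | Where-Object { $_ -notin $actual })
if ($missing.Count -gt 0) {
    throw "Allowed VLAN list is missing: $($missing -join ',') (got $($actual -join ','))"
}

Write-Host "OK: $($vlan.VMName)/$($adapter.Name) trunk native=$($vlan.NativeVlanId) allowed=$($actual -join ',')"
```

Because the verification reads back the setting for the single adapter object that was just configured, a stale or duplicated adapter on the same VM cannot mask a misconfiguration the way the per-VM listing in the walkthrough could.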

Conclusion:

This approach effectively isolates traffic and manages network segmentation on a Hyper-V VM, especially in complex environments with multiple network adapters. Always replace the placeholders with the actual values for your setup.