Centralised backup and security
Extending a backup solution to also protect data in a different security zone requires careful planning. In this case, the need to avoid compromising security can be in conflict with one of the major goals of an enterprise backup solution: to use centralised management as a means to reduce operational costs.
In a simple example, consider a scenario where an enterprise tape backup solution is to be extended to also cover internet-facing servers outside the corporate firewall. The problems that immediately become apparent include these:
- The firewall rules will have to be modified to allow some types of traffic between servers outside the firewall and the master backup server. It is important to minimise the number and scope of the changes required, to ensure that they do not degrade security to any substantial extent.
- Backup is one of the most bandwidth-intensive of all network applications, but since firewalls are far more processing-intensive than other network components, their throughput is always limited. If there is any substantial volume of data outside the firewall, then it is likely that the firewall will prove a major bottleneck to backups. In addition, the data traffic required for backups will probably cause serious congestion at the firewall, possibly causing an unacceptable performance hit on customer-visible applications.
Secure Backup
This architecture resolves the second problem by having the bulk of the backup traffic bypass the firewall: data is copied from the backup clients (C and D above) to the slave server (E) and written directly to tape from there.
The only additional traffic through the firewall consists of control commands sent from the backup master to the slave and status update information sent back the other way. In practice this will usually reduce backup traffic through the firewall by around 98%.
The security issues are also mitigated to a large extent: the only changes to the firewall rules are to allow traffic on the specific ports that the backup application uses to exchange commands and status information between master and slave. This type of traffic should only be enabled between the master and slave backup servers - all other restrictions should remain in place unchanged.
Note that it is important to verify beforehand that the backup software in use is "firewall friendly"; in other words, that it can be configured to use only a specific and very narrow set of firewall ports for communication. Ideally the ports used by the backup software should be configurable, so that they can be set to values not used by any other applications or servers within the organisation. This is a helpful additional measure to further tighten the security of the solution.
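As an added example (not from this page or from Data Engines), the following Python check applies the policy just described to a proposed firewall change: a rule is acceptable only if it opens TCP on the backup software's configured control/status ports, and only between the master and slave hosts. The addresses and port numbers are assumed values.

```python
"""Check proposed firewall rules against the master/slave backup policy:
only TCP, only the backup control/status ports, only master<->slave.
Addresses and ports below are constructed examples, not a real site."""
from dataclasses import dataclass
import ipaddress

MASTER = "10.0.0.5"            # backup master, inside the firewall (constructed)
SLAVE = "203.0.113.10"         # slave server, outside the firewall (constructed)
BACKUP_PORTS = {13782, 13783}  # hypothetical ports the software was configured to use

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "any"
    src: str     # host address, CIDR block, or "any"
    dst: str
    dports: str  # "13782", "13782-13783", or "any"

def _ports(spec):
    """Expand a port spec to a set; None means unrestricted."""
    if spec == "any":
        return None
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def _host(addr):
    """Return the address if addr names exactly one host, else None."""
    if addr == "any":
        return None
    net = ipaddress.ip_network(addr, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else None

def violations(rule):
    """List the ways a proposed rule is wider than the policy allows."""
    reasons = []
    if rule.proto != "tcp":
        reasons.append("protocol must be tcp")
    src, dst = _host(rule.src), _host(rule.dst)
    if src is None or dst is None:
        reasons.append("endpoints must be single hosts")
    elif {src, dst} != {MASTER, SLAVE}:
        reasons.append("only master<->slave traffic may be opened")
    ports = _ports(rule.dports)
    if ports is None or not ports <= BACKUP_PORTS:
        reasons.append("ports must be within the configured backup ports")
    return reasons

if __name__ == "__main__":
    # Constructed change request: one compliant rule, one that opens a whole subnet.
    for r in (Rule("tcp", MASTER, SLAVE, "13782-13783"), Rule("tcp", "203.0.113.0/24", MASTER, "any")):
        print(r, violations(r) or "OK")
```

An empty list means the rule stays within the narrow master/slave exception; anything else is a reason to send the change request back.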
Advantages
- Minimises impact on firewall during backups - The bulk of backup traffic now travels directly from backup clients to the slave server via the network outside the firewall, and from there to tape. This means less impact upon performance for internet-facing servers and applications.
- Increased backup throughput - Eliminating the firewall as the performance bottleneck will likely increase backup throughput substantially, reducing backup windows proportionally.
- Improved security - Fewer changes required to the firewall means less impact upon security from implementing the backup solution.
- Lowest operational cost - Much of the cost of operating a backup solution is incurred in monitoring and managing the master server. Since this architecture uses an additional slave server rather than a second, independent backup master outside the firewall it keeps the ongoing operational cost of the solution to a minimum.
Disadvantages
- Greater cost than simple LAN client approach - In addition to a software client license for each host outside the firewall that is to be backed up, this solution also requires the purchase of a slave server license and additional tape drive for the library.
- Still some security risk (albeit small) - A conservative approach to security notes that any relaxing of firewall rules increases the risk of a security breach. However, most security experts who've reviewed the firewall changes required to implement the architecture above will concede the changes are narrow enough that the associated security risk is minimal.