Zero Trust With Veeam Backup Solution and PowerScale

Overview

How can Zero Trust improve your backup security? With automated immutable snapshots integrated with the backup repository. Your backup infrastructure is mission critical, and bad actors are targeting your backup hosts. This solution guide explains how to configure the Zero Trust API and integrate it with Veeam Backup and Replication so that a point-in-time recovery at the disk level exists automatically. This solution enhances protection by:

  1. Creating a rollback point before any job runs to back up corporate data. This is done using the pre-script option in Veeam and leverages the Zero Trust API to create critical snapshots on the PowerScale storage where the backup data is stored.
  2. Optional - integrating with endpoint protection systems or IDS/IPS systems to monitor attacks over the network targeting your backup infrastructure and create proactive, automatic immutable snapshots of your backup data.

Solution Components

  1. Veeam Backup and Replication
  2. Ransomware Defender for PowerScale
  3. Ransomware Defender Zero Trust API license
  4. PowerScale Storage used as Backup Repository over SMB or NFS protocol

Solution Deployment Diagram


Solution Configuration Steps

  1. Create an SMB share to store backup data. Example: create an SMB share named Veeam on path /ifs/veeam.
  2. Create a PowerScale Backup Repository in Veeam
  3. Create the Zero Trust API authentication token
    1. Log in to Eyeglass as admin
    2. From the Main Menu select Eyeglass REST API
    3. Click create token and enter veeam
    4. Click the newly created token to copy it to the clipboard
  4. Get the curl command for Zero Trust Integration
    1. Select the API Explorer tab
    2. Paste the token into the token field
    3. Scroll down to the Ransomware Defender v2 APIs
    4. Click the try out button (note this will create a snapshot for any critical paths that are configured)
    5. Copy the curl syntax to a file to be used in later steps.
  5. Create Critical Path Snapshots in Ransomware Defender
    1. Log in to Eyeglass
    2. Open Ransomware Defender
    3. Click the Snapshots tab
    4. Enable the Critical paths check box and click the + sign to add the critical path where the Veeam backup repository is stored. Enter the path and click the cluster name where the SMB share was created.
  6. Veeam Backup server script configuration
    1. On the Veeam backup host create a path c:/zero-trust-scripts
      1. If the Windows OS used for Veeam does not have the curl command (test by typing curl at a command prompt), complete the steps below.
      2. Optional - Download https://skanthak.homepage.t-online.de/download/curl-7.64.1.cab
      3. Right click the download, extract all files, and copy all files into the path below.
      4. c:/zero-trust-scripts/curl
    2. Create a zerotrust.bat file
    3. Paste the curl command copied from Eyeglass
    4. Edit the script as follows
      1. Replace all the single quotes ' with " (required by Windows batch files)
      2. Add -d "" (allows an empty body in the POST request)
      3. Add -k (skips TLS certificate verification so that curl accepts a self-signed certificate)
      4. Modify the command to call the curl binary if you downloaded curl as per the steps above; adjust to the OS version and location of curl as needed.
    5. Example script
      1. curl\curl.exe -k -d "" -X POST --header "Content-Type: application/json" --header "Accept: application/json" --header "api_key: igls-1sbevrp1mogkeg9q6r2usit6fpbkdk9md4umtlpinvm51cnbndqu" "https://172.31.1.102/sera/v2/ransomware/criticalpaths" >> log.txt
    6. The script will create a log file called log.txt to record each execution of the script from backup jobs.
  7. Configure backup jobs to create snapshots
    1. You can integrate Zero Trust on scheduled jobs or on all jobs, as needed.
    2. Best practice: Integrate with all scheduled jobs to ensure snapshots are created.
    3. Ensure the backup repository selected is the PowerScale storage repository.
    4. Click the Advanced button on the Storage tab, select the Scripts tab, click Before the job and browse to select the bat file created in the steps above.
    5. Enter the remaining fields for your backup job definition, select backup sources, etc.
    6. Click Apply
  8. Done.  Ready for Zero Trust.   See below how to test and verify the configuration.
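
A hardened variant of zerotrust.bat, shown as an added example that is not part of the original guide or the vendor's own script. It assumes two files you create yourself in c:\zero-trust-scripts: api_key.hdr, holding the single line api_key: <token> and readable only by the account that runs Veeam jobs, and eyeglass-ca.pem, the exported Eyeglass certificate, which must list the address used in the URL. With those in place the token stays out of the script and -k is not needed.

```batch
@echo off
setlocal
rem Added example (not from the original guide). Assumed files, created by you:
rem   api_key.hdr      one line "api_key: <token>", ACL limited to the Veeam job account
rem   eyeglass-ca.pem  exported Eyeglass certificate used to verify the server
set "DIR=c:\zero-trust-scripts"
set "LOG=%DIR%\log.txt"
set "CURL=%DIR%\curl\curl.exe"
set "URL=https://172.31.1.102/sera/v2/ransomware/criticalpaths"

rem Stop early if an input is missing instead of sending a request that cannot succeed.
for %%F in ("%CURL%" "%DIR%\api_key.hdr" "%DIR%\eyeglass-ca.pem") do (
  if not exist "%%~F" (
    >>"%LOG%" echo %DATE% %TIME% ERROR missing file %%~F
    exit /b 1
  )
)

>>"%LOG%" echo %DATE% %TIME% requesting critical path snapshot

rem --header @file (curl 7.55.0 or later) keeps the token out of the script
rem and out of the process command line.
rem --cacert replaces -k, so the server certificate is verified.
rem --fail turns an HTTP error status into a non-zero exit code.
"%CURL%" --fail --silent --show-error --max-time 60 ^
  --cacert "%DIR%\eyeglass-ca.pem" ^
  -d "" -X POST ^
  --header "Content-Type: application/json" ^
  --header "Accept: application/json" ^
  --header "@%DIR%\api_key.hdr" ^
  "%URL%" >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem Terminate the response line, then record a timestamped result.
>>"%LOG%" echo.
if not "%RC%"=="0" (
  >>"%LOG%" echo %DATE% %TIME% ERROR curl exit code %RC%
  exit /b %RC%
)
>>"%LOG%" echo %DATE% %TIME% OK request returned a success status
exit /b 0
```

The non-zero exit code on failure lets the caller detect that no rollback snapshot was requested before the backup ran.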

Solution Results

  1. Right click the backup Job and run the test backup job.
  2. Open the log file located in:
    1. c:/zero-trust-scripts/log.txt
    2. A successful launch of the API will return the job id that runs on Ransomware Defender
  3. Successful backup job
  4. What happens if another job runs? Will it create another snapshot?
    1. The Zero Trust API has a hold-off timer that blocks additional snapshots from being created until the timer expires. This ensures that too many snapshots are not created on the critical paths.
    2. The default hold-off timer is 1 hour, which means a maximum of 1 snapshot is allowed to be created per hour. Each snapshot has an expiry set for 4 hours and it will auto delete itself.
  5. How to change the default expiry on critical path snapshots.
    1. See the guide here.


© Superna Inc