Veeam is touring through the Netherlands and one of these stops was Spijkenisse. I blocked this date in my calendar because as a Blogger and Cloud Evangelist, I wanted to attend. Although I visited VeeamON in New Orleans, I was excited for an update about their upcoming releases and the other topics sounded also very interesting.

VeeamON Tour began with a warm welcome from Lodewijk van Klaveren, Manager Channels Benelux and a strategic overview where Veeam was and where Veeam will be heading in the future. This was held very short to give the audience enough time to hear about all the new technical stuff Veeam will offer in the upcoming release.

Next was System Engineer, Kevin Kroese, who gave us a complete overview about all the new announced features coming with Veeam Availability Suite v10.

What’s new in Veeam Availability Suite v10

Built-in management for Veeam Agent for Windows and Veeam Agent for Linux (9.5 Update 3)

Centralized management for both Veeam Agent will be integrated into the Backup and Replication Console. This should make the deployment of Agents much easier than using other software deployment methods like SCCM or Altiris. During the deployment you can choose between Managed by Agent or Managed by Server.

• Managed by Agent means that the agent is deployed as we know it for 1.0/1.5/2.0 including the GUI so an end user can manage their backup jobs (Notebook user).
• Managed by Server means that a small thin agent will be deployed to the end device (mostly server OS) and all the configuration will be done in the Backup and Replication Console.

And one of the best things about the build-in agent management is that it will be available with the next Update 3 which is scheduled for November.

Veeam CDP (Continuous Data Protection)

With Veeam CDP, Backup and Replication will get the ability to lower the RPO of a replication job from now 15min to 15sec. To accomplish this, Veeam is using VAIO (vSphere API for IO Filtering) which is available on the VMware vSphere platform (Standard licensing and higher) only. This will remove the need of a snapshot during the replication job because VAIO will intercept and redirect the VM I/O to the replica. As of today this feature will only be available in the Enterprise Plus licensing.

Scale-Out Backup Repository — Archive Tier

Veeam Backup and Replication will also introduce a new Scale-Out Backup Repository type called Archive Tier. This new repository will save primary repository space and minimize costs by using cloud object storage like AWS Glacier, S3, Azure Blob storage or others. There is also currently a cooperation between Starwind and Veeam where you can use Starwind Cloud VTL as local Tape target. From there it will be replicated to S3 and then destaged to AWS Glacier.

Primary Storage Integrations — Universal Storage Integration API

Veeam introduced the first storage snapshot integration in 2013 with the release of version 7.0. The first vendor for storage snapshots was HPE with their StoreServ and StoreVirtual / VSA systems. Every new version Veeam added additional storage vendors to their product. Version 8.0 integrated Netapp, version 9.0 brought EMC VNX, VNX2 and VNXe support and with version 9.5 Nimble storage was integrated. But as you can see only every year or release Veeam could integrate a new storage vendor. That was the reason Veeam will introduce Universal Storage Integration API in their next release. This will be a plug-in architecture where the storage vendor will develop the storage plugin for Backup and Replication, Veeam will test it and support it if everything is fine. Because of this change it will be easier to integrate new storage vendors into Veeam. The following vendors will be integrated in the next version(s):

• 9.5 Update 3
  • IBM Spectrum Virtualize (IBM SVC, Storwize family)
• v10
  • Lenovo Storage V Series (storage based on IBM Spectrum Virtualize software)
  • INFINIDAT
• next year
  • PureStorage

NAS Backup Support for SMB and NFS Shares

One of the most awaited new features for the new v10 release is NAS Backup support for SMB and NFS. As far as I understood there will be new Veeam proxies specific for SMB/NFS backups which will have an universal SMB/NFS client for backing up the NAS data. In addition Veeam will also support NDMP as protocol for NAS backups. Backups for NAS will not use the classic Veeam container format, it will introduce a new container format which will be optimized for files. Also the metadata and catalog database will not be a MSSQL server because they need a database that is optimized for file search.

Veeam ONE

When Veeam Availability Suite is purchased, Veeam ONE is included. Currently Veeam ONE consists of 3 tools. Veeam Monitor, Veeam Business View and Veeam Reporter. In v10 Veeam Business View will be moved to Veeam Monitor. Also the following features will be included in Veeam ONE v10:

• Service and Process Monitoring including actions like e.g. What needs to be done if a service is down.
• Backup Infrastructure Audit – Create Audit Report
• DSGVO support

Oracle RMAN Integration

When speaking with Oracle admins they want to backup their databases with the tools they know, especially RMAN. Therefor Veeam created a plugin which needs to be installed on the database server which will operates as some sort of gateway between RMAN and the Veeam Backup repositories. This plugin will be supported for RAC Cluster as well as for VM and physical Oracle DBs. Restores can be easily done by using Veeam Explorer for Oracle.

One last note from the What’s new was also that there will be Nutanix AHV support in the near future.

What’s new in Veeam Backup for Microsoft Office 365

A week before VeeamON Tour took place, Veeam released a new version (1.5) of Veeam Backup for Microsoft Office 365.

Read my previous blogpost for more information.

What’s new with Veeam Agents for Windows and Linux

As I said before central management for the Veeam Agents will be released with 9.5 Update 3 which is as far as I heard it November. So only a few weeks left and we can see the new shiny feature for Agent deployment.

Veeam Agents comes in 3 license packages:

• Free
• Workstation
• Server

An overview and feature list of each license can be found in this paper for Windows and here for Linux. One new feature of the Veeam Agent for Windows will be the Cluster Support (WSFC and all AlwaysOn clusters) in the Server edition. This will allow you to backup all WSFC based Windows clusters as well as SQL AlwaysON or Exchange DAG. Currently all of these are not supported or only partial support. For more infos see this KB article.

Another feature of the new version is that it will include a “Change Block Tracking” driver. Currently the agent can only to CBT through Master File Table (MFT) analysis which is only working for NTFS. Unfortunately I forgot the real use case behind the driver but I would assume to also support other file systems like ReFS etc.

For everyone who are using Linux in their enviroments in the new version (2.0) of the Veeam Agent for Linux the following features will be included:

• Cloud Connect Support
• SOBR Support
• Encryption
• Compiled Kernel Modules

For both Agents there will be also an Agent management from Veeam ONE (monitor and report) and from the Availability Console.

Ransomware and Encryption trojans

Next was Senior System Engineer, Henk Arts, who gave us an insight how to protect your data from ransomware and encryption Trojans. Here is an overview of his presentation.

Media coverage on the various versions of encryption Trojans are coming fast and furious. These threats are meant to extort money out of the infected and are otherwise known as ransomware.

Trojan malware like Locky, TeslaCrypt and CryptoLocker are the variations currently used to attack companies. The breach gateways are often security loopholes in web browsers and their plugins or inadvertently opened email attachments. Once inside the company, the ransomware can spread at breakneck speeds and begin to encrypt valuable data. Governments recommends companies implement a solid ransomware mitigating backup and recovery strategy for effective protection against data loss caused by CryptoLocker or any other Trojan.

Another area of focus for IT Security Professionals to protect against malware are network shares. Ransomware is also being used to access network shares.

Given the criticality of the workloads and data within the environment, the “1” in the 3-2-1 rule continues to play an important role. According to this rule, 3 copies of the company data should be saved on 2 different media and 1 copy should be offsite.

The backup architecture recommended by Veeam ensures that a primary backup storage device is used for quick backup and restore processes at which time backups are then copied to a secondary backup storage device using a native Backup Copy Job. In this blog, you’ll see how Veeam helps you build a reliable backup strategy against ransomware  and quickly recovers your data after the ransomware attack.

Data export options to strengthen your backup strategy against the ransomware threat

1. Backup Copy Job to disk

As mentioned above, the first option is to transfer the data from one location to another using Backup Copy Job. Here, a file is not just copied, but the individual restore points within the backup are read and written to a second disk destination. Should the primary backup be encrypted or become corrupt, the Backup Copy Job would also fail because Veeam would not be able to interpret the data.

In such a scenario, one can only hope that the second backup repository has been separated from the rest of the IT environment. One could also use a Linux-based backup repository to secure against Windows Trojans.

2. Removable hard disks

Another option is to use a removable storage device as the secondary repository. This is usually done with removable hard drives such as USB disks. With the help of the Veeam option for media rotation (see User Guide), Veeam will detect when an old piece of media is re-inserted and automatically ensure that old backup files are deleted and a new backup chain is started.

What’s important to note here is that removable media (conventional USB hard disks, etc.) should be interchanged regularly and should not be kept connected to the system permanently.

3. Tape

The once “condemned” tape option is becoming an increasingly popular option for IT to leverage again in regards to encryption Trojans. This is because tapes do not enable direct data access, and thus provide protection against ransomware. Just like rotatable media, tapes should be exported to a secure location for optimum protection.

4. Storage snapshots and replicated VMs

Organizations can enjoy additional availability and ways to implement the 3-2-1 rule with storage snapshots and replicated VMs. These are “semi” offline instances of data that can be resilient against malware propagation; much like the Veeam Cloud Connect technology explained below.

5. Veeam Cloud Connect

The best solution is for complete out-of-band protection such as Veeam Cloud Connect. Here, backups are taken via the same Backup Copy Job and automatically sent off to a service provider via the Veeam Cloud Connect mechanism.

 

The Veeam Cloud Connect service is offered through the Veeam Cloud & Service Provider program, and is being offered by service providers and IT resellers. You can consult your local partner and learn about their offerings.

Safeguarding Backup Repositories from ransomware

The backup repositories should also be safeguarded as much as possible in order to protect them from ransomware encryption attacks.

The access rights to the Backup Repository Server should be restricted such that only the Veeam service account has access to the Repository Server and the file system.

In case of NAS systems, only the Veeam service account should be provided with the permissions for the Backup Repository.

For security reasons, working on a local desktop with a domain administrator is absolutely not recommended because this can lead to the ransomware spreading around the network very quickly.

Many administrators by default deactivate the Windows Firewall as soon as the installation of Windows is complete. This built-in mechanism can provide protection against ransomware attacks from the network via the Windows security loopholes. It’s considered to be a best practice that you take a little time out and activate the necessary inbound and outbound requirements in the Windows Firewall. This documentation contains a list of the ports used.

A virus scanner with an activated real-time search should also be installed on all Windows systems. After installing a new server, often times a customer forgets to install their antivirus software.  However, since virus scanners access a system deeply, they might block Veeam services. This knowledge base article provides information about the exceptions to be defined.

Summary

The tips provided here can help you considerably enhance your backup and recovery strategy for ransomware protection. Your backups will remain secure against infections and allow you to avoid any data loss in case of attacks. Always ensure that your local and remote Veeam Backup Repositories are being safeguarded. In conclusion, validate that your backups are also regularly exported in such a manner that the data is not directly accessible. By following these simple steps, you’ll be protecting your environment from the spread of malware such as CryptoLocker.

Conclusion

Overall the whole event was a big success for Veeam. There were many people interested in backup with Veeam. I had also good conversation with people I already know and also with new ones like the representative from Quantum. For me the event was also a success because I expanded my network.

Sources: Veeam; Marco Horstmann; Manfred Hofer