Sep 18

Hardening VMware and Backup

Hi, availability is based on policy-based mechanisms where data is often manually relocated to optimize cost and performance or to recover from a security intrusion. Tomorrow’s availability must evolve to a more autonomous model where the system reacts and adjusts automatically to any significant changes in the behavior of data, apps, or users anywhere across the enterprise. This level of automation is a big leap from where we are today. How can we bridge that gap from where we are to where we need to go? Keep in mind that Data Protection is crucial for ensuring the security of your data… My opinion is based on this Life Cycle: Data Protection = Cybersecurity approach + Data Governance + Modern Backup & Disaster Recovery. When we talk about Cybersecurity on an IT infrastructure, engineers have to apply some security rules to each component (server, storage, network etc.). This process is called “hardening”. Hardening has a true impact on the architecture (communication etc.), especially with the Modern Backup & Disaster Recovery environment. The following article is a feedback about Backup Job with Veeam Backup & Replication and hardening VMware vSphere infrastructure (Virtualization)…


First, you can read this post (Veeam B&R: Flow matrix and Transport mode) focused on Backup Proxies interaction and ports requirements. Understand Veeam core components and their communication is very useful especially to improve the security of your architecture (cybersecurity and compliance). Note: Veeam Help Center section covers typical connection settings for the backup infrastructure components (used ports).

Then, VMware published hardening guides on their website (I used “vSphere 6.5 Update 1 Security Configuration Guide“). Security Hardening Guides provide prescriptive guidance on deploying VMware products in a secure manner. Basically, it consists to apply/ modify some parameters on VMware components such as: vCenter server, ESXi servers and Virtual Machines.

Hardening VMware and Backup (Veeam):

TWhen we followed the guide and apply the modifications, the Backup Jobs had stopped working. So we thought the problem was linked to hardening. Then, we had to find the option generates these errors: “Failed to parse *.present” and “Error: Getting VM info from vSphere”. The last one was the best indices, we thought instantly Veeam Backup Server cannot get Virtual Machine information from the .VMX file. Then, we had to find which parameter brings about the issue in more of 30 rules on VMs…

Fixed:

After a few minutes (thanks to VMware PowerCLI), we located it! The Guideline ID concerned is “VM.verify-PCI-Passthrough”, this one allows auditing all uses of PCI or PCIe passthrough functionality. The configuration parameter is: “pciPassthru*.present” and the desired value is: “FALSE”. Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine result in a potential security vulnerability. The vulnerability can be triggered by buggy or malicious code running in privileged mode in the guest OS, such as a device driver. Industry-standard hardware and firmware do not currently have sufficient error containment support to make it possible for ESXi to close the vulnerability fully. There can be a valid business reason for a VM to have this configured. This is an audit-only guideline. You should be aware of what virtual machines are configured with direct passthrough of PCI and PCIe devices and ensure that their guest OS is monitored carefully for malicious or buggy drivers that could crash the host.

Veeam B&R needs to get Virtual Machine information (stored in the .VMX file) for processing the backup. You can change the value on each VM and remove it like this: pciPassthru0.present = “” (instead of pciPassthru0.present = “FALSE”).

Then, execute your Backup Jobs as usual!


Veeam B&R 9.5 U3 – New protection feature!

Ransomware – Protect your Backup Server Guide!

Ransomware: Save your customers with Veeam B&R!

VeeamON Chicago – Vision & Strategy 2018 – Recap!

VeeamONForum France Recap!

VeeamON Forum France – Interviewed by LeMagIT: LeMagIT

 
 

Please follow and like us:
fb-share-icon
Tweet

Christopher GLEMOT

CTO | Technical specialist around Data Management, Security, Cyber Security, Cyber Resilience, Backup, Disaster Recovery, Multi-Cloud, and Storage | Veeam Vanguard | Varonis Elite | Owner of original-network.com

Advertisement

1 ping

  1. […] Continue reading » […]

Leave a Reply

error

Enjoy this blog? Please spread the word :)