Air Gap Backups
-
How would people define this?
Just send a backup to the cloud, or only achevied by backing up to tape (or other media) and store somewhere?We're looking to backup 4-5 VM's on a vmware host. 1TB max.
-
@hobbit666 said in Air Gap Backups:
How would people define this?
Just send a backup to the cloud, or only achevied by backing up to tape (or other media) and store somewhere?We're looking to backup 4-5 VM's on a vmware host. 1TB max.
Any major online storage provider offers some sort of immutable storage, which to me, is the easiest way to go. Even if you do get hit and they try to take out your backups, they can't mess with the backup files.
Tape works as well. Just a little more effort.
I've never liked a NAS to protect against ransomware, good for most backups otherwise. Too hard to air gap properly unless they also offer immutable storage.
-
@hobbit666 Yeah it's about immutability. As long as your cloud provider offers that, and you buy that, then you should be OK from ransonware.
Of course restores will likely be slow from the internet... so a local NAS based backup for typical restores is potentially a good idea.
-
Just enabled it on Wasabi give it a go
Enabled to "Lock" so to delete anything you have to contact them. -
@hobbit666 said in Air Gap Backups:
How would people define this?
Just send a backup to the cloud, or only achevied by backing up to tape (or other media) and store somewhere?"Just" sending to the cloud is the opposite, not air gapped at all. That's no different than any other "always attached" media. You have to have a mechanism that makes it so that the system sending the backup cannot alter or remove said backup. From the originating system's perspective, it must be immutable or not even exist.
-
@hobbit666 said in Air Gap Backups:
We're looking to backup 4-5 VM's on a vmware host. 1TB max.
Tape is the easiest and most obvious mechanism to air gapping.
-
@travisdh1 said in Air Gap Backups:
I've never liked a NAS to protect against ransomware, good for most backups otherwise. Too hard to air gap properly unless they also offer immutable storage.
You can make some NAS products act immutably just like their hosted cousins.
-
@scottalanmiller said in Air Gap Backups:
@hobbit666 said in Air Gap Backups:
How would people define this?Just send a backup to the cloud, or only achevied by backing up to tape (or other media) and store somewhere?
"Just" sending to the cloud is the opposite, not air gapped at all. That's no different than any other "always attached" media. You have to have a mechanism that makes it so that the system sending the backup cannot alter or remove said backup. From the originating system's perspective, it must be immutable or not even exist.
This is what I've always thought about "cloud" or "replication".
Think the word if been missing I immutable
. Now I understand that bit it makes more sense, as to me air gap would be things like tape 
-
@hobbit666 said in Air Gap Backups:
Now I understand that bit it makes more sense, as to me air gap would be things like tape
Tape is only gapped if it is manually removed from the tape device and a robot can't put it back in. Many small businesses use tape in a fully coupled way. So you have to be careful in both cases.
The problem linguistically is that when we talk cloud, we assume that the storage is mutable, but it might not be.
And when we talk tape, we assume that the tape is immediately removed and stored somewhere that cannot be accessed in an automated way, but it often isn't.
So there is a lot of assumption that goes into talking about it.
-
couldn't you just backup to something that can be shutdown by the backup app once the backup is complete?
then just add powering the device back up as one of the daily tasks to be undertaken by the sysadmins or whoever.
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
if you work in a 24x7 centre maybe you can get one of the night sysadmins to just unplug the backup medium once the job is complete?
i did that years ago at a place that had mainframe admins 24x7, they just added it to their nightly tasks.
-
@siringo said in Air Gap Backups:
couldn't you just backup to something that can be shutdown by the backup app once the backup is complete?
Sure, and tape is the easiest form of that. You can use removable drives or whatever. They are shut down and disconnected.
-
@siringo said in Air Gap Backups:
then just add powering the device back up as one of the daily tasks to be undertaken by the sysadmins or whoever.
If you power it back up, it's not air gapped.
-
@siringo said in Air Gap Backups:
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
Sure but... why? Tape is cheaper, faster, and more reliable.
-
@siringo said in Air Gap Backups:
if you work in a 24x7 centre maybe you can get one of the night sysadmins to just unplug the backup medium once the job is complete?
Right, but again, tapes are built specifically for this. Eject on finish, have the wetware come and pull the time sometime before the next shift and insert the new tape before the backup window starts.
Yes, you can use anything instead of tape here. But tape is purpose built to do every aspect of this as perfectly as possible.
-
@siringo said in Air Gap Backups:
i did that years ago at a place that had mainframe admins 24x7, they just added it to their nightly tasks.
Essentially every company of any size does this. It's a super rare large firm that doesn't have removable media that needs to be taken to storage daily.
-
@scottalanmiller said in Air Gap Backups:
@siringo said in Air Gap Backups:
then just add powering the device back up as one of the daily tasks to be undertaken by the sysadmins or whoever.
If you power it back up, it's not air gapped.
But neither is the tape while it's inserted in the drive.
-
@scottalanmiller said in Air Gap Backups:
@siringo said in Air Gap Backups:
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
Sure but... why? Tape is cheaper, faster, and more reliable.
The only part I might disagree with is cheaper. tapes are super expensive, though in the long run I suppose they could be cheaper.
LTO drives start at $2K and most single drive bays are more like $5K+... but I know those "drives as tapes" solution from the 2010's weren't cheap either...
-
@dashrender said in Air Gap Backups:
@scottalanmiller said in Air Gap Backups:
@siringo said in Air Gap Backups:
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
Sure but... why? Tape is cheaper, faster, and more reliable.
The only part I might disagree with is cheaper. tapes are super expensive, though in the long run I suppose they could be cheaper.
LTO drives start at $2K and most single drive bays are more like $5K+... but I know those "drives as tapes" solution from the 2010's weren't cheap either...
Yes, the drives are a large one-time up-front expense. The media is generally cheaper than HDD of the same size, which is just one reason why tape is often the preferred medium for air gapped and/or offsite backups.
-
@travisdh1 said in Air Gap Backups:
@dashrender said in Air Gap Backups:
@scottalanmiller said in Air Gap Backups:
@siringo said in Air Gap Backups:
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
Sure but... why? Tape is cheaper, faster, and more reliable.
The only part I might disagree with is cheaper. tapes are super expensive, though in the long run I suppose they could be cheaper.
LTO drives start at $2K and most single drive bays are more like $5K+... but I know those "drives as tapes" solution from the 2010's weren't cheap either...
Yes, the drives are a large one-time up-front expense. The media is generally cheaper than HDD of the same size, which is just one reason why tape is often the preferred medium for air gapped and/or offsite backups.
Boy they must have come down...I recall when LTO 2 (yea a long time ago) where stupid expensive!
-
@dashrender said in Air Gap Backups:
@travisdh1 said in Air Gap Backups:
@dashrender said in Air Gap Backups:
@scottalanmiller said in Air Gap Backups:
@siringo said in Air Gap Backups:
you used to be able to get those 'cassette' drives which were just disks in a casing that were used in a similar way to tapes. maybe there's something similar to that with a capacity of 1TB+ ?
Sure but... why? Tape is cheaper, faster, and more reliable.
The only part I might disagree with is cheaper. tapes are super expensive, though in the long run I suppose they could be cheaper.
LTO drives start at $2K and most single drive bays are more like $5K+... but I know those "drives as tapes" solution from the 2010's weren't cheap either...
Yes, the drives are a large one-time up-front expense. The media is generally cheaper than HDD of the same size, which is just one reason why tape is often the preferred medium for air gapped and/or offsite backups.
Boy they must have come down...I recall when LTO 2 (yea a long time ago) where stupid expensive!
LTO 2? Bah, young people will never know the joys of DLT.
