Security Guidelines

Best Practices for Securing BDRSuite Backup Server over WAN

BDRSuite Backup Server is compatible with both Windows and Linux environments. However, opting for Windows is recommended for a user-friendly and feature-rich BDRSuite Backup Server experience. This choice ensures optimal performance and seamless utilization of the BDRSuite Backup Server’s capabilities.

When establishing the backup infrastructure, it is imperative not to underestimate the importance of security. This document serves as a guide, offering instructions for securely hosting the BDRSuite Backup Server on your machine, along with the agents that connect to it over a WAN.

It also outlines various security features and recommendations to mitigate potential security risks, safeguarding against unauthorized access and protecting your sensitive data.

Service providers offering DRS (Disaster Recovery Services) across Wide Area Networks (WAN) can follow the instructions and best practices to ensure a secure and reliable backup and recovery experience using the BDRSuite Backup Server, aligning with service provider protocols for enhanced data safety and operational excellence.

Ensure Windows Integrity

Implementing measures to ensure Windows integrity helps prevent unauthorized modifications and ensures the reliability of the operating system.

  • Verify that your server operates on the most recent Windows version with a non-expired Long-Term Servicing (LTS) date.
  • Make sure that the operating system is updated with the latest security patches.
  • Check the Windows license information for compliance, addressing any security concerns promptly to maintain the LTS availability.

Firewall Configuration

  • Configure NAT (Network Address Translation) and the Windows firewall so that only necessary ports and data traffic are allowed.
  • This secures the connections and only allows access from authorized computers.
  • Outbound access is critical for the BDRSuite Backup Server to connect to the BDRSuite Portal Server for license validation. Your BDRSuite Backup Server connects to the BDRSuite Portal Server (for licensing) via port 443. Make sure that outbound access from your BDRSuite Backup Server allows data traffic via these two ports.
  • For inbound data communication in the BDRSuite Backup Server, open port 32004.
  • If you are providing tenant-level access or external web portal access, open the ports 6060 for HTTP and 6061 for HTTPS.

Ref: BDRSuite Ports and NAT Rules

  • It is recommended to use HTTPS (Hypertext Transfer Protocol Secure) for accessing the web server, which provides a secure and encrypted connection.
  • Also, replace the default SSL certificate, often provided by BDRSuite, with a certificate owned by the company.

Ref: How to replace default SSL certificate

This practice enhances the security of the web server, ensuring that data exchanged between users and the BDRSuite Backup Server remains confidential and protected from potential security threats or unauthorized access.
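The firewall guidance in this section can be checked with a short audit, added here as an illustration and not BDRSuite's own tooling: it flags enabled inbound allow rules that open ports other than 32004, 6060 and 6061, expose the portal over plain HTTP, or accept any source address. The function name, the rule names and the 203.0.113.0/24 agent range are assumptions, and the sample rules are constructed.

```powershell
# Inbound ports named on this page; other open ports deserve a second look.
$BdrInboundPorts = @{ 32004 = 'agent data'; 6060 = 'portal HTTP'; 6061 = 'portal HTTPS' }

function Test-BdrInboundRule {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        # Only enabled inbound allow rules expose a listening port.
        if ("$($Rule.Direction)" -ne 'Inbound' -or "$($Rule.Action)" -ne 'Allow' -or
            "$($Rule.Enabled)" -ne 'True') { return }
        $anySource = @($Rule.RemoteAddress) -contains 'Any'
        foreach ($spec in @($Rule.LocalPort)) {
            $port = $spec -as [int]   # $null for 'Any' or a range such as '6000-6100'
            $issue = if ($null -eq $port) {
                "port spec '$spec' is a wildcard or range; narrow it to single ports"
            } elseif (-not $BdrInboundPorts.ContainsKey($port)) {
                "port $port is not among the ports this page lists; confirm it is needed"
            } elseif ($port -eq 6060) {
                'portal is reachable over plain HTTP; the page recommends HTTPS (6061)'
            } elseif ($anySource) {
                "port $port accepts any source; limit RemoteAddress to authorized computers"
            }
            if ($issue) { [pscustomobject]@{ Rule = $Rule.Name; Issue = $issue } }
        }
    }
}

# Constructed sample rules (not from a real server), shaped like the live query below.
$sample = @(
    [pscustomobject]@{ Name = 'BDR agents'; Direction = 'Inbound'; Action = 'Allow'; Enabled = $true
                       LocalPort = '32004'; RemoteAddress = @('203.0.113.0/24') }
    [pscustomobject]@{ Name = 'BDR portal'; Direction = 'Inbound'; Action = 'Allow'; Enabled = $true
                       LocalPort = @('6060', '6061'); RemoteAddress = 'Any' }
    [pscustomobject]@{ Name = 'Old test rule'; Direction = 'Inbound'; Action = 'Allow'; Enabled = $true
                       LocalPort = '8080'; RemoteAddress = 'Any' }
    [pscustomobject]@{ Name = 'Disabled rule'; Direction = 'Inbound'; Action = 'Allow'; Enabled = $false
                       LocalPort = 'Any'; RemoteAddress = 'Any' }
)
$sample | Test-BdrInboundRule | Format-Table -AutoSize -Wrap

# Live input on the server (NetSecurity module), mapped to the same shape:
# Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
#     [pscustomobject]@{ Name = $_.DisplayName; Direction = $_.Direction; Action = $_.Action
#         Enabled = $_.Enabled; LocalPort = ($_ | Get-NetFirewallPortFilter).LocalPort
#         RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } | Test-BdrInboundRule
```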

Antivirus

Implementing a trusted antivirus solution along with the BDRSuite Backup Server provides an additional layer of protection against malware, viruses and potential malicious activity that could jeopardize the functionality and security of your backup environment. Consistent antivirus scanning and real-time protection significantly increase the security and resilience of your infrastructure.

Note: It is recommended to exclude the BDRSuite Backup Server Installation Folder (default location: C:\Program Files\Vembu\VembuBDR), DB Storage location, Backup Storage Repositories and the Backup Directory from the antivirus filter rules to avoid conflicts with the software.

Best Practices for BDRSuite Backup Server Security

DNS name for public IP

When the BDRSuite Backup Server is assigned a public IP, it is recommended to use a DNS name instead of the IP address. This ensures consistency even if the IP changes or is temporarily unavailable.

Encryption for Data Security

Enable backup encryption to prevent unauthorized access during restore. BDRSuite Backup Server uses the military-grade AES256 encryption algorithm for the backup data in transit and at rest.

3-2-1 Backup Strategy

Implement the proven 3-2-1 backup rule to improve redundancy.

  • This involves maintaining a primary backup locally.
  • A secondary copy securely stored in the cloud.
  • Another offsite copy at an alternate location or on a tape medium.

This strategy ensures robust data protection, minimizing the risk of data loss and bolstering overall backup resilience.

Activate recovery plans with automated System Boot Verification

Enable the Hyper-V role on the machine hosting the BDRSuite Backup Server to allow automatic booting and disk scanning of the backed-up data.

This ensures the integrity and reliability of your backup system. This system boot verification is a simulated execution of the restore process without making any actual changes to your live environment. This innovative feature is a valuable tool to evaluate the effectiveness and reliability of your recovery plans before execution in a real-world scenario.

Disaster Recovery Add-on Service

Increase the redundancy and reliability of your primary backup server by incorporating the Disaster Recovery Service (BDRSuite OffsiteDR Server / BDRSuite CloudDR), which adds an extra layer of security and continuity to your data protection strategy.

Email Notification

Enabling email notifications for deletions is a proactive measure. If a backup is deleted on the BDRSuite Backup Server, the recipients receive an email notification so that they can be informed of this event immediately.

User Account Management

Promote user awareness for creating secure passwords and enforce password policies for length, complexity and reset intervals.

  • Enable multi-factor authentication (MFA) for an extra layer of security by using a unique code sent via email for user validation.
  • Perform routine user account audits and remove or update dormant or unused accounts to ensure a secure environment.

RBAC (Role-Based Access Control)

Set up RBAC to manage access based on user roles. BDRSuite Backup Server offers different access roles such as full access and read-only access.

  • Select appropriate user access levels to prevent access rights from being exceeded and to ensure that users only see relevant information.
  • Perform regular reviews of role assignments and adjust them to organizational changes as needed.

Network Share Security

To increase the security of network shares, it is recommended to enable password-protected drives that can only be accessed by the IP of the BDRSuite Backup Server. This ensures that only authorized access is granted and strengthens the protection of your shared network resources.

SMTP Server Security

When utilizing an SMTP server for email notifications, it is crucial to enhance the security of email-based authentication by enabling password authentication. By implementing this measure, you add an additional layer of protection to your email communication, ensuring that only authorized users with valid credentials can access and utilize the SMTP server for sending notifications.

Restricting DB Server Access

Restrict DB server access only to the IP/DSN name of the BDRSuite Backup Server and prevent direct database connections from outside.

DB Backup

The BDRSuite Backup Server automatically creates daily backups for the backend database, which are crucial for rebuilding the BDRSuite Backup Server in the event of a complete machine failure.

  • Store these backups in the primary backup location and configure the repository for external drives or cloud storage to be independent of the BDRSuite Backup Server.

This ensures recovery of the backup data in situations where the BDRSuite Backup Server is no longer operational.

BDRSuite Backup Sizing

Proper sizing ensures optimal performance and efficient resource utilization of the BDRSuite Backup Server. Click here to learn more about BDRSuite Backup Server Sizing.

Conclusion

Implementing best practices for using the BDRSuite Backup Server over a Wide Area Network (WAN) is necessary to safeguard the critical data used for backup and recovery operations. By adhering to practices such as enabling password authentication, regularly updating the Windows environment, and following the 3-2-1 backup strategy, Service Providers (SPs) and organizations can significantly reduce vulnerabilities and enhance the overall security posture of their backup infrastructure over WAN.
