| 1 |
>> You're welcome. A pull system does rely on the server being secure, which |
| 2 |
>> is why I don't use it for offsite backups to the cloud :-O |
| 3 |
> |
| 4 |
> Wouldn't a push/pull combination be a good compromise? |
| 5 |
> |
| 6 |
> The remote servers push their backups to their own location on a staging |
| 7 |
> server. |
| 8 |
> The backup-storage server then pulls the backups from there. |
| 9 |
> |
| 10 |
> The staging can then be a VM with the real backups being moved onto |
| 11 |
> host-storage where the VM has no access to. |
| 12 |
> |
| 13 |
> This way, when the staging is compromised, only the latest backup can be |
| 14 |
> accessed. |
| 15 |
> When the remote server is compromised, only the latest backup can |
| 16 |
> potentially be overwritten. |
| 17 |
> But, the actual backups can not be accessed as the host will not have any |
| 18 |
> outgoing connectivity and when the backups are being pulled, the VM will |
| 19 |
> be stopped to allow access to the disk containing the backups. |
| 20 |
> |
| 21 |
> Following would be the steps: |
| 22 |
> 1) remote server(s) push backup to the VM |
| 23 |
> 2) host shuts down VM |
| 24 |
> 3) host mounts backup-store of VM locally |
| 25 |
> 4) host takes a backup of the "backup-store" |
| 26 |
> 5) host starts VM |
| 27 |
> |
| 28 |
> By using LVM snapshots, the downtime of the VM can be significantly reduced. |
| 29 |
> Additionally, the VM OS and software can be restored from a known-good |
| 30 |
> copy prior to each restart and the VM can be configured to only be running |
| 31 |
> during the backup-window of the remote systems. This would then |
| 32 |
> significantly reduce the window of opportunity for any security breach |
| 33 |
> attempts. |
| 34 |
|
| 35 |
I think I follow. :) Do you think that would be better than having |
| 36 |
the clients push to the backup server via rsync, then having the |
| 37 |
backup server update an rdiff-backup repository that the clients have |
| 38 |
no access to, then having another system pull from the backup server's |
| 39 |
rsynced data and create its own rdiff-backup repository? To me that |
| 40 |
seems like it would have the right combination of security, |
| 41 |
redundancy, and simplicity. |
| 42 |
|
| 43 |
- Grant |
Archives