Jump to content

Network Segmentation: Where to place Backup System?


Recommended Posts

Hi all,


I'm just trying to get my head around a network segmentation question about backup infrastructure: In demand of minimum data loss, a backup system is set up to pull the incremental changes every hour and pushes it to a repository server. It will pull things like vmdsk files regularly (where incrementation is not really possible), files from the smb file share or SQL databases from different servers.

In my usual concepts, we segment all these servers apart from each other - DCs, fileservers, VM hosts, databases, public webservers,...

But where should I put the backup system with that requirements now? If I use a distinct segment, I will have all the backup traffic constantly going through the segmentation firewall, limiting the bandwidth for all other users. I have some ideas, but I don't really know which one is the best for this case.

What way would you go to improve the situation (without changing the backup strategy)?

  1. Add additional network interfaces to all the machines and connect all these ones in a separate (probably just virtual) VLAN to the backup system? This makes a wonderful hole in the segmentation concept, doesn't it?
  2. Configure bandwidth limitation (or priorities) on the firewall, so that backups are very slow, but don't block user traffic?
  3. Buy a lot of backup-VMs, one for each segment, and only have the traffic to the repository then?
  4. Buy larger firewalls and switches to handle the additional traffic?
  5. Put the backup system in the same segment as the largest backup traffic might appear (probably the one which has access to the VM hosts) and live with the rest of the traffic?
  6. Put all the systems that need to be backed up in the same network segment and hope for the best?

I'm curios to hear your opinions!


Link to comment
Share on other sites

Hmm that sounds pretty good already.
In our case we get around the traffic problem by running backups only when there is no one or a few people at work.
You answered your own question on point one :classic_biggrin:.
point 2,3,4 & 5 could work but it is really dependent on the Backup size.
The last one would be not so good. If one device gets infected everything could go to shit really fast.

  • Like 1
Link to comment
Share on other sites

  1. I wouldn't sweat so much about what VLAN your backups reside on, they're not your off-site backups anyway.
  2. Ensure you have off-site backups. This will take bandwidth, but a provider can also send you drives to copy a seed backup to, and then just incremental from there.

Those last two are important because if somebody gets domain admin, you don't want them to be able to touch your historical backups. Your backup admin should be protected at all costs, your DR plan is at stake.

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...