This post is also available in: Italian

Reading Time: 6 minutes

Veeam Backup & Replication does not have a native integration with “entry-level” NAS appliance, but there are some different options if you want to configure a Veeam repository on a NAS hardware appliance.

The most common option is just to use the CIFS/SMB protocol on the NAS appliance and connect the repository as a network share.

But for some NAS appliances there is also the possibility to export a LUN with iSCSI and then you can connect it with a software iSCSI initiator to the Veeam Backup Server and use as “local storage”.

In most cases, the second option could be faster because you don’t have to manage file across the network, but you can manage blocks. But it really depend by the appliance and could be better make some comparison tests.

But both cases have a security limit: if the Veeam Backup Server is compromised at Windows OS level, then it can be easily reach the repository and attack the data on it (for example for a cryptolocker). If you are using an iSCSI LUN you have full access to the disk, if you use a network share you must give Windows-based credentials to write on it. So both cases are not so good if you want to have separated security access.

This is quite close to an “air-gap solution“, and could be really important because you must be able to protect your backup against a hacker who is already inside of your environment. Because being on the inside, these hackers are usually able to fairly quickly obtain privileged access and for Windows system could be much easier if AD or shared credential are used.

Of course, a real air-gap solution ensures that a secure computer network is physically isolated from unsecured networks, and this solution is not exactly the same, but could be a good trade-off.

There could another approach to add a good gap between the backup and the repository: trying to add a NAS appliance as a Linux server by putting SSH credentials.

First be sure to check your SSH settings on the Veeam Backup Server:

Then create the SSH credential; if needed you can also elevate the priviledges.

But for a QNAP appliance, when you try to connect it, you will get this kind of error: Failed to start PerlSoap protocol

The reason is quite simple: QNAP appliances does not have the Perl language installed. But you can simple add it from the store: Now, if you are using latest version of Veeam Backup and Replication and the QNAP firmware, you will see the QNAP filesystem with all its partitions.

Note that the persisten storage is mounted usually in the /share/MD0_DATA or /share/CACHEDEV1_DATA or a similar directory (just look at the biggest mount point):

Now you can create the repository by selecting an already created directory with proper permission for the user specified in the credential:

The number of maximum concurrent tasks should be selected depending by you NAS model (main CPU and memory) and the disks performance (mainly the type of RAID)… but for entry-level NAS a value of 2 could be safe. Remember that requirements for a Veeam repository are: 4 GB RAM, plus up to 2 GB RAM (32-bit OS) or up to 4 GB RAM (64-bit OS) for each concurrent job depending on backup chain’s length and backup files sizes. For more information, see Limitation of Concurrent Tasks.

Of course, you are probably under those limits, but the repository can work proper (for small environments). Also note that probably the performance of this approach may be slower than using a network share or an iSCSI LUN, especially if your repository does not have the required minimum resources.

But with this configuration, you have a better “air-gap” between the Veeam Windows-based components and the repository where data are stored. Also if the Veeam Backup is compromised you cannot direct access to the repository. But it’s not a “100% safe” approach: if the Veeam Backup is compromised , it’s possible to try to grab the stored credential on it and then use to gain direct access to the NAS.

But you can have a second protection level that could make a secondary copy (on external disks of the NAS or on another NAS) not using the Veeam Copy Job, but using native NAS command (like rsync)… the main requirement is to use a different account and different privileges.

One interesting example could be have a second NAS without any external access or service, that can access in read-only mode to the NAS with the Veeam repository and each day makes a local copy of the Veeam repository files.

The idea is to found all possible approaches that can permit that your backups will survive even when your entire environment is exposed. But remember that the only storing a copy of your backup on an offline storage media is the ONLY bulletproof protection solution that can guarantee the data integrity against attacks. The complete isolation is the true air-gap solution!

And which kind of QNAP appliances can I use? At least Intel or AMD based appliances, because the Veeam transport code is written for x86 architecture and not for ARM-based architecture.

The you can probably use each model with at least 2 cores and 2 GB of RAM, like for example:

[amazon_link asins=’B00L8GHOQ8,B015VNLGF8′ template=’ProductCarousel’ store=’vinfrastructu-20′ marketplace=’US’ link_id=’12f077d0-e63e-11e8-94d7-2708f50a88f9′]

Note that most of NAS can have an additional RAM DIMM to increase the system RAM.