OceanProtect 1.6.0 Backup Storage Ransomware Protection Solution Best Practice (Integration with Commvault)

Interoperability Test Report

Axians Global
All Rights Reserved

1. Overview

Ransomware is a type of malware that encrypts the victim’s files or locks the system and demands a ransom payment to restore access. Ransomware is usually spread through phishing emails, malicious links, or exploitation of vulnerabilities.

Ransomware mainly leads to the following hazards:

  • Data loss: After files are encrypted by ransomware, victims cannot access key data, causing service interruptions.
  • Financial loss: Ransom payment does not guarantee data restoration, and the ransom amount is usually high.
  • Reputation damage: Data leakage or service interruptions can seriously damage enterprises’ reputation.
  • Compliance risks: Data leakage may cause enterprises to encounter lawsuits and fines due to violation of data protection laws and regulations.

Traditional network security measures, such as firewalls, intrusion detection systems (IDSs), and antivirus software, are mainly used to defend against known threats. However, attackers continuously adopt new technologies and techniques, making it difficult for traditional security measures to cope with the attacks effectively. Traditional data protection solutions only check whether data is successfully backed up. They lack a mechanism for inspecting backup data content, a mechanism for preventing backup copies from being tampered with, and resilience of the backup system against ransomware attacks.

Based on different application scenarios, the ransomware protection storage solution can be divided into:

  • Ransomware protection storage solution for SAN
  • Ransomware protection storage solution for NAS
  • Ransomware protection solution for backup storage
  • Ransomware protection solution for backup appliances

This best practice describes the ransomware protection storage solution for backup storage (OceanCyber 300 1.2.0+OceanProtect X8000 1.7.0+Commvault 11.36+OceanStor BCManager eReplication 8.6.0), where:

  • OceanProtect Air Gap is used to establish an isolation zone.
  • OceanProtect file system WORM ensures data anti-tampering.
  • OceanProtect backup link encryption prevents data theft and tampering on backup links, and array encryption and replication link encryption prevent data leakage on the storage layer and replication link layer.
  • The detection and analysis of the OceanCyber 300 Data Security Appliance (OceanCyber Appliance for short) protect data on the OceanProtect Backup Storage devices, and provide functions such as ransomware detection and data restoration.

The solution helps users build data foundation resilience to implement secure data restoration.

1.1 Introduction

This document describes the best practices of the OceanCyber 300 1.2.0+OceanProtect X8000 1.7.0+Commvault 11.36+OceanStor BCManager eReplication 8.6.0 backup ransomware protection storage solution.

1.2 Intended Audience

This document is intended for:

  • Marketing engineers
  • Technical support engineers

2. Solution Overview

OceanProtect X8000 1.7.0 integrates Commvault backup software and is externally connected to the OceanCyber 300 Data Security Appliance to detect and analyze backup data and generate secure snapshots for uninfected backup copies. Based on the Air Gap function of the OceanStor BCManager eReplication component, data from a specified file system in the production zone is periodically replicated to the security isolation zone. After the replication is complete, secure snapshots are automatically generated for secure isolation and anti-tampering of important data. In addition, replication link encryption, backup link encryption, and array encryption prevent data theft on transmission links and backup links between backup storage devices, and on storage layers.

The entire network consists of a production zone and a security isolation zone. The security isolation zone connects to the production zone only via specified replication ports. Generally, the replication ports are disconnected and are connected only during replication. If restoration verification is required for the security isolation zone, you are advised to deploy a restoration verification host in the security isolation zone to verify the data in the isolation zone.

2.1 Solution Architecture

Figure 2-1 Solution architecture

As shown in Figure 2-1, the network is composed of a production zone and an isolation zone.

  • Production zone

Consists of the production hosts, backup server, OceanCyber 300 Data Security Appliance, backup storage in the production zone, and switches connected to the backup storage in the isolation zone.

  • Isolation zone

Consists of verification hosts, the OceanStor BCManager eReplication management server, backup server, backup storage, and switches connecting the verification hosts to the backup storage in the isolation zone. The verification hosts in the isolation zone can verify the consistency of replicated data. The OceanStor BCManager eReplication management server must be able to communicate with the storage management network in the isolation zone. This server controls the connectivity of replication links of the storage in the isolation zone by enabling or disabling the ports used by these links. In this way, the links are connected during data transmission and disconnected after data transmission is complete.

  • Ethernet switches are used to connect replication links between the storage devices in the production and isolation zones. Firewalls can be configured between replication links to further improve replication link security.
  • In actual scenarios, considering that the security isolation zone ensures data security and provides management and maintenance functions, it is recommended that a management console be deployed in the security isolation zone and connected to the production zone over an independent network. To ensure security, access authentication, such as VPN and token authentication, is required.

2.2 Solution Components

Table 2-1 Components in the solution architecture

Production host
  • Description: Functions as an application system host in the data center of the production zone, which can be a common production host, such as an Oracle database host or VMware ESXi host.
  • Deployment position: Production zone
  • Configuration requirement: The production host is configured based on actual service requirements.

Backup server (deployed together with the media server)
  • Description: Creates, executes, and schedules backup jobs, and configures backup policies.
  • Deployment position: Production zone
  • Configuration requirement: The backup server can be deployed independently or together with the media server.

OceanCyber 300 Data Security Appliance
  • Description: Protects data of the OceanProtect Backup Storage and provides functions such as ransomware detection and data restoration.
  • Deployment position: Production zone
  • Configuration requirement: Two 25GE or 100GE ports are configured.

Switch 1
  • Description: Functions as a service switch deployed in the data center of the production zone, used for data transmission between the data security appliance and the storage in the production zone.
  • Deployment position: Production zone
  • Configuration requirements: Ethernet switches must be used. The networking requirements are the same as those of the OceanProtect Backup Storage.

Switch 2/3
  • Description: Functions as a service switch deployed in the data center of the production zone, used for data transmission between the data security appliance, the production host, and the storage in the production zone.
  • Deployment position: Production zone
  • Configuration requirements: Ethernet switches must be used. The networking requirements are the same as those of the OceanProtect Backup Storage.

Backup storage in the production zone
  • Description: Stores data.
  • Deployment position: Production zone
  • Configuration requirements: Provides features such as WORM, CIFS/NFS transmission encryption, storage encryption, replication link encryption, and secure snapshots. Independent replication ports are configured.

Switch 4/5
  • Description: Functions as an Air Gap replication link switch deployed in the data center of the production zone, used to synchronize data from the storage in the production zone to that in the isolation zone.
  • Deployment position: Production zone
  • Configuration requirements: Dedicated to the Air Gap replication links to implement point-to-point replication; for security, it should not reuse the production network. An Ethernet switch or a Fibre Channel switch can be configured based on customer services; an Ethernet switch is recommended.

Switch 6/7
  • Description: Functions as an Air Gap replication link switch deployed in the data center of the isolation zone, used to synchronize data from the storage in the production zone to that in the isolation zone.
  • Deployment position: Security isolation zone
  • Configuration requirements: Dedicated to the Air Gap replication links to implement point-to-point replication; for security, it must not reuse the management and service networks in the security isolation zone. An Ethernet switch or a Fibre Channel switch can be configured based on customer services; an Ethernet switch is recommended.

(Optional) Firewall in the production zone
  • Description: Restricts the communication of non-replication ports. A firewall is recommended when replication links are not point-to-point or pass through public network links.
  • Deployment position: Production zone
  • Configuration requirements: A firewall restricts the communication of non-replication ports only and is not used for enabling or disabling replication ports. In deployment, the replication link traffic needs to be evaluated to prevent the firewall from becoming a bottleneck.

(Optional) Firewall in the security isolation zone
  • Description: Restricts the communication of non-replication ports. A firewall is recommended when replication links are not point-to-point or pass through public network links.
  • Deployment position: Security isolation zone
  • Configuration requirements: A firewall restricts the communication of non-replication ports only and is not used for enabling or disabling replication ports. In deployment, the replication link traffic needs to be evaluated to prevent the firewall from becoming a bottleneck.

Verification host
  • Description: Functions as an application system host in the data center of the isolation zone, which can be used to start applications and perform virus detection on application data in the isolation zone.
  • Deployment position: Security isolation zone
  • Configuration requirement: Select a physical server or VM based on customer services.

Switch 8
  • Description: Used for communication among the host, the OceanStor BCManager eReplication management server, and the storage device.
  • Deployment position: Security isolation zone
  • Configuration requirements: Ethernet switches must be used. Both 10GE and GE (RJ45) ports must be supported, and at least twelve ports must be provided.

OceanStor BCManager eReplication management server
  • Description: Connects or disconnects the Air Gap replication links.
  • Deployment position: Security isolation zone

Backup storage in the isolation zone
  • Description: Protects and rolls back production data.
  • Deployment position: Security isolation zone
  • Configuration requirements: Provides features such as WORM, CIFS/NFS transmission encryption, storage encryption, replication link encryption, and secure snapshots. Independent replication ports are configured.

Backup server (deployed together with the media server)
  • Description: Creates, executes, and schedules backup jobs, and configures backup policies.
  • Deployment position: Security isolation zone
  • Configuration requirement: It can be deployed independently or together with the media server. The backup server is deployed together with the media server in this best practice.

2.3 Key Technologies

  • Detection and analysis of the OceanCyber 300 Data Security Appliance

Based on a predefined policy, the OceanCyber 300 Data Security Appliance periodically creates snapshots for the OceanProtect Backup Storage and performs in-depth detection on the snapshots to check whether the backup data of files, NAS, and VMware VMs has been encrypted by ransomware. If an exception is detected, the backup copy is marked as infected, and alarms and Air Gap link disconnection are triggered to prevent infected data from being replicated to the isolation zone. If no exception is found, the backup copy is marked as uninfected and converted to a secure snapshot.

The detection and analysis function of the OceanCyber 300 Data Security Appliance provides ransomware encryption detection and in-depth detection on backup copies. The built-in detection function of the OceanProtect Backup Storage (X8000 and later models) supports only ransomware encryption detection on backup copies.

Ransomware encryption detection on backup copies: This covers the case where ransomware encrypts backup copies after the backup is complete. The detection and analysis function identifies the backup copies that have been attacked by ransomware and marks them as infected.

In-depth detection on backup copies: If a large amount of production data, such as data in files or VMware VMs, is encrypted by ransomware, the detection and analysis function parses the contents of the backup copies after the backup software backs up the data. This function can identify whether the original files or the files in VMware VMs are infected. If they are, the backup copies are marked as infected.

  • Air Gap

Replication link isolation switch, which enables the replication links only when a replication job is running and disables the replication links after the replication job is complete. The enabling and disabling of the entire replication links can be controlled only in the isolation zone. This solution uses the OceanStor BCManager software in the isolation zone to configure Air Gap replication policies. In this way, the replication links are enabled only during data replication and disabled immediately after data replication is complete.

The Air Gap capability of the OceanCyber 300 Data Security Appliance and that of OceanStor BCManager are described as follows:

OceanStor BCManager is deployed in the isolation zone. The Air Gap capability of OceanStor BCManager asynchronously replicates differential data from the storage in the production zone to the storage in the isolation zone based on policies. After the replication is complete, the replication port of the storage in the isolation zone is disconnected and secure snapshots are automatically created. The OceanCyber 300 Data Security Appliance is deployed in the production zone. The Air Gap capability of the OceanCyber 300 Data Security Appliance only disconnects the replication port in the production zone when an exception is detected to prevent infected data from being replicated to the isolation zone. Air Gap replication of OceanStor BCManager can be used together with Air Gap link disconnection of the OceanCyber 300 Data Security Appliance. However, Air Gap link disconnection of the OceanCyber 300 Data Security Appliance cannot replace the Air Gap replication capability of OceanStor BCManager.

Built-in detection of the OceanProtect Backup Storage does not support the Air Gap link disconnection capability.

  • WORM

WORM can be configured for file systems in the backup storage, preventing backup copy data from being tampered with after the backup storage is attacked by ransomware.

  • Storage pool encryption

Storage pool encryption is implemented by controllers online, which does not affect the front-end services and prevents production data from being stolen on disks.

  • Replication link encryption

The technology encrypts the data transmission links between the backup storage in the production zone and that in the isolation zone to prevent data from being stolen or tampered with during data transmission on replication links.

  • Backup link encryption

Backup link encryption (CIFS/NFS encryption) prevents data from being stolen or tampered with during transmission between hosts (media servers) and the backup storage.

2.4 Typical Ransomware Attack Handling Scenarios

  • Protection against ransomware attacks on core service systems in the production zone

A core service system, if encrypted by ransomware, can be quickly restored to the latest time point before encryption. The backup software uses the latest snapshot copy to restore service data. The restoration process in this scenario is the same as that in the centralized backup solution and is not described here. The OceanCyber 300 Data Security Appliance performs data source backtracking on backup storage copies through restoration to the original location or a shared location.

Because data cannot be deleted within the data retention period, WORM file systems prevent backup data from being tampered with in the following scenarios:
    1. The backup server is attacked and file systems are deleted after the backup storage administrator’s permissions are obtained.
    2. The storage file system and backup data are maliciously deleted.
    3. The backup server is attacked, illegal privilege escalation is performed, the backup administrator’s permissions are obtained, or data is maliciously deleted.

  • Protection against damage to storage systems in the production zone

After the production zone is damaged, data can be restored from the isolation zone, ensuring that a copy of secure and reliable data is available for fast restoration.

If a backup storage system in the production zone is attacked (for example, the ransomware latency period exceeds the backup data retention period, causing all backup data to be infected), a security isolation zone further improves the data security assurance capability. If all backup storage systems in the production zone are damaged, production data can be restored using the synchronized copies in the security isolation zone.

2.5 Precautions

  • Detection is not supported if encryption, deduplication, or compression is enabled for Commvault.
  • The original backup data of Commvault cannot be high-entropy files.
  • A DataTurbo administrator can be created only under vStore System_vStore.
  • A maximum of 16 DataTurbo users can be created.
  • The OceanCyber 300 Data Security Appliance supports a maximum of eight storage devices and a maximum of 16 concurrent detection jobs.
  • Enabling DataTurbo is mutually exclusive with the pre-event blacklist, in-event I/O behavior detection, and honeyfile detection.
  • Currently, in-depth detection is supported only for backup copies of Commvault backup files, VMware, and databases (Oracle and MySQL).

3. Planning and Configurations

This section describes the planning and configurations of the production zone and isolation zone.

3.1 Configuration Planning

3.1.1 Backup Storage Planning

  • Capacity planning for the backup storage in the production zone
    1. Scenario 1: Deduplication is disabled on Commvault.

       If deduplication is enabled only on the OceanProtect rather than on Commvault, the capacity planning for the OceanProtect is the same as that in the centralized backup solution. You need to plan the capacity of the backup storage based on the backup policy, retention period, data type, data change rate, data volume to be backed up, and deduplication ratio.

    2. Scenario 2: Deduplication is enabled on Commvault.

       When deduplication is enabled on Commvault, because Commvault is integrated with OceanProtect through WORM Storage, WORM lock day = Copy retention time + WORM DDB Seal Frequency. WORM DDB Seal Frequency is the copy retention time by default and can be reduced to half of the copy retention time. Therefore, you need to reserve space for the corresponding copies (space after deduplication).

  • Capacity planning for the backup storage in the isolation zone
    1. Scenario 1: The snapshot copy retention in the production zone is the same as that in the isolation zone, and the capacity planning is the same.
    2. Scenario 2: The snapshot copy retention in the production zone is different from that in the isolation zone. The isolation zone has scenarios where periodic secure snapshots are used to prolong the data retention period and snapshot clone volumes are used for restoration verification. Therefore, you are advised to reserve at least 20% of the space in addition to the space for the original file system to be replicated. This prevents insufficient capacity of the storage pool in the isolation zone from affecting data synchronization from the production zone to the isolation zone.

3.1.2 Network Planning

  • Network planning for the OceanCyber 300 Data Security Appliance in the production zone

Table 3-1 Network description

  • BMC/Management network: The BMC network is used to connect to the management network port of the OceanCyber Data Security Appliance to manage the hardware device. The management network is used to manage and maintain the service system of the OceanCyber Data Security Appliance and deliver security policies to the connected storage devices.
  • Service network: The service network is used to connect to a protected storage device (through NFSv3/CIFS) and to perform ransomware detection and analysis on the NAS file systems of storage devices.

  • Network planning for the storage in the production and isolation zones

Figure 3-1 Network planning

  • Network planes
    1. The management network is used for system management and network communication between devices.
    2. The replication network is used for replication data communication between the backup storage in the production zone and that in the isolation zone.
    3. The service network is used for network communication between hosts and storage devices.
    4. The O&M network is used for O&M management between hosts and devices.
  • Network planning for backup storage in the production or isolation zone
    1. Physical port planning: You need to plan the network ports for connecting the backup media servers to the backup storage devices and the network ports for the replication links between the backup storage in the production zone and that in the isolation zone. You can plan ports based on service requirements.
    2. Logical port planning: Logical ports are created for the remote replication between storage arrays by using Air Gap and for the connection between the backup media server and backup storage. You are advised to configure at least one logical port for each 10GE ETH port. If Fibre Channel is used for replication links between storage arrays or links between hosts and storage arrays, you do not need to create logical ports.
  • Network planning for hosts

Physical port planning: Plan physical ports based on the data to be backed up and disaster recovery (DR) requirements. It is recommended that each host have at least two 10GE physical ports.

  • Network planning for backup media servers

Physical port planning: Plan physical ports based on the data to be backed up. It is recommended that each backup media server have at least four 10GE physical ports to meet backup requirements.

  • Network planning for backup servers

Physical port planning: Ensure that the management network of the backup server can communicate with that of the backup media server.

  • For details about the network planning and configuration of OceanCyber 300, see Network Planning in the OceanCyber 300 1.2.0 Installation Guide.
  • OceanCyber 300 can automatically create shares for NAS file systems on protected storage devices, map the shares to itself, and perform ransomware detection. You do not need to configure shares for NAS file systems on storage devices.

3.1.3 Verification Host Planning

Verification hosts are configured as required. Backup storage data can be accessed from the isolation zone. It is recommended that at least one verification host and backup server be deployed for periodic data consistency check.

3.1.4 Policy Planning

  • Policy planning for the production zone
  • Backup and detection policy planning

For small-scale data (less than 100 TB), you are advised to back up data once a day and check the backup data after all backup jobs are complete on the same day.

For large-scale data, it may not be possible to reserve a dedicated detection time window. You are advised to run detection in a time window with a small number of backup jobs, for example, a period in which only archive log backup jobs are running.

  • Other planning

After the detection is complete, uninfected snapshots are converted to secure snapshots. Secure snapshots occupy space and can be deleted only after they expire. Therefore, you are advised to retain secure snapshots for one month.

  • Policy planning for the isolation zone
  • Deploying OceanStor BCManager eReplication

The management network of the OceanStor BCManager eReplication management server must be able to communicate with storage devices in the isolation zone. The OceanStor BCManager eReplication management server can be deployed on a physical server or VM platform, and must be deployed on an independent server for security purposes. It is isolated from the server where the service host is deployed.

  • Configuring protection policies on OceanStor BCManager eReplication

OceanStor BCManager is deployed in the isolation zone and is isolated from the network in the production zone. Therefore, it cannot observe the status of the OceanCyber 300 detection jobs, and you need to configure a scheduled Air Gap replication policy on OceanStor BCManager. The typical Air Gap replication time window is from 00:00 to 06:00, and data is synchronized every 24 hours. It is recommended that data be replicated once a day and that the replication duration be at most 4 hours. If the daily replication volume is 10 TB, the required bandwidth is about 720 MB/s (10 TB/4/3600). The replication logical port is created on a 10GE physical port, and each controller of the storage systems in the production and isolation zones provides one replication logical port to meet the bandwidth requirement.

After the synchronization is complete, a secure snapshot is generated. You can adjust the policy based on service requirements.

  • Configuring policies for secure snapshots

It is recommended that a secure snapshot be generated in the isolation zone every day and the protection period be one month. The secure snapshot policy is configured on OceanStor BCManager. In the protection policy, a secure snapshot is created in the isolation zone each time after data synchronization is complete by using Air Gap. You can adjust the policy based on service requirements.

  • Overall policy planning for ransomware protection

The overall policy planning for ransomware protection involves the backup policy, detection policy, Air Gap replication policy, and secure snapshot creation policy after replication. The general principle is to execute the backup, detection, Air Gap replication, and secure snapshot creation jobs in sequence. That is, detection is performed after all backup jobs are complete, Air Gap replication is performed after detection is complete, and secure snapshot is created in the isolation zone after Air Gap replication is complete. This ensures that all data is complete, clean, and valid.

On some live networks, the backup data volume is so large that the backup, detection, and Air Gap replication jobs cannot all be completed within one day. In this case, you can start detection in the period when the fewest backup jobs are running. If the sum of the detection duration and the Air Gap replication duration exceeds 24 hours, you are advised to configure detection and Air Gap replication to run concurrently. If an exception is detected while an Air Gap replication job is in progress, OceanCyber proactively stops the replication job to prevent infected data from being replicated to the isolation zone. If the Air Gap replication job has already ended and infected data has been replicated to the isolation zone, you can manually roll back the latest snapshot in the isolation zone to the time point before replication. (This operation is optional: infected data replicated to the isolation zone has no execution environment there and does not propagate to other snapshot copies in the isolation zone.)

After in-depth detection of backup copies is enabled, the system performs in-depth parsing and detection on backup copies in the backup storage device, which may prolong the overall detection time. You are advised to enable this function if the intelligent detection policy is applied to file systems of an OceanProtect storage device.

If in-depth detection of copies is enabled, the detection performance will be compromised. It will drop from 50 TB/hour to 12 TB/hour if this function is enabled.

Self-learning supports only in-depth detection. You are advised to perform self-learning for one month. During self-learning, all backup copies are clean by default, and the detection results will show as uninfected.
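As an added planning example (not part of the OceanProtect documentation or any Huawei or Commvault tool), the following Python models the rules stated in 3.1.1 and 3.1.4: the WORM lock formula, the detection throughput figures, the sequential-versus-concurrent ordering of the backup, detection, Air Gap replication and secure snapshot jobs, and the prescribed response when a detection verdict arrives while replication is running or finished. The function names, the single 24-hour cycle model and the binary TB-to-MB conversion are assumptions made for this illustration.

```python
"""Policy-window planner for the backup -> detection -> Air Gap replication ->
secure snapshot chain described in sections 3.1.1 and 3.1.4.

Added example, not vendor code. Throughput and duration figures are the ones
quoted in the text; everything else (names, units, cycle model) is assumed.
"""
from dataclasses import dataclass

DAY_HOURS = 24.0
# Detection throughput quoted in the text: 50 TB/hour without in-depth copy
# detection, 12 TB/hour with it enabled.
DETECTION_TB_PER_HOUR = 50.0
DEEP_DETECTION_TB_PER_HOUR = 12.0
MB_PER_TB = 1024 * 1024  # assumption: binary units, consistent with the ~720 MB/s figure


def worm_lock_days(copy_retention_days, ddb_seal_frequency_days=None):
    """WORM lock day = Copy retention time + WORM DDB Seal Frequency (3.1.1).

    The seal frequency defaults to the copy retention time and may be reduced
    to half of it; a shorter value is rejected because the text allows no less.
    """
    if ddb_seal_frequency_days is None:
        ddb_seal_frequency_days = copy_retention_days
    if ddb_seal_frequency_days < copy_retention_days / 2:
        raise ValueError("WORM DDB Seal Frequency may not be below half the copy retention time")
    return copy_retention_days + ddb_seal_frequency_days


def detection_hours(data_tb, deep_detection=False):
    """Estimated detection duration for the day's backup copies."""
    rate = DEEP_DETECTION_TB_PER_HOUR if deep_detection else DETECTION_TB_PER_HOUR
    return data_tb / rate


def replication_hours(daily_change_tb, link_mb_per_s):
    """Air Gap replication duration for the daily differential at a given link rate."""
    return daily_change_tb * MB_PER_TB / link_mb_per_s / 3600


@dataclass
class DayPlan:
    mode: str             # "sequential" (recommended) or "concurrent"
    backup_h: float
    detection_h: float
    replication_h: float
    snapshot_at_h: float  # hours after backup start when the secure snapshot is created
    fits_in_day: bool


def plan_day(backup_h, data_tb, daily_change_tb, link_mb_per_s, deep_detection=False):
    """Order the four jobs within one 24-hour cycle.

    Preferred order: backup -> detection -> Air Gap replication -> secure snapshot.
    If that chain exceeds 24 hours, detection and replication run concurrently
    after backup, and the secure snapshot follows whichever finishes last.
    """
    det = detection_hours(data_tb, deep_detection)
    rep = replication_hours(daily_change_tb, link_mb_per_s)
    if backup_h + det + rep <= DAY_HOURS:
        end = backup_h + det + rep
        return DayPlan("sequential", backup_h, det, rep, end, True)
    end = backup_h + max(det, rep)
    return DayPlan("concurrent", backup_h, det, rep, end, end <= DAY_HOURS)


def handle_detection_result(infected, replication_state):
    """Action the text prescribes once a detection job reports its verdict.

    replication_state is "not_started", "running" or "finished".
    """
    if not infected:
        return "convert snapshot to secure snapshot"
    if replication_state == "running":
        # OceanCyber stops the in-progress Air Gap job so infected data is not replicated.
        return "stop Air Gap replication and disconnect link"
    if replication_state == "finished":
        # Infected data already in the isolation zone has no execution environment
        # there; rolling back to the pre-replication snapshot is optional.
        return "optionally roll back isolation-zone snapshot"
    return "raise alarm and disconnect Air Gap link"


if __name__ == "__main__":
    # Constructed sample: 8 h backup window, 100 TB protected, 10 TB daily change.
    print(plan_day(backup_h=8, data_tb=100, daily_change_tb=10, link_mb_per_s=720))
    print(plan_day(backup_h=10, data_tb=150, daily_change_tb=10, link_mb_per_s=720,
                   deep_detection=True))
    print(handle_detection_result(True, "running"))
```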

4. Configuration Example

This chapter describes how to configure and verify the ransomware protection in the production and isolation zones with OceanCyber 300 Data Security Appliance+OceanProtect X8000 1.7.0+Commvault 11.36.

4.1 Networking for the Configuration Example

Configure example networking by referring to the LLD template.

Figure 4-1 Template of the ransomware protection storage solution (for external OceanCyber)

Figure 4-2 Networking diagram of the configuration example

The networking is described as follows:

  • Production zone: In this document, the production zone consists of one production host, one set of OceanProtect X8000 Backup Storage, one backup server (deployed together with the media server), one data security appliance, and one 10GE switch.
    1. The production host is connected to the backup media server through at least two 10GE links of a 10GE switch.
    2. The OceanProtect X8000 Backup Storage is connected to the backup media server through at least two 10GE links of a 10GE switch.
    3. The backup server and backup media server are deployed together on the same server.
    4. The data security appliance is connected to OceanProtect X8000 through a 10GE switch. For details about the port connection, see "Installation Planning and Preparation > Network Planning" in the OceanCyber 300 1.2.0 Installation Guide.
  • Isolation zone: In this document, the isolation zone consists of one verification host (optional), one set of OceanProtect X8000 Backup Storage, one backup server (deployed together with the media server) (optional), one BCManager management server, and one 10GE switch.
    1. The verification host is connected to the backup media server through at least two 10GE links of a 10GE switch.
    2. The OceanProtect X8000 Backup Storage is connected to the backup media server through at least two 10GE links of a 10GE switch.
    3. The backup server and backup media server are deployed together on the same server.
    4. The management network of the BCManager management server can communicate with that of the OceanProtect X8000 Backup Storage in the isolation zone.
  • Replication link

In the actual test, the replication links between the production zone and isolation zone are connected to one switch. The storage devices in the production zone and isolation zone are connected to the switch through four 10GE optical fibers, two for controller A and the other two for controller B of each storage device.

Example of IP address planning for the networking (public IP addresses are in the same network segment)

Production host
  • Management network: one GE port (1000 Mbit/s); public IP address (set this parameter based on the site requirements)
  • Backup service network (connected to the 10GE switch): one 10GE port (10 Gbit/s); 192.168.100.x

Data security appliance
  • Management network: one GE port (1000 Mbit/s); public IP address (set this parameter based on the site requirements)
  • Detection and analysis service network (connected to the 10GE switch): one 10GE port (10 Gbit/s); 192.168.100.x

Backup server
  • Management network: one GE port (1000 Mbit/s); public IP address (set this parameter based on the site requirements)
  • Backup service network (connected to the 10GE switch): one 10GE port (10 Gbit/s); 192.168.100.x

OceanProtect X8000
  • Management network: one GE port per controller (1000 Mbit/s); public IP address (set this parameter based on the site requirements)
  • Backup service network (connected to the 10GE switch): two 10GE ports per controller (10 Gbit/s); controller A: 192.168.100.x, controller B: 192.168.100.x
  • Replication link network (connected to the 10GE switch): two 10GE ports per controller (10 Gbit/s); 192.168.101.x to 192.168.101.x

BCManager
  • Management network: one GE port (1000 Mbit/s); public IP address (set this parameter based on the site requirements)

The IP address planning is for reference only. The actual configuration depends on the live network.

Figure 4-3 Networking for connecting OceanProtect X8000 to switches

4.2 Hardware and Software Configuration

4.2.1 Hardware Configuration

Table 4-2 Hardware configuration

| Name | Description | Quantity | Function |
|---|---|---|---|
| Production/Verification host | x86 server; CPU: 2 × Montage Jintide(R) C5218R; Memory: 512 GB; Main storage disk: 4 × 1.2 TB HDDs; Network: 2 × 10GE optical ports | 2 | Data host running SUSE Linux Enterprise Server 12 |
| Backup server | x86 server; CPU: 2 × Montage Jintide(R) C5218R; Memory: 512 GB; Main storage disk: 4 × 1.2 TB HDDs; Network: 2 × 10GE optical ports | 2 | Commvault master server, which runs the backup policy, starts backup and restoration, and runs the Windows operating system |
| OceanStor BCManager server | x86 server; CPU: 2 × Montage Jintide(R) C6230R; Memory: 256 GB; Main storage disk: 2 × 3.84 TB SSDs; Network: GE management network | 1 | Server where BCManager is installed in the isolation zone. The server management network can communicate with the storage management network in the isolation zone. |
| Backup storage in the production zone/isolation zone | Huawei OceanProtect X8000, dual-controller, twelve 1.920 TB SSDs, and two 4-port FE 10GE I/O modules | 2 | Stores backup data. |
| 10GE switch | Huawei CE6850 | 5 | Used between replication links, between the backup media server and backup storage, and between the backup media server and host |
| OceanCyber 300 Data Security Appliance | TaiShan 200 2280 server; CPU: 2 × Huawei Kunpeng 920 5220 (2 × 32-core, 2.6 GHz); Memory: 128 GB; Main storage disk: 12 × 8 TB HDDs; Network: 2 × 10GE optical ports | 1 | Used for storage backup data detection and analysis in the production zone. |

4.2.2 OceanProtect X8000 Configuration

Table 4-3 Configurations of OceanProtect X8000 in the production zone

| Name | Description | Quantity |
|---|---|---|
| OceanProtect engine | Huawei OceanProtect X8000 with two controllers | 2 |
| 10GE front-end interface module | 10 Gbit/s SmartIO interface module | 2 |
| 10GE interface module for replication between storage devices (If replication link encryption is required, an encryption module must be configured.) | 10 Gbit/s SmartIO interface module | 2 |
| SSD | Huawei 1.920 TB SSDs | 12 |

Each replication NIC has four physical ports. If the production center is also used for backup and DR, you are advised to use two physical ports of each replication NIC for Air Gap replication and the other two for backup and DR, so that the failure of a single replication NIC does not take down either function.

Table 4-4 Configurations of OceanProtect X8000 in the isolation zone

| Name | Description | Quantity |
|---|---|---|
| OceanProtect engine | Huawei OceanProtect X8000 with two controllers | 2 |
| 10GE front-end interface module | 10 Gbit/s SmartIO interface module | 2 |
| 10GE interface module for replication between storage devices (If replication link encryption is required, an encryption module must be configured.) | 10 Gbit/s SmartIO interface module | 2 |
| SSD | Huawei 1.920 TB SSDs | 12 |

4.2.3 Software

Table 4-5 Software description

| Software Name | Description |
|---|---|
| OceanStor BCManager 8.6.0 | The OceanStor BCManager eReplication management software can be deployed on physical servers or mainstream VM platforms (such as VMware and Hyper-V). If the virtualization platform is VMware ESXi, the version must be 6.5 U1 or later to prevent VMs from restarting occasionally and unexpectedly due to compatibility issues. |
| OceanCyber 300 1.2.0 | OceanCyber 300 uses the Huawei-developed ransomware detection algorithm and supports unified ransomware protection management for multiple devices of different types. It features accurate detection, high detection performance, comprehensive protection, and fast data restoration. |
| Commvault 11.36 | Deployed on physical servers or VMs for data backup and restoration in the virtualization environment. |
| OceanProtect X8000 1.7.0 | OceanProtect X8000 is a high-performance backup storage solution developed by Huawei to meet enterprise-level data protection requirements. It integrates advanced backup technologies, efficient storage management, and flexible data restoration functions to help enterprises effectively cope with risks such as data loss and damage. |
| OceanStor DataTurbo 1.5.0 | The SourceDedupe client is deployed on the backup server to perform source deduplication and compression on backup data, reducing the amount of physical data transmitted from the backup server to the storage and improving the overall bandwidth capability of backup services. |

4.3 Production Zone Protection

This section describes how to configure the production zone and verify the protection in the ransomware protection solution.

4.3.1 Installation and Configuration of the Production Zone

This section describes how to install the Commvault and OceanCyber 300 Data Security Appliance, configure the OceanProtect X8000 Backup Storage, configure the Commvault backup environment, configure WORM properties for Commvault, configure backup jobs (for files, VMware, and Oracle), and configure the OceanCyber 300 Data Security Appliance.

Figure 4-4 Process of configuring basic protection

4.3.1.1 Installing the Commvault Backup Software

In this backup solution, Commvault 11.36 is used. The Commvault software must be installed on the Commvault CommServe and Commvault MediaAgent. For details about the installation process of the Commvault software, see the official documentation.

4.3.1.2 Installing the OceanCyber 300 Data Security Appliance

This section describes how to manually install the OceanCyber 300 Data Security Appliance. For details, see the OceanCyber 300 1.2.0 Installation Guide.

Prerequisites

  • The hardware is available.
  • The OS has been installed.
  • You have obtained the OceanCyber installation packages OceanCyber_1.2.0_chart_ARM_64.tgz, OceanCyber_1.2.0_image_ARM_64.tgz, and OceanCyber_1.2.0_SimbaOS_ARM_64.tar.gz.

Procedure

Step 1 Use PuTTY to log in to the server of the OceanCyber 300 Data Security Appliance as user kadmin. For the default password, see the OceanCyber 300 1.2.0 Account List.

Step 2 Use WinSCP to upload the OceanCyber_1.2.0_chart_ARM_64.tgz, OceanCyber_1.2.0_image_ARM_64.tgz, and OceanCyber_1.2.0_SimbaOS_ARM_64.tar.gz software packages to the /home/kadmin directory.

Step 3 Run the su root command to switch to user root.

Step 4 Run the chown kadmin:kgroup /home/kadmin/OceanCyber_1.2.0* command to change the owner and group of the software packages to kadmin:kgroup.

Step 5 Run the mkdir /opt/k8s/chart command to create the /opt/k8s/chart directory for storing the software packages, and run the tar -zxvf /home/kadmin/OceanCyber_1.2.0_chart_ARM_64.tgz -C /opt/k8s/chart command to decompress the chart package to the directory.

Step 6 Run the sh /opt/k8s/chart/install_script/config_network.sh command to generate the network configuration.

Step 7 Change the IP address of the management network port by referring to steps 4 to 7 in Method 1: Logging In to the iBMC WebUI to Change the IP Address of the Management Network Port.

Step 8 Change the IP address of the service network port by referring to steps 3 to 6 in eth2 (10GE/25GE NIC).

Step 9 Run the reboot command to restart the system.

Step 10 After the system is restarted, perform the following operations:

  1. Run the following commands to decompress and distribute the container base packages:
  • tar -zxvf /home/kadmin/OceanCyber_1.2.0_SimbaOS_ARM_64.tar.gz
  • mv SimbaOS/* /opt/k8s/SimbaOS/package/
  • chown -R kadmin:kgroup /opt/k8s/SimbaOS/package

  2. Run the following command to install the smartkube tool:

  • install /opt/k8s/SimbaOS/package/action/smartkube /usr/bin

  3. Run the following commands to initialize the container platform. 172.16.128.101 is the IP address of the cluster node, that is, the IP address of NIC eth1. 192.168.145.165 is the new IP address of the management network port. 172.16.145.166 and 172.16.145.167 are the cluster floating IP addresses. They must be available and in the same network segment as the IP addresses of the cluster nodes.

  • su kadmin
  • cd /opt
  • /opt/k8s/SimbaOS/package/repo/conf/scripts/appctl.py install --managementIP=192.168.145.165 --nodeIP=172.16.128.101 --k8sVIP=172.16.145.166 --serviceVIP=172.16.145.167

Step 11 Run the following commands to install the OceanCyber 300 Data Security Appliance:

  • su - root
  • sh /opt/k8s/chart/install_script/install_oceancyber.sh

Step 12 After the installation is complete, run the kubectl get pod -n dpa command to query the pod information. If the installation is successful, the following information will be displayed.

----End

4.3.1.3 Configuring Backup Storage

This section describes how to configure backup storage, including performing initial configurations, creating logical ports, creating DataTurbo administrators, and creating file systems and shares.

4.3.1.3.1 Performing Initial Configuration

Step 1 Configure the key service.

Log in to DeviceManager, choose Settings > Key Service > Modify, and select Enable the external key service or Enable the internal key service as required. This best practice uses the internal key service. If the external key service is enabled, an external key server must be configured.

Step 2 Create a storage pool.

Choose System > Storage Pools, and click Create.

Step 3 View the created storage pool.

Choose System > Storage Pools, select the created storage pool, and click its name to view Summary.

----End

4.3.1.3.2 Creating a Logical Port on OceanProtect X8000

Select a physical port to configure a logical port for mounting a file system to Commvault. Select System_vStore to create a logical port, set Role to Service, and set Data Protocol to DataTurbo.

The following figure shows an example of logical port configuration.


Role

  • Management: A port of this role is used by a vStore administrator to log in to the system for management.
  • Service: A port of this role is used to access services, such as accessing CIFS shares of file systems.
  • Management + service: A port of this role is used to access services or for a vStore administrator to log in to the storage system for management.
  • Replication: A port of this role is used for connections of the replication links in remote replication.
  • Client: used when the storage system functions as a client to establish link connections with remote devices in SmartMobility.
  • Data backup: used for access to archive storage when the backup appliance functions as a client or for communication between nodes in a backup appliance cluster.
  • System management: used by the system administrator to log in to the storage system for routine O&M operations, such as resource provisioning, alarm and performance management, and log collection.
  • Data Protocol is available only if Role is set to Service or Management + service. The NFS, CIFS, and NFS+CIFS protocols apply to file service configuration. The iSCSI protocol applies to block service configuration. The DataTurbo protocol applies to DataTurbo client service configuration.
  • DataTurbo can implement source deduplication from the Commvault Media Agent to the OceanProtect, further improving the backup performance. To use this function, you need to install the plug-in on the Commvault Media Agent. The compatibility requirements must be met. For details, see SourceDedupe Compatibility.
  • Enabling DataTurbo is mutually exclusive with the pre-event blacklist, in-event I/O behavior detection, and honeyfile detection.

4.3.1.3.3 Creating a vStore DataTurbo Administrator

By creating a DataTurbo user, a client can access the shared file system over the network.

A DataTurbo administrator can be created only under vStore System_vStore.

A maximum of 16 DataTurbo users can be created.

Step 1 To create a DataTurbo user, choose Services > vStores, click System_vStore, click the User Management tab, and click Create.

Set related parameters as required and select vStore DataTurbo administrator for Role.

----End

4.3.1.3.4 Creating a File System and a Share

Step 1 Create a file system, enter the file system name, and set Owning vStore and Owning Storage Pool. If the Commvault Media Agent runs the Windows OS, set Security Style of the file system to NTFS. If it runs the Linux OS, set Security Style of the file system to UNIX. (This document uses the Linux OS as an example.)

Step 2 Create a DataTurbo share and add a DataTurbo user.

Step 3 Enable Advanced, configure the WORM properties of the file system, set Min. Protection Period, Max. Protection Period, and Default Protection Period of the file system, and disable Automatic Lockout.

  • Min. Protection Period: indicates the minimum protection period of a file in the WORM file system. The protection period of a file in the WORM file system cannot be shorter than the minimum protection period.

[Value range]

0 to 70 years or Indefinite.

  • Max. Protection Period: indicates the maximum protection period of a file in the WORM file system. The protection period of a file in the WORM file system cannot be longer than the maximum protection period.

[Value range]

1 day to 70 years or Indefinite.

  • The WORM storage lock set by Commvault takes effect only between the minimum and maximum protection periods of the WORM file system. Considering the wide range of the retention period in Commvault, you are advised to configure the WORM storage lock between the minimum and maximum protection periods of the WORM file system and use the Commvault WORM storage lock as the standard. For example, the minimum and maximum protection periods of the WORM file system are set to 1 day and 20 years, respectively.

----End

4.3.1.4 Configuring the Commvault Environment

This section describes how to connect the file, VMware, and Oracle services to Commvault.

4.3.1.4.1 Starting Commvault

Open a browser, enter https://IP address of the Commvault server/commandcenter in the address box, and press Enter. On the displayed page, enter the username and password, and click OK.

4.3.1.4.2 Adding a File System Host

Step 1 Install the Commvault client software on each file system host.

Step 2 Log in to Commvault. On the Protect > File servers page, you can find the file system hosts connected to CommServe.

----End

4.3.1.4.3 Adding a vCenter

Step 1 Log in to Commvault, and choose Protect > Virtualization. On the displayed page, click Add hypervisor.

Select VMware vCenter and click NEXT.

Step 2 Set vCenter server name to an IP address or a resolvable host name, set Credential, and select a host that can communicate with that address from the Access nodes area. Generally, select the Commvault client host to be used.

Step 3 Configure Add VM Group. You can configure it immediately or click SKIP. (Commvault provides the Add VM Group operation. You are advised to click SKIP and create a VM group later as required.)

Step 4 View the configuration information and click FINISH.

----End

4.3.1.4.4 Adding an Oracle Host

Step 1 Install the Commvault client software on the Oracle host.

Step 2 Log in to Commvault. On the Protect > Databases page, click Discover Instances. Commvault can discover the existing instances on the Oracle host.

Set Database engine to Oracle.

View the discovered instances.

----End

4.3.1.5 Installing the OceanStor DataTurbo Client

This section describes how to manually install the OceanStor DataTurbo client. For details, see "Installing, Upgrading, and Uninstalling the DataTurbo Client" in the OceanProtect Backup Storage 1.6.0-1.7.0 SourceDedupe User Guide.

Prerequisites

  • You have obtained the DataTurbo installation package.
  • The OceanStor DataTurbo client must be deployed on the Commvault Media Agent if the DataTurbo protocol is used to connect with Commvault.

Procedure

Step 1 Run the unzip OceanStor_DataTurbo_X.X.X_Linux.zip command to decompress the OceanStor_DataTurbo_X.X.X_Linux.zip software package.

Step 2 Go to the OceanStor_DataTurbo_X.X.X_Linux directory and install the software.

Run the sh install.sh command to install the software as default user dataturbo and select a desired performance level as prompted.

Step 3 After the required performance level is selected, check that the installation is successful.

Step 4 After the installation is complete, run the systemctl start dataturbo.service command to start the dataturbo service.

Step 5 Run the systemctl status dataturbo.service command to check whether the service is started successfully.

If the command output contains Active: active (running), the service is started successfully.

----End

4.3.1.6 Connecting Commvault to the OceanProtect

4.3.1.6.1 Configuring the OceanProtect Backup Storage to Connect to the OceanStor DataTurbo Client

Step 1 Run the dataturbo create storage_object storage_name=name ip_list=IP command (name indicates the user-defined storage name and IP indicates the IP address of the logical port created in 4.3.1.3.2 Creating a Logical Port on OceanProtect X8000) to establish a connection between OceanStor DataTurbo and the backup storage system. Enter the DataTurbo username and password set in 4.3.1.3.3 Creating a vStore DataTurbo Administrator as prompted.

In the following example, the storage name is storage1 and the logical port IP address is 10.10.10.10.

[root@host192 mnt]# dataturbo create storage_object storage_name=storage1 ip_list=10.10.10.10
Please input username:
dataturbo_user
Please input password:
**********
Create storage object successfully.

Step 2 Run the dataturbo show storage_object command to check whether the connection is successful.

If the following information is displayed and Status is Normal, the connection is successful:

[root@host192 mnt]# dataturbo show storage_object
Storage Name: huawei
User : dataturbo_user
Ips : 10.10.10.10
IpPair :
ID Local Address Remote Address Status
---------------------------------------------------------------
1 10.10.10.101 10.10.10.10 Normal

Step 3 After the connection is established, log in to DeviceManager and choose Services > DataTurbo Clients to view the backup server information.

Step 4 Mount a file system.

Run the dataturbo mount storage_object storage_name=name filesystem_name=/fsname mount_dir=/mnt/test command to mount a file system created on the backup storage to a specified mount point.

name indicates the storage name defined in Step 1. fsname indicates the name of the file system created in 4.3.1.3.4 Creating a File System and a Share.

In the following example, the storage name is storage1, the file system name is testfile, and the mount point is /mnt/test.

[root@host192 mnt]# dataturbo mount storage_object storage_name=storage1 filesystem_name=/testfile mount_dir=/mnt/test
Command executed successfully.

Run the df -h command to check whether the mounting is successful.

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 45G 24G 21G 55% /
devtmpfs 4.8G 0 4.8G 0% /dev
tmpfs 4.9G 8.0K 4.9G 1% /dev/shm
tmpfs 4.9G 9.3M 4.8G 1% /run
tmpfs 4.9G 0 4.9G 0% /sys/fs/cgroup
/dev/sda1 1014M 179M 836M 18% /boot
tmpfs 984M 0 984M 0% /run/user/0
/testfile 80G 0 80G 0% /mnt/test

----End
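The two checks in this section (every IP pair reporting Status Normal, and the file system present in the df -h output) are worth scripting so that a broken DataTurbo link or a lost mount is noticed before the next backup window rather than after it. The following Python script is an added example and is not part of the OceanProtect documentation or of the DataTurbo product: it parses the output of dataturbo show storage_object and df -h in the format shown above. The sample output embedded in the script is constructed after the example in this section (storage name storage1, logical port 10.10.10.10, mount point /mnt/test), with a second IP pair in a non-Normal state added to show the failure case; the parser, the function names and the check_live() wrapper are this example's own assumptions.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Added example; the parser and function names are assumptions based on the
# command output shown in the documentation, not a DataTurbo API.

# Constructed sample after the documentation's example. The second IP pair with
# a non-Normal status is made up to exercise the failure path.
SAMPLE_SHOW_OUTPUT = """\
Storage Name: storage1
User : dataturbo_user
Ips : 10.10.10.10
IpPair :
ID Local Address Remote Address Status
---------------------------------------------------------------
1 10.10.10.101 10.10.10.10 Normal
2 10.10.10.102 10.10.10.10 Fault
"""

# Constructed df -h sample; only the mounted DataTurbo file system matters here.
SAMPLE_DF_OUTPUT = """\
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 45G 24G 21G 55% /
tmpfs 4.9G 8.0K 4.9G 1% /dev/shm
/testfile 80G 0 80G 0% /mnt/test
"""

# One IpPair row: numeric ID, local address, remote address, status.
IP_PAIR_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_storage_objects(text: str) -> List[Dict]:
    """Parse 'dataturbo show storage_object' output into a list of storage objects.

    Each object is {'name', 'user', 'ips', 'pairs'}; 'pairs' holds one
    {'id', 'local', 'remote', 'status'} dict per IpPair row.
    """
    objects: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Storage Name"):
            current = {"name": line.split(":", 1)[1].strip(), "user": "", "ips": "", "pairs": []}
            objects.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("User"):
            current["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Ips"):
            current["ips"] = line.split(":", 1)[1].strip()
        else:
            match = IP_PAIR_RE.match(line)   # header, separator and 'IpPair :' lines do not match
            if match:
                current["pairs"].append({
                    "id": int(match.group(1)),
                    "local": match.group(2),
                    "remote": match.group(3),
                    "status": match.group(4),
                })
    return objects


def link_problems(objects: List[Dict], storage_name: str) -> List[str]:
    """Describe what is wrong with the named storage object; an empty list means healthy."""
    obj = next((o for o in objects if o["name"] == storage_name), None)
    if obj is None:
        return [f"storage object {storage_name!r} not found"]
    if not obj["pairs"]:
        return [f"{storage_name}: no IP pair established"]
    return [
        f"{storage_name}: pair {p['id']} {p['local']} -> {p['remote']} is {p['status']}"
        for p in obj["pairs"] if p["status"] != "Normal"
    ]


def is_mounted(df_text: str, mount_dir: str, filesystem: Optional[str] = None) -> bool:
    """True if the df output lists mount_dir, optionally backed by the given filesystem name."""
    for line in df_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[5] == mount_dir:
            return filesystem is None or fields[0] == filesystem
    return False


def check_live(storage_name: str, mount_dir: str):
    """Run the real commands on the media agent and evaluate them (commands as named in the text)."""
    show = subprocess.run(["dataturbo", "show", "storage_object"],
                          capture_output=True, text=True, check=True).stdout
    df = subprocess.run(["df", "-h"], capture_output=True, text=True, check=True).stdout
    return link_problems(parse_storage_objects(show), storage_name), is_mounted(df, mount_dir)


if __name__ == "__main__":
    print(link_problems(parse_storage_objects(SAMPLE_SHOW_OUTPUT), "storage1"))
    print(is_mounted(SAMPLE_DF_OUTPUT, "/mnt/test", "/testfile"))
```

On a media agent, check_live("storage1", "/mnt/test") returns the list of problems and the mount state; a non-empty list or a False mount result is what a cron job or monitoring probe should alert on.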

4.3.1.6.2 Creating a Disk Based on the Mounted File System Using Commvault

Step 1 Log in to Commvault. On the Storage > Disk page, click Add.

Step 2 Enter Name, disable Use deduplication, and click Add.

Step 3 Select MediaAgent and Backup location (Backup location is set to the path where the file system is mounted).

Step 4 View the created disk.

----End

4.3.1.6.3 Configuring WORM properties for Commvault

Step 1 On the Storage > Disk page, click the created disk.

Step 2 On the Disk page, click the Configuration tab and enable WORM.

Step 3 To enable WORM, select I agree to enable WORM storage lock on this storage, enter Confirm, and click CONFIRM.

Step 4 View the information after WORM is enabled.

----End

4.3.1.6.4 Creating a Plan Based on the Created Disk in Commvault

Step 1 On the Manage > Plans page, choose Create plan > Server backup.

Step 2 Select Create a new plan, set Plan name, and click NEXT.

Step 3 Click ADD COPY.

Set Name, set Storage to the created storage, set Retention period to seven days (the retention period must be within the minimum and maximum protection periods of the WORM file system), and click SAVE.

After the setting is complete, click NEXT.

Step 4 On the RPO page, set Backup frequency. After the setting is complete, click SUBMIT.

----End

4.3.1.7 Creating Backup Jobs Using Commvault

This section describes how to create backup jobs on Commvault, including file backup jobs, VMware backup jobs, and Oracle backup jobs.

4.3.1.7.1 Creating a Job for Backing Up Files Using Commvault

Step 1 Choose Protect > File servers. On the displayed File servers page, click the name of the file server on which a file needs to be backed up.

Step 2 On the Subclients tab page, click Add subclient.

Step 3 Set Subclient name and click NEXT.

Step 4 Select the plan created in 4.3.1.6.4 Creating a Plan Based on the Created Disk in Commvault and click NEXT.

Step 5 Click ADD and select BROWSE.

Step 6 Select the destination directory of the files to be backed up, and click SAVE.

After selecting the backup file directory, click NEXT.

Step 7 On the Pre-Process And Post-Process Commands page, click SUBMIT to complete the subclient configuration.

----End

4.3.1.7.2 Creating a Job for Backing Up VMware VMs Using Commvault

Step 1 On the Protect > Virtualization > VM groups tab page, click Add VM group.

Step 2 On the Select Hypervisor page, select the registered vCenter.

Step 3 Select Plan. On the Select Plan page, select the plan created in 4.3.1.6.4 Creating a Plan Based on the Created Disk in Commvault and click NEXT.

Step 4 On the Add VM Group page, specify Name, and choose Add > Content.

Select the VMs to be backed up and click SAVE.

After the configuration is complete, click SUBMIT.

Step 5 Click the created backup task. On the Configuration page, configure Options.

Set Virtual machine backup type to Crash consistent and click SAVE.

----End

4.3.1.7.3 Creating a Job for Backing Up Oracle Databases Using Commvault

Step 1 On the Protect > Databases > Instances tab page, click the name of a discovered instance.

Step 2 On the Subclients tab page, click Add subclient.

Step 3 Set Subclient name, select a plan, select Selective online full, and click SAVE.

Step 4 After the creation is complete, check the result.

----End

4.3.1.8 Configuring the OceanCyber 300 Data Security Appliance

Prerequisites

The OceanCyber 300 Data Security Appliance has been installed.

4.3.1.8.1 Adding a Storage Device

Step 1 In the navigation pane, choose Storage Devices. On the Storage Devices page, click Add Device and select the detection type and device type. Detection Type can be OceanCyber Detection or In Device Detection. In this document, OceanCyber Detection is selected. Set other parameters as required and disable Certificate Verification.

A maximum of eight storage devices can be added to the system, and a maximum of 16 concurrent detection jobs are supported.

For details about how to obtain the verification certificate of a storage device, see How Do I Obtain the DeviceManager Certificate Using a Browser?.

Step 2 After a storage device is added, select it, and choose More > Resource Scan to scan the local file system of the storage device.

----End

4.3.1.8.2 Creating and Associating an Intelligent Detection Policy

Step 1 Choose Data Security > Intelligent Detection. On the Intelligent Detection Policies tab page, click Create, and customize a policy name. Set Detection Method to Start detection upon ransomware detection snapshot generation, enable Backup Copy In-Depth Detection and Uninfected Snapshot Lock (after the function is enabled, uninfected snapshots will change to secure snapshots), and set parameters such as the execution period, retention period, and time window of the detection and analysis snapshot based on service requirements. (In this best practice, the data volume is less than 100 TB. Therefore, a snapshot is generated at the time from 22:00 to 22:10, and the snapshot is detected and analyzed. An uninfected snapshot is converted into a secure snapshot and retained for one month.)

Step 2 Choose Data Security > Intelligent Detection > File Systems. Select the file system to be protected and choose More > Protect to associate the file system with the created detection policy.

----End

4.3.1.8.3 Creating an Air Gap Policy for the OceanCyber 300 Data Security Appliance and Associating the Policy with a Storage Device

Precautions

Replication jobs can be performed only if the Air Gap port is connected. Ensure that the Air Gap policy of the OceanCyber 300 Data Security Appliance does not conflict with that of the OceanStor BCManager. According to the ransomware protection solution, it is recommended that the Air Gap replication time window be the same as that of the OceanStor BCManager.

Procedure

Step 1 Log in to the OceanCyber 300 Data Security Appliance. On the Air Gap > Air Gap Policies tab page, click Create, and set related parameters.

Step 2 On the Storage Devices tab page, locate the row that contains the storage device for which you want to configure an Air Gap policy, and choose More > Associate Policy.

  • The selected logical port is the same as the replication port of the storage device.
  • Linked Detection: Intelligent detection and real-time detection are associated with the Air Gap policy. After this function is enabled, the system forcibly disconnects the replication link when detecting that the file system of the current device is infected. In this case, the original Air Gap policy becomes invalid. After confirming that the file system is secure, you can choose More > Enable Policy on the Storage Devices tab page to enable the policy again.

----End

4.3.2 Verification of Production Zone Protection

This section describes how to verify that WORM takes effect after backup, how to verify the in-depth copy detection results after the OceanCyber 300 Data Security Appliance backs up files, VMware VMs, and Oracle databases using Commvault, as well as how to select uninfected copies that meet the requirements for data restoration.

4.3.2.1 Executing a Backup Job

Step 1 Select a created job and click Backup.

Step 2 On the Backup page, set Backup options to Full for initiating a full backup, and click SUBMIT.

Step 3 Choose Jobs from the left navigation pane. On the displayed page, view the jobs that are in progress.

----End

4.3.2.2 Verifying the Anti-tampering Function of WORM

Step 1 Access the corresponding file system of OceanProtect X8000, view the attributes of copy files generated during backup, and run the stat file command to check that the copy expiration time (7 days for Commvault WORM in this best practice) meets the expectation.

Step 2 Delete a backup copy file. The following error message is displayed, indicating that the WORM-protected file cannot be deleted.

----End
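Two things are checked by hand in this solution: in 4.3.1.3.4 the Commvault retention must lie between the Min. and Max. Protection Period of the WORM file system, and in Step 1 above the expiry time of a backup copy must match the configured retention. The following Python code is an added example, not from the OceanProtect or Commvault documentation: it parses DeviceManager-style period values (N days, N years, Indefinite), validates a retention period against the WORM file system bounds, and computes the expected expiry of a copy from its creation time so that it can be compared with what stat reports. The helper names, and the simplification that a year is counted as 365 days, are this example's own assumptions, not product behaviour.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Added example; function names and the 365-day year are assumptions, not product behaviour.

INDEFINITE = None          # represents the DeviceManager value "Indefinite"
DAYS_PER_YEAR = 365        # simplification used for the expiry estimate


def period_days(value: str) -> Optional[int]:
    """Parse '1 day', '7 days', '20 years' or 'Indefinite' into a day count.

    Returns None for Indefinite and raises ValueError for anything else, so a
    mistyped period is rejected instead of silently treated as zero.
    """
    text = value.strip().lower()
    if text == "indefinite":
        return INDEFINITE
    match = re.fullmatch(r"(\d+)\s*(day|days|year|years)", text)
    if not match:
        raise ValueError(f"unrecognised period value: {value!r}")
    count, unit = int(match.group(1)), match.group(2)
    return count * DAYS_PER_YEAR if unit.startswith("year") else count


def retention_within_worm(min_period: str, max_period: str, retention: str) -> bool:
    """True if a Commvault retention period lies within [Min., Max.] Protection Period.

    Edge cases: Indefinite retention is valid only when the Max. Protection
    Period is Indefinite, and an Indefinite Min. Protection Period admits
    nothing but Indefinite retention.
    """
    lo, hi, ret = period_days(min_period), period_days(max_period), period_days(retention)
    if ret is INDEFINITE:
        return hi is INDEFINITE
    if lo is INDEFINITE:
        return False
    return lo <= ret and (hi is INDEFINITE or ret <= hi)


def expected_expiry(created_at_iso: str, retention: str) -> Optional[str]:
    """Expected WORM expiry (ISO-8601) of a copy created at created_at_iso, or None if Indefinite."""
    days = period_days(retention)
    if days is INDEFINITE:
        return None
    return (datetime.fromisoformat(created_at_iso) + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    # Values from this best practice: WORM file system 1 day to 20 years, Commvault retention 7 days.
    print(retention_within_worm("1 day", "20 years", "7 days"))     # True
    print(retention_within_worm("1 day", "20 years", "30 years"))   # False
    print(expected_expiry("2024-01-01T22:00:00", "7 days"))         # 2024-01-08T22:00:00
```

The expiry string is what to compare against the file attributes shown by stat in Step 1; if a copy expires earlier than the computed value, the WORM storage lock was not applied with the retention you expected.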

4.3.2.3 Verifying the Intelligent Detection Result of the OceanCyber Appliance for Backup of Files Using Commvault

Step 1 Run the for i in $(seq 1 10000); do yes "abc_$i" | dd of=$i.txt bs=10K count=1 ;done command to preset TXT data on the production host. (for test and verification only)

Step 2 Run the openssl enc -e -aes-256-cbc -in Source file -out Source file.ransomware suffix -pass pass:Password && rm -rf Source file command to infect the preset data on the production host. (for test and verification only)

Step 3 Back up data using Commvault by referring to 4.3.2.1 Executing a Backup Job.

Step 4 On the Data Security > Intelligent Detection page, select a target file system, and choose More > Manually Detect.

Step 5 On the Jobs page, view the real-time detection job progress.

Step 6 On the Snapshot Management and Restoration page, view the detection status of all copies.

Step 7 On the Snapshot Management and Restoration page, select a file system to view the latest detection result. Click the file system to view the in-depth detection result.

Viewing the detection report

Viewing the copy detection and infection information

Viewing the list of suspicious files

----End

4.3.2.4 Verifying the Intelligent Detection Result of the OceanCyber Appliance for Backup of VMware VMs Using Commvault

Step 1 View data on a VM.

Step 2 On the VM, run the openssl enc -e -aes-256-cbc -in Source file -out Source file.Ransomware suffix -pass pass:Password && rm -rf Source file command to infect the data on the VM.

Step 3 Back up data using Commvault by referring to 4.3.2.1 Executing a Backup Job.

Step 4 On the Data Security > Intelligent Detection page, select a target file system, and choose More > Manually Detect.

Step 5 On the Jobs page, view the real-time detection job progress.

Step 6 On the Snapshot Management and Restoration page, view the detection status of all copies.

Step 7 On the Snapshot Management and Restoration page, select a file system to view the latest detection result. Click the file system to view the in-depth detection result.

Step 8 View the detection report.

View the copy detection and infection information.

----End

4.3.2.5 Verifying the Intelligent Detection Result of the OceanCyber Appliance for Backup of Oracle Databases Using Commvault

Prerequisites

In this best practice, the DBMS_CRYPTO package of the database is used to encrypt the database.

The functions and stored procedures provided by the DBMS_CRYPTO package allow you to encrypt or decrypt RAW, BLOB, or CLOB data.

Precautions for using the DBMS_CRYPTO package to encrypt data:

  • The DBMS_CRYPTO package is available only in Oracle 10g and later. For versions earlier than Oracle 10g, use the DBMS_OBFUSCATION_TOOLKIT package.
  • By default, only a user with the SYSDBA privilege can execute the DBMS_CRYPTO package. Any other user must be granted the permission by SYSDBA.

Run the sqlplus / as sysdba command to log in as user sysdba.

Run the grant execute on sys.dbms_crypto to username command to grant the execute permission on the DBMS_CRYPTO package to users using the DBMS_CRYPTO package.

Procedure

Step 1 Customize the encryption and decryption functions.

Encryption function:

Decryption function:

Step 2 Use the customized encryption function to encrypt data.

UPDATE "table_name" SET column1=FUN_ENCRYPT_AESCBC_DECODE(column1), column2=FUN_ENCRYPT_AESCBC_DECODE(column2), column3=FUN_ENCRYPT_AESCBC_DECODE(column3);

Step 3 Back up data using Commvault by referring to 4.3.2.1 Executing a Backup Job.

Step 4 On the Data Security > Intelligent Detection page, select a target file system, and choose More > Manually Detect.

Step 5 On the Jobs page, view the real-time detection job progress.

Step 6 On the Snapshot Management and Restoration page, view the detection status of all copies.

Step 7 On the Snapshot Management and Restoration page, select a file system to view the latest detection result. Click the file system to view the in-depth detection result.

Viewing the detection report

Viewing the copy detection and infection information

----End

4.3.2.6 Verifying Proactive Air Gap Disconnection of the OceanCyber Appliance

Prerequisites

Infected file systems have been detected on the storage device.

Procedure

On the Storage Devices tab page, check that Air Gap Policy Status is Invalidated.

4.3.2.7 Verifying that Production Data Can Be Restored Using Qualified Backup Copies Based on the Detection Result of the OceanCyber 300 Data Security Appliance After the Production Data Is Encrypted and Infected with Ransomware

This best practice verifies that the OceanCyber 300 Data Security Appliance can detect infected copies and restore production data using qualified backup copies before the infection.

  • To determine which copies can be used for restoration, the drill performs the following backups in sequence:

1. Perform a full backup. Copy 1 is uninfected and can be used for restoration.

2. Perform an incremental backup. Copy 2 is uninfected and can be used for restoration.

3. Add infected files and perform an incremental backup. Copy 3 is infected and cannot be used for restoration.

4. Perform another incremental backup. Copy 4 contains no newly infected files, but it cannot be used for restoration either: restoring from copy 4 replays the incremental chain, which includes the infected data of copy 3.

In conclusion, copies 1 and 2 can be used for restoration, but copies 3 and 4 cannot.

  • For Commvault, identify the copy to restore from by matching the copy generation time, backup type, and job ID shown in the copy detection result of the OceanCyber 300 Data Security Appliance against the Commvault job history.

4.3.2.7.1 Restoring File Data Using Uninfected Backup Copies

Step 1 Log in to the Commvault backup system. On the Subclients tab page, select the subclient created in 4.3.1.7.1 Creating a Job for Backing Up Files Using Commvault and click its backup job.

Step 2 Select a recovery point and click RESTORE.

Step 3 Select the files to be restored and click RESTORE.

Confirm the destination path for restoration (redirection is recommended to prevent impact on the original environment) and click RESTORE.

Step 4 On the Jobs page, view the restoration progress.

Step 5 After the restoration job is complete, verify on the production host that the infected data has been replaced by the restored, uninfected data.

—-End

4.3.2.7.2 Restoring VMware VMs Using Uninfected Backup Copies

Step 1 Log in to the Commvault backup system, click the name of a job created in 4.3.1.7.2 Creating a Job for Backing Up VMware VMs Using Commvault, and select the required copy for restoration on the Overview tab page.

Step 2 Select the restore type. Full virtual machine is recommended.

Select a VM to be restored.

In place: restores data to the original host. Out of place: restores data to a different host (recommended).

Configure the new VM, including the VM name, destination host, and datastore.

Set Restore Options.

Check the restoration information. If the information is correct, click SUBMIT.

Step 3 View the restoration progress.

Step 4 After the restoration is complete, log in to vSphere Client to view the restored VM.

Check that the infected VM data is successfully restored.

—-End

4.3.2.7.3 Restoring an Oracle Database Using an Uninfected Backup Copy

Step 1 Log in to the Commvault backup system. On the Protect > Databases > Instances tab page, click the name of an Oracle instance.

Step 2 On the Overview tab page, select the required recovery point and click RESTORE.

Step 3 Select the data to be restored (you are advised to select all data to restore the entire Oracle database) and click RESTORE.

Step 4 Select In place to restore data to the original path, select SP file, set Recover to to Most recent backup, and set Advanced options to MediaAgent. After the configuration is complete, click SUBMIT. (If a recovery verification environment is available, you are advised to select Out of place instead; if no such environment is available, select In place.)

Step 5 View the restoration progress.

Check that the restoration is completed.

Step 6 Log in to the Oracle database and check that the data has been restored.

—-End

4.4 Isolation Zone Protection

This section describes how to configure and verify the security isolation zone in the ransomware protection solution for the backup storage.

4.4.1 Installing and Configuring an Isolation Zone

This section describes how to configure storage and remote replication in the security isolation zone, and how to install and configure OceanStor BCManager eReplication.

Figure 4-5 Process for configuring isolation zone protection

4.4.1.1 Installing and Configuring the Security Isolation Zone

For the storage configuration of the isolation zone, you only need to create a storage pool. If storage pool encryption is required, see the configuration for the production zone. For details about how to install the backup software, see the official documentation.

4.4.1.2 Configuring Remote Replication

To implement remote replication, you need to create logical ports on both the backup storage in the production zone and that in the isolation zone. If replication link encryption is required, configure at least one encryption module on controllers A and B at both the production zone and the isolation zone. In addition, create a remote device administrator on the backup storage in the isolation zone.

Step 1 Create a remote device.

For details about how to configure remote replication for the OceanProtect, see the OceanProtect Backup Storage 1.6.0-1.7.0 HyperReplication Feature Guide for File.

Hardware requirement for replication link encryption: encryption modules must be installed at both the primary and secondary ends of the remote replication.

After logical ports have been created for the encryption module ports, log in to DeviceManager, choose Services > Network > Logical Ports, select a created logical port, choose More > Manage IPsec Policy in the Operation column, and click Create to enter the page for creating an IPsec policy. Enter the IP address of the peer logical port on the remote device and set the pre-shared key (use a strong, unique key, and configure the same key on the peer). Repeat this for every logical port used for replication encryption, on both controllers and on both the primary and secondary devices.

Step 2 Create a file system remote replication pair, set Replication Mode to Asynchronous, set both Sync Type and Recovery Policy to Manual, and retain the default values for other parameters.

Step 3 After the remote replication pair is created, start initial synchronization.

—-End

4.4.1.3 Installing and Configuring OceanStor BCManager eReplication

The OceanStor BCManager eReplication software is configured in the isolation zone, and its management network must communicate with the storage device in the isolation zone. This section describes how to configure BCManager. For details about the installation, see "User Guide > Installation and Uninstallation" in the OceanStor BCManager 8.6.0 eReplication Product Documentation.

Step 1 Log in to OceanStor BCManager, choose Resources > Create Site, and select Air Gap Network Isolation Area.

Step 2 After the site is created, add a storage device to the site.

Step 3 Enter the IP address, username, and password for logging in to DeviceManager of the storage device in the isolation zone, and click Confirm. After the storage device is added, the corresponding ports in the Air Gap Port Group are in the Inactive state.

Step 4 Check the information of the Air Gap storage.

Step 5 Modify the time window. Click the Air Gap Port Group tab, select the corresponding remote device, and choose Operation > Modify Time Window. Set the time window based on your service requirements. You are advised to set the time window to off-peak hours. In this best practice, the time window is set to 00:00 to 06:00. (If replication is performed during full backup or incremental backup, the copies in the isolation zone may be incomplete and cannot be used for restoration.)

Step 6 View the modified time window on the Air Gap Port Group tab page.

Step 7 Choose Protection > Create to create protection.

Step 8 On the Protected Object page, set Protected Object Type to NAS File System, Production Site to the created site, and Storage Array to the isolation zone storage device added to the site. In the Available File System area, select vStore or File System, select the file systems to be protected, and click Next.

Step 9 On the Protection Policy page, click Set in the Quick Backup area, select Enable Quick Backup, and set a protection policy. You are advised to enable Security Snapshot. On the Scheduling Policy tab page, set the time policy to execute once every day at 00:00. On the Reservation Policy tab page, set Copy Validity Period to 30 days. Click OK.

Step 10 Confirm the quick backup policy.

Step 11 On the Confirm Information page, set Name, deselect Automatically create a recovery plan after creating protected groups, and click OK.

If Air Gap linked detection is configured for the OceanCyber 300 Data Security Appliance, the replication port in the production zone is automatically disconnected when an exception is detected, which indirectly interrupts the replication jobs on OceanStor BCManager.

  • If proactive disconnection is triggered on the OceanCyber 300 Data Security Appliance when no replication job is being executed on OceanStor BCManager, the subsequent replication jobs on OceanStor BCManager will fail.
  • If proactive disconnection is triggered on the OceanCyber 300 Data Security Appliance when a replication job is being executed on OceanStor BCManager, the replication job on OceanStor BCManager will be interrupted, and the subsequent replication jobs will fail.

—-End

4.4.2 Verifying Protection for the Isolation Zone

This section describes how to verify the protection of the Air Gap for the isolation zone and how to securely restore production data through the isolation zone after the isolation zone is configured in the ransomware protection solution for the backup storage.

  1. Restore secure copy data from the security isolation zone to the production zone, and then restore production data using the copy data restored to the production zone.
  2. Restore production data directly from the isolation zone.

4.4.2.1 Verifying Air Gap Management and Control on OceanStor BCManager eReplication

Step 1 Log in to OceanStor BCManager as an administrator and choose Resources.

Step 2 Click the corresponding resource and expand it.

Step 3 On the OceanStor BCManager eReplication WebUI, check the time window of the storage device. Outside the time window, the port is in the Inactive state.

Step 4 Log in to DeviceManager of the storage devices in the production and isolation zones to view the corresponding remote devices.

View the details about the remote storage devices in the production and isolation zones. The status Air Gap link down is displayed, indicating that the replication links are disconnected.

Step 5 Run the nmap -p- <IP address of the remote replication logical port in the isolation zone> command to scan all ports. No port responds; the ports are reported as closed or filtered.

Step 6 Log in to the OceanStor BCManager eReplication WebUI as an administrator and verify that the ports are in the Active state during protection execution.

Step 7 Check the status of the remote device on the storage devices in the production and isolation zones. It is in the normal state.

Step 8 Run the nmap -p- <IP address of the remote replication logical port> command on the host to scan all ports again. The replication ports are now open and respond.

—-End

4.4.2.2 Verifying that Production Data Can Be Restored Using a File System of Remote Replication in the Isolation Zone

  • Scenario 1: After host services are infected by ransomware, you can use the backup software to restore the services based on backup copies. For details, see the verification of production zone protection.
  • Scenario 2: If host services are infected by ransomware and copies in the storage device in the production zone are also infected, host data can be restored using secure snapshots at earlier time points in the isolation zone. This best practice focuses on the verification of scenario 2. Host data is encrypted by running an encryption command to simulate ransomware encryption, and is restored using secure snapshots at earlier time points in the isolation zone.

Step 1 Check the data before encryption. The host data has been backed up and synchronized to the isolation zone through remote replication at least once before being encrypted. That is, there is the host service data at a certain point in time in the isolation zone.

Step 2 Run the openssl enc -e -aes-256-cbc -in <source file> -out <source file>.<ransomware suffix> -pass pass:<password> && rm -f <source file> command to simulate ransomware encryption of some files on the production host: each file is replaced by an encrypted copy with a ransomware-style suffix. Then back up the infected files, so that the copies in the production zone also contain the encrypted data. At this point no copy in the production zone can be used to restore the host data, and a secure snapshot from an earlier point in time in the isolation zone must be used instead.

Step 3 Log in to the OceanStor BCManager eReplication WebUI, choose Resources, select the specific site and click Storage. Click the Air Gap Port Group tab, and switch the mode to Maintenance Mode to connect the remote replication links.

Step 4 On the Air Gap Port Group tab page, check that the port status is Active.

Step 5 Log in to DeviceManager of the storage device in the isolation zone, choose Services > File Service > File Systems, select the file system corresponding to the remote replication pair of the file system whose data you want to restore, choose More > Create Clone, and select the latest secure snapshot that contains normal data to create a clone.

Step 6 After the clone is created, choose Data Protection > Clones, select the clone of the corresponding file system, and choose Split > Start.

Step 7 In the Start Splitting Clone File System dialog box, set Split Speed as required and click OK.

Step 8 After the splitting is complete, create a remote replication pair from the clone file system to the storage device in the production zone. Choose Services > File Service > File Systems, select the split file system, and choose More > Create Remote Replication. Retain the default parameter settings and click OK. After the remote replication pair is created, wait for the initial synchronization to complete.

Step 9 Choose Data Protection > Remote Replication to view the status of the remote replication from the isolation zone to the production zone.

Step 10 Log in to DeviceManager of the backup storage in the production zone. Choose Data Protection > Remote Replication > File Systems, select the replication pair created for the clone file system in the isolation zone, and choose More > Split.

Step 11 After the splitting is complete, delete the remote replication pair. Select the remote replication pair and choose More > Delete. In the displayed warning information, select I have read and understand the consequences associated with performing this operation. and click OK.

Step 12 Create a share for the file system. Choose Services > File Service > File Systems, select the corresponding file system, choose More > Create DataTurbo Share, add the DataTurbo user, and click OK.

Step 13 Mount the file system to the Commvault MediaAgent. For details, see step 4 in 4.3.1.6.1 Configuring the OceanProtect Backup Storage to Connect to the OceanStor DataTurbo Client.

Step 14 Log in to Commvault in the production zone and change the disk path to the path of the mounted clone file system.

Step 15 Read the copy data from the newly mounted file system and select a point in time for restoration.

Step 16 Select the data to be restored and click Restore.

Restore data to the original location.

Step 17 After the restoration is complete, verify that the host file data is consistent with the data at the snapshot point in time in the isolation zone.

—-End

4.4.2.3 Verifying that Data Can Be Restored to a Different Host Using Copy Data in the Isolation Zone

In this scenario, secure copy data in the isolation zone is used to rebuild the backup system and restore data after the production zone has been damaged by a ransomware attack.

Prerequisites

The Commvault system has been installed in the isolation zone, and the host name of the CommServe server is the same as that of the CommServe server in the production zone.

Procedure

Step 1 Create a file system named CVsystem on the production storage to store the DR data (CommServe database backup) generated by the Commvault software.

Step 2 Create a CIFS share for file system CVsystem.

Step 3 Create a remote device and create remote replication pairs with the storage device in the isolation zone for both file systems: the file system that holds the host backup data and CVsystem. In the remote replication pairs, set Pair Creation to Automatic, Sync Type to Manual, and Recovery Policy to Manual.

Step 4 On BCManager, create a protection policy to synchronize data once a day, generate secure snapshots, and retain the snapshots for 30 days.

Step 5 On the Manager > System > Maintenance page, click DR backup (Daily).

Step 6 Click Edit and configure the DR backup path.

Step 7 Select Network share, change the Commvault DR backup path to the share path of CVsystem. After the configuration is complete, click SAVE.

Step 8 Click Run to back up DR data to file system CVsystem. You can view the backup progress in the Job Controller area.

Select a backup type (Full is recommended to ensure data integrity) and click RUN JOB.

View the backup progress.

Step 9 After the backup is complete, view the backup data in the share. The host service data and DR data have been backed up to corresponding file systems and replicated to the isolation zone.

Step 10 Use the DR file for restoration in the isolation zone.

  • Method 1: Restoring data on the GUI

Prerequisite: the same license as in the production zone has been imported to the Commvault system in the isolation zone.

a. Verify data consistency in the isolation zone. Log in to DeviceManager of the storage device in the isolation zone and create clones for file systems FS and CVsystem using the latest secure snapshots that contain normal data.

b. Use the CSRecoveryAssistant software of the Commvault system in the isolation zone to restore the CommServe from the DR data.

The CSRecoveryAssistant software is delivered with the Commvault system. Double-click CSRecoveryAssistant in the Base directory of the Commvault installation path to open it, for example, C:\Program Files\Commvault\ContentStore\Base.

c. On the CommServe Recovery Assistant page, select Recovery / Production and click Next.

d. Type the displayed message and click Next.

e. Enter the share of the file system in the isolation zone and click Next.

f. After the DR file is imported, Commvault automatically identifies the paths of the database files and the database log file. Click Next.

g. On the Summary page, confirm the related information and click Start Recovery.

  • Method 2: Using commands

Step 11 Restore host data using the file system in the isolation zone.

1. Mount the file system used for backing up host data to the restored Commvault system.

2. Read the copy data from the newly mounted file system and select a point in time for restoration.

3. Select the data to be restored and click Restore.

Deselect Restore to original folder and click RESTORE.

—-End

5. Summary

The Commvault+OceanProtect X8000 ransomware protection storage solution uses the enterprise mission-critical service system model and adopts a secure architecture consisting of production and isolation zones. The WORM, secure snapshot, and Air Gap features are used to protect data from being tampered with. If service systems are encrypted by ransomware, management networks are intruded, or the production zone is attacked by ransomware, service data can be rapidly restored by using secure snapshots in the isolation zone and Air Gap, ensuring service continuity.

Based on the test configurations in this best practice, the Commvault+X8000 ransomware protection storage solution implements multi-level protection for the production and isolation zones. In the ransomware drills and restoration tests, the data in the production zone was successfully recovered. The suggestions and guidance in this document provide a reference for customers' IT system solutions and improve the O&M efficiency of data protection using the Commvault+OceanProtect X8000 ransomware protection storage solution.