Hi there,

On Fri, 2 Sep 2022, tim.pennick--- via clamav-users wrote:
> Apologies for the OT follow-up. I attempted to send this off list, but was rejected.
Sorry, my mail system is a bit picky about replies to mailing list posts. :)
> Very many thanks for your extremely helpful response. I wonder if you could clear up a point you raise as I'm not a security expert, but am concerned that I might be adding unnecessarily to the risks of a security breach.
Concern about these things is good. :)
> You say: "NAS devices respond to requests to read and write data which come from the other devices on the network. For backup, my own feeling is that I'd much rather have something which makes calls to the devices being backed up to ask for the data but does *not* respond to devices which try to command it. Effectively there's a firewall between the devices being backed up and the backup device. Then if ransomware or similar manages to compromise any of the devices being backed up, it can't get to the backup device to do any damage there and you have a much better situation to recover from." Do you have a product or type of product in mind which would satisfy your criteria?
Yes. Something like 'BackupPC'. It won't quite tick all the boxes without a bit of work on the box on which it runs, but a little bit of firewalling can go a long way. I'm sure there must be others but that's what I've been using for many years.
> Wouldn't it be just as dangerous to allow a storage device to command a client device to perform a particular task, as vice versa?
No, absolutely not. The ideal would be to harden a backup device so that, even if the devices it's backing up are compromised, it can't itself be compromised. The backup device says in effect "Please send some data." and it doesn't care a hoot what data gets sent because its one and only job is to accept any amount of random data that anything on the network cares to send to it *after* receiving such a request. If a device tries to connect to the backup box to instruct it to do something, the backup box ignores it - and hopefully writes a warning in the logs somewhere, or sends mail, or whatever kind of alert the system administrator prefers. We're OT for this list so I won't go into more detail but if you do a bit of reading about firewalls you'll start to get the picture. You can have a firewall anywhere, it doesn't have to be just at a network perimeter like in your modem/router. It just seems like common sense to me to have at least a firewall between the backup and the things it backs up. An air gap is better, but more effort and less convenient.

--
73,
Ged.
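The pull-only arrangement described in the message above can be sketched as a host firewall on the backup box. This is an added example, not part of the original post and not BackupPC's own configuration; the LAN range, the admin workstation address and the single SSH management exception are assumptions to adapt.

```nftables
#!/usr/sbin/nft -f
# Constructed example: host firewall for a backup box that only pulls data.
# Assumptions (not from the original message): LAN is 192.168.1.0/24 and one
# admin workstation at 192.168.1.10 may reach SSH for maintenance.

flush ruleset    # replaces any ruleset already loaded on this host

define LAN   = 192.168.1.0/24
define ADMIN = 192.168.1.10

table inet backup_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Data arriving on connections the backup box opened itself.
        # This is the "please send some data" direction.
        ct state established,related accept
        ct state invalid drop

        # Minimum ICMP for diagnostics and IPv6 neighbour discovery.
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Assumed management path: SSH from the admin workstation only.
        ip saddr $ADMIN tcp dport 22 ct state new accept

        # Any other LAN device trying to open a connection to the backup
        # box gets a rate-limited warning in the kernel log; the packet
        # then falls through to the chain's drop policy.
        ip saddr $LAN ct state new limit rate 10/minute log prefix "backup-inbound-denied: " level warn
    }

    chain forward {
        # The backup box is not a router.
        type filter hook forward priority 0; policy drop;
    }

    # No output chain: outbound traffic is left unfiltered so the backup
    # software can initiate its transfers to the devices being backed up.
}
```

The `backup-inbound-denied: ` log prefix gives a syslog watcher or mail alert a fixed string to match on.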
