Best Practices for air gapped M365 backup?

Velvis
A small non-profit is signing a new cyber insurance policy and they want an air gapped backup of the M365 environment.

What is the consensus on the best way to achieve that?
 
That's fundamentally impossible. Air gapped means offline, and permanently so. But you can't generate the backup without a device being online.

You cannot have both...

Now if you want ownership of the data, install a Synology and use their tool to suck up the tenant into the box locally. That box should be on its own VLAN, and only admin accessible from a trusted device that's also on premise. That's as isolated as it can be. But it's still not "air gapped".
 
Air gapped means they will have to have local storage. And that local storage will have to be removable so that a copy is kept offsite.

But what I don't understand is how can they have M365, which implies email, and still be air gapped.
 
> That's fundamentally impossible. Air gapped means offline, and permanently so. But you can't generate the backup without a device being online.
>
> You cannot have both...
>
> Now if you want ownership of the data, install a Synology and use their tool to suck up the tenant into the box locally. That box should be on its own VLAN, and only admin accessible from a trusted device that's also on premise. That's as isolated as it can be. But it's still not "air gapped".
But you CAN take that one step further and back up the NAS to a set of rotating USB drives that are taken off-site or placed into a fireproof vault. That gets you a 3-2-1 backup scheme.
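The rotating-drive step above only helps if a drive that comes back from the vault still holds what was written to it. The following is an added example, not code from the thread or from Synology's tooling: it builds a SHA-256 manifest of the primary backup set on the NAS, stores it on the rotated drive, and on the drive's return reports files that are missing, altered or unexpected. The manifest file name, the directory layout and the sample files are all constructed for the demo.

```python
"""Check a rotated (offsite) copy of the NAS backup against the primary set.

Added example, not from the thread: it builds a SHA-256 manifest of the
primary backup, stores it on the rotated drive, and on the drive's next
return reports files that are missing, altered or unexpected, so a copy
is never rotated back into the vault unverified.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"   # assumed name; not a Synology convention


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def verify_copy(manifest: dict[str, str], copy_root: Path) -> dict[str, list[str]]:
    """Compare a copy against the manifest; all-empty lists mean the copy is intact."""
    copy = build_manifest(copy_root)
    return {
        "missing": sorted(k for k in manifest if k not in copy),
        "changed": sorted(k for k in manifest if k in copy and copy[k] != manifest[k]),
        "extra": sorted(k for k in copy if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a rotated copy that lost one file and had one altered."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "nas_backup"
        usb = Path(tmp) / "usb_rotation_a"
        (primary / "mailboxes").mkdir(parents=True)
        (primary / "mailboxes" / "alice.pst").write_bytes(b"constructed mailbox export")
        (primary / "sharepoint.tar").write_bytes(b"constructed site archive")
        shutil.copytree(primary, usb)
        write_manifest(build_manifest(primary), usb / MANIFEST_NAME)

        # Simulate what can happen to a drive sitting in a drawer: alteration and loss.
        (usb / "sharepoint.tar").write_bytes(b"constructed site archive, silently altered")
        (usb / "mailboxes" / "alice.pst").unlink()

        return verify_copy(load_manifest(usb / MANIFEST_NAME), usb)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a second copy of each manifest on the NAS (or regenerate one from the primary at verification time) and compare against that too; a manifest that lives only on the removable drive can be rewritten along with the data it describes.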
 
Only "airgap" would be a rotating backup, with what has been described, but by definition, still not "airgapped"

The one thing I did for a "hardened" backup on a budget was using dual-bay Synology. Backup to the Synology, and instead of RAIDing the drives, have the second drive only accessible by the Synology and backup into itself from the backups on the primary drive. If you want RAID, you could use a 4-bay and do the same thing.

(This setup has actually saved the butts of two business clients so far) - Still not truly airgapped, but puts the pressure on a hacker to penetrate another device.
 
What is the best ransomware protection solution for M365?
Layers of defense. You need a good firewall at the edge of the network. Good antivirus on all the devices. Good backups. Good spam protection (built into M365 Business Premium) and proper training for end-users to not open phishing emails. MFA everything and it is better to have only business-owned devices, not BYOD.
 
> Layers of defense. You need a good firewall at the edge of the network. Good antivirus on all the devices. Good backups. Good spam protection (built into M365 Business Premium) and proper training for end-users to not open phishing emails. MFA everything and it is better to have only business-owned devices, not BYOD.
They do a lot of work outside of the office so I am not sure how effective the hardware firewall would be; in addition, they use their own laptops.
 
> They do a lot of work outside of the office so I am not sure how effective the hardware firewall would be; in addition, they use their own laptops.

I'm starting to add "DNS Filter" to many of my clients. With so many businesses "working from home" now....those UTM firewalls at the office are just sitting there protecting an empty office. DNS filter...you install an agent on the PCs..so it goes with the computer.
 
> I'm starting to add "DNS Filter" to many of my clients. With so many businesses "working from home" now....those UTM firewalls at the office are just sitting there protecting an empty office. DNS filter...you install an agent on the PCs..so it goes with the computer.
Which service are you using? Quad9?
 
> Which service are you using? Quad9?

DNS Filter.

I started using Quad9 for all my clients years ago, such as, for "forwarders" for the DNS service on their domain controller. Or if just a workgroup, for their router's DNS forwarding. But, to the best of my knowledge, Quad9 does not have any "paid for service" that you can customize, get granular with, or utilize agents with. I focus on the "Pro" agent.

It's similar to Cisco Umbrella. ...which I'd never touch...cuz it's..Cisco.

For larger clients with a DC, you can spin up a virtual guest instance of a *nix powered DNS service...customizable so it can split the local AD requests and the public side requests. And get deeper reporting than if you just leverage the DNS forwarders on the DC.

And the best approach, agents on each/every computer.

I also looked at Zorus, which was started by a couple of people from Datto. But...it's too pricey, and isn't as flexible.

IMO, UTMs are losing their advantage. Well over 50% of LAN/WAN and vice versa traffic is HTTPS/SSL now. Even malware! So...they won't sniff it. Yeah, there's SSL inspection which I've set up on a few clients, but it's not easy to deploy anymore and just isn't practical anymore..and getting worse. Handling stuff at the DNS/IP level with agents like this, esp with portable computers...it's the way to go lately.
 
> Which service are you using? Quad9?
DNS Filter is the actual formal name of a product... created by people that left Umbrella (OpenDNS) after Cisco really screwed things up.

I'm NOT a fan of either of these products, because they are utterly TRIVIAL to bypass. You don't need admin rights to use DoT or DoH and go straight through them.

BUT, they are one of the few functional options if you're doing a distributed workforce.
 
> DNS Filter is the actual formal name of a product... created by people that left Umbrella (OpenDNS) after Cisco really screwed things up.
>
> I'm NOT a fan of either of these products, because they are utterly TRIVIAL to bypass. You don't need admin rights to use DoT or DoH and go straight through them.
>
> BUT, they are one of the few functional options if you're doing a distributed workforce.
I started using DNSFilter. They have a "roaming client". So you're not relying on setting the DNS in Windows. All DNS is routed to their servers. I use the roaming client exclusively since it allows for per user policies and reporting. In my setup for these computers there are two accounts with different policies and neither have admin.
 
You could install the Stellar 365 to PST backup software, backup to external. But then for this, it only gets what you have downloaded. Most of my clients want their Outlook jam packed so it would be fine for them lol.
 
> I started using DNSFilter. They have a "roaming client". So you're not relying on setting the DNS in Windows. All DNS is routed to their servers. I use the roaming client exclusively since it allows for per user policies and reporting. In my setup for these computers there are two accounts with different policies and neither have admin.
I'm fully aware of the agent, and I'm telling you DoT and DoH requests from properly configured browsers go right past it.

Heck, Firefox in particular loves to just ignore the configuration directives to tell it not to DoH and just does it to Cloudflare DNS all on its own at random. DNS Filter claims they're compatible... and they ARE. Firefox just doesn't care or listen. Mozilla as an entity is hostile to censorship in general, so there's no drive to fix this reality either.

It's THE security issue of the time to be honest.
 
For school 'n stuff...I can see trying to deal with evasive, sneaky end users, who try to duck/dodge/avoid any security steps put in place.

99 and 44/100% of my clients are small businesses made up of mature adults. It would take me quite a while to come up with just a couple of end users who I'd deem to be "sneaky" and try to bypass things.....I don't think I could use all 5 fingers if I counted them, out of a couple of thousand end users total.

As a long time user, pusher, and fan of Untangle, this year I've actually started to pull back a couple of installs. I have an insurance client of mine where they've started having issues getting deep into pages of Hanover's policy website. I spent weeks troubleshooting it...starting at sessions, going bonkers wild with bypass rules in every app, and even global bypass rules up at the network config, starting at the end users' workstation traffic in sessions and watching actions. Even replicated the issue in our office, since we're behind Untangle. Tether my laptop to my cell phone, problem gone. Laptop back behind Untangle...problem returns. I finally said "f-it"...pulled Untangle, put a UXG-Pro in place, problem gone!

Early on, the Threat module was a big "false positive happy"...but it settled down in the past couple of years....however the past couple of months it's caused me too many phone calls and grief...getting "false positive happy" again.
 
Back to original topic, I've yet to see a cyber insurance policy that demands an air gapped backup of 365. However, most SaaS backups of 365 fully isolate their backups, they're immutable, not connected to the source of backup once the backup is complete, thus airgapped. The goal is to isolate the backups from being able to be "touched" by some bad actor's action. Keeping backups local on the network, such as a plugged in external USB drive...well, we know how bad THAT can go.
 
@YeOldeStonecat It's not the sneaky users I'm worried about... it's malware.

DoH and DoT are a wide open gateway to bypass all DNS based filtration, all that's required is something running on the box. And that something can be as trivial as a PowerShell script. Then the entire security onion is unpeeled all at once!

Untangle always solved this, because it's a 3rd party observer managing the TCP sessions themselves. Obviously that solution isn't going to work anymore... but we need that 3rd party observer to be safe. We cannot ever trust software running on an endpoint. We've never been able to do so, and that reality hasn't changed regardless of what the business needs are.

It's a massive problem, and there simply isn't a good solution.

Threat Prevention is a powerful tool, but yes at times it can be a real pain in the rear. But NGFW itself is all but abandoned at this point, Arista seems to be correcting that.... but it's going to take time for "Untangle" to get back on track from the last half decade of poor decisions and atrophy. It's a serious testament to how well that software works to survive all that neglect and still be useful at all!
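The thread's point about DoT/DoH (and Firefox quietly talking to Cloudflare) is that a DNS-filtering agent cannot see what goes around it, so the check has to come from an observer that is not the endpoint. Below is an added example, not code from the thread, DNSFilter or Untangle: it runs over flow records as an edge device or collector would export them and flags the three ways a client sidesteps the filter: DoT on port 853, HTTPS to a known DoH endpoint (by SNI or by resolver address), and plain port-53 DNS to anything other than the internal forwarder. The log format, every line in SAMPLE_LOG and the internal resolver address are constructed; the resolver names and addresses are well-known public resolvers and are meant to be extended from your own intel.

```python
"""Flag endpoint flows that sidestep DNS-based filtering: DoT, DoH and direct external DNS.

Added example, not from the thread. The flow-log format and every line in
SAMPLE_LOG are constructed for this demo; the resolver names and addresses
are well-known public resolvers, extend the sets from your own intel.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known DoH endpoints as they appear in TLS SNI (Firefox's default uses the mozilla.* name).
DOH_SNI = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Well-known public resolver addresses; HTTPS straight to one of these is almost always DoH.
PUBLIC_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
# Constructed: the only resolver clients should reach on port 53 (the filtering forwarder).
INTERNAL_RESOLVERS = {"10.20.5.2"}

# Constructed flow log: ts src_ip sni dst_ip dst_port proto bytes ("-" = no SNI observed).
SAMPLE_LOG = """
2024-05-01T09:12:01Z 10.20.5.14 outlook.office365.com 52.96.0.10 443 tcp 18240
2024-05-01T09:12:03Z 10.20.5.14 - 1.1.1.1 853 tcp 1320
2024-05-01T09:12:05Z 10.20.5.21 mozilla.cloudflare-dns.com 104.16.248.249 443 tcp 2880
2024-05-01T09:12:09Z 10.20.5.21 www.example.com 93.184.216.34 443 tcp 9100
2024-05-01T09:12:12Z 10.20.5.30 - 8.8.8.8 443 tcp 2210
2024-05-01T09:12:15Z 10.20.5.30 - 10.20.5.2 53 udp 96
2024-05-01T09:12:18Z 10.20.5.14 - 9.9.9.9 53 udp 80
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sni: Optional[str]
    dst: str
    port: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    ts, src, sni, dst, port, proto, nbytes = line.split()
    return Flow(ts, src, None if sni == "-" else sni, dst, int(port), proto, int(nbytes))


def classify(f: Flow) -> Optional[str]:
    """Return a finding for a flow that bypasses the DNS filter, else None."""
    if f.proto == "tcp" and f.port == 853:
        return f"DoT to {f.dst}"
    if f.port == 443 and f.sni in DOH_SNI:
        return f"DoH (SNI {f.sni})"
    if f.port == 443 and f.sni is None and f.dst in PUBLIC_RESOLVER_IPS:
        return f"likely DoH to {f.dst}"
    if f.port == 53 and f.dst not in INTERNAL_RESOLVERS:
        return f"plain DNS bypassing internal resolver ({f.dst})"
    return None


def find_bypasses(lines) -> list[tuple[str, str]]:
    """(src_ip, finding) for every flow that sidesteps the filter, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        finding = classify(flow)
        if finding:
            findings.append((flow.src, finding))
    return findings


def demo() -> list[tuple[str, str]]:
    return find_bypasses(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for src, finding in demo():
        print(f"{src}: {finding}")
```

The same four rules translate directly into egress policy on whatever sits at the edge (deny 853 outbound, deny 53 outbound except from the forwarder, deny 443 to the resolver set), which closes the gap for on-site machines; for the roaming laptops the thread describes, the records have to come from a host-independent source such as a cloud egress point, since, as noted above, a report produced by software on the endpoint is exactly what cannot be trusted.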
 