deploying secure backup over aws cloud

Download Deploying Secure Backup Over AWS Cloud

Post on 31-Oct-2014

1.112 views

Category:

Technology

1 download

Embed Size (px)

DESCRIPTION

A global organization providing software solutions and technology for the travel industry handles huge volumes of near real-time transactions and reservations. The company was struggling with an inefficient and costly offsite backup infrastructure that was meant to manage an incrementally expanding database of more than 2.8 TB of storage. Regulatory compliance requires that the previous six months material must be readily available in a systematized fashion with cross-platform search functionality. Emind have implemented its set of tools and methodology to implement a secure cloud backup. These slides describe Emind solution based on AWS technologies such as S3 storage and EBS volumes explaining how to deal with great chunks of data in a secure manner while leveraging Porticor, cloud security solution. The presentation brought to you by Lahav Savir, Emind CEO

TRANSCRIPT

1. Deploying secure backup to the Cloud Lahav Savir, lahavs@emind.co lahavsavir 2. Lahav Savir 15 years in on-line industry Architect and CEO @ Emind Systems (est. 2006) AWS solution provider Over 30 AWS customersHobbies (thats the . . .) MTB cycling Mountain hiking 3. Backup scenariosOn Premises to off-site On the cloud to other site File servers File servers Backup files Large data volumes Data base dumps Data base dumps archiving Large S3 beckets Disaster recovery 4. Storage scenariosStorage appliances Disks & Servers NFS Windows shares CIFS Linux exports Linux servers Sun exports 5. RequirementsBackup Keep a replica of the data off-site Keep history of the data for X month back Secure transfer Encrypt data sets Large files Delta transferDeployment Dont impact existing setup Dont install any SW on servers No additional hardware 6. Few more . . . Control bandwidth throughput Visibility and monitoring Simplicity Dont pay much License Traffic Storage 7. Alternatives Windows Storage built-in Virtual drive to s3 No monitoring Sync application No visibility to status Cygwin / delta copy No feedback Linux s3fs (fuse) s3cmd 8. Simple solution Sync Manager Linux appliance cifs-utils rsync s3cmd tc (traffic controller) net-snmp curl 9. Sync Configuration rsync (filer to filer)rsync;/filer/data1/; sync@192.168.61.130:/data1/{A}rsync;/filer/data2/; sync@porticor_vpd:/data2 s3 (filer to s3 with / without VPD)s3;/var/www/wordpress/;s3://bucket1/wordpress-{d}/;--no-delete-removeds3;/mnt/srv1/;s3://bucket2/ 10. Bandwidth control Tag user trafficiptables -t mangle -A OUTPUT -m owner --uid-owner $SYNCMGR_UID -j MARK--set-mark 0x1 Create root qdisc for eth0$TC qdisc add dev $IF root handle 1: htb default 30 Add a class (bucket) with bandwidth restrictions$TC class add dev $IF parent 1: classid 1:2 htb rate $MAXRATE Then add a filter to force packets through the class$TC filter add dev $IF protocol ip parent 1:0 prio 1 handle 1 fwclassid 1:2Tip: use iftop to see it in action 11. Monitoring## SNMP paramsSNMPTRAP=trueSNMPTRAP_HOST=nms_serverSNMPTRAP_PORT=162SNMPTRAP_COMMUNITY=publicSNMPTRAP_OID=.1.3.6.1.4.1.39731.2101## support_routerSUPPRTR_NOTIF=trueSUPPRTR_PROJECT="SupportDispatcherSUPPRTR_SYNCMGR_CLIENT=EmindSUPPRTR_BASEURL=https://support.emind.co/support_router/public/api.php## snmpd.confrocommunity public# send all Emind Enterprise ID requests to the subagentpass .1.3.6.1.4.1.39731 /usr/local/emind/snmp_subagent 12. Cloud backup hosts ec2 instance (Linux server) EBS volumes s3 buckets Porticor VPB EBS volumes S3 proxy 13. Hosting on the cloud Public cloud Instance behind security groups with SSH keys VPC Instance behind VPN AWS VPN Gateway IPSec with CheckPoint in the VPC IPSec with Swan in the VPC SSL VPN with OpenVPN in the VPC 14. Restoring Dont be shocked rsync back from storagersync ; sync@192.168.61.130:/data1/{A} ; /filer/data1/ 3scmds3cmd get s3://bucket2/file /path/to/restore/file 15. Summary Simple & open solution No impact to customer infrastructure No additional HW Control & visible Fully integrated to NMS Reliable Secure 16. AWS Tips Dont forget to set AWS console MFA Setup a VPN to your AWS server No public SSH Monitor traffic coming into your servers Multi region / AZ for high availability Use ec2 tools Backup backup backup . . . 17. Questions ??? Thank you, Mail me: lahavs@emind.co Lahav SavirLinkedIn / Twitter / Facebook