SIRIS, ALTO, and NAS: Secure Deployment Best Practices for Datto Appliances

Topic

This article discusses best practices for secure configuration and deployment of Datto SIRIS, ALTO, and Datto NAS devices.

Environment

  • Datto SIRIS
  • Datto ALTO
  • Datto NAS

Description

Datto BDR appliances ship with inherent and configurable security features and functionality to support a secure deployment. MSPs and end-users must ensure the use of those features and deploy the Datto appliance into the end-user environment in a way that meets their network and security architecture requirements. In addition to end-user requirements, Datto expects that BDR appliances will be deployed in a secure LAN environment with no inbound Internet access, and that appropriate network access control exists in the LAN to limit the accessibility of appliance network daemons and services.

Access Control Objectives

Datto strongly recommends implementing least privilege access controls, such as the following:

  • Never allow inbound access from the internet to the appliance.
  • Deploy the appliance in line with the SIRIS, ALTO & Datto NAS Networking and Bandwidth Requirements article.
  • Only permit access OUTBOUND, as inbound access is not needed for the appliance to function.
  • Restrict outbound communications from the Datto appliance to only the networks in the Knowledge Base, and deny all other communications.
  • Limit access to the appliance's management end-user network Web UI to only trusted network management workstations, or jump hosts that need access for BDR workflow purposes.
  • Only allow protected systems to communicate with the appliance.
  • Implement strong identity and access management practices for Web UI and IPMI login.

Limiting Accessibility

Deployment in line with the above best practices can be achieved with technology in several ways, including, but not limited to:

  • Placing the appliance in a protected backup network requiring L2 adjacency.
  • Limiting the backup network's reachability through network routing restrictions.
  • Employing a network firewall to implement network access control lists.
  • Deploying port-based access control lists (ACLs) on network switch ports.
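The access control objectives and the deployment options above can be written down as an explicit allowlist and checked before firewall or switch ACLs are committed. The following is an added example, not Datto code; the appliance address, backup subnet, management hosts and the outbound "Datto networks" range are constructed placeholders (the real outbound destinations are those listed in the Knowledge Base), and the port numbers are assumptions for illustration.

```python
# Added example (not Datto code): a default-deny model of the article's
# least-privilege objectives, usable to sanity-check candidate ACL rules.
# All addresses below are constructed placeholders.
import ipaddress
from typing import NamedTuple, Tuple

APPLIANCE = ipaddress.ip_address("10.50.0.10")       # placeholder BDR appliance
BACKUP_NET = ipaddress.ip_network("10.50.0.0/24")    # protected backup LAN
MGMT_HOSTS = [ipaddress.ip_network("10.1.9.0/28")]   # jump hosts / mgmt workstations
DATTO_OUTBOUND = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder for KB-listed networks
MGMT_PORTS = {443, 623}   # assumed: web UI (HTTPS) and IPMI; adjust to the real ports


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide whether a new connection is permitted; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # 1. Connections the appliance initiates: only the documented Datto
    #    networks and the protected systems it backs up, nothing else.
    if src == APPLIANCE:
        if _in_any(dst, DATTO_OUTBOUND):
            return True, "outbound-to-datto"
        if dst in BACKUP_NET:
            return True, "appliance-to-protected-system"
        return False, "outbound-not-allowlisted"
    # 2. Connections to the appliance: management ports only from management
    #    hosts, backup traffic only from protected systems on the backup LAN.
    #    Internet sources match neither list, so they fall through to deny.
    if dst == APPLIANCE:
        if _in_any(src, MGMT_HOSTS) and flow.dport in MGMT_PORTS:
            return True, "management-access"
        if src in BACKUP_NET and flow.dport not in MGMT_PORTS:
            return True, "protected-system-to-appliance"
        return False, "inbound-not-allowlisted"
    return False, "not-appliance-traffic"
```

A protected system on the backup LAN reaching for the web UI, or the appliance reaching an address outside the allowlist, both come back denied, which is the behaviour the port ACLs or firewall rules should reproduce.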

Secure Configuration Best Practices

The Datto BDR appliance offers a range of configuration options to help MSPs and End Users manage BDR workflows in a manner that best suits their environment. MSPs should always deploy the Datto appliance in a secure LAN environment, and enable the more secure configuration options whenever they are available and appropriate for the end-user.

  • Perform device updates frequently
    • Updates ensure that your device has the latest software and operating system packages. They also patch and harden the appliance to Datto's most recent standards.
    • You can review device updates by navigating to Configure → Device Updates in the device GUI.
    • See the GUI: Device Settings article for details.

  • Deploy Encrypted Agents
    • Agent-level encryption ensures that backup data written to the appliance's ZFS filesystem, and ultimately replicated to the Datto Cloud, is encrypted at rest using a unique key that can only be generated with knowledge of the passphrase held by the MSP or end-user.
    • This feature is available on specific appliance platforms, such as the SIRIS family of appliances and ALTO XL appliances.
    • See the How to Encrypt Backups on a Datto Appliance and Properly Sizing a Datto Appliance Knowledge Base articles for details.

  • Configure File Shares with secure protocols and settings
    • Understand the policy and compliance requirements of the environment within which the Datto device is deployed, as selecting insecure file share options can jeopardize compliance.
    • Whenever end-user business requirements allow, do not permit anonymous or public access to any file share.
    • Leverage CHAP authentication with iSCSI file shares, as it requires initiators to authenticate before they can access the share.
    • Enable SFTP instead of FTP, as SFTP requires authentication AND encrypts data in transit across your network.
    • See the iSCSI Share Settings article for details.

  • Enable Relay Forced Login
    • Relay Forced Login requires all users to enter their login credentials when navigating from the Partner Portal to the Device UI via the Datto Relay remote web system.
    • Enable Relay Forced Login in the device web UI by navigating to Configure → Device Settings → Datto Relay Forced Login and clicking Enable Forced Login.
    • See the GUI: Device Settings article for details.

  • Unmount File Recoveries and Local Virtualizations when no longer required
    • Do not make file restore data or local virtualizations on supported platforms available for longer than is necessary to complete the required BDR workflow.
    • After confirming mounted file restores and local virtualizations are no longer needed, unmount them.
    • Remove a File Restore by navigating to Restore → Active Recoveries, selecting the file restore or local virtualization, and clicking Remove Restore.

  • Enable Mounted Restore Alerts
    • This option displays an alert in the device web UI when a file restore or virtualization has been mounted for longer than the admin-specified period. It warns you of latent restores that may need removal.
    • Enable Mounted Restore Alerts in the device web UI by navigating to Configure → Device Settings → Mounted Restore Alert, selecting the number of days after which to alert from the drop-down menu, then clicking Apply.

  • Configure local users with strong access credentials
    • Configure local user account usernames and passwords following the MSP or End User's identity and password management policies.
    • Where MSPs and End Users lack identity and password policies, Datto strongly recommends following password guidance in NIST SP 800-63: Digital Identity Guidelines.
    • Avoid using known weak or compromised passwords (e.g., 123456, password, admin). A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.
    • You can create local users in the Datto appliance GUI from the Local Users page. See the Local Users article for details.

  • Update Local User credentials as required
    • Local User access credentials for MSP Techs and end-user employees should be updated when those employees leave their respective organizations.
    • Update Local User passwords when required in the device web UI by navigating to Configure → Device Settings → Local Users and clicking Set Password.
    • See the Local User and Contacts article for details.

  • Enable Remote Logging
    • For end-users with logging and auditing requirements, you can configure the ability to send device logs to an off-box syslog server for later analysis.
    • Enable Remote Logging in the device web UI by navigating to Configure → Device Settings → Remote Logging, clicking Enable Remote Logging, then entering the IP address and port of the syslog server and clicking Add Remote Server.
    • See the GUI: Device Settings article for details.

  • Configure IPMI with strong access credentials
    • You have the option to use IPMI to interact with unresponsive appliances over the local LAN. When you enable this feature, configure it with a robust non-default user password that avoids known weak or breached credentials. A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.
    • Update IPMI passwords in the device web UI by navigating to Configure → Networking → IPMI Settings. Then select Admin, enter a secure password and click Change Admin Password.
    • See the GUI - Network Settings article for details.

  • Disable Local Access
    • Disabling local access requires all device access to originate from the Partner Portal, and so leverages the security of Partner Portal two-factor authentication (2FA).
    • Note: If you have enabled Forced Login, you still need to manage local user credentials.
    • Disable Local Access in the device web UI by navigating to Configure → Device Settings → Local Access Control.

  • Enable Secondary Replication
    • Available on all SIRIS products, Secondary Replication ensures that your data remains available in the event of unintended deletion of backup data.
    • Data remains available in the secondary site for a period of X days after it is deleted from the primary.
    • Enable secondary replication in the device web UI by navigating to Configure → Device Settings → Secondary Replication.

Datto is committed to providing a backup and disaster recovery solution with security features that aid customers in meeting their security policy and compliance requirements. Should you have any questions or concerns relating to topics covered in this article, please reach out to Datto Technical Support.
