Secure Deployment Best Practices for Datto Appliances

Scope

This article discusses best practices for secure configuration and deployment of Datto SIRIS, ALTO, and DNAS devices.

Overview

Datto BDR appliances ship with inherent and configurable security features and functionality to support a secure deployment. MSPs and end users must ensure the use of those features and deploy the Datto appliance into the end user environment in a way that meets their network and security architecture requirements. In addition to end user requirements, Datto expects that BDR appliances will be deployed in a secure LAN environment with no inbound Internet access, and that appropriate network access control exists in the LAN to limit the accessibility of appliance network daemons and services.

Access Control Objectives

Datto strongly recommends implementing least privilege access controls, such as the following:

  • Never allow inbound access from the internet to the appliance.
  • Deploy the appliance in line with the SIRIS, Alto & DNAS Networking and Bandwidth Requirements Knowledge Base article.
  • Only permit access OUTBOUND, as inbound access is not needed for the appliance to function.
  • Restrict outbound communications from the Datto appliance to only the networks in the knowledge base, and deny all other communications.
  • Limit access to the appliance's management Web UI on the end user network to only trusted
    network management workstations, or jump hosts that need access for BDR workflow purposes.
  • Allow only the systems being protected to communicate with the appliance.
  • Implement strong identity and access management practices for Web UI and IPMI login.

Limiting Accessibility

Deployment in line with the above best practices can be achieved with technology in a number of ways including, but not limited to:

  • Placing the appliance in a protected backup network requiring L2 adjacency.
  • Limiting the backup network's reachability through network routing restrictions.
  • Employing a network firewall to implement network access control lists.
  • Deploying port-based access control lists (pACLs) on network switchports.
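The access control objectives above can be written as checks and run against a candidate firewall ACL before it is deployed. The following is an added example, not Datto code or configuration: the first-match ACL model, the IP addresses, and the port used for protected-system traffic are all constructed placeholders, and the real outbound networks and ports must be taken from the networking requirements knowledge base article.

```python
import ipaddress

# All addresses are constructed placeholders (RFC 1918 / RFC 5737), not Datto values.
APPLIANCE = "10.20.0.10"
MGMT_HOST = "10.10.0.5"          # trusted management workstation or jump host
PROTECTED = "10.30.0.0/24"       # systems being backed up
VENDOR_NET = "198.51.100.0/24"   # stand-in for the networks listed in the vendor KB

# First-match ACL: (action, source, destination, destination port or None for any)
ACL = [
    ("allow", MGMT_HOST, APPLIANCE, 443),    # Web UI over HTTPS, management only
    ("allow", PROTECTED, APPLIANCE, None),   # narrow to the documented ports in practice
    ("allow", APPLIANCE, VENDOR_NET, None),  # outbound to listed networks only
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Weak variant for comparison: Web UI reachable from anywhere.
WEAK_ACL = [("allow", "0.0.0.0/0", APPLIANCE, 443)] + ACL

def decide(acl, src, dst, port):
    """Return the action of the first rule matching the flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in acl:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rport in (None, port)):
            return action
    return "deny"

def audit(acl):
    """Probe the ACL against each objective; return the names of failed checks."""
    probes = [
        ("internet inbound blocked", "203.0.113.7", APPLIANCE, 443, "deny"),
        ("mgmt host reaches Web UI", MGMT_HOST, APPLIANCE, 443, "allow"),
        ("other LAN host blocked from Web UI", "10.10.0.99", APPLIANCE, 443, "deny"),
        ("protected system reaches appliance", "10.30.0.21", APPLIANCE, 445, "allow"),
        ("outbound to listed network allowed", APPLIANCE, "198.51.100.20", 443, "allow"),
        ("outbound elsewhere denied", APPLIANCE, "203.0.113.7", 443, "deny"),
    ]
    return [name for name, src, dst, port, want in probes
            if decide(acl, src, dst, port) != want]

if __name__ == "__main__":
    print("least-privilege ACL failures:", audit(ACL))
    print("weak ACL failures:", audit(WEAK_ACL))
```
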

Secure Configuration Best Practices

The Datto BDR appliance offers a range of configuration options to help MSPs and End Users manage BDR workflows in a manner that best suits their environment. MSPs should always deploy the Datto appliance in a secure LAN environment, and enable more secure configuration options when available and appropriate for the end user.

  • Perform Device Updates frequently
    • This ensures appliances are running the latest Datto-published IRIS software and operating system packages, and that the system is upgraded, patched and hardened to Datto's most recent standards.
    • Review device updates by navigating to Configure > Device Updates in the device GUI.
    • See the GUI: Device Settings knowledge base article for details.

  • Enable HTTPS for Web UI
    • HTTPS protects Web UI login and session information as it traverses the LAN.
    • Enable HTTPS in the device GUI by navigating to Configure > Device Settings and clicking Enable HTTPS.
    • See the GUI: Device Settings knowledge base article for details.

  • Deploy Encrypted Agents
    • Agent level encryption assures backup data written to the appliance's ZFS filesystem, and ultimately replicated to the Datto Cloud, is encrypted at rest, using a unique key that can only be generated with knowledge of the passphrase held by the MSP or end user.
    • This feature is available on certain appliance platforms, such as the SIRIS family of appliances and Alto XL appliances.
    • See the How to Encrypt Backups on a Datto Appliance and Properly Sizing a Datto Appliance knowledge base articles for details.

  • Configure File Shares with secure protocols and settings
    • Understand the policy and compliance requirements of the environment within which the Datto device is deployed, as selecting insecure file share options can jeopardize compliance.
    • Whenever end user business requirements allow, do not permit anonymous or public access to any file share.
    • Leverage CHAP authentication with iSCSI file shares, as this requires authentication to access the file share.
    • Enable SFTP instead of FTP, as SFTP requires authentication AND encrypts data in transit across your network.
    • See the iSCSI Share Settings knowledge base article for details.

  • Enable Relay Forced Login
    • This requires all users to enter their login credentials when navigating from the Partner Portal to the Device UI via the Datto Relay remote web system.
    • Enable Relay Forced Login in the device web UI by navigating to Configure > Device Settings > Datto Relay Forced Login and clicking Enable Forced Login.
    • See the GUI: Device Settings knowledge base article for details.

  • Unmount File Recoveries and Local Virtualizations when no longer required
    • Do not make file restore data or local virtualizations on supported platforms available for longer than is necessary to complete the required BDR workflow.
    • After confirming mounted file restores and local virtualizations are no longer needed, unmount them.
    • Remove a File Restore by navigating to Restore > Active Recoveries, selecting the file restore or local virtualization, and clicking Remove Restore.

  • Enable Mounted Restore Alerts
    • This option displays an alert in the device web UI when a file restore or virtualization has been mounted for longer than the admin-specified period of time. This warns you of latent restores that may need removal.
    • Enable Mounted Restore Alerts in the device web UI by navigating to Configure > Device Settings > Mounted Restore Alert, selecting the number of days after which to alert from the drop-down menu, then clicking Apply. 

  • Configure local users with strong access credentials
    • Configure local user account usernames and passwords in accordance with the MSP or End User's identity and password management policies.
    • Where MSPs and End Users lack identity and password policies, Datto strongly recommends following password guidance in NIST SP 800-63: Digital Identity Guidelines.
    • Avoid using known weak or compromised passwords (e.g. 123456, password, admin).
    • Create local users in the device web UI by navigating to Configure > Local Users / Contact > Add a New Account, inputting the new account information, then clicking Create Account. 
    • See the Local User and Contacts knowledge base article for details.

  • Update Local User credentials as required
    • Local User access credentials for MSP Techs and end user employees should be updated when those employees leave their respective organizations.
    • Update Local User passwords when required in the device web UI by navigating to Configure > Local Users / Contact > Local Accounts and clicking Change Password.
    • See the Local User and Contacts knowledge base article for details.

  • Enable Remote Logging
    • For end users with logging and auditing requirements, you can configure the ability to send device logs to an off-box syslog server for later analysis.
    • Enable Remote Logging in the device web UI by navigating to Configure > Device Settings > Remote Logging, clicking Enable Remote Logging, then entering the IP address and port of the syslog server and clicking Add Remote Server.
    • See the GUI: Device Settings knowledge base article for details.

  • Configure IPMI with strong access credentials
    • IPMI interfaces are optionally used to interact with unresponsive appliances over the local LAN, and when enabled should be configured with a strong non-default user password that avoids known weak or breached credentials.
    • Update IPMI passwords in the device web UI by navigating to Configure > Networking > IPMI Settings. Then select Admin, enter a strong password, and click Change Admin Password.
    • See the IPMI Username, Password, New Profile Creation knowledge base article for details.

Datto is committed to providing a backup and disaster recovery solution with security features that aid customers in meeting their security policy and compliance requirements. Should you have any questions or concerns relating to topics covered in this article, please reach out to Datto Technical Support.

