Should a backup server be on a separate VLAN/subnet from the systems it backs up? And should the routes only go one way from inside the VLAN/subnet of the backup server out to the clients and subnets that it backs up? So that the clients can't get to the backup server?
1 Answer
The reason for backups is to add redundancy, allow for business continuity and disaster recovery. Having the backup server on a separate VLAN and having access controls around it is also a good idea. From a network and security architecture point of view all servers should be on a separate VLAN from clients, ideally with a firewall in between. It makes sense to take this a step further and give your ‘crown jewels’ (i.e. potentially valuable, business critical data) an extra layer of protection.
Network segmentation could potentially contain malware outbreaks and/or limit how far an attacker can pivot around the network. From this point of view alone it is sensible to contain your backup server.
You should only allow exactly what traffic is required, no more or no less. This goes for protocols, routes etc. In the same vein you should only allow for the minimum administrative controls as well; for example, any users that look after the backups should only have backup rights rather than full domain rights.
Remember, however, that the fact that clients are backing up to the server in the first place means that there is some kind of communication between clients and the server. This may be via CIFS, SMB, a management protocol etc. So there is still a residual risk even if configured or protected correctly.
Ideally you want to go further than this and have off-site backups if possible as well as offline backups stored in a secure location with appropriate controls protecting against physical destruction.
Using VLANs can also make it easier for you to manage bandwidth for the backup traffic. – knipp Jul 18 '17 at 08:13
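
One way to express the one-way rule the question asks about, as an added example that is not part of the question, the answer or the comment: an nftables forward chain on the firewall between the two VLANs. Routes still exist in both directions so replies can return; what is restricted is which side may open a connection. The interface names, addresses and the SSH pull port are assumptions, and the ruleset presumes a backup product that pulls from the clients.

```nftables
#!/usr/sbin/nft -f
# Added example. All names, addresses and the port below are constructed
# for illustration; adjust them to the real environment.

define BACKUP_SRV = 10.0.50.10      # backup server (assumed address)
define CLIENT_NET = 10.0.10.0/24    # systems being backed up (assumed)
define PULL_PORT  = 22              # assumed: server pulls over SSH

table inet backup_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Traffic that does not touch the backup VLAN is not this
        # chain's concern; other chains on the hook still evaluate it.
        iifname != "vlan50" oifname != "vlan50" accept

        # Replies belonging to connections permitted further down.
        ct state invalid drop
        ct state established,related accept

        # Only the backup server may open connections, and only to the
        # pull port on the client network.
        iifname "vlan50" oifname "vlan10" ip saddr $BACKUP_SRV ip daddr $CLIENT_NET tcp dport $PULL_PORT ct state new accept

        # Anything else trying to start a connection into the backup
        # VLAN is logged before it is dropped, which gives a detection
        # signal for scanning or lateral movement attempts.
        oifname "vlan50" ct state new log prefix "to-backup-vlan blocked: " drop

        # Everything remaining that involves the backup VLAN falls
        # through to the chain's drop policy.
    }
}
```

If the backup software only supports agents that push to the server, the accept rule has to be reversed and limited to the single agent port, which is the residual risk the answer describes.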