A global organization providing software solutions and technology for the travel industry – handles huge volumes of near real-time transactions and reservations. The company was struggling with an inefficient and costly offsite backup infrastructure that was meant to manage an incrementally expanding database of more than 2.8 TB of storage. Regulatory compliance requires that the previous six months’ material must be readily available in a systematized fashion with cross-platform search functionality. Emind have implemented its set of tools and methodology to implement a secure cloud backup. These slides describe Emind solution based on AWS technologies such as S3 storage and EBS volumes explaining how to deal with great chunks of data in a secure manner while leveraging Porticor, cloud security solution. The presentation brought to you by Lahav Savir, Emind CEO

1. Deploying secure backup
to the Cloud
Lahav Savir, lahavs@emind.co
lahavsavir

2. Lahav Savir
• 15 years in on-line industry
• Architect and CEO @ Emind Systems (est. 2006)
• AWS solution provider
• Over 30 AWS customers
Hobbies (that’s the . . .)
• MTB cycling
• Mountain hiking

3. Backup scenarios
On Premises to off-site On the cloud to other site
• File servers • File servers
• Backup files • Large data volumes
• Data base dumps • Data base dumps
archiving • Large S3 beckets
• Disaster recovery

4. Storage scenarios
Storage appliances Disks & Servers
• NFS • Windows shares
• CIFS • Linux exports
• Linux servers
• Sun exports

5. Requirements
Backup
• Keep a replica of the data off-site
• Keep history of the data for X month back
• Secure transfer
• Encrypt data sets
• Large files
• Delta transfer
Deployment
• Don’t impact existing setup
• Don’t install any SW on servers
• No additional hardware

6. Few more . . .
• Control bandwidth throughput
• Visibility and monitoring
• Simplicity
• Don’t pay much
– License
– Traffic
– Storage

7. Alternatives
• Windows • Storage built-in
– Virtual drive to s3 – No monitoring
– Sync application – No visibility to status
– Cygwin / delta copy – No feedback
• Linux
– s3fs (fuse)
– s3cmd

8. Simple solution
• Sync Manager
– Linux appliance
– cifs-utils
– rsync
– s3cmd
– tc (traffic controller)
– net-snmp
– curl

9. Sync Configuration
• rsync (filer to filer)
rsync;/filer/data1/; sync@192.168.61.130:/data1/{A}
rsync;/filer/data2/; sync@porticor_vpd:/data2
• s3 (filer to s3 with / without VPD)
s3;/var/www/wordpress/;s3://bucket1/wordpress-{d}/;-
-no-delete-removed
s3;/mnt/srv1/;s3://bucket2/

10. Bandwidth control
• Tag user traffic
iptables -t mangle -A OUTPUT -m owner --uid-owner $SYNCMGR_UID -j MARK
--set-mark 0x1
• Create root qdisc for eth0
$TC qdisc add dev $IF root handle 1: htb default 30
• Add a class (bucket) with bandwidth restrictions
$TC class add dev $IF parent 1: classid 1:2 htb rate $MAXRATE
• Then add a filter to force packets through the class
$TC filter add dev $IF protocol ip parent 1:0 prio 1 handle 1 fw
classid 1:2
Tip: use iftop to see it in action

11. Monitoring
## SNMP params
SNMPTRAP=true
SNMPTRAP_HOST=nms_server
SNMPTRAP_PORT=162
SNMPTRAP_COMMUNITY=public
SNMPTRAP_OID=.1.3.6.1.4.1.39731.2101
## support_router
SUPPRTR_NOTIF=true
SUPPRTR_PROJECT="SupportDispatcher“
SUPPRTR_SYNCMGR_CLIENT=Emind
SUPPRTR_BASEURL=https://support.emind.co/support_router/public/api.php
## snmpd.conf
rocommunity public
# send all Emind Enterprise ID requests to the subagent
pass .1.3.6.1.4.1.39731 /usr/local/emind/snmp_subagent

12. Cloud backup hosts
• ec2 instance (Linux server)
– EBS volumes
• s3 buckets
• Porticor VPB
– EBS volumes
– S3 proxy

13. Hosting on the cloud
• Public cloud
– Instance behind security groups with SSH keys
• VPC
– Instance behind VPN
• AWS VPN Gateway
• IPSec with CheckPoint in the VPC
• IPSec with Swan in the VPC
• SSL VPN with OpenVPN in the VPC

14. Restoring
Don’t be shocked
• rsync back from storage
rsync ; sync@192.168.61.130:/data1/{A} ; /filer/data1/
• 3scmd
s3cmd get s3://bucket2/file /path/to/restore/file

15. Summary
• Simple & open solution
• No impact to customer infrastructure
• No additional HW
• Control & visible
• Fully integrated to NMS
• Reliable
• Secure

16. AWS Tips
• Don’t forget to set AWS console MFA
• Setup a VPN to your AWS server
• No public SSH
• Monitor traffic coming into your servers
• Multi region / AZ for high availability
• Use ec2 tools
• Backup backup backup . . .

17. Questions ???
Thank you,
Mail me: lahavs@emind.co
Lahav Savir
LinkedIn / Twitter / Facebook