+11Hi Team,
Is it recommended to use Linux Media agents instead of Windows media agent from ransomware protection and security perspective ?
Can we convert existing windows media agents to Linux easily ? If yes , what is the procedure .
We are using UNC sharing(double slashes or backslashes) of mount paths between windows media agents , How can we achieve such sharing of mount paths in case on Linux media agents ?
Regards, Mohit
Best answer by jgeorges
Move mount path is supported between OS as of more recent Service Packs.
However, you cannot move from CIFS to NFS.
Local Drive to NFS and vice versa is no issues.
However as yours using CIFS there is no need to move mountpaths, as the storage is not contained within 1 server.
I’ll also note that its important to understand how Ransomware Protection works within Commvault,. By running a filter driver at the OS of the machine hosting the mountpath (like Antivirus) we can inspect all processes accessing those shared mountpaths and stop those that should not be in there. If it is local disk, this works very well.
With CIFS however, if anything outside of the Media Agent has access, assuming that its presented from the network, we cannot protect the storage from outside of the Media Agent OS. You can limit access by restricted permissions however modern ransomware easily gets around this.
For this reason, its important that if you are using CIFs, that the storage network is isolated or at least not sitting on your production network and you implement any hardening you can.
Cheers,
Jase
+23One thing to consider for now (in 11.25) is that we automatically apply Ransomware Protection to all Windows Media Agents with Mount Paths:
However, we can do it via a script for Linux:
As for moving mount paths, you can move from Windows to Linux if you decide:
https://documentation.commvault.com/11.25/expert/9303_moving_mount_path_support.html
This should cover all of your concerns, though let me know if it doesn’t!
+11Thank you .
I understand that Move mount path is not supported from Windows to Linux and vice versa .
But one ques is still not answered , how UNC path sharing between media agents is handled in Linux media agents ?
Also , can i have both Linux as well as Windows media agent configured in one library ?
+18I would recommend we take a step by into why we’re asking this question.
Ransomware Protection is supported for both Linux and Windows MAs. I would suggest going with whatever OS you’re more comfortable administering and, especially, securing. We can protect the mount paths on both, but if the servers themselves are not secured well you have larger issues.
Thanks,
Scott
+11So we can not perform move mount path from Windows media agent to Linux ?
We have to wait for existing data on windows media agent to expire and then remove it from library before adding Linux MAs .
Do you have answers for below ques :
+23As long as the OS sees the Mount Path on the hosting server, sharing mount paths in the GUI is easy.
You can share between Linux and Windows as well, just be sure to enable Ransomware protection on BOTH Media Agents.
Here’s the instructions for sharing:
https://documentation.commvault.com/11.24/expert/9391_sharing_mount_path_using_dataserver_ip.html
Move mount path is supported between OS as of more recent Service Packs.
However, you cannot move from CIFS to NFS.
Local Drive to NFS and vice versa is no issues.
However as yours using CIFS there is no need to move mountpaths, as the storage is not contained within 1 server.
I’ll also note that its important to understand how Ransomware Protection works within Commvault,. By running a filter driver at the OS of the machine hosting the mountpath (like Antivirus) we can inspect all processes accessing those shared mountpaths and stop those that should not be in there. If it is local disk, this works very well.
With CIFS however, if anything outside of the Media Agent has access, assuming that its presented from the network, we cannot protect the storage from outside of the Media Agent OS. You can limit access by restricted permissions however modern ransomware easily gets around this.
For this reason, its important that if you are using CIFs, that the storage network is isolated or at least not sitting on your production network and you implement any hardening you can.
Cheers,
Jase
+13Here is an interesting article about “Choosing a Windows or Linux MediaAgent Host Operating System”
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
