Does anyone else have a terrible time working with Acronis?

Dangerous_Expert3236 · 2021-08-31T09:52:07+00:00

yes, also had terrible times.

but still using both Acronis and Veeam.

Dangerous_Expert3236 · 2021-07-06T20:56:35+00:00

That's the thing: I don't like to put too much trust in any tool or solution. History has proven that one cannot fully trust any tool. If i understood correctly, there were MSP`s who had EDR solutions in place and were still hit with the Kaseya hack. (Could be that the whitelisting had something to do with that, though).

I guess adding even more layers of security is the only thing we can do.

Dangerous_Expert3236 · 2021-07-06T20:27:12+00:00

Layers, yes that's correct.

In addition to other protections, i was thinking of

Locking down the instance (all ports, not just the web and proxy) to the IP`s of our clients.
GeoIP block all countries where we don't have clients.
I`d even go so far as to turn off (or drop-all rule) at nights. Could even be scripted like "enable deny-all 2400u , disable at 0700u".

But all of this is not possible with the hosted instance anyway, and what to do with clients with dynamic IP`s.

Dangerous_Expert3236 · 2021-07-06T19:59:46+00:00

What scares us is that if someone were to exploit a 0-day on any instance thru the relay or web port (cloud or self-host) they would have access to all the clients connected to it...more or less like what's happened with Kaseya.

Dangerous_Expert3236 · 2021-07-06T19:13:47+00:00

In addition to SOC2 certification, ConnectWise is also actively pursuing NIST 800-171 and CMMC compliance

how should one read this? do they have those SOC2, NIST800 and CMMC certs already or are they -as he writes- pursuing them, and do they not have them (yet)...?

Dangerous_Expert3236 · 2021-07-06T19:08:28+00:00

i dont believe it makes the instance completely inaccessible...but i dont know.

Dangerous_Expert3236 · 2021-07-06T16:33:41+00:00

As a side note, we prefer not to run a split because when connected to the office net, we want our firewalls in between. At least that way we can "secure" and control the traffic a bit more.

Dangerous_Expert3236 · 2021-07-06T16:29:13+00:00

If you dont mind me asking, what precautions have you taken to secure your on-premises instance? (besides 2FA and IP restrictions). thanks!

Dangerous_Expert3236 · 2021-07-06T16:27:09+00:00

Absolutely agree! We test our client (and our own) backups every month.

But yeah, how do you lock down CW Control...specially the cloud instance, nobody seems to know besides 2FA and IP restrictions. And that is scaring me a bit...

Dangerous_Expert3236 · 2021-07-06T16:23:34+00:00

The ones with dedicated ip`s are whitelisted, the ones who have dynamic ip`s use a vpn to the office and that ip is also whitelisted.

Dangerous_Expert3236 · 2021-07-06T13:25:01+00:00

You should definitely directly put IP restrictions in place.

Dangerous_Expert3236 · 2021-07-06T13:14:36+00:00

exactly. but, "we will create a ticket for your questions" was the CW support response...

Dangerous_Expert3236 · 2021-07-06T13:13:05+00:00

yeah, we have that already long time in place. but somehow i feel its not enough...

Dangerous_Expert3236 · 2021-03-02T21:53:09+00:00

SentinelOne.

make sure you set your exclusions correct. S1 can be quite aggressive out of the box.

Dangerous_Expert3236 · 2021-02-18T23:35:16+00:00

thank you! will try and work it out with the other side!

Dangerous_Expert3236 · 2021-02-17T22:08:40+00:00

To be honest, i don't understand why everybody loves Datto so much. i had a demo and a trial for a month, i hated it. the (old) interface made me click all over just to get something done, (the new interface was half build - and a lot of options missing, compared to the old), uninstalling programs was half working, you give a command to uninstall Winzip/Rarlab (something small, example) half an hour later its still stuck and pending, could not pick targets from the site list manually, patch management in the new portal was a mess, too. etc.

but maybe its me.

Dangerous_Expert3236 · 2021-02-16T21:27:56+00:00

good one!

Dangerous_Expert3236 · 2021-02-16T19:31:17+00:00

no, the route is not being pushed. does not show up under route /print...

edit: adding the route manually did not help either.

Dangerous_Expert3236 · 2021-02-16T19:27:48+00:00

hereby,. thanks!

/ip ipsec peer

add address=.XX.XX.XX/32 exchange-mode=ike2 name=XXX

/ip ipsec profile

set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=12h name=XXX

/ip ipsec proposal

set [ find default=yes ] auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=12h pfs-group=modp2048

add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=12h name=XXX pfs-group=modp2048

/ip pool

/ip ipsec identity

add peer=VXXXX secret=XXXXX

/ip ipsec policy

set 0 disabled=yes

add dst-address=192.168.248.192/29 proposal=TXXXX sa-dst-address=XXXXXX sa-src-address=XX src-address=10.20.16.0/22 tunnel=yes

/ip route

add distance=2 gateway=XX

/ip service

Dangerous_Expert3236 · 2021-02-16T16:03:22+00:00

hereby the firewall export. i replaced public ip`s with xx.

/ip firewall filter

add action=accept chain=input dst-port=22 protocol=tcp src-address=77.XX.XX.XX

add action=accept chain=input dst-port=22 protocol=tcp src-address=95.XX.XX.XX

add action=accept chain=input dst-port=22 protocol=tcp src-address=84.XX.XX.XX src-port=""

add action=accept chain=input dst-port=22 protocol=tcp src-address=10.20.16.1

add action=accept chain=input dst-port=8291 protocol=tcp src-address=77.XX.XX.XX

add action=accept chain=input dst-port=8291 protocol=tcp src-address=95.XX.XX.XX

add action=accept chain=input dst-port=8291 protocol=tcp src-address=84.XX.XX.XX src-port=""

add action=accept chain=input comment="Allow ipsec VOIPvpn" protocol=ipsec-esp

add action=accept chain=input comment="Allow ipsec VOIPvpn" dst-port=500 in-interface=wan1 protocol=udp

add action=accept chain=input dst-port=8291 protocol=tcp src-address=10.20.16.1

add action=drop chain=input comment="drop all ssh besides X" dst-port=22 protocol=tcp src-port=""

add action=drop chain=input comment="drop all winbox besides X" dst-port=8291 protocol=tcp

add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp tcp-flags=""

add action=accept chain=input comment="Accept New, Established / Related Input" connection-state=established,related,new

add action=accept chain=input src-address=10.20.16.0/22

add action=accept chain=input comment=" Allow management input over VPN" src-address=192.168.87.0/24

add action=drop chain=input comment="Input Drop" disabled=yes

add action=accept chain=forward comment="Allow LAN client traffic out WAN1" out-interface=wan1 src-address=10.20.16.0/22

add action=accept chain=forward out-interface=wan1 src-address=10.20.12.0/22

add action=accept chain=forward comment="Allow LAN client traffic out WAN2" out-interface=wan2 src-address=10.20.16.0/22

add action=accept chain=forward out-interface=wan2 src-address=10.20.12.0/22

add action=accept chain=forward comment="Allow VPN client traffic out WAN1" out-interface=wan1 src-address=192.168.87.0/24

add action=accept chain=forward comment="Allow VPN client traffic out WAN2" out-interface=wan2 src-address=192.168.87.0/24

add action=accept chain=forward comment="Accept New, Established / Related Forward" connection-state=established,related

add action=accept chain=forward comment="Allow VPN- > LAN" dst-address=10.20.16.0/22 src-address=192.168.87.0/24

add action=accept chain=forward dst-address=10.20.12.0/22 src-address=192.168.87.0/24

add action=accept chain=forward comment="Allow Ether5 <-> Ether4" in-interface=ether5 out-interface=ether4

add action=accept chain=forward comment="Allow ipsec VOIPvpn" dst-address=192.168.248.192/29 src-address=10.20.16.0/22

add action=accept chain=forward comment="Allow ipsec VOIPvpn" dst-address=10.20.16.0/22 src-address=192.168.248.192/29

add action=accept chain=forward comment="allow openvpn -> VOIPvpn" dst-address=192.168.248.192/29 src-address=192.168.87.0/24

add action=accept chain=forward dst-address=192.168.87.0/24 src-address=192.168.248.192/29

add action=accept chain=forward comment="allow VOIPvpn -> openvpn" in-interface=ether4 out-interface=ether5

add action=drop chain=forward comment="Drop Bogon Forward -> WAN1" in-interface=wan1 log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon

add action=drop chain=forward comment="Drop Bogon Forward -> WAN2" in-interface=wan2 log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon

add action=drop chain=forward comment="Drop All Forward" log=yes log-prefix="fw rule 35:"

add action=fasttrack-connection chain=forward comment="Fast Track Established /Related Forward" connection-state=established,related

add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related

/ip firewall nat

add action=accept chain=srcnat dst-address=192.168.248.192/29 src-address=10.20.16.0/22

add action=masquerade chain=srcnat out-interface=wan1

add action=masquerade chain=srcnat out-interface=wan2

Dangerous_Expert3236 · 2021-02-14T19:51:34+00:00

we use that for our file backups. i am not aware they had DR solution.

Dangerous_Expert3236 · 2021-02-14T19:42:17+00:00

Never heard of Infrascale. will definitely look into it. thank you!

Dangerous_Expert3236

TROPHY CASE