The term "bastion server" is usually used to describe an intermediate network security device. The concept is that the secured network (usually an internal network) is not directly connected to the unsecured network (think Internet). The bastion server sits in the middle and marshals the desired traffic between the two networks. Sounds kind of like a firewall, but it is not the same thing. If someone penetrates your perimeter defenses, they would be in the bastion server or bastion network and not have direct access to the secured network.
How does this relate to backups? A comment on a previous post, "Pull Rather than Push Your Offsite Backups", suggested that an intermediate server can be used to add additional protection to your backups. The intermediate server is something I have used for many years to ensure that backups are protected from ransomware. In this post, I am going to elaborate on the value of the bastion backup server as an additional security measure to thwart hackers and sophisticated ransomware that may target your backups.
Keep in mind that one of the primary success factors for ransomware is the ability to destroy backups. Otherwise, the victim can easily recover without paying the ransom. Hackers and ransomware developers are well aware of this. Their first objective is to get the ransomware onto machines with high-value data or systems; their next objective is to deny the victims the opportunity to restore from backups. With that said, it is imperative that your backups be stored so that they cannot be destroyed or modified by anything that may occur on the primary system. There are many ways to accomplish this, but fundamentally, the more disconnected the backups are from the primary system, the better the protection from ransomware or other threats that may occur on the primary system.
Simply having a backup in the cloud doesn't necessarily mean it has a high degree of disconnectivity from the primary. For example, consider a system in New York that is backing up to a remote server in Texas. Sounds pretty good from a geographic perspective, but if the New York system can read and write backups to the Texas system, then ransomware on the New York system probably has the means to destroy your backups. In this case, I would say the Texas system is not disconnected from the New York system in a meaningful way.
This is where a bastion server adds tremendous value. Let's say the production system has no connectivity to the backup location at any time. Then how will the backup files ever get to the backup location? One very good answer is to set up a bastion backup server that has read-only access to the production system. The bastion backup server then pulls the data over its read-only connection to local storage. Next, your offsite backup system pulls the backups from the bastion backup server over a read-only connection.
Not only does this configuration prevent ransomware on your production server from affecting your backups, but it also prevents the reverse. Sometimes ransomware will infect the backup system first, and then use the connection to the production system to install itself there. This is why those read-only connections are very important. In this case, any event that occurs on the production server, the bastion backup server, or the offsite backup server is unlikely to affect any of the other systems.
Secure your bastion backup server. The term "bastion server" by definition usually means a "secure" server. So if you are implementing a bastion backup server, place a priority on the security of that server. Apply basic security principles: run only the necessary services to reduce the attack surface, and allow minimal network connectivity, inbound and outbound. Especially limit or block internet access to and from the bastion backup server. It is also advised to install minimal software: no email clients, no browsers, and so on. Most of these security approaches can be applied to your offsite backup server as well, but the bastion backup server can be almost completely locked down.
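The read-only pull chain described above (production to bastion, then bastion to offsite), as an added example that is not part of the original post. It assumes the host being read exposes a low-privilege "backup" account whose SSH key is confined by rsync's bundled rrsync helper (assumed at /usr/bin/rrsync), a production host named prod.example.internal, a key file at /etc/backup/bastion_pull_key, and snapshots kept under /srv/snapshots on the puller; the same authorized_keys entry is installed on the bastion for the offsite server's key.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: production host
# prod.example.internal with a low-privilege "backup" account, the bastion's
# dedicated key at /etc/backup/bastion_pull_key, rsync's rrsync helper at
# /usr/bin/rrsync, and snapshots stored under /srv/snapshots on the puller.

# Builds the authorized_keys line installed on the host being READ (production
# for the bastion's key; the bastion itself for the offsite server's key).
# "rrsync -ro" confines the key to read-only rsync under $1; "restrict" turns
# off shell, PTY and port/agent/X11 forwarding, so the key cannot write back.
restricted_key_entry() {
    # $1 = directory exported read-only, $2 = public key material
    printf 'command="/usr/bin/rrsync -ro %s",restrict %s\n' "$1" "$2"
}

# Pulls one dated snapshot onto the puller's local disk. Unchanged files are
# hard-linked against the previous snapshot, so each run costs only the delta
# while every snapshot remains a complete, independently restorable tree.
pull_snapshot() {
    src_host=$1; dest_root=$2; key=$3
    today=$(date +%F)
    latest="$dest_root/latest"
    link_opt=""
    [ -e "$latest" ] && link_opt="--link-dest=$latest"
    mkdir -p "$dest_root/$today"
    # With rrsync on the far side the remote path is relative to the exported
    # directory, so "/" means everything under that directory.
    rsync -a --delete $link_opt \
        -e "ssh -i $key -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "backup@$src_host:/" "$dest_root/$today/" || return 1
    # Manifest written by the puller; the next hop verifies it after its pull.
    ( cd "$dest_root/$today" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS )
    ln -sfn "$dest_root/$today" "$latest"
}

# Example invocation on the bastion (production -> bastion):
#   pull_snapshot prod.example.internal /srv/snapshots /etc/backup/bastion_pull_key
```

The production host never holds a credential for the bastion, and the bastion never holds one for the offsite server, so neither hop can be used in the reverse direction.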
Should you leave a copy of your backup files on the bastion backup server? The answer depends on the nature of the data and your application and needs. There is a tradeoff to be considered. Ransomware is not the only concern. You've seen many high-profile cases where data breaches of sensitive information have caused expensive and embarrassing consequences for large companies. An argument can be made that having an extra copy of those sensitive files on your bastion backup server is one more place where a breach could occur and expose sensitive data. In fact, many of the big breaches involved hackers or malware accessing backup files. In my personal opinion, the bastion server, if properly secured, is the last place where hackers or malware are going to get access to your data. Your production system is probably much more vulnerable because it must be accessible using certain services; otherwise the data is useless to everyone, including you, your company, and your customers.
One last thought. It is extremely important to monitor your backups to make sure they are working. The bastion backup server is an interesting place to set up monitoring. But be careful not to create additional exposure for the bastion backup server by installing untrusted software and giving it access to your backups and your network. You may want to consider only monitoring the final destination for your backups.
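A monitoring check that runs only on the final destination, as an added example that is not part of the original post. It assumes the layout a pull job would leave behind: dated snapshot directories under one root, a "latest" symlink, and a SHA256SUMS manifest inside each snapshot; the check reads local disk only, so the destination needs no credentials for the bastion or production.

```shell
#!/bin/sh
# Added example, not from the original post. Runs on the final (offsite)
# destination and reads local disk only. Assumed layout: dated snapshot
# directories under a root, a "latest" symlink, and a SHA256SUMS manifest
# inside each snapshot.

# Returns 0 when the latest snapshot exists, contains a file newer than $2
# minutes, holds at least $3 files, and its manifest still verifies.
check_latest_snapshot() {
    root=$1; max_age_min=$2; min_files=$3
    snap=$(readlink "$root/latest") || { echo "FAIL: no latest symlink in $root"; return 1; }
    [ -d "$snap" ] || { echo "FAIL: latest points at missing $snap"; return 1; }
    # Nothing recent in the snapshot means the pull job has stopped running.
    if [ -z "$(find "$snap" -type f -mmin "-$max_age_min" -print -quit)" ]; then
        echo "FAIL: nothing in $snap newer than $max_age_min min"; return 1
    fi
    nfiles=$(find "$snap" -type f ! -name SHA256SUMS | wc -l | tr -d ' ')
    [ "$nfiles" -ge "$min_files" ] || { echo "FAIL: only $nfiles files in $snap"; return 1; }
    # Silent corruption or tampering at rest shows up as a manifest mismatch.
    ( cd "$snap" && sha256sum -c --quiet SHA256SUMS ) || { echo "FAIL: checksum mismatch in $snap"; return 1; }
    echo "OK: $snap ($nfiles files)"
}

# Constructed sample destination for trying the check offline: one snapshot
# with two files and a manifest. Prints the root directory it created.
make_sample_destination() {
    dest=$(mktemp -d)
    mkdir "$dest/2024-01-01"
    printf 'customer records\n' > "$dest/2024-01-01/db.sql"
    printf 'site config\n' > "$dest/2024-01-01/app.conf"
    ( cd "$dest/2024-01-01" && sha256sum db.sql app.conf > SHA256SUMS )
    ln -s "$dest/2024-01-01" "$dest/latest"
    echo "$dest"
}
```

Schedule the check from cron on the destination and alert on a non-zero exit; a stale, shrunken or mismatching snapshot is the signal that the chain upstream has broken.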