Many companies have been doing network backup (aka network share backup) the same way for ages (to be clear, ‘ages’ means something around 5 years in IT). An SMB share on Windows Server? An always-on NAS device on a local network? Sounds familiar? Read on to learn why these approaches are no longer enough and, most importantly, secure.

The Problem of Not 100% Safe Network Protocols (SMB/CIFS, NFS, and iSCSI)

There are several network protocols that you can use to communicate with network backup storages, such as SMB/CIFS, NFS, or iSCSI. While they can be quite secure per se, their incorrect use or the way they make backup data available through network shares makes it easy for attackers to access backups. Let’s discuss it in a little more detail.

SMB/CIFS: Little Stability and Focus on Sharing, Not Data Protection

The SMB/CIFS protocol was introduced in 1980’s with the purpose of file/printer sharing over a local area network (LAN). In contrast to its legacy versions, the latest one, SMB 3.X, supports end-to-end encryption and safe authentication (through integration with Kerberos). Another advantage is that SMB/CIFS is widely supported across different OSes and allows for easy permission management (for example, through Active Directory).

On the downside, SMB/CIFS is a chatty protocol that offers poor performance when processing large volumes of data. It’s also prone to any kinds of latency and LAN connectivity issues. To achieve an optimum level of security, it requires integration with Kerberos, which might be complex and require regular maintenance to ensure maximum protection at all points in the organization’s network. Finally, a storage mapped through SMB/CIFS is an easy target for the lateral movement / ransomware attacks that usually involve scanning network shares on an infected endpoint.

The problem is also that in practice, many organizations implement SMB/CIFS in an unsafe way, either sticking to legacy versions (e.g., for compatibility-related reasons) or failing to take care of and maintain an optimally secure configuration.

In short: Why is SMB/CIFS not the best idea for network backup in 2025?

  • Poor mass data transfer performance
  • Stability issues
  • No granular access controls, so greater attack surface
  • Easy infiltration through scanning and accessing shares
  • The risk of potentially vulnerable configurations (old versions, no Kerberos integration, etc.)
  • No support for modern & ransomware-resistant backup protection features, e.g., immutable backup, logical separation, etc.

NFS: Complex Security Configuration

This Unix/Linux network communication standard offers better performance than its competitor, and is often chosen for virtual machine backup

When it comes to cons, NFS’s main issue is complex configuration. First, special detailed care must be taken to set up the mapping of UID/GID (numerical user identifiers). Second, Kerberos integration (to use best-in-class authentication) is fairly complex.

Similar to SMB/CIFS, NFS, as a file sharing protocol, allows for easy infiltration of locally mounted shares/disks. It also doesn’t support modern backup security features such as logical separation or immutability.

In short: Why is NFS not the best idea for network share backup in 2025?

  • Difficult access control and authentication configuration
  • Easy infiltration through scanning and accessing shares
  • The risk of potentially vulnerable configurations (old versions without encryption, no Kerberos integration, etc.)
  • No support for modern & ransomware-resistant backup protection features, e.g., immutability, logical separation, etc.

iSCSI: Efficient, But Not Perfect Security for Critical Data

iSCSI is a younger standard, established officially in 2003. It offers great performance for transferring large files or databases, and is commonly used with virtual environments like VMware vCenter Server. It’s also end-user friendly—a user sees a remote disk (target) as a standard local disk on their device (initiator).

Speaking of disadvantages, iSCSI is more complex to deploy. You need to configure a dedicated SAN/VLAN network, target server with physical disk(s), and initiators (clients that access the iSCSI storage in target).

In terms of using iSCSI as a backup storage, an infection of a client usually follows with infection of the target where backups are likely to be kept. There’s no full logical separation, either.

In short: Why is iSCSI not the best idea for network backup in 2025?

  • Difficult initial and ongoing setup
  • Easy infiltration through scanning and accessing target storage
  • Partial support for modern backup protection features like logical separation; however, immutability can be achieved through the snapshot feature

The General-Purpose Hardware Trap (NAS Devices and Physical Servers)

It’s a common practice to combine the above-mentioned protocols with a NAS device / physical server (by the way, often a decommissioned one) and a backup & recovery software to create a network backup system for an organization.

Unfortunately, though pretty cheap, such a solution usually only increases the attack surface. Unless you decide to keep the NAS/server powered off outside the backup creation window, achieving a kind of ‘manual’ physical isolation of backups.

Modern NAS Devices: Functionality above All

Contemporary network attached storage (NAS) devices try to lure users with rich functionality. Media server? Webcam monitoring? Www server? Or Docker containers support? No problem! But the problem is that these are extra surfaces to introduce ransomware or other types of modern threats. A tiny vulnerability in a photo gallery app or an outdated Docker container is enough for an attacker to take control of the entire device and, consequently, critical data of your organization.

Windows Server: A Regular OS with All Its Painpoints

It’s not a secret that Windows is the most common target of cyberattacks. It’s also true that a fully-fledged OS offers multiple ways to interact and connect with it (like AD domain, RDP, PowerShell). This, again, increases the attack surface, making the use of Windows Server as a backup storage a risky undertaking.

At the same time, a general-purpose OS gives you multiple ways to harden its security. Still, it requires careful and rigorous configuration (disable RDP, disconnect server from domain, etc.) and maintenance. Not to mention an ongoing engagement on the IT administrator’s part. In reality, the gap between theoretical security and practical maintenance is often too wide.

Linux-Based Servers: Secure Yet More Complex to Configure

A Linux-based backup server is possibly the best idea out of the ones presented so far; yet it’s not the perfect solution.

A Ubuntu, Debian, or RHEL-based server is much less likely to be affected because there are simply fewer threats targeted at Linux OS. The security level is also quite good—you can transmit all the data with SSH or set an immutability flag on backup files (which takes a combination of the service mode and the root account to remove).

On the downside, Linux is more complex to configure, requiring the knowledge of CLI, permissions, kernel management. Also, similar to Windows, it’s a general purpose OS that requires regular updates, strict configuration, and hardening. And missing just one aspect might produce a tiny vulnerability that cybercriminals will readily exploit.

Ransomware-Free Data Backup: The Quest for a Secure Protocol and Storage

So, can network share backup efficiently protect your valuable data against contemporary, sneaky threats, ensuring reliable disaster recovery and business continuity? Yes. But to set up a bunker for an organization’s critical data for the coming years, you need to do away with DIY and half-measures.

Xopero Unified Protection (XUP) is an all-in-one (software & hardware) backup appliance that combines the most secure protocols with a dedicated, air-gapped backup solution. Let’s have a closer look.

XUP implements the most modern transmission and storage protocols: HTTPS and Amazon Web Services’s proprietary S3 Local Object Storage. In other words, with XUP, you can enjoy the same most secure, state-of-the-art technologies as used by public cloud vendors, like Amazon, Microsoft, or Google. But instead of backing up your organization’s data in the cloud (which you can also do with XUP to ensure the 3-2-1 backup rule, for example), you can keep it on-premises, close to you.

In technical terms, this means:

  • End-to-end AES256 data encryption in transit and at storage, using your own encryption key, so data is available to you only.
  • Secure access through S3 API using access key and secret key—much more difficult to compromise than, for example, a domain password.
  • Backup-dedicated appliance with a closed Linux-based custom OS for minimal attack surface.
  • Data immutability by design with the native support for Object Lock (aka Single Write Repository (SWR)).
  • Maximum scalability and performance of an object-based system that bypasses limitations of traditional file-based systems.
  • Fast recovery time (even when compared to cloud, where internet connectivity can be the bottleneck) with minimized Recovery Time Objective (RTO)

This is not the end of benefits, so let me mention just a few more of them: plug and play deployment (no complex and time-consuming upfront hardware configuration); multi source and storage support; intuitive central management; backup automation; test, granular, full or instant restore; quick single-vendor support (in case of an issue, you avoid the common back-and-forth between backup software and NAS/server vendors).

Summarizing, if you’re taking security and network backup of your critical business data seriously, and want to repel modern threats like ransomware, Xopero Unified Protection can be your best, highly secure, and virtually maintenance-free ally. Just schedule a demo with our specialist to see it in action.

Schedule demo

How did you like the article?

Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0

You may also like

Comments are closed.