
Push and Pull Network Backup Strategies

There are a variety of network backup approaches. These backup approaches fall into two primary categories: pull or push.




Pull Backups

A pull backup is the recommended network backup strategy when using LBackup.

During a pull backup, the backup server requests data from the backup client. When the backup client receives such a request, the files (if accessible) are sent to the backup server which initiated the request.

It is important to think about both physical and network security on a backup server which is performing pull backups regardless of whether the data is encrypted. This is because a backup server performing automated pull backups will contain private keys which allow read access to the files on the systems being backed up.

The way pull backups are implemented in LBackup reduces the risk of integrity damage to any previous backups stored on any of the backup servers.

In conclusion, a pull backup may be easily configured so that no external network connections are allowed. Disallowing network access to the backup server may be extreme. However, if you want to keep the data secure then disallowing network access is a procedure which is worth consideration.



Push Backups

Although it is possible to configure LBackup to push data to a backup server across the network, such a configuration should be avoided if possible. This is primarily because the machine pushing the data will require write access to an area on the backup server in order to back up the files.

The risks associated with this configuration may be minimized with additional configuration on the backup server. However, such precautions complicate the backup setup.

If you are determined to implement the push backup system then a combination of LBackup and LSync may be worth considering. A combination of LSync and LBackup will allow you to specify a single writable directory into which the latest backup may be uploaded. Then LBackup may be used to stage the latest backup into a non-writable directory on the same system or onto an entirely different system.

The advantage of these additional steps is that the machine being backed up does not have write access to the backup directory. This means that should the machine you are backing up be compromised, your backups will still be safely isolated, either in a non-writable directory on the backup server or on an entirely different system.
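
The staging step described above can be sketched as a shell function run on the backup server. This is an added example, not code from LBackup or LSync; the function name stage_backup, the inbox and store directories, and the snapshot naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not LBackup/LSync code). Assumptions: INBOX is the single
# directory the pushing client may write to; STORE is owned by a separate
# account on the backup server, and the client account has no write access
# anywhere below it. Run this as the STORE owner after each upload completes.

stage_backup() {
    inbox=$1
    store=$2
    name=${3:-$(date -u +%Y%m%dT%H%M%SZ)}   # snapshot name, default UTC timestamp

    [ -d "$inbox" ] || { echo "inbox missing: $inbox" >&2; return 1; }
    # An empty upload may mean a failed or wiped client: do not record it.
    [ -n "$(ls -A "$inbox")" ] || { echo "inbox empty, nothing staged" >&2; return 1; }

    mkdir -p "$store" || return 1
    dest=$store/$name
    # Plain mkdir fails if the snapshot already exists, so an earlier
    # backup is never overwritten by a later upload.
    mkdir "$dest" || { echo "snapshot exists: $dest" >&2; return 1; }

    # Copy (never move or hard-link) so the staged files share nothing with
    # the writable inbox. -P keeps symlinks as links instead of following
    # them out of the inbox; -p preserves modes and timestamps.
    cp -RPp "$inbox"/. "$dest"/ || return 1

    # Remove all write bits, plus any setuid/setgid bits the client uploaded.
    chmod -R a-w,ug-s "$dest" || return 1

    echo "$dest"
}

# Stand-alone use: stage.sh INBOX STORE [NAME]
if [ "$#" -ge 2 ]; then
    stage_backup "$@"
fi
```

The isolation comes from the ownership split rather than from the mode bits alone: if the upload account also owned the store, it could simply restore write permission.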

In conclusion, a pull backup with a server which has no services exposed to the network is a simpler and ultimately more secure approach to backups.



Using MacFUSE for Network Backup

It is possible to use MacFUSE and the SFTPFS system to mount a remote directory into the local file system via SFTP. Once a remote directory has been mounted it is possible to use LBackup to push files to the remote directory. However, it is recommended that you create an HFS+ disk image and then mount this when you push files. This will allow extended attributes such as resource forks to be backed up.

Another alternative worth considering is pushing a local sparse bundle backup disk image to a remote server (when the backup completes) via SSH as a post action script.



LBackup Example Scripts

Below are some example scripts to assist with the automation of mounting remote SFTP directories and disk images. These scripts are also included as example configurations within the LBackup distribution.