NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Configure the DTE mode on a client
- How DTE configuration settings work in various NetBackup operations
- Modify the DTE mode on a backup image
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuration options for external CA-signed certificates for a virtual name
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
MSDP backup, restore, and optimized duplication
Data-in-transit encryption (DTE) feature is now integrated with MSDP storage server for backup and restore workflows.
For backup on MSDP disk pool, the encryption of data path from client to media server is controlled by the NetBackup DTE settings (global and client DTE modes).
If the MSDP storage server has multiple load balancing media servers attached to it and if the selected media server is 10.0.0.1 or later, the storage server must be 10.0.0.1 or later. Else, backup job fails. You must upgrade the 10.0 storage server to 10.0.0.1. If the load balancing media server is 10.0 or earlier, the data may be transferred in plain text and job is always successful, even if DTE was to be honored.
Ideally, you must have load balancing media servers and storage servers with 10.0.0.1 or later when DTE is enabled.
These given conditions are also valid for the optimized duplication workflow.
In case of mixed environment, where either storage server or one of the load balancing media servers is earlier than 10.0, the following configuration will be required in order to honor an end-to-end encryption:
DTE should be enabled from NetBackup side based on DTE configurations i.e. Global/Media Server/Client Settings
Encryption should be enabled from MSDP side using ENCRYPTION flag in pd.conf
See the NetBackup Deduplication Guide for details on enabling the encryption using MSDP.
If data-in-transit encryption is enabled in NetBackup and the ENCRYPTION flag in pd.conf is also enabled, MSDP encryption takes the precedence over NetBackup DTE. It results into data-at-rest encryption and not in data-in-transit encryption.