The NetBackup Flex 2 - Enhance NetBackup with Efficiency, Security, and Simplicity

Protection November 06, 2020

Today, Veritas released Flex 2.0, offering a comprehensive solution to address customers' security needs by providing a robust, hardened, and immutable platform to guard against ransomware attacks. To get more details on Flex Appliances Ransomware Resilience, read the Flex Security Paper.

Backups are an organization’s key to recovery. To ensure that your most critical asset—data—and your IT infrastructure are protected from an attack, Veritas focuses on data integrity to help backup files remain safe and untouched by malicious invaders.

Data Encryption

NetBackup software supports data encryption in-transit and at rest.

  • In-transit—Ensure your data is being sent to authenticated environments and is protected while in transit. This solution leverages Veritas or customer-provided TLS 1.2 certificates, with 2048-bit key support to ensure data encryption during transit.
  • At-rest—If hackers are successful in getting to the data, having it encrypted protects it from being exploited. Veritas offers AES 256-bit, FIPS 140-2 cryptography with our own key management while allowing customers to leverage their preferred key management using the Key Management Interoperability Protocol (KMIP).

Immutable Storage

NetBackup and the Flex Appliance provide immutable and indelible storage that reduces the risk of malware or ransomware encrypting or deleting backup data, thereby making it unusable. Within the Flex Appliance, the NetBackup WORM storage server offers a secure, container-based MSDP solution. Flex Appliances offer Enterprise and Compliance lock-down modes, so you can choose the right immutability strength. The NetBackup and Flex Appliance solution has completed a third-party Immutability Assessment from Cohasset Associates, an industry-recognized assessor of immutability controls, specifically SEC Rule 17a-4(f), FINRA Rule 4511(c), and the principles of the Commodity Futures Trading Commission (CFTC) in regulation 17 CFR § 1.31(c)-(d).

The Flex Appliance comes with a wide variety of security features (see the Flex Security document for details) that include:

  • OS security hardening, including Security-Enhanced Linux (SELinux).
  • Intrusion Detection System (IDS) / Intrusion Protection System (IPS).
  • Robust role-based authentication.
  • Locked down storage array.

The NetBackup software 8.3 master server communicates with the storage unit to gather its immutability and indelibility capability and WORM retention period (min/max) settings. The master server then sets up immutability controls on the storage unit and applies the WORM retention period policy. NetBackup software provides backup image management with a visual representation of the immutable lock, image deletion after the WORM retention period (via CLI), and honors legal hold on the catalog. The Flex Appliance runs an immutable storage server to provide WORM capability, retention locks, and platform hardening against ransomware and malware threats. A Compliance Clock is used for the retention period and is independent of OS time. The Flex Appliance has two lockdown immutability modes: Enterprise and Compliance. An appliance lockdown state can be enabled at any time. You can choose a Compliance mode or an Enterprise mode MSDP storage container, but the two cannot be mixed.

Solution Hardening

Flex Appliances eliminate root account access to the appliance OS and the MSDP container; only the host admin account can log in to compute nodes. Account policies are used to allow elevated users certain administrative commands and access to shell and Web UI operations.

The following list describes the firmware security hardening:

  • Eliminate “single-user” mode / “rescue mode” boot options
  • GRUB menu editing disabled
  • No storage reset (factory reset/reimage allowed)
  • Locked down storage array

Setting up immutable storage is super easy. Seeing is believing. Watch the Flex Appliance Immutable Storage server demo.

Rachel Zhu
Senior Principal Technical Marketing, SDS and Appliances