NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
FIPS 140-2 conformance for NetBackup Appliance
The Federal Information Processing Standards (FIPS) define U.S. and Canadian Government security and interoperability requirements for computer systems. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for validating cryptography modules. The FIPS 140-2 standard specifies the security requirements for cryptographic modules and applies to both the hardware and the software components. It also describes the approved security functions for symmetric and asymmetric key encryption, message authentication, and hashing.
Note:
For more information about the FIPS 140-2 standard and its validation program, click on the following links:
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf
https://csrc.nist.gov/projects/cryptographic-module-validation-program
Starting with NetBackup Appliance 4.1, the FIPS 140-2 standard is enabled by default for all Java-based services. The FIPS validation is achieved by using SafeLogic's CryptoComply modules.
Starting with NetBackup Appliance release 5.0, you can enable the FIPS 140-2 standard for MSDP, NetBackup and VxOS. The NetBackup Cryptographic Module, which is used by MSDP, NetBackup and VxOS, is FIPS validated.
Once FIPS for VxOS is enabled, the sshd
uses the following FIPS approved ciphers:
aes256-ctr
aes256-gcm@openssh.com
Older SSH Clients are likely to prevent access to the appliance after FIPS for VxOS is enabled. Check to make sure that your SSH client supports the listed ciphers, and upgrade to the latest version if necessary. Default cipher settings are not typically FIPS-compliant, which means you may need to select them manually in your SSH client configuration.
You can enable the FIPS 140-2 standard for NetBackup MSDP, NetBackup and VxOS with the following commands:
Main Menu > Settings > Security > FIPS Enable MSDP, followed by the maintenance password.
Enabling or disabling the MSDP option terminates all jobs that are currently in progress and restarts the NetBackup services. As a best practice, it is recommended that you first stop all jobs manually before you enable or disable this feature.
Note:
If you have upgraded from a previous version of NetBackup Appliance, ensure that you enable MSDP only after your existing data has been converted to use FIPS compliant algorithms. To check the current status of the data conversion use the crcontrol --dataconvertstate command. Enabling MSDP before the status is set to Finished can cause data restoration failures.
Main Menu > Settings > Security > FIPS Enable NetBackup, followed by the maintenance password.
Enabling or disabling the NetBackup option terminates all jobs that are currently in progress and restarts the NetBackup services. As a best practice, it is recommended that you first stop all jobs manually before you enable or disable this feature.
Main Menu > Settings > Security > FIPS Enable VxOS, followed by the maintenance password.
Enabling or disabling the VxOS option reboots the appliance and disconnects all logged in users from their sessions. As a best practice, it is recommended that you provide advanced notice to all users before you enable or disable this feature.
Main Menu > Settings > Security > FIPS Enable All, followed by the maintenance password.
Enabling or disabling the All option reboots the appliance and disconnects all logged in users from their sessions. As a best practice, it is recommended that you provide advanced notice to all users before you enable or disable this feature.
Note:
In a NetBackup Appliance high availability (HA) setup, you can enable the FIPS feature on both nodes only after you have completed configuration of the HA setup. The FIPS configuration must match on both the nodes. If FIPS is enabled on either node before the HA setup is completed, you must disable FIPS on that node before you complete the HA setup.
For complete information about FIPS commands, see the NetBackup Appliance Commands Reference Guide.
As FIPS security continues to increase, some older encryption methods can no longer be used.
When FIPS is enabled, appliance CIFS file share features work as follows: The appliance is added as a domain member in Active Directory (AD) environments with Kerberos authentication that uses AES ciphers.
CIFS shares opened by the following operations may not mount when using older authentication methods, like NTLM.
The following describes the impacted scenarios:
For the general share:
Settings> Share General Open
Settings> LogForwarding > Share Open
Manage> OpenStorage > Share Open
Security> Certificate Import
For incoming_patches:
Manage> Software > Share Open
To work around these limitations, do one of the following:
Disable the FIPS feature.
Configure Active Directory authentication on the appliance. This adds the appliance as a domain member in Active Directory (AD) environments with Kerberos authentication that uses AES ciphers.