Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
NetBackup Access Control (NBAC)
The NetBackup Access Control (NBAC) functionality incorporates the NetBackup Product Authentication and Authorization into NetBackup, increasing security for the master servers, media servers, and clients.
Important points about NBAC include:
Authentication and Authorization are used together
NBAC uses authentication identities from a trusted source to reliably identify involved parties. Access decisions can then be made for manipulation of NetBackup based on those identities. Note that NetBackup Security Services are now embedded.
The NetBackup Product Authentication and Authorization consist of the root broker, authentication broker, authorization engine, and the graphical user interface.
Oracle, Oracle Archiver, DB2, Informix, Sybase, SQL Server, SAP and EV Migrator are not supported with NBAC.
NBAC is not supported on Appliances.
The NetBackup catalog backup is supported with NBAC.
The following table describes the NetBackup components that are used in security.
Table: NetBackup components used in security
The NetBackup master server is the root broker in a data center installation. There is no provision to use another root broker. The recommendation is to allow trust between root brokers.
The root broker authenticates the authentication broker. The root broker does not authenticate clients.
Authenticates the master server, media server, graphical user interface, and clients by establishing credentials with each one of them. The authentication broker also authenticates a user when operating a command prompt. There can be more than one authentication broker in a data center installation. The authentication broker can be combined with the root broker.
Communicates with the master server and the media server to determine the permissions of an authenticated user. These permissions determine the functionality available to a given server. The authorization engine also stores user groups and permissions. Only one authorization engine is required in a data center installation. The authorization engine also communicates over the WAN to authorize other media servers in a multi-datacenter environment.
graphical user interface
Specifies a Remote Administration Console that receives credentials from the authentication brokers. The graphical user interface then may use the credentials to gain access to functionality on the clients, media, and master servers.
Specifies the MSEO (media server Encryption Option) that is a software appliance that encrypts data written to tape by the media server (data at rest encryption). The MSEO is an alternative to the client side encryption that can reduce the CPU processing load on the client.
Communicates with the root broker and authentication broker, graphical user interface, authorization engine, media server, and clients.
Specifies a user who has been granted administrator permissions to access and manage the NetBackup functionality from within the data center.
Communicates with the master server, root broker and authentication broker, authorization engine, MSEO, and clients 1 through 6. The media server writes unencrypted data to tape for client 5 and encrypted data to tape for client 6.
Specifies that clients 1 through 4 are standard NetBackup types. Client 5 is a web server type located in the DMZ. Client 6 is a client side encrypted type also located in the DMZ. All client types are managed by the master server and have their data backed up to tape through the media server. Clients 5 and 6 communicate to NetBackup using NetBackup only ports through the internal firewall. Client 5 also receives connections from the Internet using HTTP only ports through the external firewall.
Specifies that the tape security in NetBackup can be increased by adding the following:
Unencrypted and encrypted data tapes are produced in the data center. The unencrypted tape data is written for clients 1 through 5 and stored on-site at the data center. The encrypted tapes are written for client 6 and are transported off-site to a vault for disaster recovery protection.
Specifies that NetBackup encryption can increase security by providing the following:
For more information about encryption:
Data over the wire security
Includes the communication between master servers, media servers, clients, and communication using ports through firewalls and over WANs.
For more information about ports:
The data over the wire part of NetBackup can help increase security in the following ways:
Specifies that the NetBackup firewall support can help increase security.
Important points about firewall security include the following:
Demilitarized zone (DMZ)
Specifies that the demilitarized zone (DMZ) increases security as follows:
The DMZ provides a "safe" area of operation for the web server client 5 and encrypted client 6 between the internal firewall and external firewall. The web server client 5 in the DMZ can communicate to NetBackup through the internal firewall using designated NetBackup ports. The web server client 5 can also communicate through the external firewall to the Internet using only HTTP ports.
Figure: Example firewalls and DMZ shows an example internal and external firewall with DMZ.
The following figure shows an example of the internal and the external firewall with DMZ.