NetBackup and Veritas Appliances Hardening Guide

Product(s): Appliances (10.3, 5.3, 4.0), NetBackup & Alta Data Protection (10.3, 5.3, 4.0)
Platform: Flex Appliance OS, NetBackup Appliance OS, Linux, Windows, UNIX

Creating a NetBackup WORM storage server instance

NetBackup WORM (Write Once Read Many) storage server instances prevent your data from being encrypted, modified, or deleted. Any data that is saved on these instances is protected with the following security measures:

  • Immutability

    This protection ensures that the backup image is read-only and cannot be modified, corrupted, or encrypted after backup.

  • Indelibility

    This property protects the backup image from being deleted before it expires. The data is protected from malicious deletion.

See the NetBackup Administrator's Guide, Volume I for more information about WORM storage.

Use the following procedure to create a NetBackup WORM storage server instance on Flex Appliance.

Note:

Your appliance must be in lockdown mode before you can create a WORM storage instance.

See the topic "Changing the lockdown mode" in the Flex Appliance Getting Started and Administration Guide for the steps to enable lockdown mode.

To create a NetBackup WORM storage server instance

  1. Make sure that the NetBackup WORM storage server application you want to use is located in the repository.
  2. Perform the following tasks if you have not already done so:
    • Configure at least one network interface. You can configure a physical interface, add a VLAN tag, or create a bond.

    • Add at least one tenant.

    • Verify that the appliance is in lockdown mode. You can check or change the lockdown mode from the Lockdown mode page on the Flex Appliance Console. See the topic "Changing the lockdown mode" in the Flex Appliance Getting Started and Administration Guide for details.

  3. Gather the following information for the new instance:

    Note:

    The hostname and IP address must not be in use anywhere else in your domain.

    • Tenant that you want to assign it to

    • Hostname (maximum of 63 characters including the domain name)

    • IP address

    • Network interface

    • Domain name

    • Name servers

    • Search domains

    • Primary server hostname (must be version 8.3.0.1 or later)

    • Media server hostname if applicable (must be version 8.3.0.1 or later)

    • Username for storage

      NetBackup requires this username to connect to the deduplication storage. The username must be between 4 and 30 characters and can include uppercase letters, lowercase letters, and numbers.

    • Password for storage

      NetBackup requires this password to connect to the deduplication storage. The password must be between 15 and 32 characters and must include at least one uppercase letter, one lowercase letter, one number, and one special character (_.+~={}?!).

    • KMS key group

    • KMS passphrase

    • Certificate Authority (CA) information for one of the following:

      For a NetBackup CA:

      • CA SHA-1 or SHA-256 certificate fingerprint

        If the primary server is a Flex instance, you can locate this information from the instance details page of the primary server instance. Click on the instance name under Application instances on the System topology page.

        If the primary server is not a Flex instance, see the NetBackup Security and Encryption Guide for the steps to locate this information from NetBackup.

      • (Optional) Token for host ID-based certificate

        Depending on the primary server security level, the host may require an authorization or a reissue token. If you do not specify a token when you create the instance, the wizard attempts to automatically obtain the certificate.

      For an external CA:

      • Trust store, in PEM format

      • Host certificate, in PEM format

      • Private key, in PEM format

      • (Optional) Passphrase of the private key

        A passphrase is required if the key is encrypted.

    • (Optional) Password for host name-based certificate

      A host name-based certificate is mandatory if Enhanced Auditing is enabled on the primary server. You can specify the password when you create the instance, or you can deploy the certificate from the primary server later.

  4. On the primary server, use the nbsetconfig command or manually edit the NetBackup backup configuration file (bp.conf on Linux and UNIX, or the Windows registry) to add the following entry:

    MSDP_SERVER=<MSDP hostname>

    Where <MSDP hostname> is the hostname of the new WORM storage server instance.

  5. If a firewall exists between the primary server and the new instance, open the following ports on the primary server to allow communication:
    • vnetd: 13724

    • bprd: 13720

    • PBX: 1556

    • If the primary server is a NetBackup appliance that uses TCP, also open ports 443, 5900, and 7578.

  6. From the System topology page of the Flex Appliance Console, navigate to the Application instances section.
    (Figure: Application instances page)
  7. Click Create instance.
  8. Select the appropriate storage server application from the repository list that appears, making sure to verify the version number. Click Next.
  9. Follow the prompts to create the instance. When you are done, you can view the progress in the Activity Monitor, which is accessible from the left pane of the Flex Appliance Console.

    Note:

    If you use DNS and the DNS server includes both IPv4 and IPv6 addresses, the instance must be configured with both as well.

    If you do not want to use DNS or want to bypass DNS for certain hosts, verify that the hostname resolution information is included in the Hosts file entries field. You must include entries for the primary server and any other NetBackup hosts that you want to communicate with the instance.

  10. Once the instance has been created successfully, you must change the password from the known default password. To change the password, open an SSH session to the instance and log in with the following credentials:
    • Username: msdpadm

    • Password: P@ssw0rd

    Follow the prompt to enter a new password. When the password change is complete, you are logged out. You can log back in with the new password.

  11. If you plan to create or already have multiple instances with deduplication storage, you must adjust the deduplication cache sizes so that the total memory of all instances does not exceed 75% of the physical RAM on the appliance.

    The default cache sizes are as follows:

    • MaxCacheSize: 512 MiB

    • MaxPredictiveCacheSize: 40%

    • MaxSamplingCacheSize: 20%

    To tune the cache sizes on this instance:

    • Run the following command to tune the MaxCacheSize:

      setting set-MSDP-param max-cache-size value=<value>

      Where <value> is the amount of the appliance RAM to use for the cache on the instance, as MiB, GiB, or a percent. For example, value=1GiB or value=39%.

    • Run the following command to tune the MaxPredictiveCacheSize:

      setting set-MSDP-param max-predictive-cache-size value=<value>

      Where <value> is the amount of the appliance RAM to use for the predictive cache, as MiB, GiB, or a percent. For example, value=1GiB or value=39%.

    • Run the following command to tune the MaxSamplingCacheSize:

      setting set-MSDP-param max-sampling-cache-size value=<value>

      Where <value> is the amount of the appliance RAM to use for the sampling cache, as MiB, GiB, or a percent. For example, value=1GiB or value=39%.

    • Restart the pdde-storage process with the following commands:

      sudo /etc/init.d/pdde-storage force-stop

      sudo /etc/init.d/pdde-storage start

  12. The appliance automatically creates a PureDisk storage server for the WORM storage instance that has the same name as the instance. Use the following steps to create a disk pool on that storage server:

    From the NetBackup web UI, click Storage, click the Disk pools tab, and then click Add. Follow the prompts to configure the disk pool.

  13. Use the following steps to create a deduplication storage unit for your instance:

    From the NetBackup web UI, click Storage, navigate to the Storage Units tab, and then click Add. Follow the prompts and make sure that the Enable WORM option is activated.

You are ready to create a backup policy and start using your WORM storage instance. See the NetBackup documentation for more information.
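A pre-flight check for the values gathered in step 3 and the cache budget in step 11, written as an added example that is not part of the Veritas documentation: it validates the storage username and password against the stated rules, draws a compliant password from the OS CSPRNG, and converts MiB, GiB or percent cache settings to MiB to test whether all instances stay within 75% of physical RAM. It assumes that password characters outside the listed classes are rejected, which the page does not state; a percent value is read as a percent of appliance RAM, as the page describes.

```python
import re
import secrets
import string
# Credential rules come from step 3 and the cache defaults from step 11 of the procedure.
USERNAME_CHARS = string.ascii_letters + string.digits
SPECIALS = "_.+~={}?!"
PASSWORD_CHARS = USERNAME_CHARS + SPECIALS  # assumption: no characters outside these classes
DEFAULT_CACHES = {"max-cache-size": "512 MiB", "max-predictive-cache-size": "40%", "max-sampling-cache-size": "20%"}
SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(MiB|GiB|%)\s*$", re.IGNORECASE)

def check_storage_username(name: str) -> list[str]:
    """Rule violations for the deduplication storage username (empty list = acceptable)."""
    problems = []
    if not 4 <= len(name) <= 30:
        problems.append("username must be 4 to 30 characters")
    if any(c not in USERNAME_CHARS for c in name):
        problems.append("username may contain only letters and digits")
    return problems

def check_storage_password(pw: str) -> list[str]:
    """Rule violations for the deduplication storage password (empty list = acceptable)."""
    problems = []
    if not 15 <= len(pw) <= 32:
        problems.append("password must be 15 to 32 characters")
    classes = (("uppercase letter", string.ascii_uppercase), ("lowercase letter", string.ascii_lowercase),
               ("number", string.digits), ("special character from " + SPECIALS, SPECIALS))
    for label, chars in classes:
        if not any(c in chars for c in pw):
            problems.append("password needs at least one " + label)
    if any(c not in PASSWORD_CHARS for c in pw):  # assumption flagged above
        problems.append("password contains characters outside the documented set")
    return problems

def generate_storage_password(length: int = 20) -> str:
    """Draw candidates from the OS CSPRNG until one satisfies check_storage_password."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_CHARS) for _ in range(length))
        if not check_storage_password(pw):
            return pw

def to_mib(value: str, ram_mib: int) -> float:
    """Convert a cache setting written as MiB, GiB or a percent of appliance RAM into MiB."""
    m = SIZE_RE.match(value)
    if not m:
        raise ValueError("unrecognised cache value: " + value)
    number, unit = float(m.group(1)), m.group(2).lower()
    if unit == "mib":
        return number
    return number * 1024 if unit == "gib" else ram_mib * number / 100

def check_cache_budget(ram_mib: int, instances: list[dict]) -> dict:
    """Sum the three caches of every instance (defaults fill gaps) against 75% of physical RAM."""
    total = sum(to_mib(v, ram_mib) for s in instances for v in {**DEFAULT_CACHES, **s}.values())
    return {"total_mib": total, "budget_mib": ram_mib * 0.75, "within_budget": total <= ram_mib * 0.75}
```

With the defaults, two instances on one appliance already claim more than the 75% budget, which is why step 11 requires tuning before a second deduplication instance is added.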