Veritas NetBackup™ Appliance Security Guide
- About the NetBackup appliance Security Guide
- User authentication
- User authorization
- Intrusion prevention and intrusion detection systems
- About Symantec Data Center Security on the NetBackup appliance
- About the NetBackup appliance intrusion prevention system
- About the NetBackup appliance intrusion detection system
- Reviewing SDCS events on the NetBackup appliance
- Running SDCS in unmanaged mode on the NetBackup appliance
- Running SDCS in managed mode on the NetBackup appliance
- Log files
- Operating system security
- Data security
- Web security
- Network security
- Call Home security
- Remote Management Module (RMM) I security
- STIG and FIPS conformance
- Appendix A. Security release content
FIPS 140-2 conformance for NetBackup appliances
The Federal Information Processing Standards (FIPS) define U.S. and Canadian Government security and interoperability requirements for computer systems. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for validating cryptography modules. The FIPS 140-2 standard specifies the security requirements for cryptographic modules and applies to both the hardware and the software components. It also describes the approved security functions for symmetric and asymmetric key encryption, message authentication, and hashing.
For more information about the FIPS 140-2 standard and its validation program, click on the following links:
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf
https://csrc.nist.gov/projects/cryptographic-module-validation-program
The NetBackup Cryptographic Module is FIPS validated. NetBackup MSDP and VxOS (Veritas Operating System) use this module and starting with NetBackup Appliance release 3.1.1, you can enable the FIPS 140-2 standard for NetBackup MSDP. Starting with NetBackup Appliance release 3.1.2, you can enable the FIPS 140-2 standard for VxOS.
Once FIPS for VxOS is enabled, the sshd uses the following FIPS approved ciphers:
aes128-ctr
aes192-ctr
aes256-ctr
Older SSH Clients are likely to prevent access to the appliance after FIPS for VxOS is enabled. Check to make sure that your SSH client supports the listed ciphers, and upgrade to the latest version if necessary. Default cipher settings are not typically FIPS-compliant, which means you may need to select them manually in your SSH client configuration.
You can enable the FIPS 140-2 standard for NetBackup MSDP and VxOS with the following commands:
Main Menu > Settings > Security > FIPS Enable MSDP, followed by the maintenance password.
Enabling or disabling the MSDP option terminates all jobs that are currently in progress and restarts the NetBackup services. As a best practice, it is recommended that you first stop all jobs manually before you enable or disable this feature.
Main Menu > Settings > Security > FIPS Enable VxOS, followed by the maintenance password.
Enabling or disabling the VxOS option reboots the appliance and disconnects all logged in users from their sessions. As a best practice, it is recommended that you provide advanced notice to all users before you enable or disable this feature.
Main Menu > Settings > Security > FIPS Enable All, followed by the maintenance password.
Enabling or disabling the All option reboots the appliance and disconnects all logged in users from their sessions. As a best practice, it is recommended that you provide advanced notice to all users before you enable or disable this feature.
Note:
In a NetBackup Appliance high availability (HA) setup, you must configure the FIPS options on both nodes and the configurations must match.
For complete information about FIPS commands, see the NetBackup Appliance Commands Reference Guide.