Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (3.1.2)
  1. About the NetBackup appliance Security Guide
    1.  
      About the NetBackup appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
      1.  
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
      1.  
        Generic user authentication guidelines
    3.  
      About authenticating LDAP users
    4.  
      About authenticating Active Directory users
    5.  
      About authenticating Kerberos-NIS users
    6.  
      About the appliance login banner
    7. About user name and password specifications
      1.  
        About STIG-compliant password policy rules
  3. User authorization
    1.  
      About user authorization on the NetBackup appliance
    2. About authorizing NetBackup appliance users
      1.  
        NetBackup appliance user role privileges
    3.  
      About the Administrator user role
    4.  
      About the NetBackupCLI user role
  4. Intrusion prevention and intrusion detection systems
    1.  
      About Symantec Data Center Security on the NetBackup appliance
    2.  
      About the NetBackup appliance intrusion prevention system
    3.  
      About the NetBackup appliance intrusion detection system
    4.  
      Reviewing SDCS events on the NetBackup appliance
    5.  
      Running SDCS in unmanaged mode on the NetBackup appliance
    6.  
      Running SDCS in managed mode on the NetBackup appliance
  5. Log files
    1.  
      About NetBackup appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup appliance log files using the Browse command
    4.  
      Gathering device logs on a NetBackup appliance
    5.  
      Log Forwarding feature overview
  6. Operating system security
    1.  
      About NetBackup appliance operating system security
    2.  
      Major components of the NetBackup appliance OS
    3.  
      Vulnerability scanning of the NetBackup appliance
  7. Data security
    1.  
      About data security
    2.  
      About data integrity
    3.  
      About data classification
    4. About data encryption
      1.  
        KMS support
  8. Web security
    1.  
      About SSL usage
    2.  
      Implementing third-party SSL certificates
  9. Network security
    1.  
      About IPsec Channel Configuration
    2.  
      About NetBackup appliance ports
    3.  
      About the NetBackup Appliance firewall
  10. Call Home security
    1. About AutoSupport
      1.  
        Data security standards
    2. About Call Home
      1.  
        Configuring Call Home from the NetBackup Appliance Shell Menu
      2.  
        Enabling and disabling Call Home from the appliance shell menu
      3.  
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
      4.  
        Understanding the Call Home workflow
    3. About SNMP
      1.  
        About the Management Information Base (MIB)
  11. Remote Management Module (RMM) I security
    1.  
      Introduction to IPMI configuration
    2.  
      Recommended IPMI settings
    3.  
      RMM ports
    4.  
      Enabling SSH on the Remote Management Module
    5.  
      Replacing the default IPMI SSL certificate
  12. STIG and FIPS conformance
    1.  
      OS STIG hardening for NetBackup appliances
    2.  
      Unenforced STIG hardening rules
    3.  
      FIPS 140-2 conformance for NetBackup appliances
  13. Appendix A. Security release content
    1.  
      NetBackup Appliance security release content

About IPsec Channel Configuration

The NetBackup appliance uses IPsec channels to secure communication between two appliances, thus helping to secure data in transit. All other communication between NetBackup appliance and non-appliance, like the NetBackup master servers, would be non-IPsec.

IPsec security works at IP level and allows securing IP traffic between two hosts. Device certificates are provisioned to the Master and Media appliances, these certificates are then enabled for configuring IPsec channels. This enables a secure interaction of the master and media servers. The device certificates used are x509 certificates issued by Verisign CA.

The appliance performs the following validation checks before establishing IPsec channel:

  • Validate the authenticity of the certificates using the x509 cert validate.

  • Validate whether the device certificate corresponds to the IP.

  • Validate and update security associations in both directions of the communication.

The hosts are detected after the device certificates are recognized. Only after this is IPsec channel is configured and enabled.

Managing IPsec configuration

You can use the following commands from the NetBackup Appliance Shell Menu to manage IPsec channel:

Table: IPsec commands

Command

Description

Network > Security > Configure

You can use this command to configure IPsec between any two hosts. You can define the hosts by the host name. You can also identify them by the user ID and password.

Network > Security > Delete

You can use this command to remove IPsec policies for a list of remote hosts on a local system. You can use this command to remove IPsec policies for a list of remote hosts on a local system. Remove IPsec policies for a list of remote hosts on a local system. Use the Hosts variable to define one or more host names. Use a comma to separate multiple host names.

Network > Security > Export

Use this command to export the IPsec credentials. The EnterPasswd field is used to answer the question, "Do you want to enter a password?". You must enter a value of yes or no in this field. In addition, you must specify a path that defines where you want to place the exported credentials.

Note:

The IPsec credentials are removed during a reimage process. The credentials are unique for each appliance and are included as part of the original factory image. The IPsec credentials are not included on the USB drive that is used to reimage the appliance.

Network > Security > Import

Use this command to import the IPsec credentials.

The EnterPasswd field is used to answer the question, "Do you want to enter a password?". You must enter a value of yes or no in this field. In addition, you must specify a path that defines where you want to place the imported credentials.

Network > Security > Provision

Use this command to provision IPsec policies for a list of remote hosts on a local system. Use the Hosts variable to define one or more host names. Use a comma to separate multiple host names.

Network > Security (IPsec) > Refresh

Use this command to reload the IPsec configuration. The [Auto] option defines whether the configurations on all referenced hosts are refreshed or not. You can enter [Auto] or [NoAuto]. The default value is [NoAuto].

Network > Security > Show

Display the IPsec policies for a local host or a provided host. The [[Verbose]] option is used to define whether the output is verbose or not. The values that you can enter in this field are [VERBOSE] or [NoVERBOSE]. The default value is [NoVERBOSE]. The [[HostInfo] ]option can contain the following information that is separated by a comma. The host name, the user ID (optional), and the password (optional).

Network > Security > Unconfigure

Use this command to unconfigure IPsec between any two hosts. The Host1Info variable can contain the following information that is separated by a comma. The host name, the user ID (optional), and the password (optional). The [Host2info] variable can contain the host name, the user ID (optional), and the password (optional).

You can use the Main > Network > Security command from the NetBackup Appliance Shell Menu to configure the IPSec channel between two hosts. For more information of configuring IPsec channels, refer to the NetBackup Appliance Command Reference Guide.