NetBackup and Veritas Appliances Hardening Guide

Last Published:
Product(s): Appliances (10.2, 5.1.1, 3.0), NetBackup (10.2, 5.1.1, 3.0)
Platform: NetBackup Appliance OS,Flex Appliance OS,Linux,UNIX,Windows
  1. Top recommendations to improve your NetBackup and Veritas appliances security posture
    1.  
      Introduction
    2.  
      Keeping all systems and software updated
    3.  
      Enabling multifactor authentication
    4.  
      Increasing the appliance security level
    5.  
      Implementing an immutable data vault
    6.  
      Securing credentials
    7.  
      Reducing network exposure
    8.  
      Enabling encryption
    9.  
      Enabling catalog protection
    10.  
      Enabling malware scanning and anomaly detection
    11.  
      Enabling security observability
    12.  
      Restricting user access
    13.  
      Configuring a sign-in banner
  2. Steps to protect Flex Appliance
    1.  
      About Flex Appliance hardening
    2. Managing single sign-on (SSO)
      1.  
        Managing identity providers (IDPs)
      2.  
        Importing single sign-on (SSO) users
    3.  
      Managing user authentication with smart cards or digital certificates
    4. About lockdown mode
      1.  
        Changing the lockdown mode
    5.  
      Using network access control
    6.  
      Using an external certificate
    7.  
      Forwarding logs
    8.  
      Creating a NetBackup WORM storage server instance
    9. Configuring an isolated recovery environment on a WORM storage server
      1.  
        Configuring data transmission between a production environment and an IRE WORM storage server
    10.  
      Protecting the NetBackup catalog on a WORM storage server
    11.  
      Using a sign-in banner
  3. Steps to protect NetBackup Appliance
    1.  
      About NetBackup Appliance hardening
    2. About single sign-on (SSO) authentication and authorization
      1.  
        Configure single sign-on (SSO) for a NetBackup Appliance
    3. About authentication using smart cards and digital certificates
      1.  
        2FA
      2.  
        Smart card Authentication for NetBackup Web UI
      3.  
        Smart card authentication for NetBackup Appliance Web UI
      4.  
        Smart card authentication for NetBackup Appliance Shell Menu
      5.  
        Configure role-based access control
      6.  
        Configure authentication for a smart card or digital certificate for the NetBackup Web UI
    4.  
      Disable user access to the NetBackup appliance operating system
    5.  
      About Network Access Control
    6. About data encryption
      1.  
        KMS support
    7.  
      FIPS 140-2 conformance for NetBackup Appliance
    8.  
      About implementing external certificates
    9. About forwarding logs to an external server
      1.  
        Uploading certificates for TLS
      2.  
        Enabling log forwarding
    10.  
      Creating the appliance login banner
  4. Steps to protect NetBackup
    1.  
      About NetBackup hardening
    2. Configure NetBackup for single sign-on (SSO)
      1.  
        Configure the SAML KeyStore
      2.  
        Configure the SAML keystore and add and enable the IDP configuration
      3.  
        Enroll the NetBackup primary server with the IDP
    3. Configure user authentication with smart cards or digital certificates
      1.  
        Configure smart card authentication with a domain
      2.  
        Configure smart card authentication without a domain
    4. Access codes
      1.  
        Get CLI access through web UI authentication
      2.  
        Approve your CLI access request
      3.  
        Approve CLI access requests of other users
    5. Workflow to configure immutable and indelible data
      1.  
        About configuring disk pool storage
      2.  
        Use WORM setting
      3.  
        Creating a backup policy
    6. Add a configuration for an external CMS server
      1.  
        Add a credential for CyberArk
    7. Configuring an isolated recovery environment on a NetBackup BYO media server
      1.  
        Configuring AIR for replicating backup images from production environment to IRE BYO environment
    8. About FIPS support in NetBackup
      1.  
        Enable FIPS mode on NetBackup during installation
      2.  
        Enable FIPS mode on a NetBackup host after installation
      3.  
        Enable FIPS mode for the NetBackup Authentication Broker service
      4.  
        Enable FIPS mode for the NetBackup Administration Console
      5.  
        NB_FIPS_MODE option for NetBackup servers and clients
    9.  
      Installing KMS
    10. Workflow for external KMS configuration
      1.  
        Validating KMS credentials
      2.  
        Configuring KMS credentials
      3.  
        Configuring KMS
      4.  
        Creating keys in an external KMS
      5. Workflow to configure data-in-transit encryption
        1.  
          Configure the global data-in-transit encryption setting
        2. Configure the DTE mode on a client
          1.  
            DTE_CLIENT_MODE for clients
        3. How DTE configuration settings work in various NetBackup operations
          1.  
            Backup
          2.  
            Restore
          3.  
            MSDP backup, restore, and optimized duplication
          4.  
            Universal-Share policy backup
          5.  
            Catalog backup and recovery
          6.  
            Duplication
          7.  
            Synthetic backup
          8.  
            Verify
          9.  
            Import
          10.  
            Replication
        4.  
          Configure the DTE mode on the media server
        5. Modify the DTE mode on a backup image
          1.  
            DTE_IGNORE_IMAGE_MODE for NetBackup servers
    11. Workflow to use external certificates for NetBackup host communication
      1. About certificate revocation lists for external CA
        1.  
          How CRLs from ECA_CRL_PATH are used
        2.  
          How CRLs from CDP URLs are used
      2.  
        Configuring an external certificate for the NetBackup web server
      3.  
        Configuring the primary server to use an external CA-signed certificate
      4. Configuring an external certificate for a clustered primary server
        1. Configuration options for external CA-signed certificates for a virtual name
          1.  
            CLUSTER_ECA_CERT_PATH for clustered primary server
          2.  
            CLUSTER_ECA_TRUST_STORE_PATH for clustered primary server
          3.  
            CLUSTER_ECA_PRIVATE_KEY_PATH for clustered primary server
          4.  
            CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered primary server
      5. Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
        1.  
          Enrolling an external certificate for a remote host
      6. Configuration options for external CA-signed certificates
        1. ECA_CERT_PATH for NetBackup servers and clients
          1.  
            Specifying Windows certificate store for ECA_CERT_PATH
        2.  
          ECA_TRUST_STORE_PATH for NetBackup servers and clients
        3.  
          ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
        4.  
          ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
        5.  
          ECA_CRL_CHECK for NetBackup servers and clients
        6.  
          ECA_CRL_PATH for NetBackup servers and clients
        7.  
          ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
        8.  
          ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
        9.  
          ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
        10.  
          ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
        11.  
          MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
    12.  
      Guidelines for managing the primary server NetBackup catalog
    13. About protecting the MSDP catalog
      1. About the MSDP shadow catalog
        1.  
          Changing the MSDP shadow catalog path
        2.  
          Changing the MSDP shadow catalog schedule
        3.  
          Changing the number of MSDP catalog shadow copies
      2.  
        About the MSDP catalog backup policy
    14. How to set up malware scanning
      1.  
        Prerequisites for a scan host
      2.  
        Configuring a new scan host pool
    15. About backup anomaly detection
      1.  
        Detecting backup anomalies on the primary server
      2.  
        Detecting backup anomalies on the media server
      3.  
        Configure anomaly detection settings
      4.  
        View anomalies
    16.  
      Send audit events to system logs
    17.  
      Send audit events to log forwarding endpoints
    18.  
      Display a banner to users when they sign in

Creating a NetBackup WORM storage server instance

NetBackup WORM (Write Once Read Many) storage server instances prevent your data from being encrypted, modified, or deleted. Any data that is saved on these instances is protected with the following security measures:

  • Immutability

    This protection ensures that the backup image is read-only and cannot be modified, corrupted, or encrypted after backup.

  • Indelibility

    This property protects the backup image from being deleted before it expires. The data is protected from malicious deletion.

See the NetBackup Administrator's Guide, Volume I for more information about WORM storage.

Use the following procedure to create a NetBackup WORM storage server instance on Flex Appliance.

Note:

Your appliance must be in lockdown mode before you can create a WORM storage instance.

See the topic "Changing the lockdown mode" in the Flex Appliance Getting Started and Administration Guide for the steps to enable lockdown mode.

To create a NetBackup WORM storage server instance

  1. Make sure that the NetBackup WORM storage server application you want to use is located in the repository.
  2. Perform the following tasks if you have not already:

    • Configure at least one network interface. You can configure a physical interface, add a VLAN tag, or create a bond.

    • Add at least one tenant.

    • Verify that the appliance is in lockdown mode. You can check or change the lockdown mode from the Lockdown mode page on the Flex Appliance Console. See the topic "Changing the lockdown mode" in the Flex Appliance Getting Started and Administration Guide for details.

  3. Gather the following information for the new instance:

    Note:

    The hostname and IP address must not be in use anywhere else in your domain.

    • Tenant that you want to assign it to

    • Hostname (maximum of 63 characters including the domain name)

    • IP address

    • Network interface

    • Domain name

    • Name servers

    • Search domains

    • Primary server hostname (must be version 8.3.0.1 or later)

    • Media server hostname if applicable (must be version 8.3.0.1 or later)

    • Username for storage

      NetBackup requires this username to connect to the deduplication storage. The username must be between 4 and 30 characters and can include uppercase letters, lowercase letters, and numbers.

    • Password for storage

      NetBackup requires this password to connect to the deduplication storage. The password must be between 15 and 32 characters and must include at least one uppercase letter, one lowercase letter, one number, and one special character (_.+~={}?!).

    • KMS key group

    • KMS passphrase

    • Certificate Authority (CA) information for one of the following:

      For a NetBackup CA:

      • CA SHA-1 or SHA-256 certificate fingerprint

        If the primary server is a Flex instance, you can locate this information from the instance details page of the primary server instance. Click on the instance name under Application instances on the System topology page.

        If the primary server is not a Flex instance, see the NetBackup Security and Encryption Guide for the steps to locate this information from NetBackup.

      • (Optional) Token for host ID-based certificate

        Depending on the primary server security level, the host may require an authorization or a reissue token. If you do not specify a token when you create the instance, the wizard attempts to automatically obtain the certificate.

      For an external CA:

      • Trust store, in PEM format

      • Host certificate, in PEM format

      • Private key, in PEM format

      • (Optional) Passphrase of the private key

        A passphrase is required if the key is encrypted.

    • (Optional) Password for host name-based certificate

      A host name-based certificate is mandatory if Enhanced Auditing is enabled on the primary server. You can specify the password when you create the instance, or you can deploy the certificate from the primary server later.

  4. On the primary server, use the nbsetconfig command or manually edit the NetBackup backup configuration file (bp.conf on Linux and UNIX, or the Windows registry) to add the following entry:

    MSDP_SERVER=<MSDP hostname>

    Where <MSDP hostname> is the hostname of the new WORM storage server instance.

  5. If a firewall exists between the primary server and the new instance, open the following ports on the primary server to allow communication:

    • vnetd: 13724

    • bprd: 13720

    • PBX: 1556

    • If the primary server is a NetBackup appliance that uses TCP, open the following ports:

      443, 5900, and 7578.

  6. From the System topology page of the Flex Appliance Console, navigate to the Application instances section.
    Application instances page
  7. Click Create instance.
  8. Select the appropriate storage server application from the repository list that appears, making sure to verify the version number. Click Next.
  9. Follow the prompts to create the instance. When you are done, you can view the progress in the Activity Monitor, which is accessible from the left pane of the Flex Appliance Console.

    Note:

    If you use DNS and the DNS server includes both IPv4 and IPv6 addresses, the instance must be configured with both as well.

    If you do not want to use DNS or want to bypass DNS for certain hosts, verify that the hostname resolution information is included in the Hosts file entries field. You must include entries for the primary server and any other NetBackup hosts that you want to communicate with the instance.

  10. Once the instance has been created successfully, you must change the password from the known default password. To change the password, open an SSH session to the instance and log in with the following credentials:

    • Username: msdpadm

    • Password: P@ssw0rd

    Follow the prompt to enter a new password. When the password change is complete, you are logged out. You can log back in with the new password.

  11. If you plan to create or already have multiple instances with deduplication storage, Veritas recommends that you tune the MaxCacheSize according to the following guidelines:

    • On each instance, allocate .75 GB to 1 GB of RAM for each TiB of storage that is allocated to deduplication on the instance. For example, if the storage pool has 80 TiB allocated, the MaxCacheSize should be 60 GB to 80 GB of RAM.

    • The sum of the MaxCacheSize for all instances with deduplication storage should not exceed 70% of the physical RAM on the appliance.

    To tune the deduplication MaxCacheSize on this instance:

    • From the SSH session, run the following command on the instance:

      setting set-MSDP-param max-fp-cache-size value=<percent%>

      Where <percent%> is the percentage of the appliance RAM to use for the cache on the instance.

    • Restart the dedupe process with the following commands:

      dedupe MSDP stop

      dedupe MSDP start

  12. The appliance automatically creates a PureDisk storage server for the WORM storage instance that has the same name as the instance. Use the following steps to create a disk pool on that storage server:

    From the NetBackup web UI, click Storage, click the Disk pools tab, and then click Add. Follow the prompts to configure the disk pool.

  13. Use the following steps to create a deduplication storage unit for your instance:

    From the NetBackup web UI, click Storage, navigate to the Storage Units tab, and then click Add. Follow the prompts and make sure that the Enable WORM option is activated.

You are ready to create a backup policy and start using your WORM storage instance. See the NetBackup documentation for more information.