Veritas NetBackup™ Appliance Security Guide

Product(s): Appliances (4.0)
Platform: NetBackup Appliance OS

About the NetBackup Appliance firewall

Starting with NetBackup Appliance release 3.1.2, a firewall policy provides added network security for the appliance. This feature changes the firewall default zone from "trusted" to "public". To provide maximum security, specific incoming connections are opened automatically while others are blocked automatically during the following operations:

  • Initial configuration

  • Role configuration (part of the initial configuration)

  • Add node or remove node (high availability configuration)

  • Upgrades

Exception rules help to ensure that connections between primary and media servers remain open during the described operations and keep unnecessary ports blocked.

The following tables describe the open ports on the appliance before and after the initial configuration takes place.

Table: Factory default open NetBackup Appliance ports (before appliance initial configuration) shows the NetBackup Appliance ports that are open by default, before the appliance initial configuration has been completed.

Table: Factory default open NetBackup Appliance ports (before appliance initial configuration)

| Port | Protocol | Usage |
|------|----------|-------|
| 22 | TCP | SSH |
| 111 | TCP/UDP | Sunrpc, Portmapper |
| 137 | UDP | NetBIOS Name Service (Samba) |
| 138 | UDP | NetBIOS Datagram Service (Samba) |
| 139 | TCP | NetBIOS Session Service (Samba) |
| 162 | TCP/UDP | SNMP |
| 443 | TCP | HTTPS |
| 445 | TCP | Samba |
| 867 | TCP | NFS mount |
| 2049 | TCP/UDP | NFS |
| 20048 | UDP | mountd |
| 27017 | TCP/UDP | Mongo. Note: This port opens only when you add the partner node to complete the high availability (HA) setup or when you remove a node from the HA setup. After a node is added or removed, the port is closed. |

Table: Open NetBackup ports on NetBackup Appliances (after appliance initial configuration) shows the NetBackup ports that are open by default, after the appliance initial configuration has been completed.

Table: Open NetBackup ports on NetBackup Appliances (after appliance initial configuration)

| Port | Protocol | Usage |
|------|----------|-------|
| 1025-5000 | TCP | Veritas NDMP, SERVER_PORT_WINDOW |
| 1556 | TCP | Veritas PBX |
| 5637 | TCP/UDP | NetBackup Cloud Storage Server Configuration, Deduplication to Cloud |
| 7394 | TCP | Veritas Granular Restore Technology (GRT) |
| 8443 | TCP | NetBackup VMware |
| 10000 | TCP/UDP | Veritas NDMP agent |
| 10082 | TCP/UDP | MSDP, Deduplication Engine (spoold), HA, Migration |
| 10102 | TCP/UDP | MSDP, Deduplication Manager (spad), HA, Migration |
| 13701-13723 | TCP | Veritas Granular Restore Technology (GRT) |
| 13720 | TCP | Support for 271 media role configuration |
| 13724 | TCP | vnetd |
| 13782 | TCP | Veritas vnet_async |

Synchronize or view the open NetBackup ports on the appliance

The following commands have been added to let you synchronize or view the current open NetBackup ports on the appliance:

Main > Settings > Security > Ports > ModifyNBUPortRange

Note the following about using this command:

  • Before you can run this command, the appliance must be configured with the primary server or the media server role.

  • Before you run this command, you must first modify the open NetBackup ports using the SERVER_PORT_WINDOW option in the NetBackup Java console. Then, run this command to synchronize the appliance ports with the open NetBackup ports.

    Note:

    The ModifyNBUPortRange command does not let you change the default NetBackup VMware port assignment of 8443. VMware requires the use of port 8443 by default for both the appliance and NetBackup.

Main > Settings > Security > Ports > Show

For more information about these commands, see the NetBackup Appliance Commands Reference Guide.
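The two port tables above can serve as an allow list when reviewing what is actually open on an appliance. The following Python sketch is an added example, not Veritas code. It assumes the open ports have already been collected as `port/protocol` tokens (the sample list is constructed) and that the post-configuration baseline is the union of both tables, which the page does not state explicitly. If SERVER_PORT_WINDOW has been changed, adjust the `1025-5000/tcp` entry to match.

```python
# Added example. Baselines are transcribed from the two tables on this page.
FACTORY = ("22/tcp 111/tcp 111/udp 137/udp 138/udp 139/tcp 162/tcp 162/udp "
           "443/tcp 445/tcp 867/tcp 2049/tcp 2049/udp 20048/udp")
NETBACKUP = ("1025-5000/tcp 1556/tcp 5637/tcp 5637/udp 7394/tcp 8443/tcp "
             "10000/tcp 10000/udp 10082/tcp 10082/udp 10102/tcp 10102/udp "
             "13701-13723/tcp 13720/tcp 13724/tcp 13782/tcp")
TRANSIENT = "27017/tcp 27017/udp"  # documented as open only during HA node add/remove
# Constructed sample of currently open ports (not real appliance output).
SAMPLE_OPEN = "22/tcp 443/tcp 1025-5000/tcp 5900/tcp 27017/tcp 8080-8081/tcp 13724/udp"

def parse(spec):
    """Turn 'port/proto' and 'lo-hi/proto' tokens into (proto, lo, hi) tuples."""
    out = []
    for tok in spec.split():
        rng, _, proto = tok.partition("/")
        lo, _, hi = rng.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if proto not in ("tcp", "udp") or not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port token: {tok!r}")
        out.append((proto, lo, hi))
    return out

def uncovered(entry, allowed):
    """Sub-ranges of entry that no allowed range of the same protocol covers."""
    proto, lo, hi = entry
    gaps, cur = [], lo
    for _, a, b in sorted(r for r in allowed if r[0] == proto):
        if a > hi:
            break
        if a > cur:
            gaps.append((cur, a - 1))
        cur = max(cur, b + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps

def audit(open_spec, ha_change_in_progress=False):
    """Return (finding, port) pairs for open ports outside the documented tables."""
    allowed, transient = parse(FACTORY) + parse(NETBACKUP), parse(TRANSIENT)
    findings = []
    for entry in parse(open_spec):
        for lo, hi in uncovered(entry, allowed):
            label = f"{lo}/{entry[0]}" if lo == hi else f"{lo}-{hi}/{entry[0]}"
            if uncovered((entry[0], lo, hi), transient):
                findings.append(("not-in-documented-baseline", label))
            elif not ha_change_in_progress:
                findings.append(("transient-port-left-open", label))
    return findings

if __name__ == "__main__":
    for kind, port in audit(SAMPLE_OPEN):
        print(f"{kind:28} {port}")
```

Because the documented 1025-5000 TCP window is wide, a service listening inside it passes this check; review that range separately against the services you expect.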