Veritas NetBackup™ Appliance Security Guide

Release 2.7.2

NetBackup 52xx and 5330

Documentation version: 2.7.2

Legal Notice

Copyright © 2016 Veritas Technologies LLC. All rights reserved.

Veritas, the Veritas Logo, NetBackup, and Storage Foundation are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This product may contain third party software for which Veritas is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Veritas Technologies LLC and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Veritas as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Veritas Technologies LLC
500 E Middlefield Road
Mountain View, CA 94043
http://www.veritas.com

Technical Support

Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within the company to answer your questions in a timely fashion.

Our support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services

For information about our support offerings, you can visit our website at the following URL:

www.veritas.com/support

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.veritas.com/support

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:

■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Technical Support
  ■ Recent software configuration changes and network changes

Licensing and registration

If your product requires registration or a license key, access our technical support Web page at the following URL:

www.veritas.com/support

Customer service

Customer service information is available at the following URL:

www.veritas.com/support

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Advice about technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact us regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Worldwide (except Japan) [email protected]
Japan [email protected]

Contents

Technical Support

Chapter 1 About the NetBackup Appliance Security Guide
  About the NetBackup Appliance Security Guide

Chapter 2 User authentication
  About user authentication on the NetBackup appliance
  User types that can authenticate on the NetBackup appliance
  About configuring user authentication
  Generic user authentication guidelines
  About authenticating LDAP users
  About authenticating Active Directory users
  About authenticating Kerberos-NIS users
  About the appliance login banner
  About user name and password specifications

Chapter 3 User authorization
  About user authorization on the NetBackup appliance
  About authorizing NetBackup appliance users
  NetBackup appliance user role privileges
  About the Administrator user role
  About the NetBackupCLI user role

Chapter 4 Intrusion prevention and intrusion detection systems
  About Symantec Data Center Security on the NetBackup appliance
  About the NetBackup appliance intrusion prevention system
  About the NetBackup appliance intrusion detection system
  Reviewing SDCS events on the NetBackup appliance
  Running SDCS in unmanaged mode on the NetBackup appliance
  Running SDCS in managed mode on the NetBackup appliance
  Overriding the NetBackup appliance intrusion prevention system policy
  Re-enabling the NetBackup appliance intrusion prevention system policy

Chapter 5 Log files
  About NetBackup appliance log files
  About the Collect Log files wizard
  Viewing log files using the Support command
  Where to find NetBackup appliance log files using the Browse command
  Gathering device logs with the DataCollect command

Chapter 6 Operating system security
  About NetBackup appliance operating system security
  Major components of the NetBackup appliance OS
  Disabled service accounts on the NetBackup appliance
  Vulnerability scanning of the NetBackup appliance

Chapter 7 Data security
  About Data Security
  About Data Integrity
  About Data Classification
  About Data Encryption
  KMS support

Chapter 8 Web security
  About SSL certification
  Implementing third-party SSL certificates

Chapter 9 Network security
  About IPsec Channel Configuration
  About the NetBackup Appliance 52xx ports

Chapter 10 Call Home security
  About AutoSupport
  About Call Home
  Configuring Call Home from the NetBackup Appliance Shell Menu
  Enabling and disabling Call Home from the NetBackup Appliance Shell Menu
  Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
  Understanding the Call Home workflow
  About SNMP
  About the Management Information Base (MIB)

Chapter 11 IPMI security
  Introduction to IPMI configuration
  Recommended IPMI settings
  Replacing the default IPMI SSL certificate

Appendix A Software packages included in the NetBackup appliance OS
  List of software packages included in the NetBackup appliance OS

Index

Chapter 1
About the NetBackup Appliance Security Guide

This chapter includes the following topics:

■ About the NetBackup Appliance Security Guide

About the NetBackup Appliance Security Guide

The NetBackup appliances are developed from their inception with security as a primary need. Each element of the appliance, including its Linux operating system and the core NetBackup application, is tested for vulnerabilities using both industry standards and advanced security products. These measures ensure that exposure to unauthorized access and resulting data loss or theft is minimized.

Each new version of NetBackup appliance software and hardware is verified for vulnerabilities before release. Depending on the severity of issues found, Veritas will address them using a patch or through a scheduled major release. To reduce the risk of unknown threats, Veritas regularly updates the third-party packages and modules that are used in the product as part of regular maintenance release cycles.

The goal of this guide is to describe the security features implemented in NetBackup Appliance 2.7.2 and includes the following chapters and sub-sections:

NetBackup appliance user authentication

This chapter talks about the authentication features of the NetBackup appliance and includes the following sections:
Description: