Hide NBU listening ports to external network

kkhoo
Level 5

Hi,

We recently got a security advisory, CVE-2015-6550/51/52.

One of the recommendations is to hide NBU listening ports from the external network.

The question is: do we apply this on clients, or on both server and client?

Please advise.

Master/Media server:  Ver 7.6.0.4

Some clients:  Ver 7.6.0.4

Some clients:   Ver 6.x   (this is why we want to hide the listening ports..)

Thanks in advance.

4 REPLIES

kkhoo
Level 5

By the way, our backup is running on a separate LAN. We have a backup LAN which is not able to communicate with the external network.

So can I say that, given this statement, we don't have to hide listening ports from the external LAN? Please, please enlighten me. Thanks.

Nicolai
Moderator

The official patch has to be installed on both server and client side - see the FAQ for the EEB.

https://www.veritas.com/support/en_US/article.000108248

Use e.g. Windows Firewall to disallow any traffic other than to/from the NetBackup master and media servers. On Linux, use ipchains or similar.

Even if the client has a backup network, bpcd will still listen for traffic from the production network and be a target for malicious traffic. So no - you are not secure.

kkhoo
Level 5

Hi Nicolai, thanks for your reply.

We can apply hotfixes to master/media and client servers with NBU version 7.6.x.x.

For clients with ver 6.x, please advise how we can hide NBU listening ports: is it done on the network, or in the client firewall settings?

Nicolai
Moderator

Lots of firewalls, either network or local software firewalls.

But do remember to mention to management that NBU 6.5 is now insecure by default and all systems running 6.5 should be either upgraded or decommissioned.
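
The host-firewall approach suggested in the replies, as an added example that is not part of the thread or Veritas's own guidance: a script that prints (does not apply) rules letting only the master/media servers reach a client's NetBackup ports. It uses iptables rather than the ipchains named in the reply, assumes the default ports 1556 (PBX), 13724 (vnetd) and 13782 (bpcd), and the server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that restrict the NetBackup
# listening ports on a client to the master/media servers only.
# Assumed default ports: 1556 (PBX), 13724 (vnetd), 13782 (bpcd).
NBU_PORTS="1556 13724 13782"

# Accept only dotted-quad IPv4 addresses with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nbu_rules SERVER_IP... : emit one ACCEPT per server and port, then a final
# DROP per port so every other source (e.g. the production LAN) is blocked.
nbu_rules() {
    [ "$#" -ge 1 ] || { echo "usage: nbu_rules SERVER_IP..." >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    for port in $NBU_PORTS; do
        for ip in "$@"; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: 192.0.2.10 = master, 192.0.2.11 = media server.
nbu_rules 192.0.2.10 192.0.2.11
```

Because the rules are appended with `-A`, they only take effect if no earlier INPUT rule already accepts the traffic, so review the existing chain before applying the output.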