
Can we say that NBU satisfies the following technical requirements?

Michele_Nicosia
Level 5

Hi all,

  I'm trying to answer some technical questions around the NBU service we manage internally.

Could you give me some answers to the questions below?

- The connection between the backup client and server passes through a firewall
- The connection will always have as source the customer's system (one-way) and then the firewall will accept only sessions opened from clients.
- The data will be encrypted both in transmission and on the server and the decryption key of the archived data will be stored only on the client system.
- The secret key is known only by the NBU Administrator (or person assigned to safe storage)
- The key will be inserted from the client system and must meet the following minimum criteria:
   Minimum length: 10 characters;
   Password must contain 3 out of 4 characters from A-Z, a-z, 0-9 and special characters $ % ^ & * .;
   Password must be different from the previous 24.
   Expiration: 60 days.
- You can select two different data centers as media storage location in different countries for high availability and DR.
- All transactions will be recorded and the log will be maintained for at least 6 months.
- Management of RMAN hot and native compatibility with RMAN.
- Compatibility with operating systems Red Hat Enterprise Linux 6.4, Windows Server 2012 R2, Windows Server 2008
 
Thank you.
 
Kind Regards,
 
Michele
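
The key criteria listed in the question above, as an added example that is not part of the original post and is not NetBackup functionality: a standalone check that could be run before a new secret is accepted. The function names, the salted PBKDF2 history store and its iteration count, and the reading of "Expiration: 60 days" as valid through day 60 are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 10                 # "Minimum length: 10 characters"
MIN_CLASSES = 3                 # 3 out of the 4 character classes
HISTORY_DEPTH = 24              # must differ from the previous 24
MAX_AGE = timedelta(days=60)    # "Expiration: 60 days"
SPECIALS = set("$%^&*.")        # special characters named in the question
ITERATIONS = 50_000             # assumption: illustrative work factor

def _digest(secret, salt):
    # Earlier secrets are kept only as salted digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def history_entry(secret):
    """Build the (salt, digest) pair to append to the history store."""
    salt = os.urandom(16)
    return salt, _digest(secret, salt)

def classes_used(secret):
    """Count how many of the four character classes appear."""
    return sum([
        any("A" <= c <= "Z" for c in secret),
        any("a" <= c <= "z" for c in secret),
        any("0" <= c <= "9" for c in secret),
        any(c in SPECIALS for c in secret),
    ])

def check_new_secret(secret, history):
    """Return the violated criteria; an empty list means accepted."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("length")
    if classes_used(secret) < MIN_CLASSES:
        problems.append("classes")
    recent = history[-HISTORY_DEPTH:]   # only the previous 24 count
    if any(hmac.compare_digest(_digest(secret, s), d) for s, d in recent):
        problems.append("reused")
    return problems

def is_expired(set_on, today):
    """True once the secret is more than 60 days old."""
    return today - set_on > MAX_AGE
```
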
1 ACCEPTED SOLUTION


Nicolai
Moderator
Partner    VIP   

Good with that additional information - here are new answers.

 

> - The connection between the backup client and server passes through a firewall

Firewalls are notoriously slow and expensive if they must handle backup traffic. Consider a router with an access list to protect the NetBackup installation.

> - The connection will always have as source the customer's system (one-way) and then the firewall will accept only sessions opened from clients.

Port 1556 must be opened both ways. Editing NetBackup settings on a client from the master server requires opening to the client. Initiating a restore from the client requires opening to the master server.

> - The data will be encrypted both in transmission and on the server and the decryption key of the archived data will be stored only on the client system.

Consider using KMS encryption for tape-based backup. LTO4 and newer have this feature built in. Encryption takes place in the tape drive hardware at wire speed. You can enable MSDP encryption easily as well.

> - The secret key is known only by the NBU Administrator (or person assigned to safe storage)

Yes - KMS passphrases must be known by the NBU admin and stored in a safe place.

> - The key will be inserted from the client system and must meet the following minimum criteria:
>    Minimum length: 10 characters;
>    Password must contain 3 out of 4 characters from A-Z, a-z, 0-9 and special characters $ % ^ & * .;
>    Password must be different from the previous 24.
>    Expiration: 60 days.

NetBackup uses passphrases and not passwords for encryption. Otherwise NetBackup relies on the OS authentication.

> - You can select two different data centers as media storage location in different countries for high availability and DR.

Yes, this can be possible. But I suggest you consult a local NetBackup specialist for a design.

> - All transactions will be recorded and the log will be maintained for at least 6 months.

Somewhat possible - take a look at the NetBackup 7.7 enhanced auditing feature. Enhanced auditing audits some actions (more and more are being added with every release of NetBackup), but you avoid the fuss of NBAC.

> - Management of RMAN hot and native compatibility with RMAN.

No problem

> - Compatibility with operating systems Red Hat Enterprise Linux 6.4, Windows Server 2012 R2, Windows Server 2008

No problem


3 REPLIES

Nicolai
Moderator
Partner    VIP   

To a certain degree, some of the descriptions are site-specific configuration.

> - The connection between the backup client and server passes through a firewall

NetBackup supports backup through a firewall, but whether it does at your site I don't know.

> - The connection will always have as source the customer's system (one-way) and then the firewall will accept only sessions opened from clients.

Sounds strange, this way only client-initiated backups would be able to run. No automatic backup, or is a 3rd-party scheduler used for starting backups at the client?

> - The data will be encrypted both in transmission and on the server and the decryption key of the archived data will be stored only on the client system.

All the way from the client is only possible using client-side encryption. It's weak - only 40 bit. The encryption key is stored on the client, however. Do the policies have client-side encryption set?

Media server encryption or KMS-based encryption are better alternatives. But encryption does not happen on the clients.

> - The secret key is known only by the NBU Administrator (or person assigned to safe storage)
> - The key will be inserted from the client system and must meet the following minimum criteria:
>    Minimum length: 10 characters;
>    Password must contain 3 out of 4 characters from A-Z, a-z, 0-9 and special characters $ % ^ & * .;
>    Password must be different from the previous 24.
>    Expiration: 60 days.

Sounds all specific to the client-side encryption setting - if used.

> - You can select two different data centers as media storage location in different countries for high availability and DR.

Site-specific - I can't tell.

> - All transactions will be recorded and the log will be maintained for at least 6 months.

Unless NBAC is implemented, NetBackup will have no person-referable logs. Is this requirement covered by another tool?

> - Management of RMAN hot and native compatibility with RMAN.

Covered.

> - Compatibility with operating systems Red Hat Enterprise Linux 6.4, Windows Server 2012 R2, Windows Server 2008

Covered.

 

Michele_Nicosia
Level 5

Hi Nicolai,

  Thank you for answering.

I'm not in doubt: I'm not doing that, for sure!

I don't encrypt, do not use any password or secret key and aging, and am not using multiple-location backups with PureDisk media servers.

What I would like to know is this: can I do those things using NBU?

This is the question: whether I can shift from the actual status, working all open, linear, to a more complex solution with that minimal set of requests.

 

Thank you.

 

Kind Regards,

 

Michele
