• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Encrypted backup over WAN

pheidrich

ADSM.ORG Member
#1
Hello,

I've currently had a customer who does TSM backup over WAN link with backup-archive client encryption enabled. They are simply sending plain TSM communication through internet, just securing the data with "include.encryption" rule.

Is it a pure madness or a minor security risk? When I saw such configuration I couldn't believe it.

I have never used encryption in TSM though, so maybe when it is enabled, the control information is secured too, but I wouldn't guess so...

Thanks for any comments.

Pavel
 

rgg

ADSM.ORG Senior Member
#2
Sure, there is some risk. IMHO there is always a risk when dealing with WAN and machines that can be accessed from the WAN, whether you have safegaurds in place or not. You might consider using SSL communication too, which is a relatevely newer feature that should provide some more protection. Toss in some client side deduplication too and make it really fun for someone to try and make sense out of the data :D
 

moon-buddy

ADSM.ORG Moderator
#3
If indeed encryption has been enabled, it would take a long time to decrypt 128 bit AES. Sure, you can decrypt the data but at what expense.

Also, sending over the WAN does not necessarily mean data is open to everyone. If they have secure WAN links - at a high cost, of course - the risk is low but the impact is high should data be breeched.
 

pheidrich

ADSM.ORG Member
#4
I don't administer the environmnet, the customer is supposed to do it, but apparently the system hasn't been touched for years... :) Now, they asked us to analyze it and suggest a plan for future.

The data is encrypted at the client, because the sever and its storage are placed in a hosting center and they want the data to be completely secure.

I understand that 128 bit AES is fine, but what I am not sure about is the cotrol information that flows through the same open channel. They don't have any dedicated WAN link, both machines are connected to the internet (behind firewall with ports forwarded).

To conclude my doubts:
1) Are the TSM ports secure enough to be exposed to the internet?
2) Is there a potential risk with the control traffic?

Actually, my personal answer to both doubts is almost clear - it is not secure at all. Do you agree? One could attack public ports of a software which is primarilly designed to sit on local network. Am I wrong? At the same time tha attacker could potentially falsify control packets in name of others and gain information from the server, coudn't he?

Thanks for you opinion.

I know a VPN is an obvious solution and that's what I probably will recommend to them, but I would like to have some arguments.
 

pheidrich

ADSM.ORG Member
#5
I will answer the question #2 myself. I did some packet capturing and it seems to be very clear:

If you encrypt data by "include.encryption" rule, what you actually encrypt is the file contents. The control packets and metadata travel unprotected through the network. One can capture your file names, directory structure, and potentially attack the backup process as an insider.
 

moon-buddy

ADSM.ORG Moderator
#6
I will answer the question #2 myself. I did some packet capturing and it seems to be very clear:

If you encrypt data by "include.encryption" rule, what you actually encrypt is the file contents. The control packets and metadata travel unprotected through the network. One can capture your file names, directory structure, and potentially attack the backup process as an insider.
Even if they capture the metadata, what good will this be? Metadata points to basically store location and data name.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 7 23.3%
  • Keep using TSM for Spectrum Protect.

    Votes: 16 53.3%
  • Let's be formal and just say Spectrum Protect

    Votes: 4 13.3%
  • Other (please comement)

    Votes: 3 10.0%

Forum statistics

Threads
30,889
Messages
131,422
Members
21,194
Latest member
jamesmacd40