Encrypted backup over WAN

pheidrich

ADSM.ORG Member
Joined
Apr 24, 2012
Messages
16
Reaction score
2
Points
0
PREDATAR Control23

Hello,

I've currently had a customer who does TSM backup over WAN link with backup-archive client encryption enabled. They are simply sending plain TSM communication through internet, just securing the data with "include.encryption" rule.

Is it a pure madness or a minor security risk? When I saw such configuration I couldn't believe it.

I have never used encryption in TSM though, so maybe when it is enabled, the control information is secured too, but I wouldn't guess so...

Thanks for any comments.

Pavel
 
PREDATAR Control23

Sure, there is some risk. IMHO there is always a risk when dealing with WAN and machines that can be accessed from the WAN, whether you have safegaurds in place or not. You might consider using SSL communication too, which is a relatevely newer feature that should provide some more protection. Toss in some client side deduplication too and make it really fun for someone to try and make sense out of the data :D
 
PREDATAR Control23

If indeed encryption has been enabled, it would take a long time to decrypt 128 bit AES. Sure, you can decrypt the data but at what expense.

Also, sending over the WAN does not necessarily mean data is open to everyone. If they have secure WAN links - at a high cost, of course - the risk is low but the impact is high should data be breeched.
 
PREDATAR Control23

I don't administer the environmnet, the customer is supposed to do it, but apparently the system hasn't been touched for years... :) Now, they asked us to analyze it and suggest a plan for future.

The data is encrypted at the client, because the sever and its storage are placed in a hosting center and they want the data to be completely secure.

I understand that 128 bit AES is fine, but what I am not sure about is the cotrol information that flows through the same open channel. They don't have any dedicated WAN link, both machines are connected to the internet (behind firewall with ports forwarded).

To conclude my doubts:
1) Are the TSM ports secure enough to be exposed to the internet?
2) Is there a potential risk with the control traffic?

Actually, my personal answer to both doubts is almost clear - it is not secure at all. Do you agree? One could attack public ports of a software which is primarilly designed to sit on local network. Am I wrong? At the same time tha attacker could potentially falsify control packets in name of others and gain information from the server, coudn't he?

Thanks for you opinion.

I know a VPN is an obvious solution and that's what I probably will recommend to them, but I would like to have some arguments.
 
PREDATAR Control23

I will answer the question #2 myself. I did some packet capturing and it seems to be very clear:

If you encrypt data by "include.encryption" rule, what you actually encrypt is the file contents. The control packets and metadata travel unprotected through the network. One can capture your file names, directory structure, and potentially attack the backup process as an insider.
 
PREDATAR Control23

I will answer the question #2 myself. I did some packet capturing and it seems to be very clear:

If you encrypt data by "include.encryption" rule, what you actually encrypt is the file contents. The control packets and metadata travel unprotected through the network. One can capture your file names, directory structure, and potentially attack the backup process as an insider.

Even if they capture the metadata, what good will this be? Metadata points to basically store location and data name.
 
Top