Encrypted backup over WAN

Discussion in 'Networking' started by pheidrich, Sep 1, 2012.

  1. pheidrich

    pheidrich New Member

    Joined:
    Apr 24, 2012
    Messages:
    16
    Likes Received:
    2
    Hello,

    I've currently had a customer who does TSM backup over WAN link with backup-archive client encryption enabled. They are simply sending plain TSM communication through internet, just securing the data with "include.encryption" rule.

    Is it a pure madness or a minor security risk? When I saw such configuration I couldn't believe it.

    I have never used encryption in TSM though, so maybe when it is enabled, the control information is secured too, but I wouldn't guess so...

    Thanks for any comments.

    Pavel
     
  3. rgg

    rgg Member

    Joined:
    Apr 17, 2009
    Messages:
    126
    Likes Received:
    19
    Sure, there is some risk. IMHO there is always a risk when dealing with WAN and machines that can be accessed from the WAN, whether you have safeguards in place or not. You might consider using SSL communication too, which is a relatively newer feature that should provide some more protection. Toss in some client side deduplication too and make it really fun for someone to try and make sense out of the data :D
     
  4. moon-buddy

    moon-buddy Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,149
    Likes Received:
    275
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    If indeed encryption has been enabled, it would take a long time to decrypt 128 bit AES. Sure, you can decrypt the data but at what expense.

    Also, sending over the WAN does not necessarily mean data is open to everyone. If they have secure WAN links - at a high cost, of course - the risk is low but the impact is high should data be breached.
     
  5. pheidrich

    pheidrich New Member

    Joined:
    Apr 24, 2012
    Messages:
    16
    Likes Received:
    2
    I don't administer the environment, the customer is supposed to do it, but apparently the system hasn't been touched for years... :) Now, they asked us to analyze it and suggest a plan for the future.

    The data is encrypted at the client, because the server and its storage are placed in a hosting center and they want the data to be completely secure.

    I understand that 128 bit AES is fine, but what I am not sure about is the control information that flows through the same open channel. They don't have any dedicated WAN link, both machines are connected to the internet (behind a firewall with ports forwarded).

    To conclude my doubts:
    1) Are the TSM ports secure enough to be exposed to the internet?
    2) Is there a potential risk with the control traffic?

    Actually, my personal answer to both doubts is almost clear - it is not secure at all. Do you agree? One could attack public ports of software which is primarily designed to sit on a local network. Am I wrong? At the same time the attacker could potentially falsify control packets in the name of others and gain information from the server, couldn't he?

    Thanks for your opinion.

    I know a VPN is an obvious solution and that's what I probably will recommend to them, but I would like to have some arguments.
     
  6. pheidrich

    pheidrich New Member

    Joined:
    Apr 24, 2012
    Messages:
    16
    Likes Received:
    2
    I will answer the question #2 myself. I did some packet capturing and it seems to be very clear:

    If you encrypt data by "include.encryption" rule, what you actually encrypt is the file contents. The control packets and metadata travel unprotected through the network. One can capture your file names, directory structure, and potentially attack the backup process as an insider.
     
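The distinction pheidrich describes above (file contents encrypted, control framing and file names still readable) is easy to check for yourself when you have a capture. The script below is an added illustration written for this thread; it is not code from ADSM.ORG, the poster, or IBM. It builds three constructed client-to-server streams with a framing invented here (not the real TSM wire format, which is not documented in this thread), using a seeded PRNG as a stand-in for ciphertext, and audits each for two things a defender can check without understanding the protocol: file paths readable in the clear, and the contents of a known canary file readable in the clear. The file names and canary token are made up. (The client option is spelled include.encrypt in the BA client docs; the thread writes it as include.encryption.)

```python
"""
Added example for the ADSM.ORG thread on client-side encryption over WAN.
Not code from the forum, the poster, or IBM; the stream framing is invented
for illustration and the "ciphertext" is a deterministic PRNG stand-in.
"""
import random
import re
from dataclasses import dataclass

# Unix absolute paths with at least two components, or Windows drive paths
# with at least one directory. We scan raw bytes, so this is a bytes pattern.
PATH_RE = re.compile(
    rb"(?:/[A-Za-z0-9._-]+){2,}"
    rb"|[A-Za-z]:\\(?:[A-Za-z0-9._-]+\\)+[A-Za-z0-9._-]+"
)

# Constructed canary: back up a file whose contents you know, then look for
# those contents in the capture to see whether file bodies are protected.
CANARY = b"CANARY-constructed-token-7c1e"

# Constructed sample files (names and contents are made up for the demo).
SAMPLE_FILES = {
    "/home/pavel/finance/q3-ledger.csv":
        CANARY + b"\nacct,balance\n1001,250.00\n" * 20,
    "C:\\Users\\pavel\\Documents\\contracts.txt":
        CANARY + b"\nAgreement between the parties...\n" * 20,
}


def opaque(size: int, seed: int) -> bytes:
    """Stand-in for ciphertext: random-looking bytes, deterministic for the demo."""
    return random.Random(seed).randbytes(size)


def build_capture(files, encrypt_data: bool, encrypt_session: bool) -> bytes:
    """Constructed stream: a per-file header carrying path and size, then the body.

    encrypt_data    models file-level encryption (include.encrypt): only bodies opaque.
    encrypt_session models SSL/VPN on the session: the whole stream opaque.
    """
    stream = b""
    for i, (path, body) in enumerate(files.items()):
        header = f"FILE {path} SIZE {len(body)}\n".encode()
        payload = opaque(len(body), seed=i) if encrypt_data else body
        stream += header + payload
    if encrypt_session:
        stream = opaque(len(stream), seed=99)  # headers and bodies wrapped alike
    return stream


@dataclass(frozen=True)
class AuditResult:
    cleartext_paths: tuple   # paths found readable in the stream, sorted
    canary_visible: bool     # canary file contents found readable

    @property
    def metadata_exposed(self) -> bool:
        return bool(self.cleartext_paths)


def audit_capture(stream: bytes) -> AuditResult:
    """Report what an on-path observer could read from the captured bytes."""
    paths = tuple(sorted({m.decode("ascii", "replace") for m in PATH_RE.findall(stream)}))
    return AuditResult(cleartext_paths=paths, canary_visible=CANARY in stream)


if __name__ == "__main__":
    scenarios = [
        ("no encryption",         False, False),
        ("include.encrypt only",  True,  False),
        ("include.encrypt + SSL", True,  True),
    ]
    for label, data, session in scenarios:
        r = audit_capture(build_capture(SAMPLE_FILES, data, session))
        print(f"{label:22s} paths visible={r.metadata_exposed!s:5s} "
              f"canary visible={r.canary_visible!s:5s} {r.cleartext_paths}")
```

Run against the middle scenario the audit reports both file names with the canary hidden, which is exactly the "contents secure, metadata and control traffic open" picture from the packet capture; only the third scenario, where the session itself is encrypted, hides the paths as well. The same two checks (path strings and a canary file) work on a real pcap, which is how to confirm whether a VPN or SSL on the client-server session is actually in effect rather than assuming it from the config.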
  7. moon-buddy

    moon-buddy Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,149
    Likes Received:
    275
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Even if they capture the metadata, what good will this be? Metadata points to basically store location and data name.
     