Networker

Re: [Networker] New libraries with LTO-4 & encryption

2008-07-24 14:13:59
Subject: Re: [Networker] New libraries with LTO-4 & encryption
From: Bruce Breidall <Bruce.Breidall AT CONCUR DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 24 Jul 2008 11:11:31 -0700
Some additional comments.

I am not familiar with 7.4, so I don't know what has changed with
regards to encryption, but there is no key management. There is one
place to configure "a" key in the NW server properties, and that is it. 

Encryption is controlled as an aes directive, so it is extremely
difficult to be selective without having a configuration that is
impossible to maintain and support. There is no way that I know of to
tell if a saveset is encrypted via mminfo.
 
As mentioned, NW encryption is not any kind of standard like Kerberos,
and it is completely proprietary, and not strong at all from what I
hear.



-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On
Behalf Of George Sinclair
Sent: Thursday, July 24, 2008 12:59 PM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: Re: [Networker] New libraries with LTO-4 & encryption

Clark, Patti wrote:
> Hi, all.
> 
> Some $$ have come our way and management made the decision that we are
> going to LTO-4 and encryption.  That being said, we've moved forward on
> the research and pricing.  Before we actually place the order I want to
> see if anyone else has had [b]leading edge experience in this area that
> might provide me with questions that I haven't thought to ask or
> suggestions on how to handle some of the aspects that are new with the
> technology.  We've looked at appliances and have decided not to go that
> way.
> 
> The current system is RHEL4, NWv7.3.3 (server and clients) with a mix of
> RHEL, Solaris, OSX, and Win clients,
> 1 - SCSI attached library with 3 LTO-2 drives.
> 
> The new system will be RHEL4 or 5 (updated with new HBAs), NWv7.4.2 same
> client mix
> 1 - FC attached library (Quantum i500) with 3 LTO-4 drives (IBM) - at
> least 2 drives will have encryption enabled.

Just out of curiosity, how will you control what data gets encrypted and
what data doesn't? Seems you'd have to specify or hard code those
specific devices in the pools? Not sure how easy that would be to
manage. If you're encrypting on the NW end of things - I've heard it
supports encryption but not sure how strong it is - then I would think
you would have better control as far as which groups encrypt, etc. Seems
you could fine tune it better, but I've not played with NW 7.4 so not
sure about that. However, it's my understanding that if encryption is
turned on for a given drive then everything that goes to that drive will
be encrypted. In some cases, there might be certain data you might not
want encrypted??? Then again, maybe it's carte blanche on everything?

Because NW is already writing the data in proprietary format, it doesn't
seem so bad to have it encrypt it also. Otherwise, you have the data in
one format and the encryption in another. Two hurdles to clear there,
but again, I have no idea how similar or strong NW encryption is versus
the drive manufacturer's encryption. Not sure what standards the drive
encryption uses either?

I'm not really answering your questions, but your post just got me
thinking of more.

George

> Software to perform encryption key management
> 
> I've kept track of the HBA discussions, IBM drive info, Networker
> upgrade threads, and anything else related.  I expect to upgrade
> Networker and then the OS prior to the HW switch.  Not much has been
> said about encryption.  Does it work as advertised?  Is it fairly
> seamless?  Networker doesn't really see any difference and it's business
> as usual?  How about key management?  Do I believe the sales materials?
> 
> Patti Clark
> Sr. Unix System Administrator - RHCT, GSEC
> Office of Scientific and Technical Information
> 
> 
> 
> 
> To sign off this list, send email to listserv AT listserv.temple DOT edu and
> type "signoff networker" in the body of the email. Please write to
> networker-request AT listserv.temple DOT edu if you have any problems with this
> list. You can access the archives at
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 


-- 
George Sinclair
NOAA/NESDIS/National Oceanographic Data Center
SSMC3 E/OC3 Room 4145         | Voice: (301) 713-3284 x210
1315 East West Highway        | Fax:   (301) 713-3301
Silver Spring, MD 20910-3282  | Web Site:  http://www.nodc.noaa.gov/
- Any opinions expressed in this message are NOT those of the US Govt. -
