Networker
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Networker] auth error after upgrade to 7.4.2

2009-02-25 14:51:28
Subject: Re: [Networker] auth error after upgrade to 7.4.2
From: Davina Treiber <Davina.Treiber AT PEEVRO.CO DOT UK>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Wed, 25 Feb 2009 19:48:00 +0000 
Matthew explained it pretty well.

NetWorker always had authentication, it originally worked by simply
verifying the IP address using DNS. This was considered weak, especially
when comparing the product to its competitors. To address this weakness
EMC introduced strong authentication. NetWorker has been the subject of
a number of CERT security advisories in the past, EMC would have been
foolish not to respond to these with improvements to security.

It used to be possible to impersonate another machine by setting an IP
address and a host name. You could potentially impersonate a client, and
steal its data from the server, or worse still you could impersonate the
NetWorker server, and have free reign on directed recoveries to any
client in the environment. You could pretty much take over a network if
you knew what you were doing. Perhaps not easily, but this would not
have been impossible. It is not usually difficult to find a network port
in most offices to connect a rogue machine to.

Many users underestimate the power (or risk) of NetWorker. I have lost
count of the number of times I have found *@* in a NetWorker server's
administrator list, or clients with a blank servers file. Both of these
are serious security risks.

As for this being naive, dictionary.com defines naive as: having or
showing a lack of experience, judgment, or information.  ;-)


Matthew Huff wrote:
> I'll hazard a guess that they added the strong authentication not for 
> backups, rather for restores. Being able to restore a file could easily be 
> used to assist in breaking into a machine/network. I assume that if stronger 
> authentication is needed for restores, it would be rendered less useful if 
> you can't trust the same method for it to be used for backups. For example, 
> if I can impersonate a machine and have the /etc/shadow file backed up, and 
> then restore it to a production server then I can break into it.
> 
> Some of these vulnerabilities they have fixed from 7.2 to 7.4 are based on 
> actual security incidents. None of this is an excuse for poor implementation, 
> documentation, support, or diagnostics.
> 
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
> 
> 
> 
>> -----Original Message-----
>> From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU]
>> On Behalf Of Goslin, Paul
>> Sent: Wednesday, February 25, 2009 1:17 PM
>> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
>> Subject: Re: [Networker] auth error after upgrade to 7.4.2
>>
>> Davina, Please excuse my ignorance ... WHY IS IT NECESSARY ?
>>
>> I understand why antivirus is needed, like a vaccination is needed to
>> keep things healthy and keep malicious software from infecting your
>> machine.
>>
>> Exactly how is questioning something you don't comprehend being naive ?
>>
>> I've been using/running Networker for about 10 years... Long before it
>> did any type of 'authentication' to the best of my knowledge ...
>> Since it's been introduced, I have only had problems with it... And no
>> one has pointed out the benefits or why it should be required to backup
>> a client machine... If you go to all the effort of installing Networker
>> client package on the client, specifying the server (or servers)
>> allowed
>> to back it up, and then configure it on the server to be backed up,
>> please explain in detail how the extra step of Authenticating the
>> client
>> before backing it up is a benefit ?
>> Where is the value added in this extra step ?
>> I would be amazed to see someone trying to have a machine masquerade as
>> an existing client in order to get their data backed up for whatever
>> reason.... Who would go to such effort ? Unless you have actually
>> attempted or seen this ?
>>
>>
>>> -----Original Message-----
>>> From: Davina Treiber [mailto:Davina.Treiber AT PeeVRo.co DOT uk]
>>> Sent: Wednesday, February 25, 2009 12:59 PM
>>> To: EMC NetWorker discussion; Goslin, Paul
>>> Subject: Re: [Networker] auth error after upgrade to 7.4.2
>>>
>>> Goslin, Paul wrote:
>>>   (I fail to
>>>> understand why Networker needs to authenticate a client in the
>> first
>>>> place?)
>>> That's a rather naive comment. Of course it is necessary to
>>> authenticate.
>>>
>>> It's a bit like saying that you fail to understand why it is
>>> necessary to run anti-virus on a Windows system.

To sign off this list, send email to listserv AT listserv.temple DOT edu and 
type "signoff networker" in the body of the email. Please write to 
networker-request AT listserv.temple DOT edu if you have any problems with this 
list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Networker] Staging Question, Francis Swasey
Next by Date:  [Networker] Staging Question, psoni
Previous by Thread:  Re: [Networker] auth error after upgrade to 7.4.2, Matthew Huff
Next by Thread:  Re: [Networker] auth error after upgrade to 7.4.2, Preston de Guise
Indexes:  [Date] [Thread] [Top] [All Lists]