I had the same thought. I think getting some more publicity is the only way they will change this behavior. Any ideas on which one(s) would be most interested in something like this? You can e-mail me at JFuller@ibew110.org if you don't want to post publicly.
Hm, to me that explanation from engineering does make sense. And besides, if you have situation where someone can restore your bootstrap then you have far bigger problem I think.
Thanks... but I believe bootstrap backup is for NetWorker Server recovery..
dk3
163 Posts
0
July 9th, 2007 12:00
thanks for sharing this information here. I agree that this is a major security threat. Did you contact EMC or your support on this issue? I'd like to know if it will be fixed in future Networker releases or how the vendor thinks about handling this problem...
jfuller5
3 Posts
0
July 10th, 2007 08:00
Yes, I had opened a support case with EMC support regarding this. Below is their final response on this issue:
"In reference to RFE LGTsc06934 - bootstrap not encrypted, I heard back from the engineer. The reason that the bootstrap isn't encrypted is because if you are doing a mmrecov to recover your Networker server, it is assumed that there isn't a NetWorker server available to confirm the credentials. It is assumed that you would be running in Evaluation mode which has no restrictions."
This doesn't make a lot of sense to me as in order to run mmrecov you need to first do an install of NetWorker server to start with! At any rate, it would still be an easy fix to just not include the Datazone Pass Phrase in the bootstrap.
But based on their response, it doesn't sound like they are going to change anything unless more of the user community brings up the issue.
Joel
dk3
163 Posts
0
July 10th, 2007 12:00
jfuller5
3 Posts
0
July 10th, 2007 12:00
dk3
163 Posts
0
July 10th, 2007 12:00
Perhaps publishing this issue on one of the major security mailing lists would assert Networker the publicity EMC is looking for.
ble1
4 Operator
•
14.4K Posts
0
July 16th, 2007 12:00
I think it is much bigger problem that datazone key itself is not encrypted:
Since datazone is part of resource db it makes sense to have it in bootstrap backup. However if EMC is using weak and cracked years ago XORing of password field they could at least XOR this too.
Now to get this info you need:
- root (aka evil admin)
- access to your bootstrap records
I think it is slightly unfair to blame application for security breach in case someone can get root or access to your bootstrap data. I think best solution would be for EMC to come up with some algorithm to encrypt data like passwords or datazone pass phrase (instead of hacked XORing) and that would make everyone happy.
snewton1
19 Posts
0
December 17th, 2007 09:00
jsperanz
13 Posts
0
December 20th, 2007 17:00
I've done a bit of research on this, as we are just about to enable encryption for a number of our sites, it occurred to me that this might be an issue so I had a look around and found others had come to the same conclusion.
Although, it's not all bad. If your backups consume multiple tapes then a thief will need the tape that the bootstrap is on before he could recover anything.
You could also work around this problem by deliberately having the bootstrap go to separate tapes and keeping them in storage separately, but in our case, this would not be practical, as some of our sites only have a single tape drive with no auto-changer.
shali021
6 Posts
0
September 14th, 2008 16:00
I am using v7.4.2.... and we have implemented AES Encryption ... but now I come to know that bootstrap backup contains the passphrase in clear text.... it's a big problem...
How to remove bootstrap backup from groups and schedules.... pls help ... as I don't want bootstrap backup...
DeaconZ28-2015
252 Posts
0
September 15th, 2008 10:00
AFAIK nothing has been done, and I don't think anything will change until maybe whatever version comes out after 7.4 (7.5?).
I've done a bit of research on this, as we are just about to enable encryption for a number of our sites, it occurred to me that this might be an issue so I had a look around and found others had come to the same conclusion.
Although, it's not all bad. If your backups consume multiple tapes then a thief will need the tape that the bootstrap is on before he could recover anything.
You could also work around this problem by deliberately having the bootstrap go to separate tapes and keeping them in storage separately, but in our case, this would not be practical, as some of our sites only have a single tape drive with no auto-changer.
If I'm reading right, it wouldn't matter if the thief got your tape even with the bootstrap on it, since the tape is itself encrypted.
They would need access to your server and the bootstrap printout.
If that happens, they deserve whatever they get for poor security on the server box.
DeaconZ28-2015
252 Posts
0
September 15th, 2008 10:00
shali021
6 Posts
0
September 15th, 2008 14:00
And if the bootstrap backup is for other client recovery also... we don't want to take any risk with data.
I just want this bootstrap backup to be stopped for all clients...
ble1
4 Operator
•
14.4K Posts
0
September 24th, 2008 04:00
NetWorker Server recovery..
If you don't recover NW db how do you plan to recover data? With uasm? Good luck to you
recovery also... we don't want to take any risk with data.
I just want this bootstrap backup to be stopped for all clients...
In your case I believe bootstrap might be running for each group you have. Without getting into details why is so as this subject has already been discussed here, if you really wish to separate bootstrap from data simply create so called index pool where bootstrap would be written and thus you separate it.
Based on your response I would say you do not know about bootstrap and its importance thus I would suggest you keep it running all the time.
ble1
4 Operator
•
14.4K Posts
0
September 24th, 2008 04:00
got your tape even with the bootstrap on it, since the tape is itself encrypted.
I don't think it's tape, but rather ssid written.
bootstrap printout.
No, all I need is scanner command
poor security on the server box.
What if I have evil ex NW admin working in facility where tapes are kept? This means (s)he might have knowledge to play with this.
shali021
6 Posts
0
September 24th, 2008 10:00
For my understanding.. if we back up a group which consists of the backup server, then only the bootstrap will be backed up.
And if we back up any group which consists of any other client but not the backup server, then will the bootstrap be backed up or not?