Solved

Encrypting network traffic between CS/MA and clients.


Userlevel 2
Badge +7

Hello team,

 

The customer asks if we can encrypt network traffic when communicating within a CommCell.

The customer doesn't want to encrypt the backup data, but wants all traffic/packets among the tiers (CS, MA, client) to be encrypted.

 

For instance:

when trying to do a push installation from the CS to a client.

when requesting tasks like backup or restore jobs.

 

They need to encrypt all packets due to a security requirement.

I searched and reviewed these BOL articles but am not sure whether they will work for this customer.

Could you give me any advice?

 

Encrypting Network Traffic at CommCell Level (commvault.com)

Enforcing and Encrypting Automatic Tunneling (commvault.com)

 

Which one is the more recommended option for this customer?

 

Thanks.


Best answer by Jos Meijer 11 August 2022, 19:47


10 replies

Userlevel 7
Badge +16

Both settings are, as far as I know, only for when agent-based communication is performed.

General non-agent-based activities like push install are not performed via this tunnel, as there is no fwconfig file to populate. In addition, you use WMI combined with SMB, or SSH, to perform the push install.

Only when the installer is running and communication with the Commserve has started will the temporary setup tunnel settings kick in; after installation, the final network topology settings will be adopted to replace the setup tunnel settings.

For agent traffic I tend to use a perimeter construct, isolating the backup environment and using at least 2 dual-NIC gateway proxies as a bridge between the general infrastructure and the backup environment.
This, combined with all clients in a Gateway network topology with encryption enabled and force-through-tunnel enabled, will ensure all agent data is transported via an encrypted tunnel.
Commvault's proprietary TLS will prevent impersonation of clients. Ideally you should enforce client certificates, but even without this enabled I have had several hack tests performed and all environments passed the tests.
Command line (qlogin) will be performed over this tunnel as well.

If you have a separate management VLAN you can do the same here: deploy gateway proxies and have the Command Center package installed. Then they can connect via 443 to the Command Center and REST API. If you want to use the Java GUI you can add a TPPM for TCP 8401 so people can connect there; they need to fill in the proxy details within the "use firewall" section of the GUI login.

Userlevel 2
Badge +7

@Jos Meijer 

According to their rules, all client agents are installed by push install, and it's also triggered by the REST API.

 

Based on your description, it seems there is no way to encrypt the network traffic for a push install.

The customer is concerned about the exposure of sensitive information such as user ID and password while doing a push install, so they are seeking a way to encrypt all communication network traffic/packets except backup data.

Thanks.

Userlevel 7
Badge +16

A way around this user credentials issue is to either:

  • use a limited user with installation rights only on the Commserve, or
  • use an authcode which can only be used for installations.

Regarding the push install, they could include a restore-only agent in their OS template which is configured to connect to the Commserve after installation; when the OS comes online, this will register itself on the Commserve. This prevents the need to perform a clean push install. Then the fwconfig is already provided with the necessary network topology and they can push additional agents via the encrypted tunnel.

This way they can also close the ports for SSH, SMB and WMI in the firewall, which is a plus from a hardening perspective, depending on the OS they use and whether other applications need these ports.
They only need port 8403 for the tunnel; 8400 isn't even necessary anymore.

Let me know if this could be an option, otherwise I will have to think about other solutions.


Edit: If we are talking about Unix, take a look at @BrianHavens' response here.
SFTP is used to transfer the packages during a push install, so that should already be safe as far as encrypting traffic goes.

The only additional mitigation I can think of is to allow incoming SSH from specific servers only.

Userlevel 7
Badge +23

> Both settings are, as far as I know, only for when agent-based communication is performed.
>
> General non-agent-based activities like push install are not performed via this tunnel, as there is no fwconfig file to populate. In addition, you use WMI combined with SMB, or SSH, to perform the push install.

 

That is partially true; however, even with a push install, only the base client or minimal communication services are pushed and deployed initially over SMB and remotely started with remote registry/RPC. If you have a network topology/configuration after that, the rest of the install is done over the encrypted tunnel (i.e. push of the remaining file system or VSA components, or whatever you chose to install).

Userlevel 7
Badge +16

@Damian Andre, can you elaborate on which part isn't true so I can adjust my view on this matter?

Both settings are managed via the fwconfig method as far as I know. Or are we talking about specific non-agent activities which are performed while using encrypted traffic via another method? Or are we talking about NTLM/Kerberos/RPC, where authentication and remote installation procedures are secured?

 

Userlevel 7
Badge +23

> @Damian Andre, can you elaborate on which part isn't true so I can adjust my view on this matter?
>
> Both settings are managed via the fwconfig method as far as I know. Or are we talking about specific non-agent activities which are performed while using encrypted traffic via another method? Or are we talking about NTLM/Kerberos/RPC, where authentication and remote installation procedures are secured?

 

Hey Jos,

I was just clarifying that only a minimal portion of a push install happens over SMB; after the CVD service is installed, everything else communicates via the Commvault services, which are automatically secured/encrypted if you have the correct network topology settings configured. I.e. any agent options you pick will then be transferred over the built-in file transfer service as part of CVD and not over SMB/SSH, like how updates work.

Userlevel 7
Badge +16

Ah ok, thanks for your response. 👍

I misinterpreted "however" to indicate that this was a different subject following up on the partially true statement. #languagebarrier

 

Userlevel 7
Badge +23

@Jos Meijer, your English is better than most native speakers'!!

Userlevel 7
Badge +16

Thanks @Mike Struening ☺️☺️

Userlevel 2
Badge +12

Hi, when enabling network encryption between the CS ↔ MAs following the guides, is there any way to calculate the extra CPU overhead on the MAs after enabling encryption?

 

Encrypting Network Traffic at CommCell Level (commvault.com)

Enforcing and Encrypting Automatic Tunneling (commvault.com)
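One practical way to answer the CPU-overhead question is to measure rather than calculate: run a single-core encryption micro-benchmark on the MediaAgent hardware itself and scale the result by the link rate and the data volume the tunnel will carry. The Go program below is an added example for this thread and is not Commvault code; the thread does not state which cipher suite Commvault's tunnel negotiates, so it uses AES-256-GCM from the Go standard library as a stand-in, and the 125 MB/s link and 500 GB job size in `main` are constructed inputs to replace with your own. Run it on the MA (where AES-NI availability decides the result) and treat the output as an upper-bound budget for the encryption work alone; TLS framing and the Commvault tunnel's own bookkeeping add a little on top, and CS ↔ MA control traffic is usually small, so the cost mostly matters when data-path traffic is also forced through the tunnel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Overhead is the CPU budget estimated for one encrypted MediaAgent link.
type Overhead struct {
	SealMBps     float64 // plaintext MB/s one core sustains in the micro-benchmark
	CoreFraction float64 // share of one core kept busy by encryption at the given link rate
	CoreSeconds  float64 // core-seconds needed to encrypt the given data volume
}

// benchSeal measures single-core AES-256-GCM seal throughput on the host it
// runs on. A fresh random key is used and the nonce is a counter, so no
// (key, nonce) pair repeats even though the ciphertext is discarded.
func benchSeal(chunk, iters int) (float64, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; counter lives in the last 8
	plain := make([]byte, chunk)           // constructed zero payload; content does not change the cost
	out := make([]byte, 0, chunk+gcm.Overhead())

	start := time.Now()
	for i := 0; i < iters; i++ {
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		out = gcm.Seal(out[:0], nonce, plain, nil)
	}
	elapsed := time.Since(start).Seconds()
	if elapsed <= 0 {
		return 0, fmt.Errorf("timer resolution too coarse; increase iters")
	}
	return float64(chunk*iters) / elapsed / 1e6, nil
}

// estimate converts a measured seal rate into a CPU budget for a link that
// carries linkMBps of tunnel traffic and a job that moves dataGB in total.
func estimate(sealMBps, linkMBps, dataGB float64) Overhead {
	return Overhead{
		SealMBps:     sealMBps,
		CoreFraction: linkMBps / sealMBps,
		CoreSeconds:  dataGB * 1000 / sealMBps, // GB -> MB, then divide by MB/s
	}
}

func main() {
	// 64 KiB chunks, 128 MiB in total: long enough for a stable reading.
	rate, err := benchSeal(64*1024, 2000)
	if err != nil {
		panic(err)
	}
	// Assumed inputs: a 1 Gbit/s link (~125 MB/s) and a 500 GB nightly window.
	o := estimate(rate, 125, 500)
	fmt.Printf("AES-256-GCM seal: %.0f MB/s per core\n", o.SealMBps)
	fmt.Printf("At 125 MB/s the tunnel keeps %.1f%% of one core busy\n", o.CoreFraction*100)
	fmt.Printf("Encrypting 500 GB costs about %.0f core-seconds\n", o.CoreSeconds)
}
```

A CoreFraction well below 1 means one core absorbs the link's encryption without becoming the bottleneck; a value near or above 1 means the MA will need to spread the tunnel traffic over several cores or the throughput will drop to the seal rate.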
