Ferro Backup System - The best Backup Software
Network Backup & Restore Software Solution for SMBs
 
  EN EN   PL PL  


Article reference number: FS-FBS-20140220-I01
Last review: 20 February 2014
Version: 1.0


Securing network connections in data backup systems

Each type of network communication brings risk of revealing confidential data, and the network infrastructure is exposed to attacks. In the case of backup solutions, this risk is higher because during backup large amounts of data, essential for a company, are sent. If an attacker accesses unsecured backup solution, they may also access confidential information.

Use of data backup solutions without appropriate computer network security may lead to the disclosure of confidential data or to facilitating attacks and blocking the possibility of backup. The attacker may gain access to confidential information by connecting to the computers being backed up, reading back up files on the backup server or by sniffing data traffic. DDoS attacks may, in turn, lead to blocking backup server services. In order to eliminate these risks, you should apply safeguards described in this article, regardless of the security features built in the application layer, that is in the backup solution. The security features built in the Ferro Backup System:

Risks

Network connections may include the following risks:
  1. client connection with an unauthorized server,
  2. reception of a connection by the server from an unauthorized client,
  3. sniffing data traffic between the client and the server.
The first of these situations may occur if a computer (e.g. a company laptop) is connected to a foreign computer network, where a fake backup server is launched, with the same IP address as the authorized backup server. Such situation may also occur if an attacker manages to switch off the real backup server in your local network and to substitute it with their own computer with the same IP address.

The second situation is not that dangerous (it does not allow to steal data) but it exposes the system to DDoS attacks. This risk occurs when an attacker has access to the backup server network.

The third situation may lead to the disclosure of data transmitted between a workstation and the backup server. Eliminating this risk is particularly important if the communication between the client and the server is carried out via a public network (e.g. the Internet) without a bundled virtual private network (VPN).


Security

Security measures against these risks may be implemented in many ways. Below, we present the IPSec security, which enables both authentication of computers and encryption of transmissions.

The objectives of IPSec rules in data backup systems:
  1. blocking backup client connections with an unauthorized server,
  2. blocking incoming connections to the backup server from an unauthorized client,
  3. preventing sniffing data of the client-server transmission (optional) by encryption.
IPSec security is built in Windows system. The configuration is based on rules. The rules are composed of filters and actions. In our scenario of security, we have to create two rules: the first one for the backup server and the second one for all workstations belonging to the backup system. Ferro Backup System bases on the client-server architecture. The client (FBS Worker) connects to the specified backup server (FBS server) by TCP protocol on 4531 port. This is the only connection between a workstation and the backup server by which backup tasks and data recovery are carried out. Below, you can find the rules securing this connection.

The configuration below may be performed by using the Local Security Settings (secpol.msc) or by GPO.


Implementation of securities on backup server

The objective is to create an IPSec rule which would limit incoming connections to TCP4531 port only to trusted computers and which would encrypt the entire transmission (optionally); connections from unauthenticated computers will be rejected.
  1. On the MMC control panel "Local security settings", choose the branch "IP security rules in the Local Computer" and next choose the action "Manage lists of IP filters and filter actions".
    1. In the tab "Manage lists of IP filters", click "Add..." and create a filter with the following parameters:
      1. name: e.g. "FBS incoming connections",
      2. description: e.g. "Incoming connections from workstations",
      3. duplicating/mirroring: Yes,
      4. protocol: TCP,
      5. source port: ANY,
      6. target port: 4531,
      7. DNS source name: ANY,
      8. source address: ANY,
      9. source mask: 0.0.0.0.,
      10. target name: My IP address,
      11. target address: My IP address,
      12. target mask: 255.255.255.255.,
    2. In the tab "Manage filter actions", click "Add..." and create an action with the following parameters:
      1. name: Require security,
      2. security method: "Negotiate security protocol:",
      3. type: Non-standard,
      4. AH integrity: None,
      5. ESP confidentiality: 3DES,
      6. ESP integrity: SHA1,
      7. existence period: 0/0,
      8. accept non-secured communication: NO,
      9. permit non-secured communication: NO,
      10. perfect forward secrecy of the session key: NO.
  2. On the MMC control panel "Local security settings", choose the branch "IP security rules in the Local Computer" and next choose the action "Create a security rule".
    1. Provide a name in the creator of a new rule (e.g. "FBS secure connection"), disable the option "Enable default response rule" and then finish it by editing the newly created rule.
    2. In the window: "FBS secure connection", click "Add..." and then configure the settings as follows:
      1. in the tab "List of IP filters", choose "Incoming connections from workstations",
      2. in the tab "Filter action" choose "Require security",
      3. in the tab "Authentication methods" add a method "Pre-shared key" of the value e.g. "My secret password".
  3. On the MMC control panel "Local security settings", choose the branch "IP security rules in the Local Computer", then the rule "FBS secure connection" and then choose the action "Assign".
In the case of the backup server, apart from the security described above and which concerns the backup system itself, it is also very important to secure access to backup files, which may be read by other protocols, such as SMB/CIFS, FTP, iSCSI or RDP.


Implementation of securities on workstations

The objective is to create an IPSec rule which would limit outgoing connections to TCP4531 port only to a trusted backup server and which would encrypt the entire transmission (optionally); connections with an unauthenticated backup server will be rejected.
  1. On the MMC control panel "Local security settings", choose the branch "IP security rules in the Local Computer" and next choose the action "Manage lists of IP filters and filter actions".
    1. In the tab "Manage lists of IP filters", click "Add..." and create a filter with the following parameters:
      1. name: e.g. "FBS outgoing connection",
      2. description: e.g. "Outgoing connection to backup server",
      3. duplicating/mirroring: Yes,
      4. protocol: TCP,
      5. source port: ANY,
      6. target port: 4531,
      7. DNS source name: My IP address,
      8. source address: My IP address,
      9. source mask: 255.255.255.255.,
      10. target name: ANY,
      11. target address: ANY,
      12. target mask: 0.0.0.0.
All the other steps are the same as in the example for the backup server.

The IPSec rules above should be treated as examples which may be used during tests. In a production environment, it is advisable to clarify the IP address ranges by entering appropriate masks. It is also necessary to change the method of authentication from the pre-shared key to certificates or Kerberos. If the computers are in a domain, the best authentication method would be Kerberos.


Conclusions

The implementation of the IPSec securities, described here, will ensure that workstation will connect only with your authenticated backup server. Connections with a substituted backup server will be blocked. Our backup server will only accept connections from authenticated workstations and the connections from an attacker's computer will be blocked. Additionally, the entire transmission between clients and the server may be encrypted.


References



Home   Help   Where to Buy    Download    Contact Us   Partners   |  Printable version  |  Language: EN EN   PL PL

Securing network connections in data backup systems
All rights reserved.
Copyright © 2000-2015 FERRO Software