Backup Exec 2012 security improvements
Hello, my name is Bill Brown and I'm a software developer for the Backup Exec product team. I've been working on Backup Exec (and its progenitor, Maynard Electronics Maynstream) for nearly 21 years. Over the years I've spent time in just about every part of the product but lately I've been involved in improving the security of the product. In upcoming posts I hope to give some technical insight into the inner workings of Backup Exec as well as give a peek into ideas for future enhancements.
I thought as an introduction, I'd discuss some of the usability improvements for session security in Backup Exec for Windows Systems 2012. Last year, we introduced enhanced security between media servers and remote agents in Backup Exec 2010 R3. I realize that it has caused some consternation among users because additional security seems to always introduce inconvenience. In BE 2010 R3, we introduced the concept of a 'trust', which in our parlance means a trusted, encrypted connection between the media server and remote agent. The idea here is to restrict the window in which an attacker can insert himself into a conversation between the hosts. This is commonly known as a Man In The Middle (MITM) attack. In our case we've shrunk that window of opportunity to the very first conversation between any media server and remote agent through the use of TLS 1.0. Certificates are generated and exchanged at this time when the user responds affirmatively to the 'establish trust' prompt that BE presents when installing or browsing the agent for the first time. I'll go into the usability vs. security implications of this method in future posts.
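The trust model described above amounts to trust on first use: the certificate accepted at the 'establish trust' prompt is remembered, and later sessions are checked against it. The following Python example is added for illustration and is not Backup Exec code; the `TrustStore` class, the host names and the certificate bytes are constructed assumptions.

```python
import hashlib
import hmac


class TrustStore:
    """Pins one certificate fingerprint per agent host (trust on first use)."""

    def __init__(self):
        self._pins = {}  # lower-cased host name -> SHA-256 fingerprint (hex)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def verify(self, host: str, cert_der: bytes, approve) -> str:
        """Return 'established', 'trusted', 'declined' or 'mismatch'."""
        key = host.lower()
        seen = self.fingerprint(cert_der)
        pinned = self._pins.get(key)
        if pinned is None:
            # First conversation: there is nothing to compare against, so the
            # operator's answer to the prompt is the only control at this point.
            if approve(host, seen):
                self._pins[key] = seen
                return "established"
            return "declined"
        # Later conversations: a different certificate means the agent was
        # reinstalled or something sits in the path. Never re-pin silently.
        if hmac.compare_digest(pinned, seen):
            return "trusted"
        return "mismatch"


def demo():
    # Constructed stand-ins for DER-encoded certificates (not real certs).
    agent_cert = b"constructed-agent-certificate"
    other_cert = b"constructed-substituted-certificate"
    store = TrustStore()
    say_yes = lambda host, fp: True  # operator answers yes to the prompt
    return [
        store.verify("agent01.example", agent_cert, say_yes),  # first contact
        store.verify("agent01.example", agent_cert, say_yes),  # same cert
        store.verify("AGENT01.example", other_cert, say_yes),  # cert changed
    ]


if __name__ == "__main__":
    print(demo())
```

A `mismatch` result is the case worth alerting on: once a pin exists, the prompt is never consulted again, so a changed certificate cannot be accepted by a hurried click.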
One of the issues that arose from this approach is that because of the management model in BE 2010 R2, creating trusts for a large number of remote agents is challenging at best. We did add functionality in the BEMCMD application to create trusts for a list of agents, as well as a context menu option after multi-selecting computers in one of the domain views while browsing. In Backup Exec 2012, we took a fresh approach. Because the new UI is now server- and application-centric, the establishment of trusted sessions is now intrinsic to the 'Add Server' wizard. Using this functionality, you can choose a list of resources and the wizard will install the remote agent and then establish a trust from the current media server to all of the selected resources. In the case of the Central Administration Server Option, running this wizard from the CAS will establish trusts between the CAS and all managed media servers to the resources for centralized jobs. If you want to protect a list of resources already protected by another media server, you can run the same wizard to trust these resources from a new media server. For those who are script driven, we do provide the same 'mass trust' functionality in our new BEMCLI PowerShell app as was present in BEMCMD.
I realize that this is a rather high level description of the secure session technology we use, but this is, after all, an introduction. In future posts, I'll outline the process used to establish the trust (you'll need to bone up on your SSL/TLS knowledge) as well as do some technical deep dives into other technologies we have.