mcz
Veteran
Posts: 948
Liked: 223 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

in which case is network traffic unencrypted?

Post by mcz »

Hi everybody,

I know that Veeam has a functionality to encrypt network traffic, but I do not know exactly in which cases data will be transferred unencrypted. Say you take a backup, your proxies only use hotadd and your repository is encrypting the data - where will the data be encrypted? By the proxy on the source side? By any other instance?

If we talk about NBD mode (without SSL), I know that at least the read data would be unencrypted, and I think replication between two proxies would also transfer raw data by default, but as I said, I'm not sure how it works between the proxy/Windows agent and an encrypted repository.

Thanks for the clarifications!
tdewin
Veeam Software
Posts: 1856
Liked: 669 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Post by tdewin »

Depends.

Data in the repository is encrypted with the key you have set in the job settings "at rest":
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Data between the proxy and repository can be encrypted "in flight". This is done in the network settings:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
There is a checkbox there to encrypt data between 2 endpoints. I think we even encrypt "by default" if public IPs are detected.

Data read by the proxy, well, that depends. If you use NBD mode in SSL mode, it is encrypted. In hotadd, well, the data does not really go over any network. And Direct SAN: well, technically it is not encrypted, but it would be rather difficult for a hacker to get on the SAN network since they are isolated from the rest of the world.

Post by mcz »

Ok thanks for your reply but what you wrote was clear to me. What I do not really understand is if a proxy writes to a CIFS repository, who or what will in the end write the data encrypted to the disk? Does the proxy itself write the data directly to the repository or is there any other instance where the proxy sends the data? If the proxy writes the data directly to the repository, I guess it will be encrypted over the network, otherwise not.

Post by tdewin »

In this case, the gateway server is in fact acting as the repository role (well didn't test it, but I'm assuming)
https://helpcenter.veeam.com/docs/backu ... ver=95#smb

So between the proxy and the gateway server, the data is "in flight".

From the gateway server to the CIFS share, the data is already "at rest", because the blocks are encrypted with the job settings password, sent over the network and written to the CIFS share.

Post by mcz »

Perfect, that was what I wanted to know - thanks!

Post by mcz »

Timothy, one last question: Where do I see which gateway server for the repository has been used? I checked some logfiles and also took a look at past backup jobs, but I can't find any information about the used gateway server. I just see the default gateway, but that's not what I'm looking for. Thanks!

Post by tdewin »

Don't have my lab up and running, but I would assume you can find it in the job logs. There should be an Agent.log from the datamover that is running on the gateway server, but that log might be stored on the chosen gateway server (under c:\programdata\veeam\...). So you might check the different Windows servers connected to your Veeam B&R.

This is another advantage of assigning a static gateway. This way, you are sure that the same / correct server is used.
foggy
Veeam Software
Posts: 21181
Liked: 2163 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Post by foggy »

The job log itself (Job.<Jobname>.Backup.log) should contain this info.

Post by mcz »

Thanks for that comment foggy, I was checking this logfile before, but if I search for "gateway" I can only find the default gateway settings... Any idea what the appropriate keyword looks like?

Post by mcz »

...meanwhile I have switched on encryption of network traffic for the whole subnet and I can see the effect during replication jobs. However, I haven't found the hint "network traffic will be encrypted" within the statistics for the backup jobs, and now I'm wondering if Veeam probably skips this step if the proxy equals the gateway server, could that be? I mean, I'm backing up the same VMs and I'm even using the same repository as for the replication jobs where the network traffic is shown as encrypted (in the job statistics), so Veeam should act similarly.

Post by foggy »

If the gateway runs on the proxy itself, there's no network transfer between them, so nothing to encrypt.

Post by mcz »

Thanks foggy, makes sense. Could it be that Veeam uses more than one gateway for the same backup job? I mean, we have two proxies and Veeam will use both of them during the backup job (we have two different hosts, each one hosting a proxy). Will there only be one gateway, or will probably both proxies send the traffic directly to the repository (which is within the same subnet/LAN)?

Post by foggy »

It depends on whether per-VM chains are enabled on the repository. If yes, then the source proxy for each VM will be the gateway for it as well. Otherwise, the first proxy that took the task within a job will serve as the gateway for the entire job.

Post by mcz »

Thank you for the clarification foggy, that makes sense to me!