matban
Novice
Posts: 3
Liked: 1 time
Joined: Jan 26, 2018 12:19 pm

Feature Request: Opportunistic network encryption

Post by matban »

Hi,

in our company it is required to encrypt all backup traffic. Currently we do this by adding all backup proxies and targets to the "Global Network Traffic Rules" list and checking the box "Encrypt all network traffic". As this can be error prone, we currently address this via the PowerShell automation outlined here.

As the global trend of network communication is evolving to be secure by default (see VMware's opportunistic vMotion encryption for example), I would like to see a configurable option to be able to set opportunistic encryption between Veeam components.

Cheers,

Matthäus
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Feature Request: Opportunistic network encryption

Post by foggy »

Hi Matthäus, do you mean a single setting that will enable encryption between all the components?

Re: Feature Request: Opportunistic network encryption

Post by matban »

Hi,

correct. Just a checkbox or dropdown which changes the behavior from "unencrypted by default" to "encrypted by default".

Re: Feature Request: Opportunistic network encryption

Post by foggy »

Understood. Thanks for the suggestion.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Request: Opportunistic network encryption

Post by Gostev »

Just found this thread while looking for something else. You can use ForceAgentTrafficEncryption registry value to have Veeam encrypt all of its network connections.
signal
Enthusiast
Posts: 65
Liked: 4 times
Joined: Oct 06, 2016 1:19 pm

Re: Feature Request: Opportunistic network encryption

Post by signal »

Gostev wrote: Sep 14, 2018 4:48 pm
"... You can use ForceAgentTrafficEncryption registry value to have Veeam encrypt all of its network connections."

Can you elaborate on what this setting does?
Does it include all command and control traffic between console, backup server, guest interaction proxy, FLR appliance, backup repository, backup proxy and guest?
Any further documentation and/or clarification is welcome.

Re: Feature Request: Opportunistic network encryption

Post by Gostev »

This should be set on the backup server, and it goes into the same/single registry hive where all other registry values we have go. This setting is for data mover to data mover communication only (for the actual payload transfers), as the rest of communications are always encrypted.

Do expect the performance to drop somewhat after you enable this option. Because we had lots of complaints about this after we introduced the traffic encryption option, because we decided to enable one by default as soon as we see a public IP address - and apparently, quite a few users use public IP addresses in their private networks ;) so they all complained about lower performance after upgrade to the corresponding B&R version until we figured out what is going on and gave them a registry value to disable this.
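
The default-encryption heuristic described in this post can be checked against a component inventory before an upgrade or audit. The following is an added example, not part of the original post and not Veeam code: it assumes "public" means outside the RFC 1918 ranges and that one public endpoint is enough to trigger encryption, and the component names, addresses and the `forced` flag (standing in for an encrypt-everything setting) are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Assumption: "public" = anything outside RFC 1918. The thread does not say
# how the product itself classifies addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(addr):
    """True if addr is outside the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

def classify_links(components, forced=False):
    """Map every data mover pair to why (or whether) it would be encrypted.

    "forced"    - encrypt-everything setting assumed enabled
    "public-ip" - at least one endpoint is public, heuristic would trigger
    "plaintext" - neither applies; needs an explicit traffic rule
    """
    result = {}
    for a, b in combinations(sorted(components), 2):
        if forced:
            reason = "forced"
        elif is_public(components[a]) or is_public(components[b]):
            reason = "public-ip"
        else:
            reason = "plaintext"
        result[(a, b)] = reason
    return result

def plaintext_links(components, forced=False):
    """Pairs whose payload traffic would travel unencrypted."""
    links = classify_links(components, forced)
    return [pair for pair, reason in links.items() if reason == "plaintext"]

# Constructed inventory. The 203.0.113.0/24 and 198.51.100.0/24 documentation
# ranges stand in for public addresses, one of them used inside a lab network.
SAMPLE = {
    "proxy-a": "10.20.0.11",
    "proxy-b": "172.20.5.12",
    "proxy-lab": "203.0.113.5",
    "repo-1": "192.168.50.20",
    "repo-dr": "198.51.100.7",
}

if __name__ == "__main__":
    for pair, reason in classify_links(SAMPLE).items():
        print(f"{pair[0]:>10} <-> {pair[1]:<10} {reason}")
```

The pairs reported as `plaintext` are the ones that only a traffic rule or a global encryption setting would cover; the `public-ip` pairs are the ones where the performance drop mentioned above would appear on a network that uses public ranges internally.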

Re: Feature Request: Opportunistic network encryption

Post by signal »

Gostev wrote: Sep 21, 2018 2:55 pm
"This should be set on the backup server, and it goes into the same/single registry hive where all other registry values we have go. This setting is for data mover to data mover communication only (for the actual payload transfers), as the rest of communications are always encrypted."

That last part, "as the rest of communication is always encrypted", makes me curious. This conflicts with other information I have seen.
Is all "command and control" encrypted? If so, what kind of encryption? How can security of this communication be controlled?

Re: Feature Request: Opportunistic network encryption

Post by foggy »

Built-in RPC or .NET encryption (SSPI) is used between the rest of Veeam B&R components.

Re: Feature Request: Opportunistic network encryption

Post by signal »

I'm not sure if this answer satisfies my query.
The console is part of the components? This thread gives a different answer regarding encryption of console traffic.

Where is the RPC or .NET encryption used? Between which components?
What kind of encryption algorithm is used?

Re: Feature Request: Opportunistic network encryption

Post by foggy »

Being Windows clients, backup server and console (if installed separately) negotiate over RPC, which provides SSPI API for secure communications (Kerberos and NTLM).