in which case is network traffic unencrypted?

by mcz » Wed Dec 27, 2017 12:55 pm

Hi everybody,

I know that Veeam has a functionality to encrypt network traffic but I do not exactly know in which cases data will be transferred unencrypted. Say if you take a backup, your proxies only use hotadd and your repository is encrypting the data - where will the data be encrypted? By the proxy on source side? By any other instance?

If we talk about nbd mode (without ssl) I know that at least the read data would be unencrypted, and I think also using replication between two proxies would transfer raw data by default, but as I said I'm not sure how it works between Proxy/Windows Agent and encrypted repository.

Thanks for the clarifications!
mcz
Expert
 
Posts: 154
Liked: 12 times
Joined: Tue Jul 19, 2016 8:39 am
Full Name: Michael

Re: in which case is network traffic unencrypted?

by tdewin » Wed Dec 27, 2017 1:40 pm

Depends.

Data in the repository is encrypted with the key you have set in the job settings "at rest":
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Data between the proxy and repository can be encrypted "in flight". This is done in the network settings:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
There is a checkbox there to encrypt data between 2 endpoints. I think we even encrypt "by default" if public IPs are detected

Data read by the proxy, well that depends. If you use NBD mode in SSL mode, it is encrypted. In hotadd, well the data does not really go over any network. And Direct SAN. Well technically it is not encrypted but it would be rather difficult for a hacker to get on the SAN network since they are isolated from the rest of the world
tdewin
Veeam Software
 
Posts: 1186
Liked: 406 times
Joined: Fri Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin

Re: in which case is network traffic unencrypted?

by mcz » Wed Dec 27, 2017 2:06 pm

Ok thanks for your reply but what you wrote was clear to me. What I do not really understand is if a proxy writes to a CIFS repository, who or what will in the end write the data encrypted to the disk? Does the proxy itself write the data directly to the repository or is there any other instance where the proxy sends the data? If the proxy writes the data directly to the repository, I guess it will be encrypted over the network, otherwise not.

Re: in which case is network traffic unencrypted?

by tdewin » Wed Dec 27, 2017 2:10 pm

In this case, the gateway server is in fact acting as the repository role (well didn't test it, but I'm assuming)
https://helpcenter.veeam.com/docs/backu ... ver=95#smb

So between the proxy and the gateway server, the data is "in flight"

From the gateway server to the CIFS share, the data is already "at rest", because the blocks are encrypted with the job settings password, sent over the network and written to the CIFS share

Re: in which case is network traffic unencrypted?

by mcz » Wed Dec 27, 2017 2:12 pm

Perfect, that was what I wanted to know - thanks!

Re: in which case is network traffic unencrypted?

by mcz » Thu Dec 28, 2017 7:52 am

Timothy, one last question: Where do I see which gateway server for the repository has been used? I checked some logfiles and also took a look at past backup jobs, but I can't find any information about the used gateway server. I just see the default gateway, but that's not what I'm looking for. Thanks!

Re: in which case is network traffic unencrypted?

by tdewin » Thu Dec 28, 2017 10:13 am

Don't have my lab up and running but I would assume you can find it in the job logs. There should be an Agent.log from the datamover that is running on the gateway server, but that log might be stored on the chosen gateway server (under c:\programdata\veeam\...). So you might check the different Windows servers connected to your Veeam B&R

This is another advantage of assigning a static gateway. This way, you are sure that the same / correct server is used.

Re: in which case is network traffic unencrypted?

by foggy » Thu Dec 28, 2017 11:31 am

The job log itself (Job.<Jobname>.Backup.log) should contain this info.
foggy
Veeam Software
 
Posts: 15621
Liked: 1164 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: in which case is network traffic unencrypted?

by mcz » Thu Dec 28, 2017 12:45 pm

Thanks for that comment foggy, I was checking this logfile before but if I search for "gateway" I can only find the default gateway settings... Any idea what the appropriate keyword looks like?

Re: in which case is network traffic unencrypted?

by mcz » Thu Dec 28, 2017 3:47 pm

...meanwhile I have switched on encryption of network traffic for the whole subnet and I can see the effect during replication jobs. However I haven't found the hint "network traffic will be encrypted" within the statistics for the backup jobs and now I'm wondering if Veeam probably skips this step if proxy equals gateway server, could that be? I mean I'm backing up the same VMs and I'm even using the same repository as for the replication jobs where the network traffic is shown as encrypted (in the job statistics) so Veeam should act similar.

Re: in which case is network traffic unencrypted?

by foggy » Thu Dec 28, 2017 4:22 pm

If gateway runs on the proxy itself, there's no network transfer between them, so nothing to encrypt.

Re: in which case is network traffic unencrypted?

by mcz » Fri Dec 29, 2017 7:45 am

Thanks foggy, makes sense. Could it be that Veeam uses more than one gateway for the same backup job? I mean we're having two proxies and Veeam will use both of them during backup job (we have two different hosts, each one hosting a proxy), will there only be one gateway or will probably both proxies send the traffic directly to the repository (which is within the same subnet/lan)?

Re: in which case is network traffic unencrypted?

by foggy » Fri Dec 29, 2017 12:22 pm

It depends on whether per-VM chains are enabled on the repository. If yes, then the source proxy for each VM will be the gateway for it as well. Otherwise, the first proxy that took the task within a job will serve as the gateway for the entire job.
foggy
Veeam Software
 
Posts: 15621
Liked: 1164 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
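
The gateway selection and per-leg encryption described in the replies above can be combined into a small audit model. This is an added example, not part of any post and not Veeam code; the `Job` fields, status strings and the sample job are constructed, and the rules only encode what the thread states.

```python
from dataclasses import dataclass

@dataclass
class Job:
    vm_proxy: dict        # VM -> proxy that processed it; dict order = task order (assumed)
    transport: str        # "nbd", "nbdssl", "hotadd" or "directsan"
    network_rule: bool    # network traffic encryption rule covers proxy and gateway
    job_encryption: bool  # job-level password set, blocks encrypted "at rest"
    per_vm_chains: bool   # per-VM backup chains enabled on the repository

# Source-side read leg, per transport mode, as described in the thread.
READ_STATUS = {
    "nbd": "unencrypted",
    "nbdssl": "encrypted (SSL)",
    "hotadd": "no network hop",
    "directsan": "unencrypted (isolated SAN)",
}

def gateway_for(job, vm):
    """Automatic gateway choice: the VM's own proxy with per-VM chains,
    otherwise the first proxy that took a task in the job."""
    if job.per_vm_chains:
        return job.vm_proxy[vm]
    return next(iter(job.vm_proxy.values()))

def audit(job):
    """Return {vm: [(leg, status), ...]} for the three legs of the backup path."""
    report = {}
    for vm, proxy in job.vm_proxy.items():
        gw = gateway_for(job, vm)
        if proxy == gw:
            flight = "no network hop"   # gateway runs on the proxy itself
        else:
            flight = "in-flight encrypted" if job.network_rule else "no in-flight encryption"
        share = "encrypted blocks (job password)" if job.job_encryption else "unencrypted"
        report[vm] = [(f"source -> {proxy}", READ_STATUS[job.transport]),
                      (f"{proxy} -> gateway {gw}", flight),
                      (f"gateway {gw} -> CIFS share", share)]
    return report

def exposed_legs(job):
    """Legs that cross the LAN without the protection the thread describes."""
    flagged = ("unencrypted", "no in-flight encryption")
    return [(vm, leg) for vm, legs in audit(job).items()
            for leg, status in legs if status in flagged]

if __name__ == "__main__":
    # Constructed job: two proxies, hotadd, job password set, no network rule.
    job = Job({"vm-a": "proxy1", "vm-b": "proxy2", "vm-c": "proxy1"},
              "hotadd", False, True, False)
    print(exposed_legs(job))   # only vm-b crosses the LAN to the shared gateway
```

With per-VM chains off, the second proxy's data has to reach the first proxy acting as gateway, so that leg is the one the network encryption rule needs to cover.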

Re: in which case is network traffic unencrypted?

by mcz » Wed Jan 03, 2018 7:51 am

Thank you for the clarification foggy, that makes sense to me!