-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
in which case is network traffic unencrypted?
Hi everybody,
I know that veeam has a functionality to encrypt network traffic but I do not exactly know in which cases data will be transferred unencrypted. Say if you take a backup, your proxies only use hotadd and your repository is encrypting the data - where will the data be encrypted? By the proxy on source side? By any other instance?
If we talk about nbd mode (without ssl) I know that at least the read data would be unencrypted and I think also using replication between two proxies would transfer raw data per default but as I said I'm not sure how it works between Proxy/Windows Agent and encrypted repository.
Thanks for the clarifications!
-
- Veeam Software
- Posts: 1856
- Liked: 669 times
- Joined: Mar 02, 2012 1:40 pm
- Full Name: Timothy Dewin
- Contact:
Re: in which case is network traffic unencrypted?
Depends.
Data in the repository is encrypted with the key you have set in the job settings "at rest":
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
Data between the proxy and repository can be encrypted "in flight". This is done in the network settings:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
There is a checkbox there to encrypt data between 2 endpoints. I think we even encrypt "by default" if public IPs are detected
Data read by the proxy, well that depends. If you use NBD mode in SSL mode, it is encrypted. In hotadd, well the data does not really go over any network. And Direct SAN. Well technically it is not encrypted but it would be rather difficult for a hacker to get on the SAN network since they are isolated from the rest of the world
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Ok thanks for your reply but what you wrote was clear to me. What I do not really understand is if a proxy writes to a CIFS repository, who or what will in the end write the data encrypted to the disk? Does the proxy itself write the data directly to the repository or is there any other instance where the proxy sends the data? If the proxy writes the data directly to the repository, I guess it will be encrypted over the network, otherwise not.
-
- Veeam Software
- Posts: 1856
- Liked: 669 times
- Joined: Mar 02, 2012 1:40 pm
- Full Name: Timothy Dewin
- Contact:
Re: in which case is network traffic unencrypted?
In this case, the gateway server is in fact acting as the repository role (well didn't test it, but I'm assuming)
https://helpcenter.veeam.com/docs/backu ... ver=95#smb
So between the proxy and the gateway server, the data is "in flight"
From the gateway server to the cifs share, the data is already "at rest", because the blocks are encrypted with the job settings password, sent over the network and written to the cifs share
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Perfect, that was what I wanted to know - thanks!
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Timothy, one last question: Where do I see which gateway server for the repository has been used? I checked some logfiles and also took a look at past backup jobs, but I can't find any information about the used gateway server. I just see the default gateway, but that's not what I'm looking for. Thanks!
-
- Veeam Software
- Posts: 1856
- Liked: 669 times
- Joined: Mar 02, 2012 1:40 pm
- Full Name: Timothy Dewin
- Contact:
Re: in which case is network traffic unencrypted?
Don't have my lab up and running but I would assume you can find in the job logs. There should be an Agent.log from the datamover that is running on the gateway server, but that log might be stored on the chosen gateway server (under c:\programdata\veeam\...). So you might check the different windows servers connected to your Veeam B&R
This is another advantage of assigning a static gateway. This way, you are sure that the same / correct server is used.
-
- Veeam Software
- Posts: 21181
- Liked: 2163 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: in which case is network traffic unencrypted?
The job log itself (Job.<Jobname>.Backup.log) should contain this info.
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Thanks for that comment foggy, I was checking this logfile before but if I search for "gateway" I can only find the default gateway settings... Any idea what the appropriate keyword looks like?
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
...meanwhile I have switched on encryption of network traffic for the whole subnet and I can see the effect during replication jobs. However I haven't found the hint "network traffic will be encrypted" within the statistics for the backup jobs and now I'm wondering if veeam probably skips this step, if proxy equals gateway server, could that be? I mean I'm backing up the same vm's and I'm even using the same repository as for the replication jobs where the network traffic is shown as encrypted (in the job statistics) so veeam should act similar.
-
- Veeam Software
- Posts: 21181
- Liked: 2163 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: in which case is network traffic unencrypted?
If gateway runs on the proxy itself, there's no network transfer between them, so nothing to encrypt.
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Thanks foggy, makes sense. Could it be that veeam uses more than one gateway for the same backup job? I mean we're having two proxies and veeam will use both of them during backup job (we have two different hosts, each of one hosting a proxy), will there only be one gateway or will probably both proxies send the traffic directly to the repository (which is within the same subnet/lan)?
-
- Veeam Software
- Posts: 21181
- Liked: 2163 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: in which case is network traffic unencrypted?
It depends on whether per-VM chains are enabled on the repository. If yes, then the source proxy for each VM will be the gateway for it as well. Otherwise, the first proxy that took the task within a job will serve as the gateway for the entire job.
-
- Veteran
- Posts: 948
- Liked: 223 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: in which case is network traffic unencrypted?
Thank you for the clarification foggy, that makes sense to me!
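The data-path rules stated across this thread, as an added example that is not part of any post and is not Veeam code: a small Python model that lists each hop of a VM's backup data and flags the ones the replies describe as unencrypted. The `Job` fields, host names and sample job are constructed for illustration, and the cleartext label on the share hop when no job password is set is an assumption the thread does not cover.

```python
from dataclasses import dataclass

@dataclass
class Job:                      # hypothetical model, not a Veeam object
    transport: str              # "nbd", "nbdssl", "hotadd" or "san"
    proxies: list               # proxies in the order they took tasks
    vm_proxy: dict              # VM name -> source proxy that processed it
    per_vm_chains: bool         # per-VM chains enabled on the repository
    network_rule: bool          # in-flight encryption rule covers the hosts
    job_encryption: bool        # job-level ("at rest") password set
    static_gateway: str = None  # statically assigned gateway, if any

def gateway_for(job, vm):
    if job.static_gateway:
        return job.static_gateway
    # Thread: with per-VM chains the source proxy is the gateway for its VM;
    # otherwise the first proxy that took a task serves the entire job.
    return job.vm_proxy[vm] if job.per_vm_chains else job.proxies[0]

def hops(job, vm):
    """Return (hop, protection) tuples for one VM's data path to a CIFS share."""
    proxy, gw = job.vm_proxy[vm], gateway_for(job, vm)
    read = {"nbd": "cleartext", "nbdssl": "encrypted in flight",
            "hotadd": "no network transfer",
            "san": "cleartext (isolated SAN)"}[job.transport]
    out = [(f"source -> {proxy}", read)]
    if proxy == gw:   # gateway runs on the proxy: nothing to encrypt
        link = "no network transfer"
    else:
        link = "encrypted in flight" if job.network_rule else "cleartext"
    out.append((f"{proxy} -> {gw}", link))
    # Assumption: without a job password the blocks reach the share unencrypted.
    out.append((f"{gw} -> cifs share",
                "job-encrypted blocks" if job.job_encryption else "cleartext"))
    return out

def cleartext_hops(job):
    """Distinct hops, across all VMs, that carry unencrypted backup data."""
    return sorted({h for vm in job.vm_proxy for h, p in hops(job, vm)
                   if p.startswith("cleartext")})

# Constructed sample: two hotadd proxies, no per-VM chains, no network rule.
SAMPLE = Job("hotadd", ["proxy1", "proxy2"],
             {"vm-a": "proxy1", "vm-b": "proxy2"}, False, False, True)

if __name__ == "__main__":
    for hop in cleartext_hops(SAMPLE):
        print("unencrypted:", hop)
```

In the sample, the only exposed hop is the one from the second proxy to the first, which is acting as gateway for the whole job.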