IBM Tivoli Storage Manager: Building a Secure Environment (SG24-7505)

Upload: bupbechanh

Post on 05-Apr-2018


  • 7/31/2019 IBM Tivoli Storage Manager Building a Secure Environment Sg247505

    ibm.com/redbooks

    Front cover

    IBM Tivoli Storage Manager

    Building a Secure Environment

    Charlotte Brook
    Lloyd Diete

    Dan Edward

    Helder Garc

    Carsten Hah

    Matthew Le

    Are you as safe as you think you are?

    Understanding security threats

    Is encryption right for you?

    http://www.redbooks.ibm.com/

    International Technical Support Organization

    IBM Tivoli Storage Manager: Building a Secure Environment

    June 2007

    SG24-7505-00

    Copyright International Business Machines Corporation 2007. All rights reserved.

    Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule

    Contract with IBM Corp.

    First Edition (June 2007)

    This edition applies to Version 5.4 of IBM Tivoli Storage Manager (5608-ISM) and IBM Tivoli Storage Manager Extended Edition (5608-ISX).

    Note: Before using this information and the product it supports, read the information in Notices on page xiii.

    Contents

    Figures . . . . . . . . . . ix
    Notices . . . . . . . . . . xiii
    Trademarks . . . . . . . . . . xiv
    Preface . . . . . . . . . . xv
    The team that wrote this book . . . . . . . . . . xv
    Become a published author . . . . . . . . . . xvii
    Comments welcome . . . . . . . . . . xviii

    Chapter 1. Introduction . . . . . . . . . . 1
    1.1 Overview of this book . . . . . . . . . . 2
    1.2 Why is security important . . . . . . . . . . 3
    1.2.1 Why is Tivoli Storage Manager security important . . . . . . . . . . 3
    1.2.2 Tivoli Storage Manager security objectives . . . . . . . . . . 3
    1.3 How is Tivoli Storage Manager security implemented . . . . . . . . . . 4
    1.4 Types of threats . . . . . . . . . . 5
    1.4.1 Threats from within the organization . . . . . . . . . . 5
    1.4.2 Threats from outside the organization . . . . . . . . . . 5
    1.4.3 Threats to physical storage of data . . . . . . . . . . 6
    1.4.4 Threats when data is transmitted . . . . . . . . . . 6
    1.5 Data transport methodologies with Tivoli Storage Manager . . . . . . . . . . 7
    1.5.1 Review of the Open Systems Interface data model . . . . . . . . . . 7
    1.5.2 Interfacing networks together . . . . . . . . . . 8
    1.5.3 A review of OSI Layer 1 - Physical Layer . . . . . . . . . . 10
    1.5.4 A review of Fibre Channel technology . . . . . . . . . . 11
    1.5.5 A review of VPN technology . . . . . . . . . . 12
    1.5.6 Networking summary . . . . . . . . . . 13
    1.6 Tivoli Storage Manager data movement and storage . . . . . . . . . . 13
    1.6.1 On-site data movement . . . . . . . . . . 14
    1.6.2 Off-site data movement . . . . . . . . . . 15
    1.6.3 Server-to-server data movement . . . . . . . . . . 16
    1.7 Introduction to encryption . . . . . . . . . . 16
    1.7.1 Symmetric encryption . . . . . . . . . . 17
    1.7.2 Asymmetric encryption . . . . . . . . . . 17
    1.7.3 Certificates, keystores, and key managers . . . . . . . . . . 18
    1.8 Tivoli Storage Manager client data encryption . . . . . . . . . . 19
    1.8.1 DES56 . . . . . . . . . . 19
    1.8.2 AES128 . . . . . . . . . . 19
    1.9 Tape encryption . . . . . . . . . . 19

    Part 1. Tivoli Storage Manager client considerations . . . . . . . . . . 21

    Chapter 2. Client sessions . . . . . . . . . . 23
    2.1 Client authentication . . . . . . . . . . 24
    2.1.1 Command line authentication flow (non-root user) . . . . . . . . . . 24
    2.1.2 Command line and scheduler authentication flow (root user) . . . . . . . . . . 25
    2.1.3 Web access authentication flow . . . . . . . . . . 25
    2.2 Communication between the server and the client . . . . . . . . . . 26

    2.2.1 Session types . . . . . . . . . . 27
    2.3 Multi-session and transaction data flow . . . . . . . . . . 28
    2.3.1 Multi-session . . . . . . . . . . 28
    2.3.2 Client thread types . . . . . . . . . . 29
    2.3.3 Transactions . . . . . . . . . . 31

    Chapter 3. Client files and services management . . . . . . . . . . 33
    3.1 Access controls . . . . . . . . . . 34
    3.1.1 Types of users . . . . . . . . . . 34
    3.1.2 Ownership and access permissions . . . . . . . . . . 39
    3.1.3 Mapping allowable tasks to users . . . . . . . . . . 43
    3.1.4 Protecting the UNIX and Linux client files . . . . . . . . . . 45
    3.2 The client services and daemons . . . . . . . . . . 47
    3.2.1 Running services on Windows . . . . . . . . . . 48
    3.2.2 Running services on UNIX or Linux . . . . . . . . . . 51
    3.3 Shared drives and file systems . . . . . . . . . . 52
    3.3.1 Windows shared drives . . . . . . . . . . 52
    3.3.2 UNIX and Linux Network File System . . . . . . . . . . 56

    Chapter 4. Securing the client . . . . . . . . . . 59
    4.1 Client authentication . . . . . . . . . . 60
    4.1.1 Authentication methods . . . . . . . . . . 60
    4.1.2 Password processing . . . . . . . . . . 61
    4.1.3 Registering nodes without an administrator ID . . . . . . . . . . 65
    4.1.4 Password rules . . . . . . . . . . 67
    4.2 Command action schedules . . . . . . . . . . 68
    4.3 Pre and post commands . . . . . . . . . . 68
    4.4 Authority of scheduled commands . . . . . . . . . . 69
    4.5 Scheduled restores and retrieves . . . . . . . . . . 69
    4.6 Access restriction by user or group . . . . . . . . . . 69
    4.7 Remote access . . . . . . . . . . 70
    4.8 Cross client restores . . . . . . . . . . 70
    4.8.1 Restoring your data to another workstation . . . . . . . . . . 70
    4.8.2 Restoring data from another workstation locally . . . . . . . . . . 72
    4.9 Proxy nodes . . . . . . . . . . 73
    4.10 Manipulating node objects . . . . . . . . . . 74
    4.10.1 Deactivated nodes . . . . . . . . . . 74
    4.10.2 Renaming nodes . . . . . . . . . . 75
    4.11 Controlling client options from the server . . . . . . . . . . 76
    4.12 Other considerations . . . . . . . . . . 77
    4.12.1 Physical security . . . . . . . . . . 77
    4.12.2 Operating system and network security . . . . . . . . . . 77
    4.12.3 Encryption . . . . . . . . . . 78

    Part 2. Encryption . . . . . . . . . . 79

    Chapter 5. Tivoli Storage Manager client data encryption . . . . . . . . . . 81
    5.1 Client encryption primer . . . . . . . . . . 82
    5.1.1 Encryption of session traffic . . . . . . . . . . 82
    5.1.2 Encryption of data traffic . . . . . . . . . . 83
    5.2 Platforms that can use client data encryption . . . . . . . . . . 87
    5.2.1 Advantages of client side data encryption . . . . . . . . . . 87
    5.2.2 Considerations for client side data encryption . . . . . . . . . . 88
    5.2.3 Using data encryption with client compression . . . . . . . . . . 88

    5.3 Backup/archive client encryption key management . . . . . . . . . . 88
    5.3.1 Session keys . . . . . . . . . . 88
    5.3.2 Data encryption keys . . . . . . . . . . 89
    5.4 Data encryption using the backup/archive client . . . . . . . . . . 91
    5.4.1 Enabling encryption . . . . . . . . . . 91
    5.4.2 Include and exclude statements . . . . . . . . . . 91
    5.4.3 PASSWORDACCESS and ENCRYPTKEY interaction . . . . . . . . . . 91
    5.4.4 Backup/archive client session examples . . . . . . . . . . 92
    5.4.5 Verifying that backed up data is encrypted . . . . . . . . . . 99
    5.5 Data encryption using the API client . . . . . . . . . . 100
    5.5.1 API application-managed encryption . . . . . . . . . . 100
    5.5.2 API transparent encryption . . . . . . . . . . 101
    5.5.3 Verifying that API data is encrypted . . . . . . . . . . 102
    5.6 Performance observations of the backup/archive client . . . . . . . . . . 105
    5.7 Upgrading the level of the Tivoli Storage Manager client . . . . . . . . . . 112
    5.8 Changing the client host name . . . . . . . . . . 112
    5.9 Encryption and hierarchical storage management clients . . . . . . . . . . 112
    5.10 Encryption and LAN-free . . . . . . . . . . 112

    Chapter 6. TS1120 Tape encryption . . . . . . . . . . 113
    6.1 Introduction to TS1120 encryption options . . . . . . . . . . 114
    6.2 IBM System Storage TS1120 Tape Drive overview . . . . . . . . . . 115
    6.2.1 TS1120 tape drive . . . . . . . . . . 115
    6.2.2 Encryption Key Manager (EKM) software . . . . . . . . . . 116
    6.2.3 Encryption policy configuration . . . . . . . . . . 119
    6.2.4 Tivoli Storage Manager with AME . . . . . . . . . . 121
    6.2.5 Tivoli Storage Manager with LME . . . . . . . . . . 123
    6.2.6 Tivoli Storage Manager with SME . . . . . . . . . . 124
    6.3 Encryption on a TS3500 Tape Library with ALMS . . . . . . . . . . 125
    6.4 Configuration with different encryption methods . . . . . . . . . . 126
    6.4.1 AME configuration details . . . . . . . . . . 126
    6.4.2 Configuring EKM . . . . . . . . . . 129
    6.4.3 Device configuration . . . . . . . . . . 140
    6.4.4 LME configuration details . . . . . . . . . . 141
    6.4.5 SME configuration details . . . . . . . . . . 147
    6.5 EKM server backup and recovery . . . . . . . . . . 152
    6.5.1 EKM server disaster recovery considerations . . . . . . . . . . 152
    6.6 Recommended best practices . . . . . . . . . . 153
    6.7 References . . . . . . . . . . 155

    Part 3. Tivoli Storage Manager server considerations . . . . . . . . . . 157

    Chapter 7. Server administration . . . . . . . . . . 159
    7.1 Security concerns for the Tivoli Storage Manager server . . . . . . . . . . 160
    7.2 Overview of Tivoli Storage Manager administrator roles . . . . . . . . . . 160
    7.2.1 No authority granted . . . . . . . . . . 160
    7.2.2 System . . . . . . . . . . 160
    7.2.3 Policy . . . . . . . . . . 161
    7.2.4 Storage . . . . . . . . . . 163
    7.2.5 Operator . . . . . . . . . . 166
    7.2.6 Analyst . . . . . . . . . . 167
    7.2.7 Node . . . . . . . . . . 167
    7.2.8 Administrator IDs . . . . . . . . . . 168
    7.2.9 Special administrator IDs . . . . . . . . . . 169

    7.2.10 Server options related to administrative privilege . . . . . . . . . . 170
    7.3 A typical implementation of administrator roles . . . . . . . . . . 172
    7.4 Maintaining an audit trail . . . . . . . . . . 172
    7.4.1 Activity log . . . . . . . . . . 173
    7.4.2 Server summary table . . . . . . . . . . 174
    7.4.3 Accounting records . . . . . . . . . . 176
    7.4.4 Event receivers . . . . . . . . . . 177
    7.5 Controlling access to the server . . . . . . . . . . 181
    7.5.1 Commands and options affecting the entire server . . . . . . . . . . 181
    7.5.2 Commands and options that affect client nodes . . . . . . . . . . 183
    7.5.3 Session control . . . . . . . . . . 184
    7.6 Using the server to manage operations on a client node . . . . . . . . . . 185
    7.6.1 General considerations for scheduled client operations . . . . . . . . . . 185
    7.6.2 Session initiation . . . . . . . . . . 186
    7.7 Securing a network of Tivoli Storage Manager servers . . . . . . . . . . 188
    7.8 Encryption for server-to-server communication . . . . . . . . . . 188
    7.8.1 Server-to-server session setup encryption . . . . . . . . . . 189
    7.9 Command routing . . . . . . . . . . 191
    7.10 Virtual volumes . . . . . . . . . . 191
    7.11 Using a configuration manager . . . . . . . . . . 194
    7.11.1 Security aspects of profiles . . . . . . . . . . 194
    7.11.2 Administrator ID management . . . . . . . . . . 195
    7.11.3 Policy management . . . . . . . . . . 196
    7.11.4 Other profile associations . . . . . . . . . . 197
    7.12 Security considerations for exports and backup sets . . . . . . . . . . 197
    7.13 Administrator roles and Operational Reporting . . . . . . . . . . 198
    7.13.1 Operational Reporting overview . . . . . . . . . . 199
    7.13.2 Operational Reporting connections to the Tivoli Storage Manager server . . . . . . . . . . 199
    7.14 Integrated Solutions Console security . . . . . . . . . . 202
    7.14.1 Adding administrators to the ISC/Administration Center . . . . . . . . . . 202
    7.14.2 Connecting ISC and Tivoli Storage Manager administrator IDs . . . . . . . . . . 205
    7.15 ISC/AC communication security . . . . . . . . . . 207
    7.15.1 Web browser link to ISC/AC . . . . . . . . . . 207
    7.15.2 ISC/AC to Tivoli Storage Manager server . . . . . . . . . . 208
    7.16 Setting up SSL for the ISC/AC . . . . . . . . . . 210
    7.16.1 Overview of the required steps . . . . . . . . . . 210
    7.16.2 Create key and trust files . . . . . . . . . . 210
    7.16.3 Create the JACL script . . . . . . . . . . 221
    7.16.4 Modify wsadmin.properties to reflect the correct SOAP port . . . . . . . . . . 222
    7.16.5 Run wsadmin on the JACL script . . . . . . . . . . 223
    7.16.6 Modify the ConfigService.properties file . . . . . . . . . . 223
    7.16.7 Modify the web.xml file . . . . . . . . . . 223
    7.16.8 Stop the ISC portal . . . . . . . . . . 224
    7.16.9 Modify the soap.client.props file . . . . . . . . . . 224
    7.16.10 Start the ISC/AC . . . . . . . . . . 224

    Chapter 8. Storage pool considerations . . . . . . . . . . 227
    8.1 Storage pool overview . . . . . . . . . . 228
    8.1.1 Primary storage pools . . . . . . . . . . 228
    8.1.2 Copy storage pools . . . . . . . . . . 228
    8.1.3 Active-data storage pools . . . . . . . . . . 228
    8.2 How is data written to storage pools . . . . . . . . . . 228
    8.2.1 Disk storage pool volume . . . . . . . . . . 229

    8.2.2 Tape storage pool volume . . . . . . . . . . 230
    8.3 Encrypted data in storage pools . . . . . . . . . . 236
    8.3.1 Tivoli Storage Manager client encryption . . . . . . . . . . 236
    8.3.2 Tivoli Storage Manager tape encryption usage . . . . . . . . . . 237
    8.4 Data shredding . . . . . . . . . . 237
    8.4.1 Why use data shredding . . . . . . . . . . 238
    8.4.2 Setting up shredding . . . . . . . . . . 239
    8.4.3 Storage pool shredding considerations . . . . . . . . . . 243
    8.5 How to protect your data in storage pools . . . . . . . . . . 244

    Chapter 9. Deployment in a network secured environment . . . . . . . . . . 247
    9.1 What is a DMZ . . . . . . . . . . 248
    9.2 Tivoli Storage Manager clients in a DMZ . . . . . . . . . . 248
    9.2.1 TCP/IP ports . . . . . . . . . . 249
    9.2.2 Example configuration . . . . . . . . . . 251
    9.2.3 Initiating scheduled sessions . . . . . . . . . . 252
    9.2.4 Server-initiated sessions: Configuration example . . . . . . . . . . 254
    9.3 Sample configurations and best practice recommendations . . . . . . . . . . 262
    9.3.1 Tivoli Storage Manager server in a DMZ . . . . . . . . . . 262
    9.3.2 Tivoli Storage Manager server not in a DMZ . . . . . . . . . . 262
    9.3.3 Tivoli Storage Manager server in a dedicated network in the DMZ . . . . . . . . . . 263
    9.3.4 Backing up clients of different security levels on the same server . . . . . . . . . . 263

    Chapter 10. Protecting the server . . . . . . . . . . 265
    10.1 Overview . . . . . . . . . . 266
    10.2 Security policy considerations . . . . . . . . . . 266
    10.3 Operating system security considerations . . . . . . . . . . 267
    10.3.1 UNIX and Linux . . . . . . . . . . 268
    10.3.2 Windows . . . . . . . . . . 269
    10.4 Network security considerations . . . . . . . . . . 270
    10.4.1 Wired network security . . . . . . . . . . 270
    10.4.2 Wireless network security . . . . . . . . . . 273
    10.5 Security assessment tools . . . . . . . . . . 274
    10.6 Human aspects of security . . . . . . . . . . 276
    10.6.1 Social engineering . . . . . . . . . . 276
    10.7 Environmental considerations . . . . . . . . . . 277
    10.8 High availability considerations . . . . . . . . . . 277
    10.9 Change management considerations . . . . . . . . . . 278
    10.10 Security audit . . . . . . . . . . 278
    10.11 Tivoli Storage Manager server running as a non-root user . . . . . . . . . . 279
    10.11.1 Why run as a non-root user . . . . . . . . . . 280
    10.11.2 Set up the non-root user environment . . . . . . . . . . 282
    10.11.3 Scripts to start and stop the Tivoli Storage Manager service . . . . . . . . . . 287
    10.11.4 Location of Tivoli Storage Manager files for disaster recovery . . . . . . . . . . 290
    10.12 References . . . . . . . . . . 290

    Part 4. Recovery scenarios and summarized guidelines . . . . . . . . . . 291

    Chapter 11. Providing a secure disaster recovery environment . . . . . . . . . . 293
    11.1 Disaster recovery planning . . . . . . . . . . 295
    11.1.1 Seven tiers of disaster recovery solutions . . . . . . . . . . 295
    11.2 Off-site data vaulting . . . . . . . . . . 298
    11.2.1 Choosing a balance between cost and security . . . . . . . . . . 298
    11.2.2 Hot site and security (BC Tier 2) . . . . . . . . . . 300

11.2.3 Warm site and security (BC Tier 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
11.2.4 Cold site and security (BC Tier 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

11.2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
11.3 Data encryption and disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

11.3.1 No data encryption used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
11.3.2 Tivoli Storage Manager-provided encryption . . . . . . . . . . . . . . . . . . . . . 304

11.3.3 System-managed encryption and library-managed encryption . . . . . . . . 307
11.3.4 Off-site encryption key and password handling . . . . . . . . . . . . . . . . . . . 308

11.4 Tape and data security using SAN access . . . . . . . . . . . . . . . . . . . . . . . . . 309
11.5 Virtual volumes and security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

    11.5.1 A review of virtual volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

11.6 Database backup security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
11.7 Copy storage pool security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
11.8 Backup set security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
11.9 Active-data pool security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
11.10 Tivoli Continuous Data Protection security . . . . . . . . . . . . . . . . . . . . . . . . 314
11.11 Special tape topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

    11.11.1 If a tape is scratched or overwritten, can you still access older data . . . . . . . 314

11.11.2 Erasing or destroying media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
11.12 Best practices for off-site data vaulting and security . . . . . . . . . . . . . . . . . 316

Chapter 12. Recovery and prevention of security breaches or data loss . . . . . . 319
12.1 Legal and compliance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

12.2 Missing storage pool volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
12.2.1 Missing copy storage tape volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
12.2.2 Missing primary storage pool tape volume . . . . . . . . . . . . . . . . . . . . . . . 323
12.2.3 Missing active-data storage pool tapes . . . . . . . . . . . . . . . . . . . . . . . . . 325
12.2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

    12.3 A missing or stolen database backup tape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

12.4 Stolen Tivoli Storage Manager server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
12.5 Missing client backup set tapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

12.6 Unauthorized tape drive and library and data access . . . . . . . . . . . . . . . . . 333
12.7 Encryption-related recovery topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

    12.7.1 A lost, forgotten, or destroyed client encryption key . . . . . . . . . . . . . . . . . . . . . 334

Chapter 13. Guidelines for audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
13.1 Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

13.2 Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
13.3 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
13.4 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

13.5 Physical security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
13.6 Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
13.7 People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

13.8 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
13.9 Categorize your data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
How to get IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

    Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345


    Figures

    1-1 Open Systems Interface (OSI) Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1-2 Interfacing between networks using repeaters, hubs, bridges, switches, and routers . . 9
1-3 OSI Layer 1 - Physical connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1-4 Fiber optic cables: single-mode and multi-mode . . . . . . . . . . . . . . . . . . . . . . . . . 11
1-5 VPN with IPSec over an Internet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1-6 Tivoli Storage Manager on-site data movement . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1-7 DRM off-site rotation to an external vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1-8 Symmetric key encryption process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1-9 Asymmetric key encryption process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2-1 Non-root dsmc authentication flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2-2 Tivoli Storage Manager dsmc authentication flow . . . . . . . . . . . . . . . . . . . . . . . . 25
2-3 Tivoli Storage Manager Java Applet-dsmagent authentication flow . . . . . . . . . . . 26
2-4 Producer-Consumer model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2-5 Producer - Consumer transaction handling and multithreaded backup . . . . . . . . 30
2-6 Transaction processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3-1 Manage auditing and security log Security Settings . . . . . . . . . . . . . . . . . . . . . . 38
3-2 Ownership of backed up objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3-3 Ownership of archived objects for non-authorized users . . . . . . . . . . . . . . . . . . . 41

3-4 Ownership of archived objects for authorized users . . . . . . . . . . . . . . . . . . . . . . 41
3-5 Authorization check to access objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3-6 Tivoli Storage Manager basic services on Windows . . . . . . . . . . . . . . . . . . . . . . 48
3-7 Check disk quota restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3-8 Changing the logon properties of a service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3-9 System State backup on Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . 55

3-10 Registry backup on Windows XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4-1 Log-in process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

4-2 Password encrypted on Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4-3 Using node name authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4-4 Using Web Client and Administrator validation . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4-5 Restoring data to another workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4-6 Restoring files from other workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4-7 Proxy node configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

4-8 Preventing include option from client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5-1 GUI encryption key password dialog box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5-2 Registry entry for encryption key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5-3 Prompt during backup if saved encryption key is not present . . . . . . . . . . . . . . . 94
5-4 Prompt during restore if saved encryption key is unavailable . . . . . . . . . . . . . . . 95
5-5 Error when invalid key is presented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

5-6 Prompt during backup if saved encryption key is not present . . . . . . . . . . . . . . . 96
5-7 Prompt during restore-saved if encryption key is unavailable . . . . . . . . . . . . . . . 97
5-8 Error when invalid key is presented . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

5-9 Unencrypted data sent from API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5-10 Portion of an encrypted data packet sent through the API using dapismp . . . . 105
5-11 CPU utilization for test one . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5-12 CPU utilization for test two . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5-13 CPU utilization for test three with AES128 encryption . . . . . . . . . . . . . . . . . . . 110
5-14 CPU utilization for test four with AES128 encryption . . . . . . . . . . . . . . . . . . . . 111
6-1 TS1120 encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114


6-2 Logical diagram of the TS1120 tape drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6-3 EKM uses both symmetric and asymmetric encryption keys . . . . . . . . . . . . . . . 117

6-4 Encryption data flow for the AME process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
6-5 Decryption data flow for the AME process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
6-6 Library-managed tape encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
6-7 Key and policy flow in a SME environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

6-8 Output from Library Specialist indicating tape J12457 is encrypted . . . . . . . . . . 129
6-9 Adding EKM server TCP/IP addresses to Tape specialist . . . . . . . . . . . . . . . . . 140
6-10 Ping connectivity test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6-11 Output indicating successful ping of the EKM server from the tape library . . . . 141
6-12 Example of logical libraries within the Tape Specialist . . . . . . . . . . . . . . . . . . . 141

6-13 Example of how to enable the logical library for LME . . . . . . . . . . . . . . . . . . . 142
6-14 Library 20-33 has been enabled with the LME method . . . . . . . . . . . . . . . . . . 142
6-15 Barcode encryption policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6-16 Tape SJ0011 is not encrypted before it is used . . . . . . . . . . . . . . . . . . . . . . . . 144
6-17 Output from the Tape Specialist after the archiving test . . . . . . . . . . . . . . . . . . 145
6-18 Tape Specialist configuring the logical library with SME . . . . . . . . . . . . . . . . . . 148
6-19 Two EKM servers with a shared configuration . . . . . . . . . . . . . . . . . . . . . . . . . 152

7-1 Web client error from missing node authorities . . . . . . . . . . . . . . . . . . . . . . . . . 168
7-2 Web client error with locked administrator ID . . . . . . . . . . . . . . . . . . . . . . . . . . 168

7-3 Server ACTLOG table columns and descriptions . . . . . . . . . . . . . . . . . . . . . . . . 173
7-4 Server summary table fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
7-5 Format of data that is written using filetextexit . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7-6 Administrative command logged to application event log . . . . . . . . . . . . . . . . . . 181
7-7 Web client error when SERVERONLY initiation is specified . . . . . . . . . . . . . . . . 187
7-8 Setup for server-to-server tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
7-9 Data packet when using server-to-server virtual volumes . . . . . . . . . . . . . . . . . . 193
7-10 Tivoli Storage Manager server network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7-11 Automatic entry for local Tivoli Storage Manager server on Windows . . . . . . . . 200

7-12 Setting the administrator ID in Operational Reporting . . . . . . . . . . . . . . . . . . . 200
7-13 Wizards in the Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
7-14 ISC/AC user and group management panel . . . . . . . . . . . . . . . . . . . . . . . . . . 202
7-15 Add user dialog box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7-16 Newly added ISC/AC administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7-17 Users and group management menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7-18 All portal user groups menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7-19 Iscadmins group menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

7-20 Add server connection menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7-21 Dialog for creating server connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
7-22 Successful server connection definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
7-23 ikeyman utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
7-24 Server key file name and location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
7-25 Password prompt for server key file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

7-26 Create a new self-signed certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
7-27 Self-signed certificate menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
7-28 Successful creation of personal self-signed certificate . . . . . . . . . . . . . . . . . . . 213

7-29 Extract Certificate button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
7-30 Enter the file name and location for the extracted server certificate . . . . . . . . . 214
7-31 Setting the name for the server trust file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
7-32 Password prompt for the server trust file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7-33 Add a new certificate to the server trust file . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7-34 Specifying the server certificate to import . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
7-35 Successful import of server certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216


7-36 Creating another key file for the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
7-37 Enter file name and directory path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

7-38 Password prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
7-39 Create a new self-signed certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
7-40 Values for the client self-signed certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
7-41 Successful creation of client key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

7-42 File name for exported client key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7-43 File name for client trust file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7-44 Password for client key trust file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7-45 Selecting the client key to import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7-46 Enter the label for the certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

7-47 URL for successful SSL connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
7-48 SSL-enabled session indicator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
8-1 Word.doc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
8-2 How data shredding works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
9-1 A sample DMZ configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
9-2 Overview of TCP/IP parameters in dsm.opt and dsmserv.opt . . . . . . . . . . . . . . 250
9-3 Prevent administrative access through a firewall . . . . . . . . . . . . . . . . . . . . . . . . 252

9-4 Dedicated network for backup in DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
10-1 Packet filtering firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

10-2 Circuit level gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
10-3 Application firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
10-4 Stateful Inspection firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11-1 Seven tiers of disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
11-2 Production and hot site model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
11-3 Production and Warm site model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
11-4 Server-to-server virtual volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310


    Notices

    This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

    COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.


    Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

Redbooks (logo), i5/OS, z/OS, AIX 5L, AIX, Domino, DB2, DFSMS, FlashCopy, GDPS, GPFS, HyperSwap, HACMP, IBM, Lotus, MQSeries, Netcool, OS/400, Redbooks, System i, System p, System z, System Storage, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli, TotalStorage

    The following terms are trademarks of other companies:

SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries.

Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or its affiliates.

Snapshot, NetApp, and the Network Appliance logo are trademarks or registered trademarks of Network Appliance, Inc. in the U.S. and other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Java, JRE, Solaris, Streamline, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Active Directory, Excel, Microsoft, MSDN, Windows NT, Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

    Other company, product, or service names may be trademarks or service marks of others.


    Preface

Many people want to be famous, but nobody wants to hit the headlines in an incident resulting in the theft or misuse of their employees' or clients' confidential data. While the necessity of securing the confidentiality, integrity, and availability of the enterprise's servers and data is well-known and understood, the backup server is often overlooked in the security planning. This is very regrettable, because the backup server infrastructure stores copies of all the enterprise's most important data, often going back years. Valuable data is often copied to tape and transported off-site. These tape cartridges are highly portable and hence potentially vulnerable to loss or theft. Knowing all this, the backup server and its infrastructure can represent a highly attractive target of unauthorized access from either inside or outside your data center. How secure is your backup server and its disk arrays? Do you know where each and every one of your backup tapes is located - right now?

This book will take you through the various security features of Tivoli Storage Manager and show you how to use them, together with best practice principles, to design, implement, and administer a more secure backup management environment. We will cover passwords, administrative levels of control, the vital role of encryption, and procedures for managing off-site data, among other topics.

This book is targeted at experienced Tivoli Storage Manager administrators. We assume that you have a good knowledge of how Tivoli Storage Manager works and how to install and administer it. You can use the publications listed in the Bibliography as background reading, particularly, IBM Tivoli Storage Management Concepts, SG24-4877, and IBM Tivoli Storage Manager Implementation Guide, SG24-5416.

    The team that wrote this book

This book was produced by a team of specialists from around the world working at the International Technical Support Organization, San Jose Center.

Charlotte Brooks is an IBM Certified IT Specialist and Project Leader for Tivoli Storage and System Storage Solutions at the International Technical Support Organization, San Jose Center. She has 15 years of experience with IBM in storage hardware and software support, deployment, and management. She has written many IBM Redbooks publications, and has developed and taught IBM classes in all areas of storage and storage management. Before joining the ITSO in 2000, she was the Technical Support Manager for Tivoli Storage Manager in the Asia Pacific Region.

Lloyd Dieter is a Systems Engineer for Strategic Computer Solutions in Syracuse, NY. He has been in IT since 1983 and has been consulting extensively and performing IBM Tivoli Storage Manager implementations on a variety of platforms since 1998. He is an IBM Certified Advanced Technical Expert (CATE) with certifications in Tivoli Storage Manager, HACMP, and AIX. He previously co-authored Using TSM in a SAN Environment, SG24-6132.

Dan Edwards is a Consulting I/T Specialist with IBM Global Services, Global Technology Services, based in Ottawa, Canada. Dan has over 29 years experience in the computing industry, including 17 years spent working on UNIX, High Availability, Tivoli Storage Manager (ADSM), and other storage solutions. He holds multiple product certifications, including Tivoli Storage Manager, AIX, HACMP, and Oracle. He is also an IBM Certified Professional and a member of the I/T Specialist Certification Board. Dan contracts with IBM clients globally, and over the past five years, has primarily consulted on Tivoli Storage Manager, High Availability, and Disaster Recovery engagements. Dan has previously co-authored IBM Tivoli Storage Manager in a Clustered Environment, SG24-6679, among others.

Helder Garcia is an IT Specialist for IBM Brazil, based in Brasília. He has six years experience with Tivoli Storage Manager working with IBM accounts in Brazil, and 16 years in the IT industry, with a strong background in network protocols and management. Before joining IBM in 2005, Helder worked since 1999 with Tivoli products for an IBM Business Partner in Brazil. His areas of expertise include consulting, planning, and implementation of IBM Tivoli Storage Manager backup solutions and storage management, and he has also taught Tivoli Storage Manager classes for clients and IBM Business Partners. He is an IBM Certified Deployment Professional for Tivoli Storage Manager V5.2 and V5.3, and has the ITIL Foundation Certificate.

Carsten Hahn is a Systems Engineer for Bayer Business Services in Leverkusen, Germany. He has 12 years of IT experience, and for the last seven years, he has worked with Tivoli Storage Manager, including LAN-free and Lotus Domino backup. His areas of expertise include Tivoli Storage Manager planning, installation, maintenance, and monitoring, as well as SAN storage infrastructure, management, and implementation, SVC, Windows, and AIX. He has a degree in Computer Science from the University of Applied Sciences in Bingen.

    Matthew Lee is a Technical Solution Architect with IBM Global Services, Global Technology Services, in Sydney, Australia. He has worked in the IT industry for 21 years and has been with IBM since 1999. His areas of expertise include UNIX, systems management, and security and storage solution design, implementation, and management. He has a Bachelor of Electrical Engineering from the University of Western Australia and a Post Graduate degree in Business Administration from Singapore Institute of Management.

    The team: Matt, Helder, Carsten, Dan, Lloyd, and Charlotte


    Thanks to the following people for their contributions to this project:

    Babette Haeusser, Emma Jacobs, and Deanna Polm
    International Technical Support Organization

    Matt Anglin, Kai Asher, Janet Bolton, Dave Cannon, Rob Edwards, Barry Fruchtman, Bill Haselton, Jon Haswell, Kevin Hoyt, Mark Haye, Avishai Hochberg, Harry Husfelt, Tricia Jiang, Alexei Kojenov, Zong Ling, Toby Marek, Howard Martin, Diem Nguyen, Joanne Nguyen, Jim Smith, and Chris Stakutis
    IBM Tivoli Storage Manager Development, Marketing, and Test

    Ric Bradshaw, Gregory Gendron, Jon Peake, and Rob Wilson
    IBM Tape Development and Marketing

    Anthony Abete and Jeff Ziehm
    IBM Advanced Technical Support

    Tom Benjamin, Timothy Hahn, John Morganti, and John Peck
    IBM EKM Development

    Carl Gusler
    IBM Austin

    Rosane Goldstein Golubcic Langnor and Eduardo Tomaz
    IBM Brazil

    Deon George
    IBM Australia

    Ian Saner
    Cristie

    Jim Carrick, Andrew Gorelick, Ann Kurtz, and David Swits
    Strategic Computer Solutions, NY

    Othmar Weber
    Bayer Business Services, Germany

    Tom and Jenny Chang, and the staff of The Garden Inn, Los Gatos, CA

    Become a published author

    Join us for a two- to six-week residency program! Help write an IBM Redbooks publication dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll have the opportunity to team with IBM technical professionals, IBM Business Partners, and Clients.

    Your efforts will help increase product acceptance and client satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability.

    Find out more about the residency program, browse the residency index, and apply online at:

    ibm.com/redbooks/residencies.html


    Comments welcome

    Your comments are important to us!

    We want our Redbooks to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways:

    Use the online Contact us review form found at:

    ibm.com/redbooks

    Send your comments in an e-mail to:

    [email protected]

    Mail your comments to:

    IBM Corporation, International Technical Support Organization
    Dept. HYTD Mail Station P099
    2455 South Road
    Poughkeepsie, NY 12601-5400


    Chapter 1. Introduction

    This chapter serves as an introduction to this book about security considerations for IBM Tivoli Storage Manager. It outlines the topics covered, the intended audience, and the structure of the chapters. Additionally, we begin to describe the types of threats that the Tivoli Storage Manager administrator might face, and how the Tivoli Storage Manager administrator can counter these threats.

    The amount of introductory material contained in this section is intentionally somewhat limited, because this book assumes some familiarity with Tivoli Storage Manager.


    1.1 Overview of this book

    The purpose of this book is to provide an in-depth look at security for the Tivoli Storage Manager administrator. Here is a brief overview of the contents of the rest of the book.

    Part 1 - Client side security

    This section of the book deals with the Tivoli Storage Manager clients and providing secure Tivoli Storage Manager services from the client perspective.

    The topics include client session authentication and data flow. We discuss the behavior of the types of clients, native compared to Web client, and the trusted communications agent (dsmtca).

    We dedicate a chapter to securing the client from an operating system perspective, including operations by authorized and non-authorized users, file permissions, and operations with network attached file systems.

    Part 2 - Tivoli Storage Manager and encryption

    In Part 2, Encryption on page 79, we discuss how to use encryption to secure Tivoli Storage Manager stored data and prevent unauthorized access. This includes Tivoli Storage Manager client encryption and tape encryption. We focus on the encryption available with the IBM TS1120 tape drive (and planned for the next generation of LTO products), although other vendors, for example, Solaris/STK, also provide a tape encryption solution.

    You can also perform encryption at the network level, for example, using IPSec, VPN, or appliance solutions, such as those provided by Decru. We do not discuss these in any great detail, because they operate independently of Tivoli Storage Manager.

    Part 3 - Server side security

    This section focuses on security from the standpoint of the Tivoli Storage Manager server administrator.

    This section discusses server administrator roles, Operational Reporting, and the Integrated Services Console/Administration Center (ISC/AC).

    We discuss disk storage pools and tape storage pools, including their vulnerability to access, and recommendations for destruction.

    We discuss running the Tivoli Storage Manager in a firewalled secure network environment and especially how to restrict running client sessions.

    We give general best practices for server security, covering both physical and personal threats, and present a procedure for running a Tivoli Storage Manager server from a non-superuser ID.

    Part 4 - Recovery scenarios and recommendations

    In the final part of the book, we discuss securing your disaster recovery environment, in the context of the overall Business Continuity Plan. We then present a number of scenarios for particular security-related Tivoli Storage Manager incidents that can occur, including how to recover from them, and more importantly, how to prevent these incidents from occurring in the first place. Finally, as a summary of many of the topics that we have presented in the book, we organize many of our recommendations into categorized lists, which you can use to run a check of your environment's security and which can assist you to prepare for an audit.


    In the rest of this chapter, we describe the basic principles of security to provide both a background and education for a typical storage administrator, who might not have considered this topic in-depth and who needs to understand the language of the security experts.

    1.2 Why is security important

    Data is one of the primary assets of any company or organization; without data, most organizations cannot function. As with any vital asset, protecting the data must be one of the highest priorities.

    Additionally, in recent years there has been a significant increase in the level of oversight of the business practices of every organization. HIPAA, Sarbanes-Oxley, SEC/NASD, and US DoD 5015.2 among others, have forced organizations to closely review their electronic data management practices. Failure to comply with the regulations pertaining to an organization's area of business can result in civil, or in some cases, criminal penalties.

    Depending on the business sector, the data to be protected might be client accounts, payroll statements, financial statements, personal health records, or even government defense and security information.

    1.2.1 Why is Tivoli Storage Manager security important

    In a typical medium-to-large environment that includes Tivoli Storage Manager, Tivoli Storage Manager might be the principal application that reaches into every corner of the enterprise, from the largest database server to the desktop. Not only is the Tivoli Storage Manager server likely to have the most recent backups from many systems, but it likely has large quantities of historical data, potentially going back for years. Further, the Tivoli Storage Manager server has the ability to execute commands and control applications on the clients attached to it.

    Tivoli Storage Manager must therefore be viewed as one of the most valuable and powerful applications in any organization where it is widely deployed.

    1.2.2 Tivoli Storage Manager security objectives

    When first considering security, a common mistake is to believe that the biggest threats are from outside the organization, when in actuality, the opposite is true. Your Tivoli Storage Manager system is far more likely to be damaged (deliberately or accidentally) by an individual or issue from within the company than by an external cracking attempt.

    In a Tivoli Storage Manager implementation with a well-implemented security structure, protection against these internal factors is one of the greatest benefits.

    When implementing Tivoli Storage Manager security, it is important to keep in mind what the objectives are. These can be broken down into the following categories.

    Integrity

    Data integrity is ensuring that the information stored is valid, intact, and protected from corruption.

    A well-designed Tivoli Storage Manager security implementation can protect the accuracy of the information on your Tivoli Storage Manager system. With the right security, you can prevent unauthorized changes or deletions of data.


    Confidentiality

    Data confidentiality is ensuring that only authorized individuals or systems have access to data, and those individuals and systems can only access the data for which they are authorized.

    Good Tivoli Storage Manager security practices can prevent people from obtaining and disclosing information to which they should not have access.

    Availability

    Data availability is ensuring that the data is available when needed.

    If an individual or system accidentally or intentionally damages data on your system, you cannot access those resources until you recover them. A good Tivoli Storage Manager security structure can minimize or prevent this kind of damage.

    1.3 How is Tivoli Storage Manager security implemented

    True security, in general, is not obtained by a single point solution. It is best implemented as a series of successive layers with different verifications and checks performed at the different layers.

    Network security

    Tivoli Storage Manager is a client/server application and requires reliable network connectivity in order to function.

    A detailed treatment of this layer is beyond the scope of this book, but proper implementation of network security practices is a key element of securing the Tivoli Storage Manager environment. Properly implementing network security practices restricts access to only those systems and individuals that should have access to the Tivoli Storage Manager server and clients.

    Operating system security

    The Tivoli Storage Manager server and clients run on individual operating systems, such as UNIX, Linux, Windows, NetWare, or z/OS, or other supported platforms. In a sense, the operating system is the underlying foundation for the application code running on the system.

    Poor security practices that are implemented at the operating system layer make compromises to the applications running on that operating system easier and more likely.

    Tivoli Storage Manager server configuration

    The way that you configure a Tivoli Storage Manager server determines who is allowed to access the system, and the type of authority that each user has. Solid security practices here are very important, because the Tivoli Storage Manager server can interact with all of its client nodes and typically executes operations with administrative authority on those clients.

    Tivoli Storage Manager client configuration

    The Tivoli Storage Manager client does not have the broad-reaching power of the server, but it still touches all of the data that is resident on the client node. Therefore, a good understanding of how the client operates and its capabilities is required for good security.


    Data center security

    Your Tivoli Storage Manager server, its storage pools, and probably many of the clients, will be located in a data center. Physical access control to the center, perhaps restricted areas even within the data center, and media control policies all come into play when securing the data center.

    Off-site security

    In most cases, backup data is physically or electronically transported to another site for disaster recovery purposes. Because this process is often entrusted to a third party, this introduces an extension of the circle of trust. Appropriate service level agreements and regular audits must be in place.

    1.4 Types of threats

    A threat to your Tivoli Storage Manager environment can be anything that jeopardizes the objectives outlined in 1.2.2, Tivoli Storage Manager security objectives on page 3. Threats to the Tivoli Storage Manager environment and the data contained therein can be grouped into the following general categories.

    1.4.1 Threats from within the organization

    All too often, the greater threat to data comes not from outside, but from inside the organization. By virtue of the fact that the people and systems within the organization will have more access to data than those outside, the potential of threat exposure is increased:

    Internal personnel threats

    People make mistakes and can be influenced by outside factors. With a poorly defined or nonexistent security policy in place, personnel might be able to access or delete data that they should not. This type of access or deletion can be accidental or deliberate.

    Physical threats or equipment failure

    Physical threats, such as power loss due to accidental or deliberate power disruption in the data center, should be considered and proper data center access controls used. Equipment failure can result in data loss if proper data protection methodologies are not used.

    1.4.2 Threats from outside the organization

    Threats from outside the organization can include:

    External attacks

    These are attacks that originate outside of your environment. Attacks can be of a specific nature where an educated source targets particular data, applications, or servers, or more broadly based, such as a fishing expedition that is aimed at discovering vulnerabilities. Because of its strategic importance, Tivoli Storage Manager is intended to be used in a relatively secure environment, and it is assumed that an organization will have external firewalls and physical security in place at a minimum.

    Environmental threats

    These include fire, flooding, or natural phenomena, such as earthquakes, and should be considered as part of the overall security plan. Clearly, here security interacts with an organization's Business Continuity strategy.


    1.4.3 Threats to physical storage of data

    This section discusses potential threats for stored data: data on disk, tape, or other media.

    Removable media

    Removable media likely presents the biggest potential exposure for stored data. By definition, removable media is portable and can be easily transported and possibly lost or stolen. Removable media might be handled by numerous individuals both inside and outside of the organization throughout its life cycle. Cartridges, when they are in transit, leave the controlled environment of the data center and can be damaged or stolen.

    Off-site media (typically tape) rotation is handled either automatically by the Tivoli Storage Manager site's Disaster Recovery Manager module, or through manual scripts and processes. When Tivoli Storage Manager stores data on removable media, it does not write any index or catalog to the media itself, because the intent is that the Tivoli Storage Manager database should also be available for any recovery. This makes data extraction from a single lost or stolen cartridge difficult, but as we discuss later in this book, it is not impossible.

    However, encrypting the data stored on removable media makes it essentially impossible to extract the data from that cartridge. A key message throughout this book is the vital role of encryption for security purposes.

    Disk

    Because disk is normally not transported off-site, the primary risk of data loss or theft comes from either inside attackers, equipment failure, or environmental factors.

    Unless you use Tivoli Storage Manager's client encryption, data stored in a disk storage pool or file storage pool is not encrypted. If an attacker can gain access to the storage pool disk, for example, through incorrect zoning or LUN masking in a SAN environment, the attacker might be able to read the unencrypted data on disk using operating system utilities.

    Equipment failure primarily comes into play if the Tivoli Storage Manager data structures are placed on unprotected disk, such as striped or unmirrored volumes.

    1.4.4 Threats when data is transmitted

    Data might be transmitted several times in the Tivoli Storage Manager environment, depending on how the system is set up. At a minimum, data is transmitted between the client and server, either over a network link or SAN.

    If the data is unencrypted while in transit, it might be possible for an attacker to use packet sniffing techniques to view or capture data in flight. The use of network switches, which have largely replaced simple hubs, has helped to alleviate this risk, but a skilled attacker can still gain access using these methods.

    Data in transit across a SAN is typically at much less risk, because it is much more difficult to tap into a Fibre Channel SAN link.

    Client encryption will encrypt the data at the client prior to transmission, thereby helping to eliminate this type of risk.
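    Whether a disk or file storage pool holds clear text (1.4.3) and whether data crosses the network already encrypted (1.4.4) both come down to how the client options file is written. The following Python script is an added example, not code from this book or from IBM: it parses a constructed dsm.sys that uses the Tivoli Storage Manager 5.x client options ENCRYPTIONTYPE, ENCRYPTKEY, INCLUDE.ENCRYPT, and EXCLUDE.ENCRYPT, reports which files a given server stanza would encrypt, and flags stanzas that send everything in the clear or that still use the 56-bit DES cipher. The server names and paths are made up, and the file-spec matching (`*`, `?`, `...`) and the bottom-up precedence of include/exclude rules are simplified approximations of the client's behavior, so treat them as assumptions of this example rather than a statement of the product's exact rules.

```python
import re

# Constructed sample dsm.sys (not taken from the book): three server stanzas
# with different client-encryption settings. Server names and paths are made up.
SAMPLE_DSM_SYS = """\
* Client encryption configured with AES and the key stored locally
SERVERNAME         TSMSRV1
  COMMMETHOD       TCPIP
  TCPSERVERADDRESS tsmsrv1.example.com
  ENCRYPTIONTYPE   AES128
  ENCRYPTKEY       SAVE
  INCLUDE.ENCRYPT  /home/.../*
  EXCLUDE.ENCRYPT  /home/.../*.iso
  INCLUDE.ENCRYPT  /var/lib/payroll/.../*

* Encryption configured, but with the legacy 56-bit DES cipher
SERVERNAME         TSMSRV2
  COMMMETHOD       TCPIP
  TCPSERVERADDRESS tsmsrv2.example.com
  ENCRYPTIONTYPE   DES56
  ENCRYPTKEY       PROMPT
  INCLUDE.ENCRYPT  /data/.../*

* No encryption at all: everything crosses the network and lands in the
* storage pool in the clear
SERVERNAME         TSMSRV3
  COMMMETHOD       TCPIP
  TCPSERVERADDRESS tsmsrv3.example.com
"""


def parse_dsm_sys(text):
    """Split a dsm.sys into stanzas keyed by SERVERNAME.

    Plain options become a dict; INCLUDE.ENCRYPT/EXCLUDE.ENCRYPT rules are kept
    as a list in file order so that precedence can be evaluated bottom-up.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # '*' introduces a comment
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SERVERNAME":
            current = {"options": {}, "rules": []}
            stanzas[value.upper()] = current
        elif current is None:
            continue                               # option before any stanza
        elif key in ("INCLUDE.ENCRYPT", "EXCLUDE.ENCRYPT"):
            current["rules"].append((key, value))
        else:
            current["options"][key] = value.upper()
    return stanzas


def _spec_to_regex(spec):
    """Translate a file spec into a regular expression (simplified approximation,
    an assumption of this example): '...' matches zero or more directory levels,
    '*' any run of characters inside one name, '?' exactly one character."""
    out = []
    i = 0
    while i < len(spec):
        if spec.startswith(".../", i):
            out.append("(?:[^/]+/)*")
            i += 4
        elif spec.startswith("...", i):
            out.append(".*")
            i += 3
        elif spec[i] == "*":
            out.append("[^/]*")
            i += 1
        elif spec[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(spec[i]))
            i += 1
    return "".join(out)


def encryption_for(stanza, path):
    """Decide whether the client would encrypt PATH under this stanza.

    Returns True (an INCLUDE.ENCRYPT rule wins), False (an EXCLUDE.ENCRYPT rule
    wins) or None when no rule matches, in which case the file is sent over the
    network and stored in the pool in the clear. The rules are walked from the
    bottom of the file up because the last matching rule takes precedence.
    """
    for kind, spec in reversed(stanza["rules"]):
        if re.fullmatch(_spec_to_regex(spec), path):
            return kind == "INCLUDE.ENCRYPT"
    return None


def audit(stanzas):
    """Return {servername: [finding, ...]} for settings a reviewer should flag."""
    findings = {}
    for name, stanza in stanzas.items():
        issues = []
        if not any(kind == "INCLUDE.ENCRYPT" for kind, _ in stanza["rules"]):
            issues.append("no INCLUDE.ENCRYPT rule: all client data crosses the "
                          "network and sits in the storage pool unencrypted")
        cipher = stanza["options"].get("ENCRYPTIONTYPE")
        if cipher is None:
            issues.append("ENCRYPTIONTYPE not set explicitly; set it to AES128")
        elif cipher == "DES56":
            issues.append("ENCRYPTIONTYPE is DES56 (56-bit key); use AES128")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    stanzas = parse_dsm_sys(SAMPLE_DSM_SYS)
    for name, issues in audit(stanzas).items():
        print(name, "OK" if not issues else "; ".join(issues))
    for path in ("/home/alice/docs/report.txt", "/home/alice/dvd.iso", "/tmp/scratch"):
        print(path, "->", encryption_for(stanzas["TSMSRV1"], path))
```

    Run against a real dsm.sys, the `None` results from `encryption_for` are the files that would arrive in the storage pool in the clear, which is exactly the exposure that incorrect zoning or LUN masking turns into a data leak; the audit findings give the short list of stanzas to correct before relying on client encryption for either the wire or the pool.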


    1.5 Data transport methodologies with Tivoli Storage Manager

    Tivoli Storage Manager uses a client/server model, with clients sending data to or from the Tivoli Storage Manager server typically using either IP networking or Fibre Channel connections. The Tivoli Storage Manager servers themselves also have the capability to pass data to or from storage devices as well as to other Tivoli Storage Manager servers. Network connectivity, whether IP-based or Fibre Channel-based, is an important piece of any Tivoli Storage Manager implementation.

    This section provides a brief overview of networking technologies that are used with Tivoli Storage Manager.

    1.5.1 Review of the Open Systems Interface data model

    There are seven layers in the Open Systems Interface (OSI) data model; each layer represents a specific functionality.

    The overall objective is to allow Layer 7 applications (such as Tivoli Storage Manager, e-mail, Web servers, and Web browsers) to connect to each other; this chart, Figure 1-1 on page 8, represents the details of what is required to make that happen.

    There are headers shown on the left and right side of the OSI chart in Figure 1-1 on page 8. The application's data is progressively encapsulated with headers as the data passes from layer to layer, in preparation for transmission to the other site. At the other end, headers are progressively removed as the data is passed up toward the receiving application.

    The header abbreviations are:

    AH - application header

    PH - presentation header

    SH - session header

    TH - transport header

    NH - network header

    LH - data link header


    Figure 1-1 Open Systems Interface (OSI) Data Model

    1.5.2 Interfacing networks together

    Having explained the OSI model, we turn next to the need for and methods of interfacing between two networks.

    There are four basic types of network interface devices (Figure 1-2 on page 9):

    Repeaters

    Hubs/Bridges

    Switches

    Routers

    [Figure 1-1, Open Systems Interface (OSI) Data Model, is not reproduced in this extraction. It shows the seven layers (7-Application, 6-Presentation, 5-Session, 4-Transport, 3-Network, 2-Data Link, 1-Physical) on two communicating workstations, the application data wrapped by the AH, PH, SH, TH, NH, LH, and LT fields, and examples at each layer: applications (WWW/HTML, e-mail, SAP, DB2/Oracle, voice over PSTN and VoIP, video, Tivoli, MS Exchange), network protocols (Internet Protocol, IBM SNA/APPN/NetBEUI, Microsoft NetBIOS, Novell IPX, Apple LocalTalk, DECnet, Banyan Vines), LAN/campus and MAN/WAN data links (shared and switched Ethernet 10/100/1000 Mbps, token ring 4/16 Mbps, ATM, LANE/CIP, Frame Relay, PVCs/SVCs, point-to-point DSn/OCn, SONET, DWDM, channel extenders), and physical media (UTP categories 3 to 6, single-mode and multi-mode fiber, coax, cable TV, wireless, microwave, free-space optics, satellites).]


    Figure 1-2 Interfacing between networks using repeaters, hubs, bridges, switches, and routers

    As shown by the vertical arrows, the determining factor in which device is used depends on what layer of the OSI model is to be interfaced:

    Repeaters are used when the highest level of network interconnection is fundamentally at the OSI Layer 1 physical connection level.

    Hubs and Bridges are used when the highest level of network interconnection is fundamentally at the OSI Layer 2 data link level.

    Switches are used when the highest level of network interconnection is fundamentally at the more basic levels of the OSI Layer 3 network level.

    Routers are used when the highest level of network interconnection is fundamenta