NetWorker 7.4.5 – Should you update?

 NetWorker  3 Responses »
Aug 172009
 

Over the last 36 hours or so I’ve been doing a lot of tests of NetWorker 7.4.5, and overall I must say I’m reasonably impressed in its stability.

Let’s be completely up front: this is a bug-fix only release. If you check the release notes, you’ll see that there are no new features in this release at all. This from the outset usually means a fairly stable release, as there’s no “new code” (so to speak) competing with existing code and patches.

So far my testing has been limited to Linux and Solaris, with Windows testing to start tomorrow. (I frequently pick on Linux for heavy NetWorker testing because I’ve found in the past that if a *nix platform is going to have issues, Linux will be the first one to do so.)

According to the release notes, there’s 89 resolved issues in NetWorker 7.4.5; while some of them of course are somewhat trivial (e.g., one of the fixed issues is to do with NetWorker vs EBS branding in particular scripts), many of them represent significant fixes to issues in NetWorker 7.4. Previously several of these rolled into cumulative patch clusters, however, the number of fixes in 7.4.5 exceeds the number of patches cited for the cumulative patch clusters by a quite a bit, meaning there’s been quite a lot of effort go into this “service pack”.

My gut feel at this point is that if you’re still on the 7.4.x tree, 7.4.5 may be quite a worthwhile version to update to. As always, no site should update their version of NetWorker without a careful review of the release notes, and administrators should make themselves completely aware of (at bare minimum) the following:

  • Fixed issues.
  • Known limitations.
  • Where their current installers are should a back-out be required.
  • Where copies of any currently installed patches are should a back-out be required.

In short: an update should always be prepared for, both in the action plan and the back-out plan, and always consider the update in light of the needs and issues of your site.

I’ll post another update in a day or two once I’ve had more time to review this release.

 Posted by Preston de Guise at 18:21  Tagged with:

What's wrong with the NMC installation process?

 NetWorker, Security  No Responses »
Aug 172009
 

There is, in my opinion, an unpleasant security hole in the NMC installation/configuration process.

The security hole is simple: it does not prompt for the administrator password on installation. This is inappropriate for a data protection product, and I think it’s something that EMC should fix.

The NMC installation process is slightly different depending on whether you’re working with 7.5.x or 7.4.x and lower.

For 7.4.x and lower, the process works as follows:

  • Install NetWorker management console.
  • (On Unix platforms, manually run the /opt/lgtonmc/bin/nmc_config file to initialise the configuration.)
  • Launch NMC.
  • Use the default username/password until you get around to changing the password.

For 7.5.x and higher installations, the process works as follows:

  • Install NetWorker management console.
  • First person to logon gets to set the administrator password.

In both instances, this represents a clear security threat to the environment, particularly when installing NetWorker on the backup server or another host that already has administrator access to the datazone, and needs to be managed carefully. Two clear options, depending on the level of trust you have within your environment are:

  • Use firewall/network security configuration options to restrict access to the NMC console port (9000) to a single, known and trusted host, until you are able to log on and change the password.

or

  • Be prepared to log onto NMC as soon as the installation (or for Unix, installation/configuration) is complete and trust that you “get there first”.

In reality, the second option would not be declared secure by any security expert, but for small environments where the trust level is high, it may be acceptable for local security policies.

The real solution though is simple: EMC must change the NMC installation process to force the input of a secure administrator password at install time. That way, by the time the daemons are first started, they are already secured.

 Posted by Preston de Guise at 07:55  Tagged with: , , , ,
© 2012 The NetWorker Blog Suffusion theme by Sayontan Sinha