Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Increasing NetBackup security
  7. NetBackup Access Control (NBAC)
NetBackup™ Security and Encryption Guide

NetBackup Access Control (NBAC)

The NetBackup Access Control (NBAC) functionality incorporates the NetBackup Product Authentication and Authorization into NetBackup, increasing security for the primary servers, media servers, and clients.

See About NetBackup security and encryption.

Important points about NBAC include:

  • Authentication and Authorization are used together

  • NBAC uses authentication identities from a trusted source to reliably identify involved parties. Access decisions can then be made for manipulation of NetBackup based on those identities. Note that NetBackup Security Services are now embedded.

  • The NetBackup Product Authentication and Authorization consist of the root broker, authentication broker, authorization engine, and the graphical user interface.

  • Oracle, Oracle Archiver, DB2, Informix, Sybase, SQL Server, SAP and EV Migrator are not supported with NBAC.

  • NBAC is not supported on Appliances.

  • The NetBackup catalog backup is supported with NBAC.

The following table describes the NetBackup components that are used in security.

Table: NetBackup components used in security

Component

Description

Root broker

The NetBackup primary server is the root broker in a datacenter installation. There is no provision to use another root broker. The recommendation is to allow trust between root brokers.

The root broker authenticates the authentication broker. The root broker does not authenticate clients.

Authentication broker

Authenticates the primary server, media server, graphical user interface, and clients by establishing credentials with each one of them. The authentication broker also authenticates a user when operating a command prompt. There can be more than one authentication broker in a datacenter installation. The authentication broker can be combined with the root broker.

Authorization engine

Communicates with the primary server and the media server to determine the permissions of an authenticated user. These permissions determine the functionality available to a given server. The authorization engine also stores user groups and permissions. Only one authorization engine is required in a datacenter installation. The authorization engine also communicates over the WAN to authorize other media servers in a multi-datacenter environment.

graphical user interface

Specifies a Remote Administration Console that receives credentials from the authentication brokers. The graphical user interface then may use the credentials to gain access to functionality on the clients, media, and primary servers.

Master server

Communicates with the root broker and authentication broker, graphical user interface, authorization engine, media server, and clients.

NetBackup administrator

Specifies a user who has been granted administrator permissions to access and manage the NetBackup functionality from within the data center.

Media server

Communicates with the primary server, root broker and authentication broker, authorization engine, and clients 1 through 6. The media server writes unencrypted data to tape for client 5 and encrypted data to tape for client 6.

Clients

Specifies that clients 1 through 4 are standard NetBackup types. Client 5 is a web server type located in the DMZ. Client 6 is a client side encrypted type also located in the DMZ. All client types are managed by the primary server and have their data backed up to tape through the media server. Clients 5 and 6 communicate to NetBackup using NetBackup only ports through the internal firewall. Client 5 also receives connections from the Internet using HTTP only ports through the external firewall.

Tapes

Specifies that the tape security in NetBackup can be increased by adding the following:

  • Client side encryption

  • Encryption of data at rest

Unencrypted and encrypted data tapes are produced in the datacenter. The unencrypted tape data is written for clients 1 through 5 and stored on-site at the datacenter. The encrypted tapes are written for client 6 and are transported off-site to a vault for disaster recovery protection.

Encryption

Specifies that NetBackup encryption can increase security by providing the following:

  • Greater data confidentiality

  • The loss of physical tape is not as critical if all the data is effectively encrypted

  • The best risk mitigation strategy

For more information about encryption:

See Encryption security questions to consider.

Data over the wire security

Includes the communication between primary servers, media servers, clients, and communication using ports through firewalls and over WANs.

For more information about ports, see the NetBackup Network Ports Reference Guide:

The data over the wire part of NetBackup can help increase security in the following ways:

  • NetBackup Access Control (NBAC)

  • Classic NetBackup daemons employ authentication when NBAC is enabled

  • CORBA daemons use the fully encrypted channels that support confidentiality, and provide data integrity

  • Firewalls

  • Disabling the unused ports in NetBackup and in other products:

  • PBX and VNETD dedicated ports provide increased NetBackup security

  • Central set of ports to monitor and open through firewalls

Note:

Communication between NetBackup 8.1 and later hosts is secure.

See About secure communication in NetBackup.

Firewall security

Specifies that the NetBackup firewall support can help increase security.

Important points about firewall security include the following:

  • It is recommended to use firewall and intrusion detection protection for NetBackup.

  • Firewall protection relates to general network security from a NetBackup standpoint. It focuses on reducing the possible "door locks" for a thief to try to pick. It may be helpful to review the possibility of blocking NFS, telnet, FTP, email ports. They are not strictly needed for NetBackup use and can provide an "open door" for unwanted access.

  • Secure the primary server as much as possible

  • Firewalls can include internal firewalls and external firewalls, as follows:

    • Internal firewall - allows NetBackup to access web server client 5 and encrypted client 6 in the DMZ. Only selected NetBackup ports and possibly other application ports are enabled for data communication through the internal firewall and into and out of the DMZ. The HTTP ports are open in the External Firewall and are not allowed to pass through the internal firewall.

    • External firewall - allows external users to access the web server client 5 located in the DMZ from the Internet over HTTP ports. NetBackup ports are open for web server client 5 to communicate through the internal firewall to NetBackup. The NetBackup ports are not allowed to pass through the external firewall to the Internet. Only the HTTP ports of web server client 5 can pass through the external firewall to the Internet.

Demilitarized zone (DMZ)

Specifies that the demilitarized zone (DMZ) increases security as follows:

  • The DMZ is a restricted area in which the number of ports that are allowed for specific hosts is highly controlled

  • The DMZ exists between the external firewall and the internal firewall. The common area in this example is the web server. The external firewall blocks all ports except for the HTTP (standard) and HTTPS (secure) web ports. The internal firewall blocks all ports except for NetBackup and database ports. The DMZ eliminates the possibility of external Internet access to internal NetBackup server and database information.

The DMZ provides a "safe" area of operation for the web server client 5 and encrypted client 6 between the internal firewall and external firewall. The web server client 5 in the DMZ can communicate to NetBackup through the internal firewall using designated NetBackup ports. The web server client 5 can also communicate through the external firewall to the Internet using only HTTP ports.

Figure: Example firewalls and DMZ shows an example internal and external firewall with DMZ.

The following figure shows an example of the internal and the external firewall with DMZ.

Figure: Example firewalls and DMZ

Example firewalls and DMZ

Feedback

Was this page helpful?
Previous

Datacenter-level security overview

Next

Combined world, enterprise, and datacenter levels

Feedback

Was this page helpful?