Reducing network exposure
You can reduce your network exposure with the following features.
Network access control can ensure that only authorized personnel can access selected networks or network segments to access backup administrative interfaces. For example, you can use an allowed list to control which IP addresses and subnets can access your appliances through SSH and HTTPS. All IP addresses that are not on the allowed list are blocked by default. This feature is an example of network segmentation and can prevent attackers from gaining system access.
How to configure network access control:
Flex Appliance
NetBackup Appliance
NetBackup
Network access control for NetBackup is available through the isolated recovery environment (IRE) feature. See the following section.
Another way to isolate and protect backups is to create an isolated recovery environment (IRE). NetBackup BYO and Flex Appliance include a turnkey, pull-based IRE that creates an air-gapped network environment. This feature lets you create a vault for your data. Additionally, the proprietary compliance secure clock provides added confidence that your storage is never subject to time-based attacks that are meant to expire data prematurely.
How to configure an IRE:
Flex Appliance
See Configuring an isolated recovery environment using the web UI.
NetBackup
See Configuring an isolated recovery environment on a NetBackup BYO media server.
NetBackup Flex Scale
Access Appliance
See Configuring an isolated recovery environment using the command line.
Currently, NetBackup Appliance can be used for the production environment of an IRE but not as the target server.