Friday, May 11, 2012

Secure Backups with Proteus Bluecat

I've been working with the Bluecat platform, Proteus and Adonis, for the past 7 to 8 months. Being security-minded, I always look to encrypted protocols when I first configure a device. Frankly, I'm disappointed that vendors still configure their appliances with clear-text protocols like http and ftp by default. This is true of Bluecat products.

By default Bluecat uses http. Enabling https is cumbersome, and replacing the default self-signed certificate is even more difficult for the average user. Not what I expected in an appliance that is meant to make network administration easier.

Proteus' backup facility is no exception.  There is no facility to transport backups via a secure channel to a remote server.  So I decided to hack one.

I wrote a script that will create the necessary files and configure cron to synchronize the backup repository to a remote server running sftp.

The script, located here, makes use of rsync to sync the backup repository to a remote server. I chose rsync because I didn't want to deal with removing old backups on the remote server side. If I had used scp I would have had to think about removing backups from the remote side and that would have added unnecessary complexity.

Luckily for us rsync can use ssh so I made use of that facility as you can see on line 49 of the script:

rsync -r -v --delete-after -e "ssh -i ${BIN_PATH}/${SSH_PRIVATEKEY} -o StrictHostKeyChecking=no" ${DATA_PATH} ${USER}@${SCP_HOST}:${SCP_HOSTPATH}

I use an SSH key for password-less entry and we trust the destination host explicitly so rsync should expect no prompts.
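
A variant of that rsync line that pins the destination's host key instead of turning the check off, as an added example that is not part of proteus-secure-backup. With `StrictHostKeyChecking=no`, ssh accepts whatever host key answers at `${SCP_HOST}`; the pinned file is what lets the cron job refuse a different server. `KNOWN_HOSTS` and the two function names are assumptions; the other variables are the ones from the line above.

```shell
#!/bin/sh
# Added example, not code from proteus-secure-backup.
# BIN_PATH, SSH_PRIVATEKEY, DATA_PATH, USER, SCP_HOST and SCP_HOSTPATH are the
# variables from the script's rsync line; KNOWN_HOSTS, ssh_transport and
# sync_backups are hypothetical names introduced here.
#
# One-time setup, done by hand before cron takes over:
#   ssh-keyscan -t ed25519 "$SCP_HOST" > "$KNOWN_HOSTS"
#   ssh-keygen -lf "$KNOWN_HOSTS"   # compare with the fingerprint shown on the server

# Print the remote-shell command for rsync -e, or fail if the host key is not pinned.
ssh_transport() {
    key=$1
    known_hosts=$2
    # rsync splits the -e string into words itself, so such paths cannot be passed safely.
    case "$key$known_hosts" in
        *[[:space:]]*) echo "paths must not contain whitespace" >&2; return 1 ;;
    esac
    # An empty or missing file would leave nothing to verify the server against.
    [ -s "$known_hosts" ] || { echo "no pinned host key in $known_hosts" >&2; return 1; }
    # BatchMode=yes keeps ssh from ever prompting, which is what a cron job needs.
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' \
        "$key" "$known_hosts"
}

# Same rsync options as the original line, with the pinned transport and quoted variables.
sync_backups() {
    transport=$(ssh_transport "${BIN_PATH}/${SSH_PRIVATEKEY}" "${KNOWN_HOSTS}") || return 1
    rsync -r -v --delete-after -e "$transport" \
        "${DATA_PATH}" "${USER}@${SCP_HOST}:${SCP_HOSTPATH}"
}

# Only sync when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    sync_backups
fi
```

If the server's key ever changes, the sync fails with a host key verification error in the cron output instead of silently sending backups to whatever answered.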

The project is hosted at Google Code and you can find it at: http://code.google.com/p/proteus-secure-backup/

Hopefully Bluecat will eliminate the need for these sorts of ugly hacks. Vendors need to enable encryption by default and make clear-text protocols the option.