Re: What is the security in Retrospect?

2000-05-10 Thread Matthew Tevenan

Maurice,

In answer to your questions:

> Specific points of concern are how secure is security code password
> that is stored by the Retrospect client and as well by the Retrospect
> server (for scripted operation)?

I'm not sure what you mean here. There's certainly no backdoor for either,
meaning there's no special way to get around password-protection. This is
why when you forget a client security code and must log it in again, you have
to uninstall and reinstall the client.

> Why are the passwords displayed in clear text when they are first set up in
> the client?

I've added a suggestion in your name that we change this.

> How secure is the data that is being backed up as it passes over the
> network? For example, if I choose to have DES encryption on the tape,
> is that DES implemented on the server as data is about to be written
> to the tape or has the data already been DES encrypted on the client
> side?

DES encryption relates to data being written to the tape. If you wish to
encrypt data over the network, turn on link encryption. You turn this on in
the Client Configuration/Properties window. For more information, look it up
in the Retrospect User's Guide index.

> Anyone running Retrospect with a security code to a client could back
> it up to take data off and then alter this data and then return the
> altered data to the client. Aside from this security code and
> blocking the TCP ports that Retrospect uses (via a router/firewall),
> are there any other ways to prevent an unauthorized copy of
> Retrospect from engaging in backup and retrieval?

These, plus link encryption, are the only ways that I know of. You may want
to consult Dantz Technical Note 310 at

<http://www.dantz.com/index.php3?SCREEN=tn310>

It's old, but it provides a good summary of the security that Retrospect
offers. 

> For example, what about the client knowing the IP identity of the server and
> rejecting any server not having that IP address?

Again, Retrospect doesn't do this, but I've logged it as a suggestion.

Regards,

Matthew
Technical Support Specialist
Dantz Development Corporation
925.253.3050 
[EMAIL PROTECTED]

> From: Maurice Volaski <[EMAIL PROTECTED]>
> Reply-To: "retro-talk" <[EMAIL PROTECTED]>
> Date: Tue, 9 May 2000 16:23:16 -0400
> To: "retro-talk" <[EMAIL PROTECTED]>
> Subject: What is the security in Retrospect?
> 
> Some users here have asked about how secure Retrospect is.
> 
> Specific points of concern are how secure is security code password
> that is stored by the Retrospect client and as well by the Retrospect
> server (for scripted operation)? Why are the passwords displayed in
> clear text when they are first set up in the client?
> 
> How secure is the data that is being backed up as it passes over the
> network? For example, if I choose to have DES encryption on the tape,
> is that DES implemented on the server as data is about to be written
> to the tape or has the data already been DES encrypted on the client
> side? I assume it can't be the latter since if the password to the
> tape is being used as the key, the client only has the security code,
> not the tape password.
> 
> Anyone running Retrospect with a security code to a client could back
> it up to take data off and then alter this data and then return the
> altered data to the client. Aside from this security code and
> blocking the TCP ports that Retrospect uses (via a router/firewall),
> are there any other ways to prevent an unauthorized copy of
> Retrospect from engaging in backup and retrieval? For example, what
> about the client knowing the IP identity of the server and rejecting
> any server not having that IP address?
> -- 
> --
> Maurice Volaski, [EMAIL PROTECTED]
> Computing Support, Rose F. Kennedy Center
> Albert Einstein College of Medicine of Yeshiva University



--
--
To subscribe:[EMAIL PROTECTED]
To unsubscribe:  [EMAIL PROTECTED]
Archives:<http://list.working-dogs.com/lists/retro-talk/>
Problems?:   [EMAIL PROTECTED]




What is the security in Retrospect?

2000-05-09 Thread Maurice Volaski

Some users here have asked about how secure Retrospect is.

Specific points of concern are how secure is security code password 
that is stored by the Retrospect client and as well by the Retrospect 
server (for scripted operation)? Why are the passwords displayed in 
clear text when they are first set up in the client?

How secure is the data that is being backed up as it passes over the
network? For example, if I choose to have DES encryption on the tape, 
is that DES implemented on the server as data is about to be written 
to the tape or has the data already been DES encrypted on the client 
side? I assume it can't be the latter since if the password to the 
tape is being used as the key, the client only has the security code, 
not the tape password.

Anyone running Retrospect with a security code to a client could back 
it up to take data off and then alter this data and then return the
altered data to the client. Aside from this security code and 
blocking the TCP ports that Retrospect uses (via a router/firewall), 
are there any other ways to prevent an unauthorized copy of 
Retrospect from engaging in backup and retrieval? For example, what 
about the client knowing the IP identity of the server and rejecting
any server not having that IP address?
-- 
--
Maurice Volaski, [EMAIL PROTECTED]
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

