Storage Security Holes Put VARs On Guard


The recent discoveries of security vulnerabilities in data backup software from three of the top vendors have solution providers keeping their eyes open for problems.

Such vulnerabilities were first seen in Symantec's Backup Exec in June of last year and NetBackup 5.x software in November, in CA's ARCserve Backup software for Windows in August and in EMC's Legato NetWorker in August.

All three vendors have since issued patches to fix the holes. However, the vulnerabilities were highlighted this week when code to exploit the NetBackup hole was discovered.

The vulnerabilities are helping to highlight the importance of integrating storage and security technologies.

Mark Teter, CTO of Advanced Systems Group, a Denver-based server and storage solution provider, said he has not yet fielded any customer questions about the vulnerabilities.

"The holes are getting patched quickly," Teter said. "It's unfortunate that they have to be exposed before they are taken care of. The holes have been reported by watch groups, but not yet exploited. So customers are not worried yet."

For Teter, the vulnerabilities caused by holes in backup software validate the Symantec-Veritas merger. "My first reaction is, maybe the data management and security merger of Symantec and Veritas makes sense," he said.

The merger may actually be one of the drivers in bringing potential vulnerabilities in data backup software to light, said Dave Cerniglia, president of Consiliant Technologies, an Irvine, Calif.-based storage solution provider.

"Veritas and Symantec, being one of the leaders in the software industry, are bringing the problem to the forefront," Cerniglia said. "They are trying to merge their technologies to bring storage and security together, and so are bringing awareness to the problems."

However, Cerniglia said, customers have yet to express their concern about the problem. "We sit with their security guys, and they are not asking us about it," he said. "Maybe they are addressing the question at a different layer than we are."

The three vendors in question did not respond directly to questions about the vulnerabilities, other than to send out written statements and point to patch information on their Web sites.

A Symantec spokesperson said in an e-mail that the company continues to recommend that all customers make sure virus definitions are up to date to protect against possible threats, including netbackup-exploit.c, discovered Jan. 16.

An EMC spokesperson, also responding by e-mail, said that while the vendor is not trying to downplay the issue, it will continue to work with watchdog organizations to ensure its products are used in a secure manner in secure environments.