IBM Tivoli Storage Manager, Version 7.1

Detecting possible security attacks during client-side data deduplication

A rogue application that is part of a client system and that imitates the client, API, or GUI application can initiate an attack on the server. To reduce server vulnerability to such attacks, you can specify a percentage of client extents for the server to verify.

About this task

If the server detects that a security attack is in progress, the current session is canceled. In addition, the setting of the node DEDUPLICATION parameter is changed from CLIENTORSERVER to SERVERONLY. The SERVERONLY setting disables client-side data deduplication for that node.

The server also issues a message that a potential security attack was detected and that client-side data deduplication was disabled for the node.

If client-side data deduplication is disabled, all other client operations (for example, backup operations) continue. Only the client-side data deduplication feature is disabled. If client-side data deduplication is disabled for a node because a potential attack was detected, the server deduplicates the data that is eligible for client-side data deduplication.

Procedure

To detect a possible security attack when client-side data deduplication is enabled, issue the SET DEDUPVERIFICATIONLEVEL command. Specify an integer value in the range 1 - 100 to indicate the percentage of client extents to be verified. The default value is 0, which indicates that no extents are verified.

What to do next

Tip: Verifying extents consumes processing power and adversely affects server performance. For optimal performance, do not specify values greater than 10 for the SET DEDUPVERIFICATIONLEVEL command.

Other methods for protecting the server include:
  • Enabling client-side data deduplication only for clients that are secure. If you choose this method, do not change the default setting of the SET DEDUPVERIFICATIONLEVEL command.
  • Creating automated scripts to enable client-side data deduplication only during certain time periods.
  • Using storage-device encryption together with client-side data deduplication.
  • Enabling Secure Sockets Layer (SSL).
  • Deduplicating data by using only server-side data deduplication. Server-side data deduplication does not expose the server to security attacks from the client.

To show the current value for SET DEDUPVERIFICATIONLEVEL, issue the QUERY STATUS command. Check the value in the Client-side Deduplication Verification Level field.
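The check described above can be scripted. The following is an added example, not part of the IBM documentation: it reads QUERY STATUS text on standard input and classifies the verification level against the guidance on this page. The function names, the ADMIN_ID and ADMIN_PW placeholders, and the sample output layout are assumptions.

```shell
#!/bin/sh
# Added example: audit the Client-side Deduplication Verification Level.
# Live use (ADMIN_ID and ADMIN_PW are placeholders):
#   dsmadmc -id="$ADMIN_ID" -password="$ADMIN_PW" "query status" | dedup_verify_audit

# Print the integer from the verification-level field, or nothing if absent.
dedup_verify_level() {
    sed -n 's/^[[:space:]]*Client-side Deduplication Verification Level:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# Classify the level: 0 = in range, 1 = off, 2 = above 10, 3 = unusable input.
dedup_verify_audit() {
    level=$(dedup_verify_level)
    if [ -z "$level" ]; then
        echo "UNKNOWN: verification level field not found"
        return 3
    elif [ "$level" -eq 0 ]; then
        echo "OFF: no client extents are verified (default value)"
        return 1
    elif [ "$level" -gt 100 ]; then
        echo "INVALID: $level is outside the range 1 - 100"
        return 3
    elif [ "$level" -gt 10 ]; then
        echo "HIGH: $level% verified, above the 10% performance guidance"
        return 2
    fi
    echo "OK: $level% of client extents are verified"
    return 0
}

# Constructed sample of QUERY STATUS output (layout assumed, not captured
# from a real server); $1 is the level to embed.
sample_status() {
    cat <<EOF
                 Server Name: SERVER1
Client-side Deduplication Verification Level: $1%
EOF
}

# Demonstration on constructed input.
sample_status 25 | dedup_verify_audit || true
```

A result of OFF is expected when client-side data deduplication is enabled only for clients that are secure, because that method leaves the default value unchanged.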


