CB scg5

The Dell CloudBoost 19.12 Security Configuration Guide outlines security best practices for the CloudBoost appliance, including data protection measures, infrastructure security features, and access control protocols. It is intended for system administrators managing backups and provides detailed information on encryption, firewall requirements, and update procedures. The document emphasizes the importance of maintaining security configurations and ensuring data integrity during storage and transfer.

Uploaded by

Roman Auslaender
Dell CloudBoost 19.12
Security Configuration Guide

Dell Inc.

January 2025
Rev. 01
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2016 - 2025 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its
subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents
PREFACE

Chapter 1: CloudBoost Architecture
CloudBoost components
CloudBoost architecture

Chapter 2: Data Protection
Firewall port requirements
Data at rest protection
Data in transit protection
Cloud storage provider
Data removal practices

Chapter 3: Infrastructure Security
Infrastructure features
CloudBoost access control
CloudBoost updates and malware protection
Security configuration settings

PREFACE
As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of
the software or hardware currently in use might not support some functions that are described in this document. The product
release notes provide the most up-to-date information about product features.
If a product does not function correctly or does not function as described in this document, contact a technical support
professional.
NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document,
go to the Dell Support site.

Purpose
This document describes the security best practices for the CloudBoost appliance.

Audience
This guide is part of the CloudBoost documentation set, and is intended for use by system administrators who are responsible
for setting up and maintaining backups on a network. Operators who monitor daily backups will also find this guide useful.

Revision history
The following table presents the revision history of this document.

Table 1. Document revision history

| Revision | Date | Description |
|---|---|---|
| 01 | January, 2025 | Initial release of the CloudBoost 19.12 Security Configuration Guide. |

Related documentation
The following publications provide information about CloudBoost.
● CloudBoost Release Notes

Contains information about new features and changes, fixed problems, known limitations, environment, and system
requirements for the latest release.

● NetWorker 19.12 with CloudBoost 19.12 Integration Guide

Guide for integrating NetWorker 19.12 with CloudBoost 19.12.

Typographical conventions
The following type style conventions are used in this document:

Table 2. Style conventions

| Formatting | Description |
|---|---|
| Bold | Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window. |
| Italic | Used for full titles of publications that are referenced in the text. |
| Monospace | Used for: system code; system output, such as an error message or script; pathnames, file names, file name extensions, prompts, and syntax; commands and options. |
| Monospace italic | Used for variables. |
| Monospace bold | Used for user input. |
| [] | Square brackets enclose optional values. |
| \| | Vertical line indicates alternate selections. The vertical line means or for the alternate selections. |
| {} | Braces enclose content that the user must specify, such as x, y, or z. |
| ... | Ellipses indicate non-essential information that is omitted from the example. |

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation


● Dell Customer Support
● Dell Community Network

Where to get support


The Support website Dell Customer Support provides access to product licensing, documentation, advisories, downloads, and
how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.
To access a product-specific page:
1. Go to Dell Customer Support.
2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx)
or by keyword.
To search the Knowledgebase:
1. Go to Dell Customer Support.
2. On the Support tab, click Knowledge Base.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by
typing a product name in the search box, and then selecting the product from the list that appears.

Live chat
To participate in a live interactive chat with a support agent:
1. Go to Dell Customer Support.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.

Service requests
To obtain in-depth help from Licensing, submit a service request. To submit a service request:
1. Go to Dell Customer Support.
2. On the Support tab, click Service Requests.
NOTE: To create a service request, you must have a valid support agreement. For details about either an account or
obtaining a valid support agreement, contact a sales representative. To find the details of a service request in the Service
Request Number field, type the service request number, and then click the right arrow.

To review an open service request:


1. Go to Dell Customer Support.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities
For peer contacts, conversations, and content on product support and solutions, go to the Dell Community Network.
Interactively engage with customers, partners, and certified professionals online.

How to provide feedback


Feedback helps to improve the accuracy, organization, and overall quality of publications. Perform one of the following steps to
provide feedback:
● Go to Dell Content Feedback Platform, and submit a ticket.
● Send feedback to DPADDocFeedback.

Chapter 1: CloudBoost Architecture
CloudBoost is a virtual appliance along with other components that enable long-term storage in the cloud of backups that are
made with NetWorker.
This section includes the following topics:
• CloudBoost components
• CloudBoost architecture

CloudBoost components
This table lists the CloudBoost components.

Table 3. CloudBoost components

| Component | Description |
|---|---|
| CloudBoost appliance | Appliance that indexes, deduplicates, compresses, encrypts, and manages data transfer to and from the cloud. The optional data cache stores the data that is most recently written to or read from the cloud. The CloudBoost appliance can be hosted on the customer site on VMware ESX, Amazon Web Services (AWS) or Microsoft Azure. |
| Cloud storage provider | Object storage for data that is sent from the CloudBoost appliance. Several public and private cloud storage providers are supported. For more information on supported private and public clouds, see the CloudBoost Integration Guide. |
| EMC Secure Remote Services | Virtual appliance that enables two-way remote communication with EMC Secure Remote Services (ESRS) to monitor system health and to communicate events, alerts, status, and health to Customer Support proactively. No user data is transferred. |

CloudBoost architecture
This graphic outlines the CloudBoost architecture.

Figure 1. CloudBoost architecture

Chapter 2: Data Protection
CloudBoost protects data by encrypting it when it is received by the CloudBoost client. Data remains encrypted within the
CloudBoost environment, including within the cloud storage provider, until it is restored. When restored, the data is decrypted
as it leaves the CloudBoost environment and is returned to the application. While data is in transit, it is encrypted a second time.
Communication between CloudBoost components is also encrypted.
Storage providers also add their own measures to protect data. For more information, contact the provider.
This section includes the following topics:
• Firewall port requirements
• Data at rest protection
• Data in transit protection
• Cloud storage provider
• Data removal practices

Firewall port requirements


As with all networked software solutions, adhering to best practices for security is encouraged to protect the deployment. If the
ports in the following table are not configured before you configure the CloudBoost appliance, restart the CloudBoost appliance.
NOTE: It is not recommended to route outbound HTTP traffic from the CloudBoost appliance through a proxy because it
can create a performance bottleneck. In environments where outbound HTTP traffic is restricted, create an exception for the
appliance in the firewall after you consult with the IT security team. To configure a proxy, see Configure CloudBoost to use
a proxy.
The following table outlines the firewall port requirements.

Table 4. Firewall port requirements

| Out | In | TCP port | Description |
|---|---|---|---|
| Administrator workstation | CloudBoost appliance | 22 | SSH for maintenance and troubleshooting |
| CloudBoost appliance | Cloud storage (public or private) | 443 | HTTPS to access object store (if supported) |
| CloudBoost appliance | On-Prem CloudBoost Management Console | 7443 | HTTPS to On-Prem CloudBoost Management Console. |
| NetWorker Server or NetWorker Client | CloudBoost appliance | 7937-7942 | The CloudBoost appliance has a pre-configured NetWorker SN. For a single CloudBoost device, a minimum of six ports must be opened on the CloudBoost appliance. The port range can be expanded based on the deployment type and the number of CloudBoost devices configured. The NetWorker Security Configuration Guide provides additional information on the NetWorker port requirements. |
| NetWorker client | Cloud Storage (public or private); CloudBoost appliance for metadata. | 443 | HTTPS to access object store (if supported) |
| CloudBoost appliance | EMC Secure Remote Services gateway | 9443 | Communication from the CloudBoost appliance to the Secure Remote Services gateway |
Figure 2. CloudBoost firewall ports

For information about firewall ports for any system that you deploy with CloudBoost, refer to the documentation for that
system.
For information about NetWorker, refer to the NetWorker Security Configuration Guide.
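
A way to confirm the firewall matrix above from the side that opens each connection, as an added example that is not part of the Dell guide. The role names, the `Flow` type and both functions are assumptions made for this illustration; the ports are those of Table 4.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
	"time"
)

// Flow is one row of Table 4 (Out connects to In); Table4 transcribes the guide's rows.
type Flow struct {
	Out, In     string
	First, Last int // inclusive TCP port range
}

var Table4 = []Flow{
	{"Administrator workstation", "CloudBoost appliance", 22, 22},
	{"CloudBoost appliance", "Cloud storage", 443, 443},
	{"CloudBoost appliance", "On-Prem CloudBoost Management Console", 7443, 7443},
	{"NetWorker server or client", "CloudBoost appliance", 7937, 7942},
	{"NetWorker client", "Cloud storage", 443, 443},
	{"CloudBoost appliance", "EMC Secure Remote Services gateway", 9443, 9443},
}

// Probe makes one TCP connect and returns "open", "filtered" (no reply before
// the timeout, typical of a firewall drop) or "closed" (refused or unreachable).
func Probe(host string, port int, timeout time.Duration) string {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, strconv.Itoa(port)), timeout)
	if err == nil {
		conn.Close()
		return "open"
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return "filtered"
	}
	return "closed"
}

// CheckRole probes each flow that role initiates; a row with no entry in targets is "skipped".
func CheckRole(role string, flows []Flow, targets map[string]string, timeout time.Duration) map[string]string {
	out := map[string]string{}
	for _, f := range flows {
		for p := f.First; f.Out == role && p <= f.Last; p++ {
			state := "skipped"
			if host, ok := targets[f.In]; ok {
				state = Probe(host, p, timeout)
			}
			out[fmt.Sprintf("%s:%d", f.In, p)] = state
		}
	}
	return out
}

func main() {
	// Assumption: run on the NetWorker server with the appliance host as the only argument.
	targets := map[string]string{}
	if len(os.Args) == 2 {
		targets["CloudBoost appliance"] = os.Args[1]
	}
	fmt.Println(CheckRole("NetWorker server or client", Table4, targets, 2*time.Second))
}
```

A "filtered" result on 7937-7942 points at a firewall between the NetWorker host and the appliance, while "closed" means the packet arrived but nothing is listening on that port.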

Data at rest protection


Data at rest is encrypted using 256-bit AES encryption in CBC mode. Data remains encrypted as it is sent to or retrieved
from the cloud storage provider. Data is not decrypted until it is returned from the CloudBoost environment to the integrated
backup application as part of a restore operation. CloudBoost uses convergent cryptography to achieve data confidentiality in
deduplication.
The metadata and management databases from the CloudBoost appliance are periodically backed up into the same cloud object
store for disaster recovery of the CloudBoost appliance. The database backups are protected by a public and private key pair
for encryption and decryption. The data is encrypted with the public key, and the corresponding private key is required
for decryption of the data.
The private key is known only to the customer and can be used in disaster recovery situations to restore an appliance. The use
of asymmetrical encryption ensures that only the customer can decrypt their data.
The CloudBoost appliance has an option to generate the key pair. The key pair is not stored in the CloudBoost appliance. It
is purged after the administrator acknowledges that the key is downloaded. The CloudBoost administrator can update the backup
encryption key by uploading a new public key.
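
What convergent cryptography means for deduplication, shown as an added example that is not CloudBoost code. The guide names only AES-256 in CBC mode; the key derivation (SHA-256 of the chunk), the IV derivation and the function names here are assumptions taken from the general convergent-encryption construction.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ivFor derives the CBC IV from the key so that encryption is fully deterministic.
// Assumption: IV = first 16 bytes of SHA-256(key); the guide does not document this step.
func ivFor(key [32]byte) []byte {
	h := sha256.Sum256(key[:])
	return h[:aes.BlockSize]
}

// ConvergentEncrypt encrypts a chunk with AES-256-CBC (PKCS#7 padding) under a
// key derived from the chunk itself, so equal chunks give equal ciphertext.
func ConvergentEncrypt(chunk []byte) ([]byte, [32]byte, error) {
	key := sha256.Sum256(chunk)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, key, err
	}
	pad := aes.BlockSize - len(chunk)%aes.BlockSize
	pt := append(append([]byte{}, chunk...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, ivFor(key)).CryptBlocks(ct, pt)
	return ct, key, nil
}

// ConvergentDecrypt reverses ConvergentEncrypt and rejects a key whose hash
// does not match the recovered chunk, which doubles as an integrity check.
func ConvergentDecrypt(ct []byte, key [32]byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, ivFor(key)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	pt = pt[:len(pt)-pad]
	if sha256.Sum256(pt) != key {
		return nil, errors.New("key does not match recovered content")
	}
	return pt, nil
}

func main() {
	// Constructed sample chunks: two clients back up the same data, a third differs.
	a, _, _ := ConvergentEncrypt([]byte("constructed chunk, identical on two clients"))
	b, _, _ := ConvergentEncrypt([]byte("constructed chunk, identical on two clients"))
	c, _, _ := ConvergentEncrypt([]byte("constructed chunk, different content"))
	fmt.Println("identical chunks deduplicate:", bytes.Equal(a, b))
	fmt.Println("different chunks collide:", bytes.Equal(a, c))
}
```

Because the ciphertext is a deterministic function of the chunk, the object store can deduplicate without holding any key; the same determinism means equal ciphertexts reveal equal plaintext chunks, which is the trade-off of any convergent scheme.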

Data in transit protection


The CloudBoost appliance and the cloud storage provider use SSL and TLS to encrypt data being transferred between
them. This encryption is in addition to the encryption that occurred when the data was received from the integrated backup
application.
All communication between the CloudBoost components is also encrypted with SSL and TLS. For information on the ports that
must be opened, see Firewall port requirements.

Cloud storage provider
Data is stored with a supported cloud storage provider. The data is encrypted before being sent to the provider and remains
encrypted in the provider data center. The provider does not know the encryption key and cannot decrypt the data. Each
provider also takes additional measures to protect the data. For more information, contact the provider.

Data removal practices


CloudBoost places the application data in the CloudBoost appliance and the cloud storage provider data center. As the data is
being transferred to the cloud storage provider, it is stored on the appliance. After the data is transferred, the data is deleted
from the appliance. If the appliance cache feature is enabled, the data remains on the appliance for quicker restores until the
appliance must make room for new data transfers, at which time it is deleted.
Data that is transferred to a cloud storage provider remains with the provider until you no longer want that data stored
in the cloud. How quickly the data is removed depends on the provider. Each provider has its own data removal policies. Contact
the specific provider for its policies.
If CloudBoost integration with a backup application is abruptly stopped without proper removal (for example, an application server
fails), the application data remains stored encrypted with the cloud storage provider. If the appliance cache feature is enabled,
cached data remains encrypted on the appliance.
If you stop using CloudBoost, any data on the appliance remains encrypted on the appliance. Data that is stored with a cloud
storage provider remains encrypted. Encrypted data cannot be decrypted without CloudBoost. The time the data remains stored
with the provider depends on their policies and the status of the account with the provider.

Chapter 3: Infrastructure Security
This section includes the following topics:
• Infrastructure features
• CloudBoost access control
• CloudBoost updates and malware protection
• Security configuration settings

Infrastructure features
CloudBoost includes features to protect the infrastructure:
● To prevent unauthorized access to CloudBoost, the proper account credentials are required.
● To address vulnerabilities, updates are made available as needed. Updates can be applied without interruption to the
availability of CloudBoost.
● To help with network management, specific ports are used for specific CloudBoost activities.

CloudBoost access control


Access control prevents unauthorized users from getting to the data and CloudBoost components. Access to CloudBoost is
controlled through accounts and passwords.
● On-Prem CloudBoost Management Console – You access the portal by logging in with a web browser by using On-Prem
CloudBoost Management Console credentials. The portal allows you to perform administrative tasks, such as specifying
cloud storage providers, managing and configuring the CloudBoost appliance, and starting the installation of appliance
software updates.
● CloudBoost appliance – When you deploy the CloudBoost appliance, you choose a password for the appliance administrator
account. This password allows you to log in to the appliance to provide the appliance with its registration code during initial
deployment. You can also log in to perform certain administrative and support tasks at the command line interface.
● Access to the On-Prem CloudBoost Management Console is secured with TLS 1.2. You can access the portal as an
administrator by using a web browser:

https://<FQDN of the appliance>:7443

The administrator can log in to CloudBoost using a CLI through SSH port 22.

CloudBoost updates and malware protection


Updates are provided to the On-Prem CloudBoost Management Console, CloudBoost appliance, and CloudBoost clients as new
features are available and as issues are addressed. The CloudBoost administrator is responsible for updating the appliance and
the CloudBoost clients, when the clients are installed on an integrated backup application server.
The CloudBoost appliance does not protect against malware attacks, nor does it try to recognize and prevent data that is
related to or affected by malware from being sent to the cloud storage provider. To ensure the integrity of data, appropriate
anti-malware software should be used.

Security configuration settings


CloudBoost includes settings that control security-related aspects of the product.

● Remote appliance administration – By default, remote access to the CloudBoost appliance is disabled. You can enable remote
access to the appliance, perhaps when troubleshooting and for support purposes.
● Proxy server – You can specify the use of a proxy server.
● To manage CloudBoost functionality, the appliance is shipped with a built-in admin user. You cannot create more users in the
appliance. Currently, there is no support for registering an external authentication provider like LDAP.
● All the management services can be reached through TLS 1.2 compliant endpoints at the gateway service. By default, the
gateway service boots up with a self-signed certificate, but the CloudBoost administrator can enable SSL using a certificate
signed by a Certificate Authority (CA) during initial configuration.
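
A check for the two statements above about the management endpoint (TLS 1.2 compliant, self-signed certificate until a CA-signed one is installed), as an added example that is not part of the Dell guide. `InspectTLS` and `Report` are names invented for this illustration; the address you pass is the appliance FQDN with port 7443 from the access control section.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"
	"time"
)

// Report summarises what the endpoint presented during the handshake.
type Report struct {
	Version    string // negotiated protocol version
	Subject    string // subject of the leaf certificate
	SelfSigned bool   // issuer equals subject and the signature verifies with its own key
	Trusted    bool   // chain and host name verify against the system trust store
}

var versionNames = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// InspectTLS handshakes with addr ("host:port"), refusing anything below TLS 1.2,
// and reports on the certificate. Verification is skipped during the handshake
// only so that a self-signed certificate can be examined; it is redone explicitly.
func InspectTLS(addr string, timeout time.Duration) (Report, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return Report{}, err
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: host, InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return Report{}, fmt.Errorf("handshake with %s failed: %w", addr, err)
	}
	defer conn.Close()

	st := conn.ConnectionState()
	leaf, inter := st.PeerCertificates[0], x509.NewCertPool()
	for _, c := range st.PeerCertificates[1:] {
		inter.AddCert(c)
	}
	_, verr := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inter})
	self := bytes.Equal(leaf.RawIssuer, leaf.RawSubject) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	return Report{versionNames[st.Version], leaf.Subject.String(), self, verr == nil}, nil
}

func main() {
	if len(os.Args) != 2 { // e.g. inspect <FQDN of the appliance>:7443
		fmt.Println("usage: inspect host:port")
		return
	}
	r, err := InspectTLS(os.Args[1], 5*time.Second)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

`SelfSigned: true` with `Trusted: false` is the default state the guide describes; after a CA-signed certificate is installed, the same check should report `Trusted: true` on any workstation that trusts that CA.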
