Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Top recommendations to improve your NetBackup and NetBackup appliances security posture
  4. Reducing network exposure
NetBackup and NetBackup Appliances Hardening Guide

Reducing network exposure

You can reduce your network exposure with the following features.

Network access control

Network access control can ensure that only authorized personnel can access selected networks or network segments to access backup administrative interfaces. For example, you can use an allowed list to control which IP addresses and subnets can access your appliances through SSH and HTTPS. All IP addresses that are not on the allowed list are blocked by default. This feature is an example of network segmentation and can prevent attackers from gaining system access.

How to configure network access control:

  • Flex Appliance

    See Using network access control.

  • NetBackup Appliance

    See About Network Access Control.

  • NetBackup

    Network access control for NetBackup is available through the isolated recovery environment (IRE) feature. See the following section.

Isolated recovery environments

Another way to isolate and protect backups is to create an isolated recovery environment (IRE). NetBackup BYO and Flex Appliance include a turnkey, pull-based IRE that creates an air-gapped network environment. This feature lets you create a vault for your data. Additionally, the proprietary compliance secure clock provides added confidence that your storage is never subject to time-based attacks that are meant to expire data prematurely.

How to configure an IRE:

  • Flex Appliance

    See Configuring an isolated recovery environment using the web UI.

  • NetBackup

    See Configuring an isolated recovery environment on a NetBackup BYO media server.

  • NetBackup Flex Scale

    See Configuring isolated recovery environment (IRE).

  • Access Appliance

    See Configuring an isolated recovery environment using the command line.

Currently, NetBackup Appliance can be used for the production environment of an IRE but not as the target server.

Feedback

Was this page helpful?
Previous

Securing credentials

Next

Enabling encryption

Feedback

Was this page helpful?