EMC VNXe Security Configuration Guide

EMC VNXe Security Configuration Guide
EMC® VNXe™
Release 2
Security Configuration Guide
P/N 300-012-190 Rev 05
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright © 2011 - 2013 EMC Corporation. All rights reserved.
Published January 2013
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date regulatory document for your product line, go to the Technical
Documentation and Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on
EMC.com.
All other trademarks used herein are the property of their respective owners.
Corporate Headquarters: Hopkinton, MA 01748-9103
2
EMC VNXe Security Configuration Guide
Contents
Preface.....................................................................................................5
Chapter 1: Introduction...........................................................................7
Overview..................................................................................................................8
Related documents..................................................................................................8
Chapter 2: Access Control.....................................................................9
Access methods......................................................................................................10
VNXe factory default management and service accounts...............................11
VNXe account management................................................................................12
Unisphere for VNXe..............................................................................................12
VNXe Unisphere command line interface (CLI)...............................................14
VNXe service SSH interface.................................................................................15
VNXe service serial port interface.......................................................................17
Chapter 3: Logging...............................................................................19
Logging...................................................................................................................20
Remote logging options........................................................................................21
Chapter 4: Communication Security...................................................23
Port usage...............................................................................................................24
VNXe network ports...................................................................................24
Ports the VNXe may contact......................................................................28
VNXe certificate.....................................................................................................30
Configuring the management interface using DHCP......................................30
Automatically assign an IP address to your VNXe system...................31
EMC VNXe Security Configuration Guide
3
Contents
VNXe interfaces, services, and features that support Internet Protocol
version 6............................................................................................................32
VNXe management interface access using IPv6...............................................34
Running the Connection Utility..........................................................................35
CIFS encryption.....................................................................................................36
Chapter 5: Data Security Settings........................................................37
Data security settings............................................................................................38
Data-at-rest-encryption.........................................................................................38
Chapter 6: Security Maintenance........................................................43
Secure maintenance...............................................................................................44
License update.............................................................................................44
Software upgrade........................................................................................44
Chapter 7: Security Alert Settings........................................................47
Alert settings..........................................................................................................48
Configuring alert settings...........................................................................49
Chapter 8: Other Security Settings.......................................................51
Data erasure...........................................................................................................52
Physical security controls.....................................................................................52
Antivirus protection..............................................................................................52
4
EMC VNXe Security Configuration Guide
Preface
As part of an effort to improve and enhance the performance and capabilities of its product lines,
EMC periodically releases revisions of its hardware and software. Therefore, some functions described
in this document may not be supported by all versions of the software or hardware currently in use.
For the most up-to-date information on product features, refer to your product release notes.
If a product does not function properly or does not function as described in this document, please
contact your EMC representative.
EMC VNXe Security Configuration Guide
5
Preface
Special notice conventions
EMC uses the following conventions for special notices:
Note: Emphasizes content that is of exceptional importance or interest but does not relate to personal
injury or business/data loss.
Identifies content that warns of potential business or data loss.
Indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
Indicates a hazardous situation which, if not avoided, could result in death or
serious injury.
Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
Where to get help
VNXe support, product, and licensing information can be obtained as follows:
Product information — For documentation, release notes, software updates, or for
information about EMC products, licensing, and service, go to the EMC Online Support
website (registration required) at http://www.emc.com/vnxesupport.
Technical support — For technical support and service requests, go to EMC Online
Support. Under Service Center, you will see several options, including one to create
a service request. Note that to open a service request, you must have a valid support
agreement. Contact your EMC sales representative for details about obtaining a valid
support agreement or with questions about your account.
Note: Do not request a specific support representative unless one has already been assigned to
your particular system problem.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications.
Please send your opinion of this document to:
techpubcomments@EMC.com
6
EMC VNXe Security Configuration Guide
1
Introduction
This chapter briefly describes a variety of security features implemented
on the VNXe.
Topics include:
◆
◆
Overview on page 8
Related documents on page 8
EMC VNXe Security Configuration Guide
7
Introduction
Overview
EMC® VNXe™ uses a variety of security features to control user and network access, monitor
system access and use, and support the transmission of storage data. This document describes
available VNXe security features.
This document is intended for administrators responsible for VNXe system configuration
and operation.
The guide approaches security settings within the categories shown in Table 1 on page 8:
Table 1. Security settings categories
Security category
Description
Access control
Limiting access by end-user or by other entities to protect hardware,
software, or specific product features.
Logs
Managing the logging of events.
Communication security Securing product network communications.
Data security
Providing protection for product data.
Serviceability
Maintaining control of product service operations performed by EMC
or its service partners.
Alert system
Assuring security alerts and notifications generation for security-related
events.
Other security settings
Security settings that do not fall in one of the previous sections, such
as data erasure and physical security.
Related documents
You can find specific configuration instructions within the VNXe documentation that is
available in the EMC Online Support website at www.emc.com/vnxesupport. This guide
includes references to the following documents where appropriate.
8
◆
Installing Your VNXe Hardware
◆
Unisphere for VNXe Online Help
◆
Using the VNXe with CIFS Shared Folders
◆
Using the VNXe with NFS Shared Folders
◆
Using the VNXe with Microsoft Exchange
◆
Using the Celerra VNXe with Generic iSCSI Storage
◆
Using the VNXe with VMware Storage
◆
VNXe CLI User's Guide
EMC VNXe Security Configuration Guide
2
Access Control
This chapter describes a variety of access control features implemented
on the VNXe.
Topics include:
◆
◆
◆
◆
◆
◆
◆
Access methods on page 10
VNXe factory default management and service accounts on page 11
VNXe account management on page 12
Unisphere for VNXe on page 12
VNXe Unisphere command line interface (CLI) on page 14
VNXe service SSH interface on page 15
VNXe service serial port interface on page 17
EMC VNXe Security Configuration Guide
9
Access Control
Access methods
VNXe supports the access methods shown in Table 2 on page 10.
Table 2. Access methods
Type
Description
Management ac- These accounts have privileges (see Table 6 on page 13) for performing management and monitoring
counts
tasks associated with the VNXe system and its storage resources.
Passwords are created and managed through the VNXe management interfaces and can be used to
access either of the following management interfaces:
◆
EMC Unisphere™:
A Web-based graphical interface accessed via HTTPS that provides tools for configuring, managing,
and monitoring VNXe storage and system settings.
◆
VNXe Unisphere CLI:
The VNXe Unisphere CLI provides a subset of the functionality available through Unisphere.
10
EMC VNXe Security Configuration Guide
Access Control
Table 2. Access methods (continued)
Type
Description
Service account
This account performs specialized service functions. A single account provides access to service interfaces using SSH or serial port connection.
VNXe service interfaces include the following:
◆
Unisphere for VNXe:
Using a management account, type the service password to access the Unisphere service page
from which you can perform the following actions:
◆
Collect system service information:
Collect information for the system and save it to a file. EMC service personnel can use the
collected information to analyze your system.
◆
Reinitialize the system :
Reset the VNXe system to the original factory settings. Both Storage Processors (SPs) must
be installed, operating normally, and be in Service Mode or you cannot perform this action.
Note: Service Mode is a reduced operational mode designed for maintenance and troubleshooting. A VNXe system in this mode is restricted to a limited interface through Unisphere
as well as a specific CLI interface that allows for isolated problem resolution.
◆
Change the system service password:
Change the Service password for accessing the Service System page.
◆
VNXe Unisphere CLI:
The VNXe Unisphere CLI provides a command line interface for the same functionality available
through Unisphere.
◆
VNXe SSH service script interface:
A command line interface that is accessible through an SSH client and provides service-specific
functions for diagnosing, troubleshooting, and resolving VNXe issues.
◆
VNXe serial port service interface:
Provides the same diagnostic and troubleshooting features as the SSH service interface, except
access is provided through a serial port interface.
VNXe factory default management and service accounts
The VNXe system comes with factory default user account settings to use when initially
accessing and configuring the VNXe system. See Table 3 on page 12.
VNXe factory default management and service accounts
11
Access Control
Table 3. Factory default user account settings
Account type
Username
Password
Privileges
Management (Unisphere)
admin
Password123#
Administrator privileges for
resetting default passwords,
configure system settings,
create user accounts, and
allocate storage.
Service
service
service
Perform service operations.
Note: During the initial configuration process, you are required to change the password for the default
administrator and service accounts.
VNXe account management
Table 4 on page 12 illustrates the ways in which you can manage VNXe accounts.
Table 4. Account management methods
Account roles
Description
Management
After the VNXe initial system configuration process is complete, you can manage VNXe
management accounts from Unisphere or the VNXe Unisphere CLI. You can create, modify,
delete, or reset password settings for VNXe local accounts, and assign or change roles to
accounts that determine the privileges provided to users who use them.
Service
You cannot create or delete VNXe service accounts. You can reset the service account
password by using the Change Service Password function from the Unisphere Service page.
Note: You can reset the VNXe system factory default account passwords by pressing the password
reset button on the VNXe system chassis. The Unisphere Online Help provides more information.
Unisphere for VNXe
Authentication for access to Unisphere is performed based on the credentials of the user
(local or LDAP) account. User accounts are created and subsequently managed through the
Unisphere Manage Administration page. The authorizations that apply to Unisphere depend
on the role associated with the user account.
Session rules
Unisphere sessions have the following characteristics:
◆
12
Expiration term of one hour
EMC VNXe Security Configuration Guide
Access Control
◆
Session timeout is not configurable
◆
Session IDs are generated during authentication and used for the duration of each
session
Password usage
Unisphere account usernames and passwords must meet these requirements, as shown
Table 5 on page 13.
Table 5. Unisphere account requirements
Restriction
Password requirement
Minimum number of characters
8
Minimum number of uppercase characters
1
Minimum number of lowercase characters
1
Minimum number of numeric characters
1
Minimum number of special characters
Supported special characters include:
1
!,@#$%^*_~?
Maximum number of characters
40
Note: You can change account passwords from Unisphere by clicking Settings > More Configuration>
Manage Administration. When changing a password, you cannot reuse any of the last three passwords.
The Unisphere Online Help provides more information.
Authorization
Table 6 on page 13 shows the roles you can assign to VNXe local users and the privileges
associated with these roles. In addition, you can assign these roles to LDAP users and
groups.
Table 6. Local user roles and privileges
Task
Operator
Storage adminis- Administrator
trator
Change own local login password
x
x
Add hosts
Create storage
x
x
x
x
Unisphere for VNXe
13
Access Control
Table 6. Local user roles and privileges (continued)
Task
Operator
Storage adminis- Administrator
trator
Delete storage
x
x
Add storage objects to storage resources (virtual disks, shares, storage
groups, etc.)
x
x
x
x
x
x
View storage configuration and status
x
View VNXe user accounts
Add, delete or modify VNXe user accounts
View current software or license status
x
x
x
x
Perform software or license upgrade
x
Perform initial configuration
x
Modify Storage Server configuration
x
Modify VNXe system settings
x
Modify VNXe network settings
x
Change management interface language
x
x
x
Note: You can change account roles in Unisphere by clicking Settings > More Configuration> Manage
Administration. The Unisphere Online Help provides more information.
VNXe Unisphere command line interface (CLI)
The VNXe Unisphere CLI provides a command line interface for the same functionality
available through Unisphere.
Running the Unisphere CLI requires special VNXe command line software. You can
download this software from the EMC Online Support website at
www.emc.com/vnxesupport.
Session rules
The Unisphere CLI client does not support sessions. You must use command line syntax
to specify the account username and password with each command that you issue.
You can use the Unisphere CLI -saveuser command to save the access credentials
(username and password) for a specific account to a local file. After you save the access
credentials, the CLI automatically applies them to the specified VNXe destination and
port each time you run a command.
14
EMC VNXe Security Configuration Guide
Access Control
Password usage
Authentication to the Unisphere CLI is performed in accordance with management
accounts created and managed through Unisphere. The same permissions that apply to
Unisphere apply to specific commands depending on the role associated with the current
login account.
Saved settings
You can save the following settings on the host on which you run Unisphere CLI:
◆
User access credentials, including your username and password, for each system you
access.
◆
SSL certificates imported from the system.
◆
Information about default system to access through Unisphere CLI, including the
system name or IP address and the system port number.
Unisphere CLI saves the settings to a secure lockbox that resides locally on the host on
which Unisphere CLI is installed. The stored data is only available on the host where it
was saved and to the user who saved it. The lockbox resides in the following locations:
◆
On Windows XP:
C:\Documents and Settings\<account_name>\Local
Settings\ApplicationData\EMC\UEM CLI\
◆
On Windows 7:
C :\Users\${user_name}\AppData\Local\.EMC\UEM CLI\
◆
On UNIX/Linux:
<home_directory>/EMC/UEM CLI
Locate the files config.xml and config.key. If you uninstall Unisphere CLI, these directories
and files are not deleted, giving you the option of retaining them; however, for security
reasons, you may want to delete these files.
VNXe service SSH interface
The VNXe SSH service interface provides a command line interface for performing a subset
of functionality available from the Unisphere Service page (Settings > Service System).
The service account enables users to perform the following functions:
◆
Perform specialized VNXe service commands for monitoring and troubleshooting VNXe
system settings and operations.
VNXe service SSH interface
15
Access Control
◆
Operate standard Linux commands as a member of a non-privileged Linux user account.
This account does not have access to proprietary system files, configuration files, or
user/customer data.
Sessions
The VNXe SSH service interface sessions are maintained according to the settings
established by the SSH client. Session characteristics are determined by the SSH client
configuration settings.
Password usage
The service account is an account that EMC service personnel can use to perform basic
Linux commands.
The default password for the VNXe service interface is service. When you perform initial
configuration for the VNXe system, you must change the default service password.
Password restrictions are the same as those that apply to Unisphere management accounts
(see Table 5 on page 13). For information on the VNXe service command,
svc_service_password, used to manage the password settings for the VNXe service
account, see the technical notes document, VNXe Service Commands.
Authorization
As shown in Table 7 on page 16, authorization for the service account is defined in two
ways.
Table 7. Service account authorization definitions
Authorization type
Description
Linux file system permissions File system permissions define most of the tasks that the service account can and
cannot perform on the VNXe system. For example, most Linux tools and utilities that
modify system operation in any way require superuser account privileges. Since the
service account does not have such access rights, the service account cannot use
Linux tools and utilities to which it does not have execute permissions.
Access control lists (ACLs)
The ACL mechanism on the VNXe uses a list of very specific rules to explicitly grant
or deny access to system resources by the service account.These rules specify service
account permissions to other areas of the VNXe system that are not otherwise defined
by standard Linux file system permissions.
VNXe service commands
A set of problem diagnostic, system configuration, and system recovery commands are
installed on the VNXe's operating environment (OE). These commands provide an
in-depth level of information and a lower level of system control than is available through
16
EMC VNXe Security Configuration Guide
Access Control
Unisphere. The technical notes document, VNXe Service Commands, describes these
commands and their common use cases.
VNXe service serial port interface
The VNXe service serial port interface provides the same functions and features as the service
SSH interface and is also subject to the same restrictions. The difference is that users access
the interface through a serial port connection rather than an SSH client.
For a list of service commands refer to the VNXe Service Commands Technical Notes document.
VNXe service serial port interface
17
Access Control
18
EMC VNXe Security Configuration Guide
3
Logging
This chapter describes a variety of logging features implemented on the
VNXe.
Topics include:
◆
◆
Logging on page 20
Remote logging options on page 21
EMC VNXe Security Configuration Guide
19
Logging
Logging
VNXe system maintains the following types of logs for tracking events that occur on the
system. See Table 8 on page 20.
Table 8. Logs
Log type
Description
System log
Information displayed in Unisphere to notify users about VNXe user-actionable events. These records are
localized according to the default language setting specified for the system. Note that "user-actionable
events" includes audit events. However, not all logged events show up in the GUI. Those audit log entries
that don't don't meet a certain severity threshold are logged by the system but don't appear in the GUI.
System alert Information used by the Service personnel to diagnose or monitor the VNXe system status or behavior.
These records are recorded in English only.
Viewing and managing logs
The following logging features are available for VNXe systems. See Table 9 on page 20.
Table 9. Logging features
Feature
Description
Log roll-over
When the VNXe log system accumulates two million log entries, it purges the oldest 500K
entries (as determined by log record time) to return to 1.5 million log entries.
You can archive log entries by enabling remote logging so that log entries are uploaded to a
remote network node where they can be archived or backed up. The
dctm://esa/37000001802104c9?DMS_OBJECT_SPEC=RELATION_ID&DMS_ANCHOR=#R18780 section provides more information.
Logging levels
Logging levels are not configurable for VNXe. Log levels can only be configured for exported
log files as described in the dctm://esa/37000001802104ca?DMS_OBJECT_SPEC=RELATION_ID&DMS_ANCHOR=#R18780 section.
Alert integration
You can view VNXe alert information in the following ways:
◆
View alerts only:
In Unisphere, go to System > System Alerts.
◆
View all log events:
Using the VNXe Unisphere CLI, type the command cemcli list event.
20
EMC VNXe Security Configuration Guide
Logging
Table 9. Logging features (continued)
Feature
Description
External log management You can archive log entries by enabling remote logging so that log entries are uploaded to a
remote network node where they can be archived or backed up. There, you can use tools
such as syslog to filter and analyze log results. The
dctm://esa/37000001802104cb?DMS_OBJECT_SPEC=RELATION_ID&DMS_ANCHOR=#R18780 section provides more information.
Time synchronization
Log time is recorded in GMT format and is maintained according to the VNXe system time
(which may be synchronized to the local network time through an NTP server).
Remote logging options
VNXe supports logging user/audit messages to a remote network address. By default, VNXe
transfers log information on port 514 using UDP. The following remote logging settings are
configurable through Unisphere. Log into Unisphere and click Settings > Management
Settings and select the Network tab.
◆
Network name or address where VNXe sends remote log information
◆
Type of user-level log messages to send. Use the Facility field to set the type of log
messages. EMC recommends that you select the User-Level Messages options.
◆
Port number and type (UDP or TCP) to use for log transmission
◆
Language setting for text within log messages
Configuring a host to receive VNXe log messages
Before configuring remote logging for a VNXe system, you must configure a remote
system running syslog to receive logging messages from the VNXe system. In many
scenarios, a root/administrator on the receiving computer can configure the remote syslog
server to receive log information by editing the syslog-ng.conf file on the remote system.
Note: For more information on setting up and running a remote syslog server, refer to the
documentation for the operating system running on the remote system.
Remote logging options
21
Logging
22
EMC VNXe Security Configuration Guide
4
Communication Security
This chapter describes a variety of communication security features
implemented on the VNXe.
Topics include:
◆
◆
◆
◆
◆
◆
◆
Port usage on page 24
VNXe certificate on page 30
Configuring the management interface using DHCP on page 30
VNXe interfaces, services, and features that support Internet Protocol
version 6 on page 32
VNXe management interface access using IPv6 on page 34
Running the Connection Utility on page 35
CIFS encryption on page 36
EMC VNXe Security Configuration Guide
23
Communication Security
Port usage
Communications with the Unisphere and CLI interfaces are conducted through HTTPS on
port 443. Attempts to access Unisphere on port 80 (through HTTP) are automatically
redirected to port 443.
VNXe network ports
Table 10 on page 28 outlines the collection of network services (and the corresponding ports)
that may be found on the VNXe.
Table 10. VNXe network ports
Service
Protocol
Port
Description
SSH/SSHD/SFTP
TCP
22
Allows SSH access (if enabled) and SFTP
(FTP over SSH). SFTP is a client/server
protocol. Users can use SFTP to perform
file transfers on a VNXe system on the local
subnet.
If closed, management connections using
SSH will be unavailable.
Dynamic DNS update
UDP
53
Used to transmit DNS queries to the DNS
server in conjunction with the Dynamic Host
Control Protocol (DHCP).
If closed, DNS name resolution will not
work.
DHCP client
UDP
67
Allows the VNXe to act as a DHCP client
during the initial configuration process and
is used to transmit messages from the client
(VNXe) to the DHCP server to automatically
obtain management interface information.
Also, used to configure DHCP for the management interface of a VNXe which has already been deployed.
If closed, dynamic IP addresses will not be
assigned using DHCP.
24
EMC VNXe Security Configuration Guide
Communication Security
Table 10. VNXe network ports (continued)
Service
Protocol
Port
Description
DHCP client
UDP
68
Allows the VNXe to act as a DHCP client
during the initial configuration process and
is used to receive messages from DHCP
server to the client (VNXe) to automatically
obtain its management interface information. Also, used to configure DHCP for the
management interface of a VNXe which has
already been deployed.
If closed, dynamic IP addresses will not be
assigned using DHCP.
HTTP
TCP
80
Redirect for HTTP traffic to Unisphere and
the VNXe Unisphere CLI.
If closed, management traffic to the default
HTTP port will be unavailable.
rpcbind
TCP/UDP
111
(Network infrastructure)
Opened by the standard portmapper or
rpcbind service and is an ancillary VNXe
network service.
It cannot be stopped. By definition, if a client
system has network connectivity to the port,
it can query it. No authentication is performed.
NTP
UDP
123
NTP time synchronization.
If closed, time will not be synchronized
among arrays.
NETBIOS Session Ser- TCP
vice
139
(CIFS)
The NETBIOS Session Service is associated with VNXe CIFS file sharing services
and is a core component of that functionality. If CIFS services are enabled, this port is
open. It is specifically required for earlier
versions of the Windows OS (pre-Windows
2000).
Clients with legitimate access to the VNXe
CIFS services must have network connectivity to the port for continued operation.
SNMP
UDP
161, 162
SNMP communications.
If closed, VNXe alert mechanisms which
rely on SNMP will not be sent.
Port usage
25
Communication Security
Table 10. VNXe network ports (continued)
Service
Protocol
Port
Description
HTTPS
TCP
443
Secure HTTP traffic to the Unisphere and
VNXe Unisphere CLI.
If closed, communication with the array will
be unavailable.
CIFS
TCP
445
CIFS connectivity port for Windows 2000
and later clients. Clients with legitimate access to the VNXe CIFS services must have
network connectivity to the port for continued operation.
Dynamic DNS update
UDP
Dynamically assigned
port (above 1024)
Used to receive responses to DNS queries
from the DNS server in conjunction with the
Dynamic Host Control Protocol (DHCP).
If closed, DNS name resolution will not
work.
mountd
TCP
1234
Used for the mount service, which is a core
component of the NFS service (versions 2
and 3).
NFS
TCP
2049
Used to provide NFS services.
Portable Archive Interchange (PAX)
TCP
4658
PAX is a VNXe archive protocol that works
with standard UNIX tape formats.
(NFS)
(Backup Services)
This service must bind to multiple internal
network interfaces and as a consequence,
it binds to the external interface as well.
However, incoming requests over the external network are rejected.
Background information on PAX is contained in the relevant EMC documentation
on backups and NDMP. There are several
technical modules on this topic to deal with
a variety of backup tools.
Network Block Service
(NBS)
TCP
5033
An EMC proprietary protocol similar to (and
a precursor of) iSCSI.The NBS service that
opens this port is a core VNXe service and
cannot be stopped.
Externally, NBS is used for snapshot and
replication control functions.
Replication services
26
TCP
EMC VNXe Security Configuration Guide
5081
Data Mover-to-Data Mover replication
commands.
Communication Security
Table 10. VNXe network ports (continued)
Service
Protocol
Port
Description
Replication services
TCP
5083
Associated with replication services.
Replication services
TCP
5084
Associated with replication services.
Replication services
TCP
5085
Associated with replication services.
Statistics monitoring
service
TCP
7777
Statistics monitoring service
RCP
TCP
8888
Used by the replicator (on the secondary
side). It is left open by the replicator as soon
as some data has to be replicated. After it
is started, there is no way to stop the service.
TCP
10000
Enables you to control the backup and recovery of an NDMP server through a network backup application, without installing
third-party software on the server. In a
VNXe system, the Data Mover functions as
the NDMP server.
(Replication services)
NDMP
The NDMP service can be disabled if NDMP
tape backup is not used.
The NDMP service is authenticated with a
username/password pair. The username is
configurable. The NDMP documentation
describes how to configure the password
for a variety of environments.
usermapper
TCP
12345
CIFS
The usermapper service opens this port. It
is a core service associated with VNXe
CIFS services and should not be stopped
in specific environments.
This is the method by which Windows credentials (which are SID-based) are mapped
to UNIX-based UID and GID values.
IWD
UDP
Dynamically allocated
IWD initial configuration daemon.
If closed, initialization of the array will be
unavailable through the network.
rquotad
TCP
Dynamically allocated
The rquotad daemon provides quota information to NFS clients that have mounted a
file system.
Port usage
27
Communication Security
Table 10. VNXe network ports (continued)
Service
Protocol
Port
Description
nlockmgr
TCP
Dynamically allocated
Used for NFS file locking. It processes lock
requests from NFS clients and works in
conjunction with the status service.
status
TCP
Dynamically allocated
The NFS file-locking status monitor and
works in conjunction with nlockmgr to provide crash and recovery functions for NFS
(which is inherently a stateless protocol).
Ports the VNXe may contact
The VNXe functions as a network client in several circumstances, for example, in
communicating with an LDAP server. In these instances, the VNXe initiates communication
and the network infrastructure will need to support these connections.Table 10 on page 28
describes the ports that a VNXe must be allowed to access for the corresponding service to
function properly. This includes the VNXe Unisphere CLI.
Table 11. Network connections that may be initiated by the VNXe
Service
Protocol
Port
Description
SMTP
TCP
25
Allows the system to send email.
If closed, email notifications will be unavailable.
DNS
UDP
53
DNS queries.
If closed, DNS name resolution will not work.
DHCP
UDP
67-68
Allows VNXe to act as a DHCP client.
If closed, dynamic IP addresses will not be assigned
using DHCP.
HTTP
TCP
80
Redirect for HTTP traffic to Unisphere and the VNXe
Unisphere CLI.
If closed, management traffic to the default HTTP
port will be unavailable.
NTP
UDP
123
NTP time synchronization.
If closed, time will not be synchronized among arrays.
28
EMC VNXe Security Configuration Guide
Communication Security
Table 11. Network connections that may be initiated
by the VNXe (continued)
Service
Protocol
Port
Description
SNMP
UDP
161, 162*
SNMP communications.
If closed, VNXe alert mechanisms which rely on
SNMP will not be sent.
LDAP
TCP
389*
Unsecure LDAP queries.
If closed, Unsecure LDAP authentication queries will
be unavailable. Secure LDAP is configurable as an
alternative.
HTTPS
TCP
443
HTTPS traffic to the Unisphere and VNXe Unisphere
CLI.
If closed, communication with the array will be unavailable.
CIFS
TCP
445
All Windows NT domain controllers.
CIFS
TCP
445
All Windows domain controllers.
Remote Syslog
UDP or TCP
514*
Log system messages to a remote host.
You can configure the log transmission method (UDP
or TCP) and the host port that the system uses.
LDAPS
TCP
639*
Secure LDAP queries.
If closed, secure LDAP authentication will be unavailable.
CIM XML
TCP
5989
Used for various internal tasks related to system to
system replication. Authentication and authorization
are required for all calls made using CIM-XML.
IWD
UDP
Dynamically assigned IWD initial configuration daemon.
If closed, initialization of the array will be unavailable
through the network.
rquotad
TCP
Dynamically allocated The rquotad daemon provides quota information to
NFS clients that have mounted a file system.
nlockmgr
TCP
Dynamically allocated Used for NFS file locking. It processes lock requests
from NFS clients and works in conjunction with the
status service.
Port usage
29
Communication Security
Table 11. Network connections that may be initiated
by the VNXe (continued)
Service
Protocol
Port
Description
status
TCP
Dynamically allocated The NFS file-locking status monitor and works in
conjunction with nlockmgr to provide crash and recovery functions for NFS (which is inherently a
stateless protocol).
Note: The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring
Directory Services. The default port number is displayed in an entry box that can be overridden by
the user. Also, the Remote Syslog port number and the SNMP port number can be overridden from
inside Unisphere.
VNXe certificate
The VNXe uses OpenSSL during its first initialization to automatically generate a self-signed
certificate. The certificate is preserved both in NVRAM and on the backend LUN. Later, the
VNXe presents it to a client when the client attempts to connect to the VNXe through the
management port.
The certificate is set to expire after 3 years; however, the VNXe will regenerate the certificate
one month before its expiration date. Also, you can upload a new certificate by using the
svc_custom_cert service command. This command installs a specified SSL certificate in
PEM format for use with the Unisphere management interface. For more information about
this service command, see the VNXe Service Commands Technical Notes document. You cannot
view the certificate through Unisphere or the VNXe Unisphere CLI; however, you can view
the certificate through a browser client or a web tool that tries to connect to the management
port.
Configuring the management interface using DHCP
After you finish installing, cabling, and powering up the system, an IP address must be
assigned to the VNXe management interface. If you are running VNXe on a dynamic network
that includes a Dynamic Host Control Protocol (DHCP) server and a Domain Name System
(DNS) server, the management IP address can be assigned automatically.
Note: If you are not running the VNXe system in a dynamic network environment, or you would
rather manually assign a static IP address, you must install and run the VNXe Connection Utility (see
Running the Connection Utility on page 35).
The appropriate network configuration must include setting the range of available IP
addresses, the correct subnet masks, and gateway and name server addresses. Consult your
30
EMC VNXe Security Configuration Guide
Communication Security
specific network's documentation for more information on setting up DHCP and DNS
servers.
DHCP is a protocol for assigning dynamic Internet Protocol (IP) addresses to devices on a
network. DHCP allows you to control Internet Protocol (IP) addresses from a centralized
server and automatically assign a new, unique IP address when a VNXe system is plugged
into your organization's network. This dynamic addressing simplifies network administration
because the software keeps track of IP addresses rather than requiring an administrator to
manage the task.
The DNS server is an IP-based server that translates domain names into IP addresses. As
opposed to numeric IP addresses, domain names are alphabetic and are usually easier to
remember. Since an IP network is based on IP addresses, every time you use a domain name,
the DNS server must translate the name into a corresponding IP address. For example, the
domain name www.emc.com translates to the IP address 10.250.16.87.
While the DHCP protocol exchange is not inherently secure and the possibility of
communicating with a malicious server exists, it is expected that your management IP
network is physically secure to control access and help prevent any rogue DHCP exchanges.
Also, no administrative information such as user names, passwords, and such are exchanged
during the DHCP/Dynamic DNS configuration.
Configuration of the management IP items (DHCP preference, DNS and NTP server
configuration) fall under the existing Unisphere framework related to security. DNS and
DHCP events including obtaining a new IP address on lease expiration are recorded in
VNXe audit logs. If DHCP is not used for the VNXe management IP configuration, no
additional network ports will be opened.
Automatically assign an IP address to your VNXe system
Before you begin
Ensure you have network connection between the VNXe system, a DHCP server, and a DNS
server.
Procedure
Once your DHCP network is configured, you can automatically assign an IP address to your
VNXe system:
1. Power on the VNXe system.
The SP fault light on the back of the VNXe illuminates (blue with flashing amber once
in three seconds), indicating that the system is not initialized and a management IP
address has not been assigned. The DHCP client software running on the VNXe system
requests an IP address on the local network. The DHCP server will dynamically assign
an IP address to the VNXe and send this information to the DNS server. The VNXe
management IP will be registered in the network domain. Once the IP address has been
assigned, the SP fault light turns off and you can log into Unisphere to properly configure
your VNXe system. If you want to manually configure the VNXe management IP as a
static IP address, you can still do so even after the IP is automatically assigned and the
Configuring the management interface using DHCP
31
Communication Security
SP fault light has turned off. However, you must do so before accepting the end user
license agreement (EULA) of the Configuration Wizard.
2. Open a web browser and access the management interface using the following syntax
serial_number.domain
Where:
serial_number is the serial number of your VNXe. This can be found in the packing
materials that came with your VNXe.
domain is the network domain on which the VNXe system is located.
For example:
FM100000000017.mylab.emc.com.
If a certificate error appears, follow the instructions in your browser to bypass the error.
3. Log into the VNXe system using the default username (admin) and password
(Password123#).
The first time you open Unisphere, the Configuration Wizard runs to assist you with
configuring passwords, DNS and NTP servers, storage pools, storage server settings,
and ESRS and ConnectEMC features.
4. Proceed through the Configuration Wizard until the Domain Name Server panel appears.
5. In the Domain Name Server (DNS) panel, select Obtain default DNS server addresses
automatically.
6. Continue through the wizard, using the information described in the VNXe Quick Start
poster or the online help for assistance.
VNXe interfaces, services, and features that support Internet Protocol
version 6
You can configure the interfaces on a system and use Internet Protocol version 6 (IPv6)
addresses to configure different services and features. The following list contains features
where IPv6 protocol is supported:
32
◆
Interfaces (SF, iSCSI) - to statically assign an IPv4 or IPv6 address to an interface
◆
Hosts - to enter a network name, an IPv4 address or an IPv6 address of a host
◆
Routes - to configure a route for IPv4 or IPv6 protocol
EMC VNXe Security Configuration Guide
Communication Security
◆
Diagnostics - to initiate a diagnostic ping CLI command using either an IPv4 or IPv6
destination address. The Unisphere Ping Destination screen supports the IPv6 destination
addresses as well.
All VNXe components support IPv4, and most support IPv6. The following table shows the
availability of IPv6 support by setting type and component:
Setting Type
Component
IPv6 Supported
Unisphere management settings
Management port
Yes
Domain Name Server (DNS)
Yes
NTP (network time protocol) server
Yes
Remote logging server
Yes
Microsoft Exchange
Yes
VMware datastore (NFS)
Yes
VMware datastore (VMFS)
Yes
Hyper-V datastore
Yes
SNMP trap destinations
Yes
SMTP server
Yes
Connect EMC
No
EMC Secure Remote Support (ESRS)
No
iSCSI server
Yes
Shared Folder server
Yes
Unisphere host configuration setting
Unisphere alert setting
Storage server setting
Network Information Service (NIS) server (for Yes
NFS Shared Folder Servers)
Active Directory server (for CIFS Shared
Folder Servers)
Yes
Internet Storage Service (iSNS) server
Yes
VNXe interfaces, services, and features that support Internet Protocol version 6
33
Communication Security
Setting Type
Component
IPv6 Supported
Other
PING destinations
Yes
Remote log
Yes
LDAP
Yes
Unisphere Remote
No
Replication
No
IPv6 address standard
Internet Protocol version 6 (IPv6) is an Internet Protocol address standard developed by
the Internet Engineering Task Force (IETF) to supplement and eventually replace the
IPv4 address standard that most Internet services use today.
IPv4 uses 32-bit IP addresses, which provides approximately 4.3 billion possible addresses.
With the explosive growth of Internet users and Internet-connected devices, the available
IPv4 address space is insufficient. IPv6 solves the address shortage issue, because it uses
128-bit addresses, which provides approximately 340 trillion addresses. IPv6 also solves
other IPv4 issues, including mobility, autoconfiguration, and overall extensibility issues.
An IPv6 address is a hexadecimal value that contains eight, 16-bit, colon-separated fields:
hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh
Each digit in an IPv6 address can be a number from 0-9 or a letter from A-F.
For more information about the IPv6 standard, see information about the IPv6 standard
(RFC 2460) on the IETF website (http://www.ietf.org).
VNXe management interface access using IPv6
When you set up management connections in VNXe, you can configure the system to accept
the following types of IP addresses:
◆
Static Internet Protocol version 6 (IPv6) addresses, IPv4 addresses obtained through
DHCP, and static IPv4 addresses
◆
IPv4 addresses only
You can statically assign the IPv6 addresses to the management interface. An IPv6 address
on the management interface can be set to one of two modes, manual/static or disabled.
When you disable IPv6, the protocol does not unbind from the interface. The disable
command removes any unicast IPv6 addresses assigned to the management interface and
the VNXe will no longer answer requests addressed over IPv6. IPv6 is disabled by default.
34
EMC VNXe Security Configuration Guide
Communication Security
After you finish installing, cabling, and powering up the system, an IP address must be
assigned to the VNXe management interface. If you are not running VNXe on a dynamic
network, or if you would rather manually assign a static IP address, you must download,
install, and run the VNXe Connection Utility. For more information about the Connection
Utility, see Running the Connection Utility on page 35.
Inbound requests using IPv6 to the VNXe through the management interface are supported.
You can configure the management interface on a VNXe to operate in an IPv4-only, IPv6-only,
or a combined IPv4 and IPv6 environment and you can manage the VNXe using Unisphere
UI and the command line interface (CLI).
Outbound services such as Network Time Protocol (NTP) and Domain Naming System
(DNS) support IPv6 addressing either by using explicit IPv6 addresses or by using DNS
names. If a DNS name resolves to both IPv6 and IPv4, the VNXe will communicate with the
server over IPv6.
The manage network interface set and show CLI commands that are used to manage the
management interfaces include attributes related to IPv6. For more information about these
manage network interface commands and attributes, refer to the VNXe Unisphere CLI User
Guide.
Running the Connection Utility
Note: If you are running the VNXe system in a dynamic network environment that includes a DHCP
server and a DNS server, you do not have to use the VNXe Connection Utility and instead can
automatically assign a dynamic IP address (IPv4 only) for the VNXe management interface (see
Configuring the management interface using DHCP on page 30). When a VNXe system uses a static
IP address, it is manually configured with the Connection Utility to use a specific IP address. One
problem with static assignment, which can result from a mistake or inattention to detail, occurs when
two VNXe systems are configured with the same management IP address. This creates a conflict that
could result in loss of network connectivity. Using DHCP to dynamically assign IP addresses minimizes
these types of conflicts. VNXe systems configured to use DHCP for IP assignment do not need to use
statically assigned IP addresses.
Connection Utility installation software is available from the EMC Online Support website.
After you download the software, install the program on a Windows host. When you run
the Connection Utility from a computer on the same subnet as the VNXe, the Connection
Utility automatically discovers any unconfigured VNXe systems. If you run the Connection
Utility on a different subnet, you can save the configuration to a USB drive and then transfer
it to the VNXe system.
Note: You cannot change the management IP address when both of the Storage Processors (SP) are in
Service mode.
After you run the Connection Utility and transfer the configuration to your VNXe system,
you can connect to the VNXe system through a web browser using the IP address that you
assigned to the VNXe management interface.
Running the Connection Utility
35
Communication Security
The first time you connect to the VNXe system, the VNXe Configuration Wizard starts. The
Configuration Wizard lets you set up the initial configuration of the VNXe system so that
you can start to create storage resources.
CIFS encryption
SMB 3.0 and Windows 2012 support on the VNXe provides CIFS encryption for those hosts
capable of using CIFS. CIFS Encryption provides secure access to data on CIFS file shares.
This encryption provides security to data on untrusted networks, that is, it provides end to
end encryption of SMB data sent between the array and the host. The data is protected from
eavesdropping/snooping attacks on untrusted networks.
CIFS Encryption can be configured per share. Once a share is defined as encrypted, any
SMB3 client must encrypt all its requests related to the share; otherwise, access to the share
will be denied.
To enable CIFS Encryption, you either set the CIFS Encryption option when you add a CIFS
server or set it through the create and set commands for CIFS shares. Also, you set the
CIFS Encryption option when you create a CIFS Shared Folder. There is no setting required
on the SMB client.
Note: For more information about setting CIFS encryption, refer to the Unisphere for VNXe online
help and the VNXe Unisphere CLI User Guide.
36
EMC VNXe Security Configuration Guide
5
Data Security Settings
This chapter describes the security features that are available on the VNXe
for supported storage types.
Topics include:
◆
◆
Data security settings on page 38
Data-at-rest-encryption on page 38
EMC VNXe Security Configuration Guide
37
Data Security Settings
Data security settings
Table 12 on page 38 shows security features available for supported VNXe storage types.
Table 12. Security features
Storage type
Port
Protocol
Security settings
iSCSI storage
3260
TCP
◆
iSCSI host (initiator) level access control is available through
Unisphere (allowing clients to access primary storage, snapshots, or both).
◆
CHAP authentication is supported so that VNXe iSCSI
Servers (targets) can authenticate iSCSI hosts (initiators) that
attempt to access iSCSI-based storage.
◆
Mutual CHAP authentication is supported so that iSCSI hosts
(initiators) can authenticate VNXe iSCSI Servers.
◆
Authentication for domain and administrative actions is provided through Active Directory user and group accounts.
◆
File and share access controls are provided through Windows
directory services.
◆
Security signatures are supported through SMB signing.
◆
CIFS encryption is provided through SMB 3.0 and Windows
2012 for those hosts capable of using CIFS. See CIFS encryption on page 36 for information on CIFS encryption.
◆
Supports optional file-level retention services through add-on
software. See Antivirus protection on page 52 for information
on EMC Common AntiVirus Agent (CAVA).
◆
Share-based access control provided through Unisphere.
◆
Support for NFS authentication and access control methods
identified in NFS versions 2 and 3.
◆
Supports optional file-level retention services through add-on
software.
◆
NDMP security can be implemented based on NDMP shared
secrets.
CIFS storage
NFS storage
445
2049
TCP, UDP
TCP
Backup and restore
Data-at-rest-encryption
Encryption is the process of transforming data to make it unreadable to anyone except those
possessing specialized knowledge. Self-Encrypting Drives (SEDs) in a VNXe system use
AES-256 bit encryption. The encryption is done within each drive before the data is written
38
EMC VNXe Security Configuration Guide
Data Security Settings
to the media. This protects the data on the drive against theft, hardware loss, and attempts
to read the drive directly by physically de-constructing the drive using methods such as a
drive recovery service. The encryption also provides a means to quickly and securely erase
information on a drive without the need to overwrite it multiple times in order to ensure
that the information is not recoverable.
Reading encrypted data requires the authentication key for the SED to unlock the drive.
Only authenticated SEDs will be unlocked and accessible. Once the drive is unlocked, the
SED decrypts the encrypted data back to its original form.
Self-Encrypting Drives
VNXe systems support data at rest encryption through the use of Self-Encrypting Drives
(SEDs). All data on a SED is encrypted by the data encryption key that is stored on the
drive. Encryption is set at the factory before shipment and cannot be reversed once set.
The SED encryption/decryption process is transparent and automatic, and does not
degrade performance.
Access control to a SED is enforced through the use of an authentication key. The
authentication key is used to lock/unlock the drive and to encrypt/decrypt the data
encryption key that is stored on the drive. On power-cycle, a SED that is part of a
user-defined storage pool comes up in a locked state and does not permit access. The
authentication key is used to unlock the drive and to gain access to user data.
An embedded Key Manager on the storage processor (SP) provides key management
for the authentication key. Key management responsibilities include:
◆
authentication key generation
◆
secure key storage
◆
self-managed key life cycle
◆
synchronization of redundant key copies
A VNXe system contains either all SEDs or all non-self-encrypting drives. You cannot
add a non-self-encrypting drive to a VNXe SED system. If you try to do this, the system
raises an error. Likewise, you cannot add a SED to a VNXe non-self-encrypting drive
system.
Secure array
A secure array is one that can only have SEDs installed in the array. You cannot intermix
SEDs with non-encrypted drives in a VNXe. All SEDs in the VNXe are unlocked by
default and only become locked once a storage pool is associated with them. An
authorization key is created and applied to all drives while locking them and is required
for any future interactions. Conversely, if all storage pools associated with a drive are
destroyed, all the data on the drive is cryptographically destroyed (authorization key is
deleted, making the data unrecoverable) and the drive is unlocked.
Once a SED is included in a storage pool, access control is enabled and the authentication
key is set. The drive may then be used only with the authentication key stored on the
Data-at-rest-encryption
39
Data Security Settings
array. User data on the drive will not be accessible on a different array or externally.
With the exception of the first four drives in the Disk Processor Enclosure (DPE), a drive
may be re-purposed for use on another array by destroying any storage pool it may
belong to. Destroying the storage pool will cryptographically erase any user data on the
drive, disable access control on these drives, and reset all passwords to the manufacturer's
secure ID. Drives that do not belong to a storage pool do not hold user data and do not
have access restrictions. These drives may be moved without issues.
If you inadvertently delete a storage pool with a drive missing, that drive will remain
inaccessible until it is reverted to the factory default. Reverting a drive cryptographically
erases the data on the drive and disables authentication. To revert a SED to its factory
default, use the svc_key_restore service command. For information on this service
command, see the technical notes document, VNXe Service Commands. For additional
information and help to revert a SED to the factory default, contact your service
provider.
When a new SED is introduced in the VNXe, either as a replacement of an existing drive
or as a part of an array expansion, it is automatically detected and included in the array.
If the new drive replaces an old drive that was a part of a storage pool, access control
will be enabled and the authentication key will be set on the new drive.
Note: Removing drives can degrade storage pools and reduce the redundancy of that storage pool.
With regards to a system with SEDs, certain hardware part replacements impact SED
operation:
◆
Replacing both SPs and the chassis at the same time is not supported. The
authentication key will become inaccessible.
EMC highly recommends that you back up the authentication key to an external
drive as soon as the key is created. If the master copy of the authentication key is
missing or corrupted, the data stored on the system will become inaccessible. For
instructions to back up the authentication key, refer to the VNXe Unisphere online
help or the VNXe Unisphere CLI User Guide .
◆
Array conversion, in which all the drives are removed and inserted in a new array,
is not supported.
Authentication key
The Key Manager randomly generates the authentication key for SEDs automatically
the first time you create a storage pool on a VNXe SED system. The same authentication
key will apply to all drives in the VNXe system, including those added to the system
later on.
VXNe encrypts the authentication key and stores it in a secured area on the system drive
under a triple mirrored redundancy scheme. You can back up the authentication key to
an external device by using either a Unisphere UI option or Unisphere CLI command.
40
EMC VNXe Security Configuration Guide
Data Security Settings
EMC highly recommends that you back up the authentication key to an external drive
as soon as the key is created. If the master copy of the authentication key is missing
or corrupted, the data stored on the system will become inaccessible. For instructions
to back up the authentication key, refer to the VNXe Unisphere online help or the
VNXe Unisphere CLI User Guide .
If you receive an alert for a corrupt authentication key, you must restore the key. Place
both SPs in the VNXe into service mode and run the svc_key_restore service command
on one of the SPs in the VNXe.
Note: For instructions for placing SPs into service mode, refer to the VNXe Unisphere online help.
For information about the svc_key_restore service command, see the VNXe Service Commands
Technical Notes .
With the following exception, if all the storage pools on the VNXe system are deleted,
the master copy of the authentication key will also be deleted. However, if you reinitialize
a system containing storage pools, the authentication key will still be valid when the
system comes back up, even though the storage pools were deleted.
The backup authentication keys are useless after all the storage pools on the VNXe
system are deleted (with the exception of reinitializing a system containing storage
pools). When the first new storage pool is subsequently created, a new master copy
of the authentication key is automatically generated. In this case all existing backup
authentication keys of the previous authentication key are invalid, and a new backup
authentication key should be made.
Data-at-rest-encryption
41
Data Security Settings
42
EMC VNXe Security Configuration Guide
6
Security Maintenance
This chapter describes a variety of security maintenance features
implemented on the VNXe.
Topics include:
◆
Secure maintenance on page 44
EMC VNXe Security Configuration Guide
43
Security Maintenance
Secure maintenance
VNXe provides the following secure functions for performing remote system maintenance
and update tasks:
◆
VNXe license activation
◆
VNXe software upgrade
◆
VNXe software Hotfixes
License update
The VNXe license update feature allows users to obtain and install licenses for specific VNXe
functionality, such as file-level retention or RepliStor™ replication. Table 13 on page 44
shows security features that are associated with the VNXe license update feature.
Table 13. VNXe license update security features
Process
Security
Obtaining licenses from the EMC Online Support
website
License acquisition is performed from within an authenticated session on the EMC Online Support website
(www.emc.com/vnxesupport).
Receiving license files
Licenses are sent to an email address specified within
an authenticated EMC Online Support website
(www.emc.com/vnxesupport) transaction.
Uploading and installing licenses through Unisphere License file uploads to the VNXe system occur within
client to the VNXe system
Unisphere sessions authenticated through HTTPS.
VNXe system validates received license files using
digital signatures. Each licensed feature is validated
by a unique signature within the license file.
Software upgrade
The VNXe software update feature allows users to obtain and install software for upgrading
or updating the software running on the VNXe system. Table 14 on page 45 shows security
features that are associated with the VNXe software upgrade feature.
44
EMC VNXe Security Configuration Guide
Security Maintenance
Table 14. Software upgrade security features
Process
Description
Downloading VNXe software from the EMC Online License acquisition is performed from within an auSupport website
thenticated session on the EMC Online Support
website (www.emc.com/vnxesupport).
Uploading VNXe software
Software upload to the VNXe system occurs within
an authenticated Unisphere session through HTTPS.
Secure maintenance
45
Security Maintenance
46
EMC VNXe Security Configuration Guide
7
Security Alert Settings
This chapter describes the different methods available to notify
administrators of alerts that occur on the VNXe.
Topics include:
◆
Alert settings on page 48
EMC VNXe Security Configuration Guide
47
Security Alert Settings
Alert settings
VNXe alerts inform administrators of actionable events that occur on the VNXe system.
VNXe events can be reported as shown in Table 15 on page 48.
Table 15. Alert settings
Alert type
Description
Visual notification
Displays informational pop-up messages when users log in to the interface and in real-time
to indicate when alert conditions occur. Pop-ups provide basic information about the alert
condition. You can obtain additional information from the System > System Alerts page.
Note: VNXe visual alert notifications are not configurable.
Email notification
Enables you to specify one or more email addresses to which to send alert messages.You
can configure the following settings:
◆
Email addresses to which to send VNXe system alerts.
◆
Severity level (emergency, error, or information) required for email notification.
Note: For VNXe alert email notification to work, you must configure a target SMTP server
for the VNXe system.
SNMP traps
Transfer alert information to designated hosts (trap destinations) that act as repositories
for generated alert information by the VNXe network system.
You can configure SNMP traps through Unisphere. Settings include:
◆
IP address of a network SNMP trap destination
◆
Port number on which the trap destination receives traps
◆
Optional security settings for trap data transmission
◆
Authentication protocol: Hashing algorithm used for SNMP traps (SHA or MD5)
◆
Privacy protocol: Encryption algorithm used for SNMP traps (DES, AES, AES192,
or AES256)
The Unisphere Online Help provides more information.
ConnectEMC
Automatically sends alert notifications to EMC for help in diagnosing product issues.
Note: For ConnectEMC notification to work, you must configure a target SMTP server for
the VNXe system.
48
EMC VNXe Security Configuration Guide
Security Alert Settings
Table 15. Alert settings (continued)
Alert type
Description
EMC Secure Remote Support (ESRS)
ESRS provides an IP-based connection that enables EMC Support to receive error files
and alert messages from your VNXe system, and to perform remote troubleshooting resulting
in a fast and efficient time to resolution.
Note: Available with VNXe operating environment (OE) version 2 or later. For ESRS to
work, you must enable it on the VNXe system.
Configuring alert settings
You can configure VNXe alert settings for email notifications and SNMP traps from the
VNXe.
Configure email notification alert settings
Using Unisphere:
1. Select Settings > More Configuration > Alert Settings.
2. In the Email Alerts section, configure the severity level at which alert email messages are
generated to one of the following:
◆
Information
◆
Warning
◆
Error
◆
Critical
◆
Emergency
Note: For the VNXe alert email mechanism to work, a target SMTP server must be configured for
the VNXe system.
Configure SNMP traps alert settings
Using Unisphere:
1. Select Settings > More Configuration > Alert Settings.
2. In the Alerts Settings section, configure the severity level at which SNMP traps are
generated to one of the following:
Alert settings
49
Security Alert Settings
50
◆
Information
◆
Warning
◆
Error
◆
Critical
◆
Emergency
EMC VNXe Security Configuration Guide
8
Other Security Settings
This chapter contains other information that is relevant for ensuring the
secure operation of the VNXe.
Topics include:
◆
◆
◆
Data erasure on page 52
Physical security controls on page 52
Antivirus protection on page 52
EMC VNXe Security Configuration Guide
51
Other Security Settings
Data erasure
Objects deleted cannot be reconstructed. However, in the cases where data erasure is a
requirement, EMC offers data erasure services.
Physical security controls
The area where the VNXe system resides must be chosen and modified to provide for the
physical security of the VNXe system. These include basic measures such as providing
sufficient doors and locks, permitting only authorized and monitored physical access to the
system, providing reliable power source, and following standard cabling best practices.
In addition, the following VNXe system components require particular care:
◆
Password reset button: Temporarily resets the factory default passwords for both the
VNXe default administrator account and service account - until an administrator resets
the password.
◆
Serial port connector: Allows authenticated access through serial port connection.
Antivirus protection
The VNXe supports EMC Common AntiVirus Agent (CAVA). CAVA, a component of VNX
Event Enabler (VEE) 4.9.3.0, provides an antivirus solution to clients using a VNXe system.
It uses an industry-standard CIFS protocol in a Microsoft Windows Server environment.
CAVA uses third-party antivirus software to identify and eliminate known viruses before
they infect files on the VNXe system. The VEE installer, which contains the CAVA installer,
and the VEE release notes are available in Downloads > VNXe product support at the EMC
Online Support website.
52
EMC VNXe Security Configuration Guide
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising