EMC Unity Family
EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA
Version 4.0
Security Configuration Guide
P/N 302-002-564 REV 03


Summary of Contents for EMC Unity Family

  • Page 1 EMC Unity Family: EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA, Version 4.0, Security Configuration Guide, P/N 302-002-564 REV 03...
  • Page 2 COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.
  • Page 3: Table Of Contents

    Storage system management interface access using IPv6......43 Configuring the management interface using DHCP........44 Running the Connection Utility............45 Protocol (SMB) encryption and signing............46 IP packet reflect..................48 IP multi-tenancy..................48 About VLANs................. 49 EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide...
  • Page 4 Configure alert settings for SNMP traps........63 Chapter 8 Other Security Settings Physical security controls (physical deployments only)......66 Antivirus protection..................66 Appendix A TLS cipher suites Supported TLS cipher suites..............68
  • Page 5: Preface

    Additional resources As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use.
  • Page 6 Additional resources Note: Presents information that is important, but not hazard-related.
  • Page 7: Introduction

    CHAPTER 1 Introduction This chapter briefly describes a variety of security features implemented on the storage system. Topics include: Overview......................8 Related features and functionality information.............8 Introduction...
  • Page 8: Overview

    Service Commands Technical Notes Secure Remote Services Requirements and Configuration The complete set of EMC customer publications is available on the EMC Online Support website at http://Support.EMC.com. After logging in to the website, click the Support by Product page, to locate information for the specific feature required.
  • Page 9: Access Control

    CHAPTER 2 Access Control This chapter describes a variety of access control features implemented on the storage system. Topics include: Alert settings...................... 10 Storage system factory default management and service accounts....11 Storage system account management..............11 Unisphere......................12 Unisphere command line interface (CLI).............14 Storage system service SSH interface...............
  • Page 10: Alert Settings

    The Unisphere Online Help provides more information. EMC Secure Remote Services (ESRS): ESRS provides an IP-based connection that enables EMC Support to receive error files and alert messages from your storage system, and to perform remote troubleshooting resulting in a fast and efficient time to resolution.
  • Page 11: Storage System Factory Default Management And Service Accounts

    Access Control Storage system factory default management and service accounts The storage system comes with factory default user account settings to use when initially accessing and configuring the storage system. See Table 3 on page 11. Table 3 Factory default user account settings Account type Username Password Privileges...
  • Page 12: Unisphere

    Session IDs are generated during authentication and used for the duration of each session. Password usage: Unisphere account usernames and passwords must meet these requirements, as shown in Table 5 on page 13.
  • Page 13 Access Control Table 5 Unisphere account requirements (Restriction / Password requirement): Minimum number of characters; Minimum number of uppercase characters; Minimum number of lowercase characters; Minimum number of numeric characters; Minimum number of special characters (supported special characters include: !,@#$%^*_~?); Maximum number of characters. Note: You can change account passwords from Unisphere by selecting Settings and, under Users and Groups, select User Management...
  • Page 14: Unisphere Command Line Interface (Cli)

    Password usage: Authentication to the Unisphere CLI is performed in accordance with management accounts created and managed through Unisphere. The same permissions that apply...
  • Page 15: Storage System Service Ssh Interface

    On Windows 7, Windows 8, and Windows 10: C:\Users\${user_name}\AppData\Local\.emc\uemcli\cert. On UNIX/Linux: <home_directory>/.emc/uemcli/cert. Locate the files config.xml and config.key. If you uninstall Unisphere CLI, these directories and files are not deleted, giving you the option of retaining them. If these files are no longer needed, consider deleting them.
  • Page 16: Storage System Sp Ethernet Service Port And Ipmitool

    SP console of a storage system. This utility requires login credentials and an IP address to activate the console. For more information about the IPMItool, see the IPMItool User Guide Technical Notes.
  • Page 17: Smi-S Provider

    Access Control The SP Ethernet service port interface provides the same functions and features as the service SSH interface and is also subject to the same restrictions. The difference is that users access the interface through an Ethernet port connection rather than an SSH client.
  • Page 18 The VASA Provider fails, terminating the connection. When the VASA Provider starts up, it can respond to communication from the vCenter Server to reestablish the SSL connection and VASA session.
  • Page 19: Single Sign-On With Unisphere Central

    Access Control A vCenter session is based on secure HTTPS communication between a vCenter Server and a VP. The VASA architecture uses SSL certificates and VASA session identifiers to support secure connections. With VASA 1.0, the vCenter Server added the VP certificate to its truststore as part of the VP installation, or when it created a VASA session connection.
  • Page 20: Single Sign-On Process Flows

    2. The browser is redirected by the web server to a local Unisphere Central login URL and the user is presented with a login screen. 3. The user types and submits LDAP login credentials. The username is in the form <LDAP DOMAIN>/username.
  • Page 21: Logging In To A Local Storage System

    Access Control 4. A session token is set and the browser is redirected by the system back to the original URL that was specified. 5. The browser downloads the Unisphere content and Unisphere Central is instantiated. 6. The user then navigates through Unisphere to a particular storage system to monitor.
  • Page 22: Single Sign-On And Nat Support

    The following components are involved in user mapping: UNIX Directory Services...
  • Page 23: Access Policies For Nfs, Smb, And Ftp

    Access Control: Windows resolvers, Secmap, NTXMAP. UNIX Directory Services: UNIX Directory Services (UDSs) are used to determine the following for user mapping: Given a user identifier (UID), return the corresponding UNIX account name. Given a UNIX account name, return the corresponding UID and primary group identifier (GID).
  • Page 24: Credentials For File Level Security

    Unix credential for access through NFS if the extended credential option is enabled. There is one cache instance for each NAS server. Granting access to unmapped users: Multiprotocol requires the following:...
  • Page 25 Access Control A Windows user must be mapped to a UNIX user. A UNIX user must be mapped to a Windows user in order to build the Windows credential when the user is accessing a file system that has a Windows access policy.
  • Page 26: Nfs Secure

    KDC when joining/unjoining the SMB server. Note that the SMB server cannot be destroyed if NFS secure is configured to use the SMB configuration. If the administrator selects to use a UNIX based Kerberos realm, more configuration is needed:...
  • Page 27: Dynamic Access Control

    Access Control Realm name: The name of the Kerberos realm, which generally contains all uppercase letters. Entirely configure a UNIX KDC based Kerberos realm. To ensure that a client mounts an NFS export with a specific security, a security parameter, sec, is provided that indicates which minimal security is allowed.
  • Page 28 Add or remove custom recovery rules (to replace the default recovery rule). Control the verbosity of the logging produced by DAC for diagnostic purposes. For detailed information about the svc_dac command, refer to the EMC Unity Family Service Commands Technical Notes.
  • Page 29: Logging

    CHAPTER 3 Logging This chapter describes a variety of logging features implemented on the storage system. Topics include: Logging......................30 Remote logging options..................31 Logging...
  • Page 30: Logging

    There, you can use tools such as syslog to filter and analyze log results. The Logging on page 30 section provides more information.
  • Page 31: Remote Logging Options

    Logging Table 9 Logging features (continued) Feature Description Time synchronization Log time is recorded in GMT format and is maintained according to the storage system time (which may be synchronized to the local network time through an NTP server). Remote logging options The storage system supports logging user/audit messages to a remote host.
  • Page 33: Communication Security

    CHAPTER 4 Communication Security This chapter describes a variety of communication security features implemented on the storage system. Topics include: Port usage......................34 Storage system certificate................. 41 Storage system interfaces, services, and features that support Internet Protocol version 6......................42 Storage system management interface access using IPv6.........
  • Page 34: Port Usage

    IP addresses will not be assigned using DHCP. DHCP client: Allows the storage system to act as a DHCP client during the initial configuration process and is used to...
  • Page 35 Communication Security Table 10 Storage system network ports (continued) (Service / Protocol / Port / Description): ...receive messages from DHCP server to the client (storage system) to automatically obtain its management interface information. Also, used to configure DHCP for the management interface of a storage system which has already been deployed.
  • Page 36 (versions 2, 3, and 4) and is an important component of the SP to NAS Server interaction. NAS, VAAI-NAS 2049: Provides NAS datastores for VMware and is used for VAAI-NAS. If closed,...
  • Page 37 However, incoming requests over the external network are rejected. Background information on PAX is contained in the relevant EMC documentation on backups. There are several technical modules on this topic to deal with a variety of backup tools.
  • Page 38 (which are SID-based) are mapped to UNIX-based UID and GID values. Internal 60260: IWD initial configuration daemon. If closed, initialization of the array will be unavailable through the network.
  • Page 39: Ports The Storage System May Contact

    Communication Security Ports the storage system may contact The storage system functions as a network client in several circumstances, for example, in communicating with an LDAP server. In these instances, the storage system initiates communication and the network infrastructure will need to support these connections.
  • Page 40 Used to send Internet storage naming service (iSNS) registrations to the iSNS server. iSCSI 3260: Provides access to iSCSI services. If closed, file-based iSCSI services will be unavailable.
  • Page 41: Storage System Certificate

    Communication Security Table 11 Network connections that may be initiated by the storage system (continued) (Service / Protocol / Port / Description): TCP/UDP 4000: Used to provide NFS statd services. statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS.
  • Page 42: Storage System Interfaces, Services, And Features That Support Internet Protocol Version 6

    Domain Name Server (DNS); NTP (network time protocol) server; Remote logging server; LDAP server; Unisphere host configuration; Microsoft Exchange setting; VMware datastore (NFS); VMware datastore (VMFS); Hyper-V datastore...
  • Page 43: Storage System Management Interface Access Using Ipv6

    Table 12 IPv6 support by setting type and component (continued) (Setting Type / Component / IPv6 Supported): Unisphere alert setting: SNMP trap destinations, SMTP server, EMC Secure Remote Support (ESRS). Storage server setting: iSCSI server, Shared Folder server, Network Information Service (NIS) server (for NFS NAS...
  • Page 44: Configuring The Management Interface Using Dhcp

    The DNS server is an IP-based server that translates domain names into IP addresses. As opposed to numeric IP addresses, domain names are alphabetic and are usually...
  • Page 45: Running The Connection Utility

    Note If you use DHCP to assign IP addresses to any EMC Secure Remote Services (ESRS) components (ESRS Virtual Edition servers, Policy Manager, or managed devices), they must have static IP addresses. Leases for the IP addresses that EMC devices use cannot be set to expire.
  • Page 46: Protocol (Smb) Encryption And Signing

    Configuring SMB signing through GPOs affects all clients and servers within the domain and overrides individual Registry settings. Refer to Microsoft's security documentation for detailed information about enabling and configuring SMB signing.
  • Page 47 Communication Security In SMB1, enabling signing significantly decreases performance, especially when going across a WAN. There is limited degradation in performance with SMB2 and SMB3 signing as compared to SMB1. The performance impact of signing will be greater when using faster networks. Configure SMB signing with GPOs Table 13 on page 47 explains the GPOs available for SMB1 signing.
  • Page 48: Ip Packet Reflect

    IP addresses and port numbers. VLAN domain. Routing table. IP firewall. DNS server or other administrative servers to allow the tenant to have its own authentication and security validation.
  • Page 49: About Vlans

    Communication Security IP multi-tenancy is implemented by adding a tenant to the storage system, associating a set of VLANs with the tenant, and then creating one NAS server for each of the tenant's VLANs, as needed. It is recommended that you create a separate pool for the tenant and that you associate that pool with all of the tenant's NAS servers.
  • Page 50 SP has completed rebooting, reboot the other SP. The system will only operate fully in the configured FIPS 140-2 mode after both SPs have completed rebooting.
  • Page 51: Data Security Settings

    CHAPTER 5 Data Security Settings This chapter describes the security features that are available on the storage system for supported storage types. Topics include: About Data at Rest Encryption (physical deployments only)......52 Data security settings..................56 Data Security Settings...
  • Page 52: About Data At Rest Encryption (Physical Deployments Only)

    A separate auditing function is provided for general key operations that track all key establishment, deletion, backup, and restore changes as well as SLIC addition. For additional information about the Data at Rest Encryption feature, refer to the EMC Unity: Data at Rest Encryption white paper.
  • Page 53: Backup Keystore File

    For SAS Flash 2 drives, unmap is used to scrub the drives rather than zeroing. For more information about Data at Rest Encryption and the scrubbing process, refer to the EMC Unity: Data at Rest Encryption white paper located at EMC Online Support (https://support.emc.com).
  • Page 54: Data At Rest Encryption Audit Logging

    DEK is generated for the hot spare,...
  • Page 55: Adding A Disk Drive To A Storage System With Encryption Activated

    Data Security Settings and rebuild begins. The DEK from the removed drive will be removed immediately from the keystore. A keystore modified status will be set by the Key Manager at this point and will trigger an alert to back up the keystore because DEK modifications were made to the keystore.
  • Page 56: Data Security Settings

    Key Distribution Center: Kerberos server that delivers Kerberos tickets to connect to Kerberos services. Backup and restore: NDMP security can be implemented based on NDMP shared secrets.
  • Page 57: Security Maintenance

    CHAPTER 6 Security Maintenance This chapter describes a variety of security maintenance features implemented on the storage system. Topics include: Secure maintenance..................58 EMC Secure Remote Services for your storage system........59 Security Maintenance...
  • Page 58: Secure Maintenance

    Process / Description: Downloading storage system software from the EMC Online Support website. License acquisition is performed from within an authenticated session on the EMC Online Support website.
  • Page 59: Emc Secure Remote Services For Your Storage System

    (register), modify, delete (unregister), and querying status capabilities that ESRS clients can use to register with the ESRS Gateway. For more information about ESRS Gateway and Policy Manager, go to the EMC Secure Remote Services product page on EMC Online Support (https://support.emc.com).
  • Page 61: Security Alert Settings

    CHAPTER 7 Security Alert Settings This chapter describes the different methods available to notify administrators of alerts that occur on the storage system. Topics include: Alert settings..................... 62 Configuring alert settings...................63 Security Alert Settings...
  • Page 62: Alert Settings

    The Unisphere Online Help provides more information. EMC Secure Remote Services (ESRS): ESRS provides an IP-based connection that enables EMC Support to receive error files and alert messages from your storage system, and to perform remote troubleshooting resulting in a fast and efficient time to resolution.
  • Page 63: Configuring Alert Settings

    Security Alert Settings Configuring alert settings: You can configure storage system alert settings for email notifications and SNMP traps from the storage system. Configure alert settings for email notifications using Unisphere: Procedure 1. Select Settings > Alerts > Email and SMTP....
  • Page 64 Security Alert Settings: Warning and above; Notice and above; Information and above.
  • Page 65: Other Security Settings

    CHAPTER 8 Other Security Settings This chapter contains other information that is relevant for ensuring the secure operation of the storage system. Topics include: Physical security controls (physical deployments only)........66 Antivirus protection................... 66 Other Security Settings...
  • Page 66: Physical Security Controls (Physical Deployments Only)

    The EE installer, which contains the CAVA installer, and the EE release notes are available at the EMC Online Support website under Support By Product for Unity Family, Unity VSA, Unity Hybrid, or Unity All Flash in Downloads Full Release.
  • Page 67: Appendix A TLS Cipher Suites

    APPENDIX A TLS cipher suites This appendix lists the TLS cipher suites supported by the storage system. Topics include: Supported TLS cipher suites................68 TLS cipher suites...
  • Page 68: Supported Tls Cipher Suites

    Ports 443, 8443, 8444 (continuation of the previous row). TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: TLSv1.2; ports 443, 8443, 8444. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: TLSv1.2; ports 443, 8443, 8444. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: TLSv1.2; ports 443, 8443, 8444. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: TLSv1.2; ports 443, 8443, 8444. TLS_RSA_WITH_AES_128_CBC_SHA: TLSv1, TLSv1.1, TLSv1.2; port 5989.
  • Page 69 TLS cipher suites Table 20 Default/Supported TLS cipher suites supported on the storage system (continued) (Cipher Suites / Protocols / Ports): TLS_RSA_WITH_AES_256_CBC_SHA: TLSv1, TLSv1.1, TLSv1.2; port 5989. TLS_RSA_WITH_3DES_EDE_CBC_SHA: TLSv1, TLSv1.1, TLSv1.2; port 5989. Supported TLS cipher suites...

This manual is also suitable for:

EMC UnityVSA, EMC Unity All Flash, EMC Unity Hybrid
