Service Processor (Svp); Security Issues; Recent Security Updates - Sun Microsystems StorageTek 9985V Manual

Service Processor (SVP)

The ST9985V includes a built-in custom PC called the service processor (SVP). The SVP is integrated into the
controller frame and can only be used by authorized Sun or Hitachi Data Systems personnel. The SVP enables
the Sun or Hitachi Data Systems representative to configure, maintain, and upgrade the ST9985V. The SVP
also collects performance data for all key components of the ST9985V to enable diagnostic testing and
analysis. In addition, the ST9985V Storage Navigator functionality is provided by the SVP. Connecting the
SVP with a service center enables remote maintenance of the subsystem.
Note: The ST9985V can be equipped with an optional duplicate SVP for additional reliability.
Important: The SVP does not have access to any user data stored on the ST9985V.

Security Issues

It is generally recommended that the SVP be administered on a private management network. By doing this,
the SVP is protected from the public internet or open corporate networks, which have a high risk of
transmitting viruses.
However, customers have raised several security issues. Most of these issue are general in nature.

Recent Security Updates

There have been some recent security updates as documented in ECN DKC610I/615I. Key among them are is
support for Trend Micro OfficeScan Corporate Edition. Symantec Anti Virus Corporate Edition and Mcafee
Viruscan Enterprise have been supported for few years now.
Communication between Storage Navigator and SVP can be encrypted using SSL (Secure Socket Layer).
You need to install OpenSA (Apache supporting SSL) to encrypt the communication. Setup for encrypted
communication will be performed only for customers who request encrypted communication.
Authentication is added for Fibre Channel similar like it used for iSCSI ports. The use of this additional
security feature will require Host, HBA and/or Switches that support this function
- Storage Navigator no longer run s a Java Applet in browser ; instead it runs a Java application which faster
and more secure.
Installation of Anti-virus software
The first security issue is associated with viruses infecting the SVP. This usually occurs when the SVP is
placed on an open corporate network which has either a known or "unknown"connection to the internet. With
respect to the term "unknown", this means that the customer may not know that a system on the a supposedly
private network is actually on the public internet, and may actually be infected and spreading viruses across a
supposedly secure private network. In this scenario, installation of anti-virus software is a recommended, pro-
active measure which can mitigate the risk associated with this situation. Please note that this is a seperate cost
item, paid for by the customer.
Please refer to the following Sun Service Bulletin to secure the SVP with anti-virus software.
http://sejsc.ebay/almain.html#SECURITY
Trade Offs Between Placement of the SVP on a Private Network in Context of Remote Administration.
It is generally recommended that the SVP be administered on a private management network. By doing this,
the SVP is protected from the public internet which has a high risk of transmitting infection.
Just the Facts October 2007 41
Sun Confidential – For Internal Use and Authorized Partner Use Only