    Communication Security

    This chapter describes a variety of communication security features implemented on the storage system.

    Port usage

    Communications with the Unisphere and CLI interfaces are conducted through HTTPS on port 443. Attempts to access Unisphere on port 80 (through HTTP) are automatically redirected to port 443.

    Storage system network ports

    Table 1 outlines the collection of network services (and the corresponding ports) that may be found on the storage system.

    Table 1. Storage system network ports

    Service | Protocol | Port | Description
    FTP | TCP | 21 | Port 21 is the control port on which the FTP service listens for incoming FTP requests.
    SFTP | TCP/UDP | 22 | Allows alert notifications through SFTP (FTP over SSH). SFTP is a client/server protocol. Users can use SFTP to perform file transfers on a storage system on the local subnet. Also provides outgoing FTP control connection. If closed, FTP will not be available.
    SSH/SSHD, VSI | TCP/UDP | 22 | Allows SSH access (if enabled). Also used for VSI plugin. If closed, management connections using SSH will be unavailable and VSI plugin will not be available.
    Dynamic DNS update | TCP/UDP | 53 | Used to transmit DNS queries to the DNS server in conjunction with the Dynamic Host Control Protocol (DHCP). If closed, DNS name resolution will not work.
    DHCP client | UDP | 67 | Allows the storage system to act as a DHCP client during the initial configuration process and is used to transmit messages from the client (storage system) to the DHCP server to automatically obtain management interface information. Also used to configure DHCP for the management interface of a storage system which has already been deployed. If closed, dynamic IP addresses will not be assigned using DHCP.
    DHCP client | UDP | 68 | Allows the storage system to act as a DHCP client during the initial configuration process and is used to receive messages from the DHCP server to the client (storage system) to automatically obtain its management interface information. Also used to configure DHCP for the management interface of a storage system which has already been deployed. If closed, dynamic IP addresses will not be assigned using DHCP.
    HTTP | TCP/UDP | 80 | Redirect for HTTP traffic to Unisphere and the Unisphere CLI. If closed, management traffic to the default HTTP port will be unavailable.
    NAS, VAAI-NAS | TCP | 111 | Provides NAS datastores for VMware and is used for VAAI-NAS. If closed, NAS datastores and VAAI-NAS will be unavailable.
    Portmapper, rpcbind (Network infrastructure) | TCP/UDP | 111 | Opened by the standard portmapper or rpcbind service and is an ancillary storage system network service. It cannot be stopped. By definition, if a client system has network connectivity to the port, it can query it. No authentication is performed.
    NTP | UDP | 123 | NTP time synchronization. If closed, time will not be synchronized among arrays.
    DCE Remote Procedure Call (DCERPC) and NDMP | UDP | 135 | Multiple purposes for Microsoft clients. Also used for NDMP.
    NETBIOS Name Service (SMB) | TCP/UDP | 137 | The NETBIOS Name Service is associated with the storage system SMB file sharing services and is a core component of that feature (WINS). If disabled, this port disables all SMB-related services.
    NETBIOS Datagram Service (SMB) | UDP | 138 | The NETBIOS Datagram Service is associated with the storage system SMB file sharing services and is a core component of that feature. Only the Browse service is used. If disabled, this port disables Browsing capability.
    NETBIOS Session Service (SMB) | TCP/UDP | 139 | The NETBIOS Session Service is associated with storage system SMB file sharing services and is a core component of that functionality. If SMB services are enabled, this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation.
    SNMP Unix Multiplexer | TCP | 199 | SNMP communications. If closed, storage system alert mechanisms which rely on SNMP will not be sent.
    LDAP | TCP/UDP | 389 | Unsecure LDAP queries. If closed, unsecure LDAP authentication queries will be unavailable. Secure LDAP is configurable as an alternative.
    Service Location Protocol (SLP) | TCP/UDP | 427 | Allows hosts (or other resources) to discover available services provided by a storage system.
    HTTPS | TCP/UDP | 443 | Secure HTTP traffic to the Unisphere and Unisphere CLI. If closed, communication with the array will be unavailable. Note: Also used for SMI-S array management; however, port 5989 is the default port used for this purpose.
    SMB | TCP | 445 | SMB (on domain controller) and SMB connectivity port for Windows 2000 and later clients. Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation. Disabling this port disables all SMB-related services. If port 139 is also disabled, SMB file sharing is disabled.
    DHCP (IPv6 only) | UDP | 546 | DHCP(v6) client. If closed, dynamic IP addresses will not be assigned using DHCP.
    DHCP (IPv6 only) | UDP | 547 | DHCP(v6) server. If closed, dynamic IP addresses will not be assigned using DHCP.
    LDAPS | TCP/UDP | 636 | Secure LDAP queries. If closed, secure LDAP authentication will be unavailable.
    FTP | TCP | 1024:65535 | Used for passive FTP. Port 1024:65535 is related to data while port 1025:65535 is related to management.
    mountd (NFS) | TCP/UDP | 1234 | Used for the mount service, which is a core component of the NFS service (versions 2, 3, and 4) and is an important component of the SP to NAS Server interaction.
    NAS, VAAI-NAS | TCP | 2049 | Provides NAS datastores for VMware and is used for VAAI-NAS. If closed, NAS datastores and VAAI-NAS will be unavailable.
    NFS | TCP/UDP | 2049 | Used to provide NFS services.
    UDI SSH | TCP | 2222 | Redirects traffic from port 22 for device eth*.
    iSCSI | TCP | 3260 | Provides access to iSCSI services. If closed, file-based iSCSI services will be unavailable.
    NFS | TCP/UDP | 4000 | Used to provide NFS statd services. statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS. If closed, NAS statd services will be unavailable.
    NFS | TCP/UDP | 4001 | Used to provide NFS lockd services. lockd is the NFS file-locking daemon. It processes lock requests from NFS clients and works in conjunction with the statd daemon. If closed, NAS lockd services will be unavailable.
    NFS | TCP/UDP | 4002 | Used to provide NFS rquotad services. The rquotad daemon provides quota information to NFS clients that have mounted a file system. If closed, NAS rquotad services will be unavailable.
    SMB | UDP | 4003 | Allows SMB ACLs to be viewed or changed from a Linux host with the emcgetsd or emcsetsd tools.
    Portable Archive Interchange (PAX) (Backup Services) | TCP | 4658 | PAX is a storage system archive protocol that works with standard UNIX tape formats. This service must bind to multiple internal network interfaces and, as a consequence, it binds to the external interface as well. However, incoming requests over the external network are rejected. Background information on PAX is contained in the relevant EMC documentation on backups. There are several technical modules on this topic to deal with a variety of backup tools.
    VSI | TCP | 5080 | This port provides for the VSI plugin. If closed, the VSI plugin will not be available.
    Replication services | TCP | 5085 | Associated with replication services.
    Key Management Interoperability Protocol (KMIP) | TCP | 5696 | For KMIP, supports external key management using KMIP. If closed, KMIP services will be unavailable.
    SMI-S | TCP | 5989 | For SMI-S, used for array management. The SMI-S client connects to the array using SMI-S TCP 5989 HTTPS. The SMI-S Provider Programmer's Guide provides more information about configuring this service.
    VASA | TCP | 8443 | VASA vendor provider for VASA 2.0.
    VASA | TCP | 8444 | VASA vendor provider for VASA 1.0.
    RCP (Replication services) | TCP | 8888 | Used by the replicator (on the secondary side). It is left open by the replicator as soon as some data has to be replicated. After it is started, there is no way to stop the service.
    NDMP | TCP | 10000 | Enables you to control the backup and recovery of a Network Data Management Protocol (NDMP) server through a network backup application, without installing third-party software on the server. In a storage system, the NAS Server functions as the NDMP server. The NDMP service can be disabled if NDMP tape backup is not used. The NDMP service is authenticated with a username/password pair. The username is configurable. The NDMP documentation describes how to configure the password for a variety of environments.
    NDMP | TCP | 10500:10531 | For three-way backup/restore sessions, NAS Servers use ports 10500 to 10531.
    IWD | Internal | 60260 | IWD initial configuration daemon. If closed, initialization of the array will be unavailable through the network.

    Ports the storage system may contact

    The storage system functions as a network client in several circumstances, for example, in communicating with an LDAP server. In these instances, the storage system initiates communication and the network infrastructure will need to support these connections. Table 2 describes the ports that a storage system must be allowed to access for the corresponding service to function properly. This includes the Unisphere CLI.

    Table 2. Network connections that may be initiated by the storage system

    Service | Protocol | Port | Description
    FTP | TCP | 20 | Port used for FTP data transfers. This port can be opened by enabling FTP as described in the next row. Authentication is performed on port 21 and defined by the FTP protocol.
    FTP/SFTP | TCP | 21 | Allows alert notifications through SFTP (FTP over SSH). SFTP is a client/server protocol. Users can use SFTP to perform file transfers on a storage system on the local subnet. Also provides outgoing FTP control connection. If closed, FTP will not be available.
    SSH/SSHD, VSI | TCP | 22 | Allows SSH access (if enabled). Also used for VSI plugin. If closed, management connections using SSH and the VSI plugin will not be available.
    SMTP | TCP | 25 | Allows the system to send email. If closed, email notifications will be unavailable.
    DNS | TCP/UDP | 53 | DNS queries. If closed, DNS name resolution will not work.
    DHCP | UDP | 67-68 | Allows the storage system to act as a DHCP client. If closed, dynamic IP addresses will not be assigned using DHCP.
    HTTP | TCP | 80 | Redirect for HTTP traffic to Unisphere and the Unisphere CLI. If closed, management traffic to the default HTTP port will be unavailable.
    Kerberos | TCP/UDP | 88 | Provides outgoing Kerberos tickets. If closed, Kerberos authentication and all protocols that use it (for example, SMB, LDAP, GPO, and secNFS) will not be available.
    Portmapper, rpcbind (Network infrastructure) | TCP/UDP | 111 | Opened by the standard portmapper or rpcbind service and is an ancillary storage system network service. It cannot be stopped. By definition, if a client system has network connectivity to the port, it can query it. No authentication is performed.
    NTP | UDP | 123 | NTP time synchronization. If closed, time will not be synchronized among arrays.
    NETBIOS Name Service (SMB) | TCP/UDP | 137 | The NETBIOS Name Service is associated with the storage system SMB file sharing services and is a core component of that feature (WINS). If disabled, this port disables all SMB-related services.
    NETBIOS Datagram Service (SMB) | UDP | 138 | The NETBIOS Datagram Service is associated with the storage system SMB file sharing services and is a core component of that feature. Only the Browse service is used. If disabled, this port disables Browsing capability.
    NETBIOS Session Service (SMB) | TCP/UDP | 139 | The NETBIOS Session Service is associated with storage system SMB file sharing services and is a core component of that functionality. If SMB services are enabled, this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation.
    LDAP | TCP/UDP | 389 (a) | Unsecure LDAP queries. If closed, unsecure LDAP authentication queries will be unavailable. Secure LDAP is configurable as an alternative.
    Service Location Protocol (SLP) | TCP/UDP | 427 | Allows hosts (or other resources) to discover available services provided by a storage system.
    HTTPS | TCP | 443 | HTTPS traffic to the Unisphere and Unisphere CLI, and for secure remote services when ESRS is enabled and Integrated ESRS is configured on the storage system. If closed, communication with the array will be unavailable.
    Kerberos | TCP/UDP | 464 | Provides Kerberos Password Change and Set. If closed, impacts SMB.
    Remote Syslog | UDP | 514 (b) | Syslog: log system messages to a remote host. You can configure the host port that the system uses.
    LDAPS | TCP/UDP | 636 (a) | Secure LDAP queries. If closed, secure LDAP authentication will be unavailable.
    VMware | TCP | 843 | VMawareness: allows VMware SDK communication with vSphere. If closed, vCenter/ESX discovery will be unavailable.
    FTP | TCP | 1024:65535 | Provides outgoing FTP control connection. If closed, FTP will not be available.
    SOCKS | TCP | 1080 | Port 1080 is the default used when the port is not specified, ESRS is enabled and Integrated ESRS is configured on the storage system, and a firewall is employed between the storage system and a proxy server. If the default or user-specified port is closed, communication with the array through the port will be unavailable.
    mountd (NFS) | TCP/UDP | 1234 | Used for the mount service, which is a core component of the NFS service (versions 2, 3, and 4) and is an important component of the SP to NAS Server interaction.
    NFS | TCP/UDP | 2049 | Used to provide NFS services.
    HTTP | TCP | 3128 | Port 3128 is the default used when the port is not specified, ESRS is enabled and Integrated ESRS is configured on the storage system, and a firewall is employed between the storage system and a proxy server. If the default or user-specified port is closed, communication with the array through the port will be unavailable.
    iSNS | TCP | 3205 | Used to send Internet Storage Name Service (iSNS) registrations to the iSNS server.
    iSCSI | TCP | 3260 | Provides access to iSCSI services. If closed, file-based iSCSI services will be unavailable.
    NFS | TCP/UDP | 4000 | Used to provide NFS statd services. statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS.
    NFS | TCP/UDP | 4001 | Used to provide NFS lockd services. lockd is the NFS file-locking daemon. It processes lock requests from NFS clients and works in conjunction with the statd daemon.
    NFS | TCP/UDP | 4002 | Used to provide NFS rquotad services. The rquotad daemon provides quota information to NFS clients that have mounted a file system.
    VSI | TCP | 5080 | This port provides for the VSI plugin. If closed, the VSI plugin will not be available.
    KMIP | TCP | 5696 | For KMIP, supports external key management using KMIP. If closed, KMIP services will be unavailable.
    HTTPS | TCP | 8443 | HTTPS traffic for secure remote support when ESRS is enabled and Integrated ESRS is configured on the storage system. If closed, there will be a significant decrease in remote support performance, which will directly impact the time to resolve issues on the Unity storage system.
    REST | TCP | 9443 | Used to send service notifications to an ESRS gateway server when ESRS is enabled and Centralized ESRS is configured on the storage system.
    Common AntiVirus Agent (CAVA) | TCP | 12228 | Used to provide a CAVA anti-virus solution to clients using a NAS server. If closed, the CAVA anti-virus solution will not be available.
    IWD | Internal | 60260 | IWD initial configuration daemon. If closed, initialization of the array will be unavailable through the network.

    a. The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring Directory Services. The default port number is displayed in an entry box that can be overridden by the user.
    b. The Remote Syslog port number can also be overridden from inside Unisphere.
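    As an added example (not from the Unity documentation), the following Python script turns the two tables into a management-network allowlist: Table 1 rows become inbound rules to the management IP and Table 2 rows become outbound rules from it, with warnings for the services the tables describe as unauthenticated or unsecure. The feature tags (mgmt, ssh, smb, nfs, iscsi, ldap, ldaps), the mapping of rows to those tags and the management IP 10.0.0.1 are the author's assumptions.

```python
"""Build an nftables-style allowlist from the Unity port tables.

Added example, not Dell EMC code. PORTS is transcribed from Table 1
(direction "in": the array listens) and Table 2 (direction "out": the array
connects out); the feature tags are the author's reading of those tables.
"""

# (direction, feature, protocol, (low, high), note)
PORTS = [
    # Always open, whatever is enabled (Table 1: rpcbind "cannot be stopped")
    ("in",  "always", "tcp/udp", (111, 111),   "portmapper/rpcbind, no authentication"),
    # Unisphere / CLI management and the name and time services it relies on
    ("in",  "mgmt",   "tcp",     (443, 443),   "HTTPS to Unisphere and Unisphere CLI"),
    ("in",  "mgmt",   "tcp",     (80, 80),     "HTTP, redirected to 443"),
    ("out", "mgmt",   "tcp/udp", (53, 53),     "DNS queries"),
    ("out", "mgmt",   "udp",     (123, 123),   "NTP time synchronization"),
    ("in",  "ssh",    "tcp",     (22, 22),     "SSH management (if enabled)"),
    # SMB file sharing (inbound) and the Kerberos it depends on (outbound)
    ("in",  "smb",    "tcp/udp", (137, 137),   "NetBIOS name service"),
    ("in",  "smb",    "udp",     (138, 138),   "NetBIOS datagram service (browse)"),
    ("in",  "smb",    "tcp/udp", (139, 139),   "NetBIOS session service, pre-Windows 2000 clients"),
    ("in",  "smb",    "tcp",     (445, 445),   "SMB, Windows 2000 and later clients"),
    ("out", "smb",    "tcp/udp", (88, 88),     "Kerberos tickets"),
    ("out", "smb",    "tcp/udp", (464, 464),   "Kerberos password change and set"),
    # NFS
    ("in",  "nfs",    "tcp/udp", (1234, 1234), "mountd"),
    ("in",  "nfs",    "tcp/udp", (2049, 2049), "NFS"),
    ("in",  "nfs",    "tcp/udp", (4000, 4002), "statd, lockd, rquotad"),
    # Block
    ("in",  "iscsi",  "tcp",     (3260, 3260), "iSCSI"),
    # Directory services (the array is the client)
    ("out", "ldap",   "tcp/udp", (389, 389),   "unsecure LDAP queries"),
    ("out", "ldaps",  "tcp/udp", (636, 636),   "secure LDAP queries"),
]


def _rows(features):
    """Yield (direction, protocol, (low, high), note), one per L4 protocol."""
    wanted = set(features) | {"always"}
    for direction, feature, protos, span, note in PORTS:
        if feature in wanted:
            for proto in protos.split("/"):
                yield direction, proto, span, note


def ports_for(features):
    """Sorted, de-duplicated (direction, protocol, (low, high)) tuples to permit."""
    return sorted({(d, p, s) for d, p, s, _ in _rows(features)})


def allowlist(features, mgmt_ip):
    """Return (rules, warnings) for a management-network nftables chain.

    Inbound rows match the array as destination, outbound rows as source;
    everything else is left to the chain's default drop policy.
    """
    rules, warnings = [], []
    for direction, proto, (lo, hi), note in _rows(features):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        addr = "daddr" if direction == "in" else "saddr"
        rules.append(f'ip {addr} {mgmt_ip} {proto} dport {span} accept comment "{note}"')
    warnings.append("tcp/udp 111 (rpcbind) answers unauthenticated queries and cannot be "
                    "stopped on the array; limit which networks can reach it")
    if "ldap" in features and "ldaps" not in features:
        warnings.append("tcp/udp 389 carries unsecure LDAP; the array also supports LDAPS on 636")
    if "smb" in features:
        warnings.append("tcp/udp 139 (NetBIOS session) is specifically for pre-Windows 2000 "
                        "clients; current clients use 445 plus Kerberos 88/464")
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = allowlist({"mgmt", "smb", "ldaps"}, "10.0.0.1")  # placeholder IP
    print("\n".join(rules))
    print("\n".join("WARNING: " + w for w in warnings))
```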

    Storage system certificate

    The storage system automatically generates a self-signed certificate during its first initialization. The certificate is preserved both in NVRAM and on the backend LUN. Later, the storage system presents it to a client when the client attempts to connect to the storage system through the management port.

    The certificate is set to expire after 3 years; however, the storage system will regenerate the certificate one month before its expiration date. Also, you can upload a new certificate by using the svc_custom_cert service command. This command installs a specified SSL certificate in PEM format for use with the Unisphere management interface. For more information about this service command, see the Service Commands Technical Notes document. You cannot view the certificate through Unisphere or the Unisphere CLI; however, you can view the certificate through a browser client or a web tool that tries to connect to the management port.

    Note:  When the array is in FIPS mode and a certificate is generated off-array, in addition to the certificate being in PEM format, the private key needs to be in PKCS#1 format. You can use an openssl command to do this conversion. Once the .cer and .pk files are generated, this additional step is required when the certificate will be used on an array in FIPS mode.

    To increase security, some organizations use CA certificate chaining. Certificate chaining links two or more CA certificates together. The primary CA certificate is the root certificate at the end of the CA certificate chain. Since the system needs the complete certificate chain to verify the authenticity of a certificate that is received, ask the directory server administrator if certificate chaining is used. If so, you must concatenate all the relevant certificates into a single file and upload that version. The certificate must be in PEM/Base64 encoded format and use the suffix .cer.

    Replacing storage system self-signed certificate with signed certificates from a local Certificate Authority

    Before you can upload new certificates for the storage system from a local Certificate Authority to replace the existing Unisphere self-signed SSL certificates, you need to do the following:

    1. Create a private key on the storage processor (SP).
       Note:  For example:
         22:59:02 service@unknown spa:~/openssl> openssl genrsa -des3 -out unitycert.key -passout pass:emcemc
         Generating RSA private key, 2048 bit long modulus
         ............................+++
         ..............................................................................+++
         e is 65537 (0x10001)
    2. Remove the passphrase from the key on the SP.
       NOTICE  This step is very important. If the passphrase is not removed from the key, it will cause an SP panic.
       Note:  For example:
         22:59:08 service@unknown spa:~/openssl> openssl rsa -in unitycert.key -passin pass:emcemc -out unitycert.pk
         writing RSA key
    3. Request a CSR on the SP.
       Note:  For example:
         22:59:12 service@unknown spa:~/openssl> openssl req -new -sha256 -key unitycert.pk -out unitycert.csr -days 1825 -subj '/C=US/ST=MA/L=Sarasota/O=MyCust/CN=10.0.0.1'
       Here -subj '/C=US/ST=MA/L=Sarasota/O=MyCust/CN=10.0.0.1' is an example; change it to correspond to your environment.
    4. Get the CSR signed by your CA (Windows CA server, OpenSSL CA server, or another CA server). The following are examples of sending a CSR to a CA server for signing:
       • Print the CSR using the cat command, then copy and paste it into a text editor on your local computer and save it as unitycert.csr.
         23:00:01 service@unknown spa:~/openssl> cat unitycert.csr
         (The command prints the PEM-encoded request, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.)
       • Download the CSR by Secure Copy Protocol (SCP).
         Note:  To download CSR files using SCP, use a third-party tool (for example, WinSCP) to connect to the Unity management IP interface (username: service), and then copy the unitycert.csr file to the local computer.
    5. After you get the signed certificate from the CA server, upload it to the SP and save it as unitycert.crt (corresponding to unitycert.pk), then install it with the service command:
       Note:  For example:
         $ svc_custom_cert unitycert
       Example:
         service@spa spa:~> svc_custom_cert pod6
         Successfully installed custom certificate files. Restarting web server ...
         Unsupported
         Sun May 22 05:37:48 2016:7645\0x7f44ba3e27c0:32:Module CIC/1.1.10.6 loaded
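    Added example (not Dell EMC's svc_custom_cert and not from this page): a stdlib-only Python preflight for the files produced by the procedure above and by the FIPS and CA-chaining notes. It refuses a key that still carries a passphrase (the SP panic case in step 2), re-encodes a PKCS#8 key into the PKCS#1 form the FIPS note calls for (the same unwrapping openssl rsa performs on an unencrypted key), and checks a concatenated CA chain for the PEM/.cer requirements; the sample key material is a constructed DER placeholder, not a real key.

```python
"""Preflight for key and certificate files before svc_custom_cert.

Added example, not Dell EMC code; stdlib only. It checks what this page
warns about: the key must carry no passphrase (or the SP panics), in FIPS
mode it must be PKCS#1 ("RSA PRIVATE KEY"), and a concatenated CA chain
must be a PEM/Base64 .cer file that holds only certificates.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER tag-length-value (used here to build the sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def to_pem(label, der):
    """Wrap DER bytes as a PEM block with 64-column Base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_der(pem_text):
    """DER bytes of the first PEM block (no encrypted-key headers expected)."""
    return base64.b64decode("".join(PEM_RE.search(pem_text).group(2).split()))


def classify_key(pem_text):
    """'pkcs1', 'pkcs8', 'encrypted' or 'unknown' for the first PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    # genrsa -des3 writes PKCS#1 with Proc-Type/DEK-Info headers (step 1 above);
    # a passphrase-protected PKCS#8 key is labelled ENCRYPTED PRIVATE KEY.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"
    return {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label, "unknown")


def pkcs8_to_pkcs1(der):
    """Unwrap PrivateKeyInfo and return the inner RSAPrivateKey DER."""
    tag, info, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo is not a SEQUENCE")
    _, _version, pos = _tlv(info, 0)        # version INTEGER
    tag, alg, pos = _tlv(info, pos)         # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or _tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an RSA key; FIPS-mode upload expects PKCS#1 RSA")
    tag, key, _ = _tlv(info, pos)           # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey field is not an OCTET STRING")
    return key


def prepare_key(pem_text):
    """Return the key as PKCS#1 PEM ready for upload, or raise with the reason."""
    kind = classify_key(pem_text)
    if kind == "encrypted":
        raise ValueError("key still has a passphrase; remove it (step 2) or the SP panics")
    if kind == "pkcs8":      # same re-encoding `openssl rsa -in key.pem -out key.pk` does
        return to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(pem_der(pem_text)))
    if kind == "pkcs1":
        return pem_text
    raise ValueError("no recognised private key block")


def check_chain_bundle(filename, text):
    """Problems with a concatenated CA chain file; [] when it is acceptable."""
    problems = []
    if not filename.endswith(".cer"):
        problems.append("chain file must use the .cer suffix")
    labels = [m.group(1) for m in PEM_RE.finditer(text)]
    if not labels:
        problems.append("no PEM blocks found; the file must be PEM/Base64, not DER")
    problems += [f"unexpected {lb} block in chain" for lb in labels if lb != "CERTIFICATE"]
    return problems


# Constructed sample input (not a usable key): a PKCS#8 wrapper around a
# placeholder SEQUENCE that stands in for RSAPrivateKey.
FAKE_RSA_KEY = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc1\x23"))
SAMPLE_PKCS8_PEM = to_pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + _der(
    0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x04, FAKE_RSA_KEY)))
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run prepare_key on unitycert.pk and check_chain_bundle on the concatenated CA file before invoking svc_custom_cert; a non-empty problem list or a ValueError means the upload would be rejected or would destabilise the SP.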

    Storage system interfaces, services, and features that support Internet Protocol version 6

    You can configure the interfaces on a system and use Internet Protocol version 6 (IPv6) addresses to configure different services and features. The following list contains the features for which the IPv6 protocol is supported:

    • Interfaces (SF, iSCSI) - to statically assign an IPv4 or IPv6 address to an interface
    • Hosts - to enter a network name, an IPv4 address or an IPv6 address of a host
    • Routes - to configure a route for IPv4 or IPv6 protocol
    • Diagnostics - to initiate a diagnostic ping CLI command using either an IPv4 or IPv6 destination address. In Unisphere select Settings > Access > Routing > Ping/Trace to access the Ping/Trace screen which supports the IPv6 destination addresses as well.

    All storage system components support IPv4, and most support IPv6. Table 3 shows the availability of IPv6 support by setting type and component:

    Table 3. IPv6 support by setting type and component

    Setting Type | Component | IPv6 Supported
    Unisphere management settings | Management port | Yes
    Unisphere management settings | Domain Name Server (DNS) | Yes
    Unisphere management settings | NTP (network time protocol) server | Yes
    Unisphere management settings | Remote logging server | Yes
    Unisphere management settings | LDAP server | No
    Unisphere host configuration setting | Microsoft Exchange | Yes
    Unisphere host configuration setting | VMware datastore (NFS) | Yes
    Unisphere host configuration setting | VMware datastore (VMFS) | Yes
    Unisphere host configuration setting | Hyper-V datastore | Yes
    Unisphere alert setting | SNMP trap destinations | Yes
    Unisphere alert setting | SMTP server | Yes
    Unisphere alert setting | EMC Secure Remote Services (ESRS) | No
    Storage server setting | iSCSI server | Yes
    Storage server setting | Shared Folder server | Yes
    Storage server setting | Network Information Service (NIS) server (for NFS NAS Servers) | Yes
    Storage server setting | Active Directory server (for SMB NAS Servers) | Yes
    Storage server setting | Internet Storage Service (iSNS) server | Yes
    Other | PING destinations | Yes
    Other | Remote log | Yes
    Other | LDAP | Yes

    IPv6 address standard

    Internet Protocol version 6 (IPv6) is an Internet Protocol address standard developed by the Internet Engineering Task Force (IETF) to supplement and eventually replace the IPv4 address standard that most Internet services use today.

    IPv4 uses 32-bit IP addresses, which provides approximately 4.3 billion possible addresses. With the explosive growth of Internet users and Internet-connected devices, the available IPv4 address space is insufficient. IPv6 solves the address shortage issue, because it uses 128-bit addresses, which provides approximately 340 trillion addresses. IPv6 also solves other IPv4 issues, including mobility, autoconfiguration, and overall extensibility issues.

    An IPv6 address is a hexadecimal value that contains eight, 16-bit, colon-separated fields:

    hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh

    Each digit in an IPv6 address can be a number from 0-9 or a letter from A-F.

    For more information about the IPv6 standard, see information about the IPv6 standard (RFC 2460) on the IETF website (http://www.ietf.org).

    Storage system management interface access using IPv6

    When you set up management connections in the storage system, you can configure the system to accept the following types of IP addresses:

    • Static Internet Protocol version 6 (IPv6) addresses, IPv4 addresses obtained through DHCP, and static IPv4 addresses
    • IPv4 addresses only

    You can statically assign the IPv6 addresses to the management interface. An IPv6 address on the management interface can be set to one of two modes, manual/static or disabled. When you disable IPv6, the protocol does not unbind from the interface. The disable command removes any unicast IPv6 addresses assigned to the management interface and the storage system will no longer answer requests addressed over IPv6. IPv6 is disabled by default.

    After you finish installing, cabling, and powering up the system, an IP address must be assigned to the storage system management interface. If you are not running the storage system on a dynamic network, or if you would rather manually assign a static IP address, you must download, install, and run the Connection Utility. For more information about the Connection Utility, see Running the Connection Utility.

    Inbound requests using IPv6 to the storage system through the management interface are supported. You can configure the management interface on a storage system to operate in an IPv4-only, IPv6-only, or a combined IPv4 and IPv6 environment and you can manage the storage system using Unisphere UI and the command line interface (CLI).

    Outbound services such as Network Time Protocol (NTP) and Domain Naming System (DNS) support IPv6 addressing either by using explicit IPv6 addresses or by using DNS names. If a DNS name resolves to both IPv6 and IPv4, the storage system will communicate with the server over IPv6.

    The manage network interface set and show CLI commands that are used to manage the management interfaces include attributes related to IPv6. For more information about these manage network interface commands and attributes, refer to the Unisphere Command Line Interface User Guide.

    Configuring the management interface using DHCP

    After you finish installing, cabling, and powering up the system, an IP address must be assigned to the storage system management interface. If you are running the storage system on a dynamic network that includes a Dynamic Host Control Protocol (DHCP) server and a Domain Name System (DNS) server, the management IP address can be assigned automatically.

    Note:  If you are not running the storage system in a dynamic network environment, or you would rather manually assign a static IP address, you must install and run the Connection Utility. For more information concerning the Connection Utility, see Running the Connection Utility.

    The appropriate network configuration must include setting the range of available IP addresses, the correct subnet masks, and gateway and name server addresses. Consult your specific network's documentation for more information on setting up DHCP and DNS servers.

    DHCP is a protocol for assigning dynamic Internet Protocol (IP) addresses to devices on a network. DHCP allows you to control Internet Protocol (IP) addresses from a centralized server and automatically assign a new, unique IP address when a storage system is plugged into your organization's network. This dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task.

    The DNS server is an IP-based server that translates domain names into IP addresses. As opposed to numeric IP addresses, domain names are alphabetic and are usually easier to remember. Since an IP network is based on IP addresses, every time you use a domain name, the DNS server must translate the name into a corresponding IP address. For example, the domain name www.Javanet.com translates to the IP address 209.94.128.8.

    No administrative information such as user names, passwords, and such are exchanged during the DHCP/Dynamic DNS configuration. Configuration of the management IP items (DHCP preference, DNS and NTP server configuration) fall under the existing Unisphere framework related to security. DNS and DHCP events including obtaining a new IP address on lease expiration are recorded in storage system audit logs. If DHCP is not used for the storage system management IP configuration, no additional network ports will be opened.

    Dynamic IP addresses (DHCP) should not be used for any components of the EMC Secure Remote Services (ESRS) Virtual Edition (VE) servers, Policy Manager servers, or managed devices.

    Note:   If you use DHCP to assign IP addresses to any ESRS components (ESRS VE servers, Policy Manager, or managed devices), they must have static IP addresses. Leases for the IP addresses that EMC devices use cannot be set to expire. EMC recommends that you assign static IP addresses to those devices you plan to have managed by ESRS.

    Running the Connection Utility

    Note:   If you are running the storage system in a dynamic network environment that includes a DHCP server and a DNS server, you do not have to use the Connection Utility and instead can automatically assign a dynamic IP address (IPv4 only) for the storage system management interface. When a storage system uses a static IP address, it is manually configured with the Connection Utility to use a specific IP address. One problem with static assignment, which can result from a mistake or inattention to detail, occurs when two storage systems are configured with the same management IP address. This creates a conflict that could result in loss of network connectivity. Using DHCP to dynamically assign IP addresses minimizes these types of conflicts. Storage systems configured to use DHCP for IP assignment do not need to use statically assigned IP addresses.

    Connection Utility installation software is available from the EMC Online Support website (https://support.emc.com), under the Downloads selection on the menu bar of the product page for your storage system. After you download the software, install the program on a Windows host. When you run the Connection Utility from a computer on the same subnet as the storage system, it automatically discovers any unconfigured storage systems. If the storage system is on a different subnet than the host running the Connection Utility, you can instead manually configure the IP network and hostname information, save it to a USB drive as a text file, and insert the USB drive into either SP; the SP then automatically applies the IP network and hostname settings.

    Note:  You cannot change the management IP address when both of the Storage Processors (SP) are in Service mode.

    After you run the Connection Utility and transfer the configuration to your storage system, you can connect to the storage system through a web browser using the IP address that you assigned to the storage system management interface.

    The first time you connect to the storage system, the storage system Initial Configuration Wizard starts. The Initial Configuration Wizard lets you set up the initial configuration of the storage system so that you can start to create storage resources.

    Note:   For more information concerning the Connection Utility, see the Unity Series Installation Guide.

    Protocol (SMB) encryption and signing

    Support for SMB 3.0 (Windows Server 2012 and later) on the storage system provides SMB encryption for hosts capable of using SMB 3.0. SMB Encryption provides secure access to data on SMB file shares: it encrypts SMB data end-to-end between the array and the host, so the data is protected from eavesdropping and snooping attacks on untrusted networks.

    SMB Encryption can be configured for each share. Once a share is defined as encrypted, any SMB3 client must encrypt all its requests related to the share; otherwise, access to the share will be denied.

    To enable SMB Encryption, you either set the Protocol Encryption option in the advanced SMB share properties in Unisphere or set it through the create and set CLI commands for SMB shares. There is no setting required on the SMB client.

    Note:  For more information about setting SMB encryption, refer to the Unisphere online help and the Unisphere Command Line Interface User Guide.

    SMB also provides data integrity validation (signing). SMB signing adds a signature to every packet so that the receiver can detect packets that a third party has changed or replayed in transit. Signing does not hide the data; confidentiality requires SMB Encryption.

    To use SMB signing, the client and the server in a transaction must have SMB signing enabled. By default, Windows Server domain controllers require that the clients use SMB signing. For Windows Server domains (Windows 2000 and later), SMB signing is set by using a group policy object (GPO) policy. For Windows XP, GPO services for SMB signing are not available; you must use the Windows Registry settings.

    Note:  Configuring SMB signing through GPOs affects all clients and servers within the domain and overrides individual Registry settings. Refer to Microsoft's security documentation for detailed information about enabling and configuring SMB signing.

    In SMB1, enabling signing significantly decreases performance, especially when going across a WAN. There is limited degradation in performance with SMB2 and SMB3 signing as compared to SMB1. The performance impact of signing will be greater when using faster networks.

    NOTICE   If the older SMB1 protocol does not need to be supported in your environment, it can be disabled by using the svc_nas service command. For more information about this service command, see the Service Commands Technical Notes.

    Configure SMB signing with GPOs

    Table 4 explains the GPOs available for SMB1 signing.

    Note:   For SMB2 and SMB3, each version has a GPO for each side (server-side and client-side) to enable the Digitally sign communications (always) option. Neither server-side nor client-side has a GPO to enable the Digitally sign communications (if client agrees) option.

    Table 4. SMB1 signing GPOs

    GPO name                                                                    What it controls                                           Default setting
    --------------------------------------------------------------------------  ---------------------------------------------------------  ---------------
    Microsoft network server: Digitally sign communications (always)            Whether the server-side SMB component requires signing     Disabled
    Microsoft network server: Digitally sign communications (if client agrees)  Whether the server-side SMB component has signing enabled  Disabled
    Microsoft network client: Digitally sign communications (always)            Whether the client-side SMB component requires signing     Disabled
    Microsoft network client: Digitally sign communications (if server agrees)  Whether the client-side SMB component has signing enabled  Enabled

    You can also configure SMB signing through the Windows Registry. If a GPO service is not available, such as in a Windows NT environment, the Registry settings are used.

    Configure SMB signing with the Windows Registry

    Registry settings are configured on individual Windows workstations and servers and affect only the individual server or client that you configure.

    Note:  The following Registry settings pertain to Windows NT with SP 4 or later. These Registry entries exist in Windows Server, but should be set through GPOs.

    The server-side settings are located in: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\

    Note:  For SMB2 and SMB3, each version has a Registry key for each side (server-side and client-side) to enable the requiresecuritysignature option. Neither server-side nor client-side has a Registry key to enable the enablesecuritysignature option.

    Table 5. Server-side SMB1 signing Registry entries

    Registry entry            Value                   Purpose
    ------------------------  ----------------------  ------------------------------------------
    enablesecuritysignature   0 = disabled (default)  Determines whether SMB signing is enabled
                              1 = enabled
    requiresecuritysignature  0 = disabled (default)  Determines whether SMB signing is required
                              1 = enabled

    The client-side settings are located in: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters\

    Table 6. Client-side SMB1 signing Registry entries

    Registry entry            Value                   Purpose
    ------------------------  ----------------------  ------------------------------------------
    enablesecuritysignature   0 = disabled            Determines whether SMB signing is enabled
                              1 = enabled (default)
    requiresecuritysignature  0 = disabled (default)  Determines whether SMB signing is required
                              1 = enabled
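    The four Registry values in Tables 5 and 6 only matter in combination: what a given server and client pair actually does depends on both sides. The following is an added example, not part of the Unity documentation or of Dell EMC's tooling, that evaluates an SMB1 session outcome from those values. The rule it encodes is the Windows SMB1 negotiation behaviour (a side that requires signing refuses a peer that cannot sign; with no requirement on either side, traffic is signed only when both sides have signing enabled; requiring signing implies it is enabled). The Registry dumps are constructed dictionaries rather than live reads, so it runs anywhere.

```python
"""Added example: SMB1 signing outcome from lanmanserver/lanmanworkstation values.
Not Dell EMC code. Registry values are constructed dictionaries, not live reads."""
from typing import Dict, Tuple

SIGNED, UNSIGNED, REFUSED = "signed", "unsigned", "connection refused"

# Defaults from Tables 5 and 6 of this chapter.
SERVER_DEFAULTS = {"enablesecuritysignature": 0, "requiresecuritysignature": 0}
CLIENT_DEFAULTS = {"enablesecuritysignature": 1, "requiresecuritysignature": 0}


def _state(values: Dict[str, int]) -> Tuple[bool, bool]:
    """Return (enabled, required); requiring signing implies it is enabled."""
    required = values.get("requiresecuritysignature", 0) == 1
    enabled = required or values.get("enablesecuritysignature", 0) == 1
    return enabled, required


def smb1_outcome(server: Dict[str, int], client: Dict[str, int]) -> str:
    """Negotiation rule for an SMB1 session between one server and one client."""
    s_enabled, s_required = _state(server)
    c_enabled, c_required = _state(client)
    if s_required and not c_enabled:
        return REFUSED  # server demands a signature the client will not produce
    if c_required and not s_enabled:
        return REFUSED  # client demands signing from a server that has it off
    if s_required or c_required or (s_enabled and c_enabled):
        return SIGNED
    return UNSIGNED


def audit(server: Dict[str, int], client: Dict[str, int]) -> str:
    """One-line verdict for a server/client pair, as used in a hardening review."""
    outcome = smb1_outcome(server, client)
    if outcome == UNSIGNED:
        return "WEAK: SMB1 traffic is unsigned and can be tampered with in transit"
    if outcome == REFUSED:
        return "BREAK: signing policies are incompatible; the session will fail"
    return "OK: SMB1 traffic is signed"


if __name__ == "__main__":
    # Constructed scenarios: factory defaults, a hardened server, and a legacy
    # client that cannot sign (enablesecuritysignature = 0).
    hardened_server = dict(SERVER_DEFAULTS, requiresecuritysignature=1)
    legacy_client = {"enablesecuritysignature": 0, "requiresecuritysignature": 0}
    print("defaults          :", audit(SERVER_DEFAULTS, CLIENT_DEFAULTS))
    print("require on server :", audit(hardened_server, CLIENT_DEFAULTS))
    print("vs legacy client  :", audit(hardened_server, legacy_client))
```

    With the documented defaults (server enable 0, client enable 1) the session is unsigned, which is why requiring signing on the server side is the usual hardening step: default Windows clients keep working, and only clients that have signing disabled outright are refused.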

    IP packet reflect

    IP packet reflect provides your network with an additional security level. Because the majority of network traffic on a NAS server (including all file system I/O) is client initiated, the NAS server uses Packet Reflect to reply to client requests. With Packet Reflect, there is no need to determine the route to send the reply packets. Because reply packets always go out the same interface as the request packets, request packets cannot be used to indirectly flood other LANs. In cases where two network devices exist, one connected to the Internet and the other connected to the intranet, replies to Internet requests do not appear on the intranet. Also, the internal networks used by the storage system are not affected by any packet from external networks.

    IP packet reflect can be enabled for each NAS server. It is disabled for all NAS servers by default.

    IP multi-tenancy

    IP multi-tenancy provides the ability to assign isolated, file-based storage partitions to the NAS servers on a storage processor. Tenants are used to enable the cost-effective management of available resources, while at the same time ensuring that tenant visibility and management is restricted to assigned resources only.

    Note:  If this is the first creation of a tenant in your environment, have the system automatically generate a Universal Unique Identifier (UUID) value for the tenant. For existing tenants in your environment that have a system generated UUID value, enter that UUID value manually.

    With IP multi-tenancy, each tenant can have its own:

    • IP addresses and port numbers.
    • VLAN domain.
    • Routing table.
    • IP firewall.
    • DNS server or other administrative servers to allow the tenant to have its own authentication and security validation.

    IP multi-tenancy is implemented by adding a tenant to the storage system, associating a set of VLANs with the tenant, and then creating one NAS server for each of the tenant's VLANs, as needed. It is recommended that you create a separate pool for the tenant and that you associate that pool with all of the tenant's NAS servers.

    Note:  A pool is a set of drives that provide specific storage characteristics for the resources that use them.

    Note the following about the IP multi-tenancy feature:

    • There is a one-to-many relationship between tenants and NAS servers. A tenant can be associated with multiple NAS servers, but a NAS server can be associated with only one tenant.
    • You can associate a NAS server with a tenant when you create the NAS server. Once you create a NAS server that is associated with a tenant, you cannot change any of its properties.
    • During replication, data for a tenant is transferred over the service provider's network rather than the tenant's network.
    • Because multiple tenants can share the same storage system, a spike in traffic for one tenant can negatively impact the response time for other tenants.

    About VLANs

    VLANs are logical networks that function independently of the physical network configuration. For example, VLANs enable you to put all of a department's computers on the same logical subnet, which can increase security and reduce network broadcast traffic.

    When a single NIC is assigned multiple logical interfaces, a different VLAN can be assigned to each interface. When each interface has a different VLAN, a packet is accepted only if its destination IP address is the same as the IP address of the interface, and the packet's VLAN tag is the same as the interface's VLAN ID. If the VLAN ID of an interface is set to zero, packets are sent without VLAN tags.

    There are two ways to work with VLANs:

    • Configure a switch port with a VLAN identifier and connect a NAS server port or iSCSI interface to that switch port. The Unity system is unaware that it is part of the VLAN, and no special configuration of the NAS server or iSCSI interface is needed. In this case, the VLAN ID is set to zero.
    • Implement IP multi-tenancy using VLANs. In this scenario, each tenant is associated with a set of one or more VLANs, and the NAS server is responsible for interpreting the VLAN tags and processing the packets appropriately. This enables the NAS server to connect to multiple VLANs and their corresponding subnets through a single physical connection. In this method, the switch ports for servers are configured to include VLAN tags on packets sent to the server.
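    The acceptance rule above (VLAN tag must equal the interface's VLAN ID, destination IP must equal the interface's IP, VLAN ID 0 means untagged) is easy to state but worth seeing applied to real frame bytes. The following is an added example, not code from the Unity documentation or the product, that parses an Ethernet frame with an optional 802.1Q tag and applies that rule for a tenant interface. The interface addresses, VLAN IDs and frames are constructed for illustration; treating a tagged frame arriving at a VLAN-0 interface as not accepted is this example's interpretation of the untagged case.

```python
"""Added example: 802.1Q frame parsing plus the per-interface VLAN/IP acceptance
rule described in this section. Not Dell EMC code; all frames are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Interface:
    ip: str        # logical interface address on the NAS server (constructed)
    vlan_id: int   # 0 = interface expects untagged frames


@dataclass(frozen=True)
class ParsedFrame:
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    ethertype: int
    dst_ip: Optional[str]   # None when the payload is not IPv4


def parse_frame(frame: bytes) -> ParsedFrame:
    """Decode the 14-byte Ethernet header, an optional 4-byte 802.1Q tag and the IPv4 dst."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        # TCI is 16 bits: PCP(3) DEI(1) VID(12); the inner EtherType follows it.
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF
        offset = 18
    dst_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        # IPv4 destination address occupies bytes 16..19 of the IP header.
        dst_ip = str(ipaddress.IPv4Address(frame[offset + 16:offset + 20]))
    return ParsedFrame(vlan_id, ethertype, dst_ip)


def accept(frame: bytes, iface: Interface) -> bool:
    """Accept only if the tag matches the interface VLAN (untagged <-> 0) and dst IP matches."""
    p = parse_frame(frame)
    if p.vlan_id is None:
        tag_ok = iface.vlan_id == 0
    else:
        tag_ok = p.vlan_id == iface.vlan_id
    return tag_ok and p.dst_ip == iface.ip


def build_frame(dst_ip: str, vlan_id: Optional[int]) -> bytes:
    """Build a minimal Ethernet/IPv4 frame for testing (constructed data, not a capture)."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                                             # version 4, IHL 5
    ip_hdr[12:16] = ipaddress.IPv4Address("10.0.0.50").packed    # constructed source
    ip_hdr[16:20] = ipaddress.IPv4Address(dst_ip).packed
    if vlan_id is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip_hdr)
    tci = vlan_id & 0x0FFF                                       # PCP 0, DEI 0
    return macs + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + bytes(ip_hdr)


if __name__ == "__main__":
    # Two tenants on one physical port, each with its own VLAN (constructed values).
    tenant_a = Interface(ip="10.1.0.5", vlan_id=100)
    tenant_b = Interface(ip="10.2.0.5", vlan_id=200)
    print(accept(build_frame("10.1.0.5", 100), tenant_a))   # tenant A's own traffic
    print(accept(build_frame("10.1.0.5", 200), tenant_a))   # right IP, wrong VLAN
    print(accept(build_frame("10.2.0.5", 100), tenant_b))   # tenant A's VLAN, tenant B's IP
```

    The second and third checks are the multi-tenancy point: a host on tenant A's VLAN cannot reach tenant B's NAS server simply by addressing its IP, because the tag is checked before the address.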

    Management support for FIPS 140-2

    Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. To learn more about FIPS 140-2, refer to the FIPS 140-2 publication.

    The storage system supports FIPS 140-2 mode for the SSL modules that handle client management traffic. Management communication into and out of the system is encrypted using SSL. As a part of this process, the client and the storage management software negotiate a cipher suite to use in the exchange. Enabling FIPS 140-2 mode restricts the negotiable set of cipher suites to only those that are listed in the FIPS 140-2 Approved Security Functions publication. If FIPS 140-2 mode is enabled, you may find that some of your existing clients can no longer communicate with the management ports of the system if they do not support FIPS 140-2 Approved cipher suites. FIPS 140-2 mode cannot be enabled on a storage system when non-FIPS-compliant certificates exist in the certificate store. You must remove all non-FIPS compliant certificates from the storage system before you enable the FIPS 140-2 mode.

    Managing FIPS 140-2 mode on the storage system

    Only the Administrator and Security Administrator have the privileges to manage the FIPS 140-2 mode setting. Use the following CLI command to set the FIPS 140-2 mode setting on a storage system:

    uemcli /sys/security set -fips140Enabled yes will set it to FIPS 140-2 mode.

    uemcli /sys/security set -fips140Enabled no will set it to non-FIPS 140-2 mode.

    Use the following CLI command to determine the current FIPS 140-2 mode for the storage system:

    uemcli /sys/security show

    When you change the FIPS 140-2 mode setting on a storage system, both SPs are automatically rebooted in sequence in order to apply the new setting. When the first SP has completed rebooting, the other SP is rebooted. The system will only operate fully in the configured FIPS 140-2 mode after both SPs have completed rebooting.

    Management support for SSL communications

    Management communication into and out of the storage system is encrypted using SSL. As a part of this process, the client and the storage system negotiate an SSL protocol to use. By default, the storage system supports TLS 1.0, TLS 1.1, and TLS 1.2 protocols for SSL communications. The storage system includes an administrative setting to disable TLS 1.0 from the system. Disabling the TLS 1.0 protocol using this setting means that the storage system will only support SSL communications using the TLS 1.1 and TLS 1.2 protocols and TLS 1.0 will not be considered a valid protocol.

    Note:   Disabling TLS 1.0 may impact existing client applications which are not compatible with TLS 1.1 or TLS 1.2 protocols. In this case, TLS 1.0 support should remain enabled. The following functionality will not work when TLS 1.0 is disabled:
    • Technical advisories
    • Software, drive firmware, and language pack upgrade notifications
    • Replication from OE versions earlier than 4.3 to OE version 4.3

    Managing TLS 1.0 on the storage system

    Only the Administrator or Security Administrator have the privileges to manage the TLS 1.0 enable setting. Use the following command to set the TLS 1.0 enable setting on a storage system:

    uemcli /sys/security set -tls1Enabled yes enables the use of the TLS 1.0 protocol.

    uemcli /sys/security set -tls1Enabled no disables the use of the TLS 1.0 protocol.

    For more information about this command, refer to the Unisphere Command Line Interface User Guide.
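    Both the FIPS 140-2 mode and the TLS 1.0 setting above change what the management port will negotiate, and the page notes that some clients may stop working as a result. The way to confirm the effect is from the client side: offer one protocol version at a time and see what the system accepts. The following is an added example, not code from the Unity documentation or from Dell EMC, that probes a management endpoint per TLS version, records the negotiated version and cipher suite, and flags algorithms (RC4, MD5, NULL, export and anonymous suites) that are never on the FIPS 140-2 Approved list. The host name is an assumption; nothing is contacted unless you run it as a script.

```python
"""Added example: per-version TLS probe of a management endpoint.
Not Dell EMC code. Host/port below are assumptions supplied on the command line."""
import socket
import ssl
import sys
from typing import Dict, List, Tuple

# Algorithm markers that are not FIPS 140-2 Approved in any TLS cipher suite.
NON_APPROVED_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")

PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def make_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing the protocol, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Let this client offer legacy versions that OpenSSL 3 would otherwise refuse
        # locally; a refusal must come from the storage system, not from our own library.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                        # builds without security levels (e.g. LibreSSL)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Tuple[bool, str]:
    """Return (accepted, detail): 'version cipher' on success, or the refusal reason."""
    ctx = make_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return True, f"{tls.version()} {name}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def flag_non_approved(cipher_detail: str) -> bool:
    """True when the negotiated suite uses an algorithm that is never FIPS Approved."""
    return any(marker in cipher_detail for marker in NON_APPROVED_MARKERS)


def survey(host: str, port: int = 443) -> Dict[str, Tuple[bool, str]]:
    return {v.name: probe(host, port, v) for v in PROBE_VERSIONS}


def evaluate(results: Dict[str, Tuple[bool, str]], tls1_disabled: bool) -> List[str]:
    """Findings for a survey; tls1_disabled mirrors '-tls1Enabled no' on the system."""
    findings = []
    accepted, detail = results.get("TLSv1", (False, ""))
    if tls1_disabled and accepted:
        findings.append("TLS 1.0 still accepted: " + detail)
    for name, (ok, detail) in results.items():
        if ok and flag_non_approved(detail):
            findings.append(f"{name}: non-Approved cipher negotiated: {detail}")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "unity-mgmt.example.invalid"  # assumption
    res = survey(target)
    for ver, (ok, detail) in res.items():
        print(f"{ver:8} {'accepted' if ok else 'refused '} {detail}")
    for finding in evaluate(res, tls1_disabled=True):
        print("FINDING:", finding)
```

    Read the output with one caveat: a refusal whose detail mentions "no protocols available" or "unsupported protocol" comes from your own OpenSSL build rather than the storage system, so re-run from a client that can still speak that version before concluding that the setting took effect. Anything the system does accept should be compared against the FIPS 140-2 Approved Security Functions publication; the marker list here only catches suites that can never be Approved.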

    Management support for restricted shell (rbash) mode

    The storage system SSH service interface is hardened with restricted shell (rbash) mode. This feature is enabled by default for the service account upon upgrading to Unity OE version 4.5 or later. Although temporarily disabling restricted shell mode is possible, it is not persistent and it will be automatically re-enabled when one of the following occurs:

    • The primary Service Processor is rebooted.
    • 24 hours elapse since restricted shell mode was disabled.

    This feature enhances the security posture of the Unity storage system by restricting service account users in the following ways:

    • They can run only a limited set of commands, those assigned to a non-privileged Linux user account in restricted shell mode. The service user account has no access to proprietary system files, configuration files, or user or customer data.
    • They are prevented from executing untrusted code that could be leveraged to exploit local privilege escalation vulnerabilities.

    Besides service scripts, an allow list (white list) defines the basic commands that are available to service personnel. These are either safe commands or commands with security controls that prevent users from escaping restricted shell mode. They are the commands Dell EMC service personnel need to perform maintenance without elevating privilege to root. For information about these commands, see Knowledge Base Article 528422.

    NOTICE  A network vulnerability scan cannot be performed with restricted shell by default. Unisphere Admin users need to disable restricted shell mode in order to facilitate a security scan. For maximum system security, it is highly recommended to leave the restricted shell mode enabled at all times unless it is needed to perform a security scan. To ensure that the system is not exposed to local privilege escalation vulnerabilities, enable restricted shell mode as soon as the security scan completes.

    Managing restricted shell mode on the storage system

    Only the Administrator has the privileges to manage the restricted shell mode setting. Use the following CLI command to set the restricted shell mode setting on a storage system:

    uemcli /sys/security set -rbashEnabled yes enables restricted shell mode for service user mode.

    uemcli /sys/security set -rbashEnabled no disables restricted shell mode.

    Use the following CLI command to determine the current restricted shell mode for the storage system:

    uemcli /sys/security show
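    The three settings managed through /sys/security in this chapter (FIPS 140-2 mode, TLS 1.0 and restricted shell) are the ones an operator most often needs to re-check after a scan window or an upgrade. The following is an added example, not part of the Unity documentation or of Dell EMC's tooling, that reads the output of uemcli /sys/security show, compares it with a hardened baseline and prints the exact set commands from this chapter that would close any gap. It only prints; it never applies a change, because changing FIPS 140-2 mode reboots both SPs. The attribute labels in the constructed sample output are assumptions modelled on the CLI's "Attribute = value" layout, and the uemcli invocation omits any destination or credential arguments your session may need; adjust both to what your system prints and requires.

```python
"""Added example: drift check for 'uemcli /sys/security show' against a baseline.
Not Dell EMC code. SAMPLE_OUTPUT and the attribute labels are constructed assumptions."""
import re
import subprocess
from typing import Dict, List

# Desired state and the remediation command for each setting (commands from this chapter).
BASELINE = {
    "fips":  ("yes", "uemcli /sys/security set -fips140Enabled yes"),
    "tls1":  ("no",  "uemcli /sys/security set -tls1Enabled no"),
    "rbash": ("yes", "uemcli /sys/security set -rbashEnabled yes"),
}

# Patterns that map a displayed attribute label onto a baseline key (assumed labels).
LABEL_PATTERNS = {
    "fips":  re.compile(r"^fips\s*140", re.I),
    "tls1":  re.compile(r"^tls\s*1\.0", re.I),
    "rbash": re.compile(r"^restricted\s+shell", re.I),
}

# Constructed sample of what a non-hardened system might display; not real CLI output.
SAMPLE_OUTPUT = """\
1:    FIPS 140 mode            = no
      TLS 1.0 enabled          = yes
      Restricted shell enabled = no
"""


def parse_show(text: str) -> Dict[str, str]:
    """Turn 'Attribute = value' lines into {baseline_key: value}; unknown rows are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = re.sub(r"^\s*\d+:\s*", "", line)   # drop the '1:' row prefix the CLI prints
        if "=" not in line:
            continue
        label, value = (part.strip() for part in line.split("=", 1))
        for key, pattern in LABEL_PATTERNS.items():
            if pattern.search(label):
                settings[key] = value.lower()
    return settings


def remediation(settings: Dict[str, str]) -> List[str]:
    """Commands needed to reach BASELINE; an attribute missing from the output counts as drift."""
    return [cmd for key, (want, cmd) in BASELINE.items() if settings.get(key) != want]


def current_settings() -> Dict[str, str]:
    """Read the live system (requires uemcli in PATH and any session arguments it needs)."""
    proc = subprocess.run(["uemcli", "/sys/security", "show"],
                          check=True, capture_output=True, text=True)
    return parse_show(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in current_settings() for a live run.
    for cmd in remediation(parse_show(SAMPLE_OUTPUT)):
        print(cmd)
```

    Treat a missing attribute as drift rather than as compliance: if the CLI output format differs from the assumed labels, the script reports every setting as needing remediation, which is the safe failure mode for a baseline check.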