manualshive.com logo in svg

EMC EMC Unity All Flash, Security Configuration Manual

The EMC EMC Unity All Flash Security Configuration Manual is a comprehensive guide to optimizing the security settings of your storage system. Download this manual for free from our website to ensure your data is protected at all times. Stay ahead of potential threats with this essential resource.

Share
Download
background image

Single sign-on and NAT support

Single sign-on does not support a NAT configuration. Also, NAT is not supported for
local login through Unisphere to the storage system.

Security on file system objects

In a multiprotocol environment, the storage system uses its security policies to
determine how to reconcile the differences between NFS and SMB access control
semantics.

Unix security model
UNIX access rights are referred to as the mode bits of a file system object. They are
represented by a bit string in which each bit represents an access mode or privilege
granted to the user owning the file, the group associated with the file system object,
and all other users. UNIX mode bits are represented as three sets of concatenated rwx
(read, write, and execute) triplets for each category of users (user, or group, or
other).

Windows security model
The Windows security model is based primarily on per-object rights, which involve the
use of a security descriptor (SD) and its access control list (ACL).

Access to a file system object is based on whether permissions have been set to Allow
or Deny through the use of a security descriptor. The SD describes the owner of the
object and group SIDs for the object along with its ACLs. An ACL is part of the
security descriptor for each object. Each ACL contains access control entries (ACEs).
Each ACE in turn, contains a single SID that identifies a user, group, or computer and a
list of rights that are denied or allowed for that SID.

File systems access in a multiprotocol environment

File access is provided through NAS servers. A NAS server contains a set of file
systems where data is stored. The NAS server provides access to this data for NFS,
SMB, and FTP file protocols by exporting file systems through SMB shares and NFS
shares (also known as NFS exports). The NAS server mode for multiprotocol sharing
allows the sharing of the same data between SMB and NFS. Because the
multiprotocol sharing mode provides simultaneous SMB and NFS access to a file
system, the mapping of Windows users to Unix users and defining the security rules to
use (mode bits, ACL, and user credentials) must be considered and configured
properly for multiprotocol sharing.

Note

For information about configuring and managing NAS servers with regards to
multiprotocol sharing, user mapping, access policies, and user credentials, refer to the
Unisphere online help and the 

Unisphere Command Line Interface User Guide

.

User mapping

In a multiprotocol context, a Windows user needs to be matched to a UNIX user and
conversely, so file system security can be enforced, even if it is not native to the
protocol. The following components are involved in user mapping:

l

UNIX Directory Services

Access Control

22

EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA

 

4.0 

 

Security Configuration Guide

Summary of Contents for EMC Unity All Flash

Page 1: ...EMC Unity Family EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA Version 4 0 Security Configuration Guide P N 302 002 564 REV 03...

Page 2: ...AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE USE COPYING AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICA...

Page 3: ...ess in a multiprotocol environment 22 User mapping 22 Access policies for NFS SMB and FTP 23 Credentials for file level security 24 NFS secure 26 Dynamic Access Control 27 Logging 29 Logging 30 Remote...

Page 4: ...ed 55 Data security settings 56 Security Maintenance 57 Secure maintenance 58 License update 58 Software upgrade 58 EMC Secure Remote Services for your storage system 59 Security Alert Settings 61 Ale...

Page 5: ...n Troubleshooting For information about EMC products software updates licensing and service go to EMC Online Support registration required at https Support EMC com After logging in locate the appropri...

Page 6: ...Note Presents information that is important but not hazard related Additional resources 6 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Page 7: ...R 1 Introduction This chapter briefly describes a variety of security features implemented on the storage system Topics include l Overview 8 l Related features and functionality information 8 Introduc...

Page 8: ...product service operations performed by the manufacturer or its service partners Alert system Managing the alerts and notifications generated for security related events Other security settings Securi...

Page 9: ...t management 11 l Unisphere 12 l Unisphere command line interface CLI 14 l Storage system service SSH interface 15 l Storage system SP Ethernet service port and IPMItool 16 l SMI S provider 17 l vSphe...

Page 10: ...alerts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server fo...

Page 11: ...accounts Storage system account management Table 4 on page 11 illustrates the ways in which you can manage the storage system accounts Table 4 Account management methods Account roles Description Man...

Page 12: ...the capabilities of the role assigned to the user LDAP The Lightweight Directory Access Protocol LDAP is an application protocol for querying directory services running on TCP IP networks LDAP provid...

Page 13: ...ation Table 6 on page 13 shows the roles you can assign to the storage system local users and the privileges associated with these roles In addition you can assign these roles to LDAP users and groups...

Page 14: ...e interface CLI The Unisphere CLI provides a command line interface for the same functionality available through Unisphere Running the Unisphere CLI requires special storage system command line softwa...

Page 15: ...system SSH service interface when enabled provides a command line interface for performing related and overlapping functionality to that which is available from the Unisphere Service page under System...

Page 16: ...to which it does not have execute permissions and cannot edit configuration files that require root access to read or modify or both Access control lists ACLs The ACL mechanism on the storage system u...

Page 17: ...A is used by VMware clients rather than Unisphere clients The VP runs on the active Storage Processor SP of the storage system The vSphere user must configure this VP instance as the provider of VASA...

Page 18: ...user The Unisphere credentials used here are only used during this initial step of the connection If the Unisphere credentials are valid for the target storage system the certificate of the vCenter S...

Page 19: ...ntext of the same VASA session If an SSL certificate expires the vSphere administrator must generate a new certificate The vCenter Server will establish a new SSL connection and register the new certi...

Page 20: ...can be a client of the centralized authentication server and participate in the single sign on environment For more information about this command refer to the Unisphere Command Line Interface User Gu...

Page 21: ...original URL that was specified 5 The browser downloads the Unisphere content and Unisphere is instantiated 6 The user then opens another web browser window or tab and specifies the network address o...

Page 22: ...cess control entries ACEs Each ACE in turn contains a single SID that identifies a user group or computer and a list of rights that are denied or allowed for that SID File systems access in a multipro...

Page 23: ...used to associate a Windows account to a UNIX account when the name is different For example if there is a user who has an account called Gerald on Windows but the account on UNIX is called Gerry NTX...

Page 24: ...n granted or denied There is no synchronization between mode bits and the SMB discretionary access list DACL They are independent For FTP authentication with windows or Unix depends on the user name f...

Page 25: ...in the Windows credential When accessing a file system with a UNIX access policy the UID of the user is used to query the UDS to build the UNIX credential similar to building an extended credential fo...

Page 26: ...incipal the server builds the credential of that user by querying the active UDS Since NIS is not secured it is not recommended to use it with NFS secure It is recommended to use Kerberos with LDAP or...

Page 27: ...d in the UDS the configured default UNIX user credential is used instead If the default UNIX user is not set the credential used will be nobody Replication When a NAS server is the target of a replica...

Page 28: ...ountry or department DAC CBAC is enabled on the storage system by default however a service command svc_dac allows you to do the following l Enable or disable the DAC feature when disabled the CAP ass...

Page 29: ...CHAPTER 3 Logging This chapter describes a variety of logging features implemented on the storage system Topics include l Logging 30 l Remote logging options 31 Logging 29...

Page 30: ...tem accumulates two million log entries it purges the oldest 500K entries as determined by log record time to return to 1 5 million log entries You can archive log entries by enabling remote logging s...

Page 31: ...m sends remote log information l Type of log messages to send Use the Facility field to set the type of log messages It is recommended that you select the User Level Messages options l Port number and...

Page 32: ...Logging 32 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Page 33: ...ystem certificate 41 l Storage system interfaces services and features that support Internet Protocol version 6 42 l Storage system management interface access using IPv6 43 l Configuring the manageme...

Page 34: ...VSI TCP 22 Allows SSH access if enabled Also used for VSI plugin If closed management connections using SSH will be unavailable and VSI plugin will not be available Dynamic DNS update TCP UDP 53 Used...

Page 35: ...m has network connectivity to the port it can query it No authentication is performed NTP UDP 123 NTP time synchronization If closed time will not be synchronized among arrays DCE Remote Procedure Cal...

Page 36: ...ectivity port for Windows 2000 and later clients Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation Disabling this por...

Page 37: ...AS lockd services will be unavailable NFS TCP UDP 4002 Used to provide NFS rquotad services The rquotad daemon provides quota information to NFS clients that have mounted a file system If closed NAS r...

Page 38: ...ty software on the server In a storage system the NAS Server functions as the NDMP server l The NDMP service can be disabled if NDMP tape backup is not used l The NDMP service is authenticated with a...

Page 39: ...and VSI plugin will not be available SMTP TCP 25 Allows the system to send email If closed email notifications will be unavailable DNS TCP UDP 53 DNS queries If closed DNS name resolution will not wo...

Page 40: ...UDP 464 Provides Kerberos Password Change and Set If closed impacts SMB Remote Syslog UDP 514a Syslog Log system messages to a remote host You can configure the host port that the system uses LDAPS T...

Page 41: ...ial configuration daemon If closed initialization of the array will be unavailable through the network a The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring Direct...

Page 42: ...tem and use Internet Protocol version 6 IPv6 addresses to configure different services and features The following list contains features where IPv6 protocol is supported l Interfaces SF iSCSI to stati...

Page 43: ...and Internet connected devices the available IPv4 address space is insufficient IPv6 solves the address shortage issue because it uses 128 bit addresses which provides approximately 340 trillion addr...

Page 44: ...information about these manage network interface commands and attributes refer to the Unisphere Command Line Interface User Guide Configuring the management interface using DHCP After you finish inst...

Page 45: ...the Connection Utility and instead can automatically assign a dynamic IP address IPv4 only for the storage system management interface When a storage system uses a static IP address it is manually con...

Page 46: ...ypt all its requests related to the share otherwise access to the share will be denied To enable SMB Encryption you either set the Protocol Encryption option in the advanced SMB share properties in Un...

Page 47: ...ays Whether the client side SMB component requires signing Disabled Microsoft network client Digitally sign communications if server agrees Whether the client side SMB component has signing enabled En...

Page 48: ...need to determine the route to send the reply packets Because reply packets always go out the same interface as the request packets request packets cannot be used to indirectly flood other LANs In cas...

Page 49: ...ace s VLAN ID If the VLAN ID of an interface is set to zero packets are sent without VLAN tags There are two ways to work with VLANs l Configure a switch port with a VLAN identifier and connect a NAS...

Page 50: ...y set fips140Enabled yes will set it to FIPS 140 2 mode uemcli sys security set fips140Enabled no will set it to non FIPS 140 2 mode Use the following CLI command to determine the current FIPS 140 2 m...

Page 51: ...chapter describes the security features that are available on the storage system for supported storage types Topics include l About Data at Rest Encryption physical deployments only 52 l Data security...

Page 52: ...age pool has been added or removed Key backups are performed automatically by the system In addition changes to the configuration of the system that result in changes to the keystore will generate inf...

Page 53: ...d to view the status of the keystore and to determine whether any user operations are required See the Unisphere Command Line Interface User Guide for detailed information about these CLI commands Bac...

Page 54: ...d previously Note As an alternative use the uemcli u username p password download encryption type auditLog entries all or YYYY MM CLI command to download the entire audit log and checksum information...

Page 55: ...ta that may be hidden in obscured locations within the drive will not be overwritten NOTICE If the potential access to data remnants from the previous use of a drive violates your security policy you...

Page 56: ...group accounts l File and share access controls are provided through Windows directory services SMB share access control list ACL can also be configured through an SMI S interface l Security signature...

Page 57: ...nance This chapter describes a variety of security maintenance features implemented on the storage system Topics include l Secure maintenance 58 l EMC Secure Remote Services for your storage system 59...

Page 58: ...oading and installing licenses through Unisphere client to the storage system l License file uploads to the storage system occur within Unisphere sessions authenticated through HTTPS l The storage sys...

Page 59: ...n off array ESRS Gateway The ESRS Gateway is the single point of entry and exit for all IP based EMC remote support activities for the storage systems associated with the gateway The ESRS Gateway is a...

Page 60: ...Security Maintenance 60 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Page 61: ...Settings This chapter describes the different methods available to notify administrators of alerts that occur on the storage system Topics include l Alert settings 62 l Configuring alert settings 63 S...

Page 62: ...ts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server for th...

Page 63: ...ing and Above l Notice and Above l Information and Above Note For the storage system alert email mechanism to work a target SMTP server must be configured for the storage system 4 Under Specify SMTP n...

Page 64: ...l Warning and above l Notice and above l Information and above Security Alert Settings 64 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Page 65: ...is chapter contains other information that is relevant for ensuring the secure operation of the storage system Topics include l Physical security controls physical deployments only 66 l Antivirus prot...

Page 66: ...assword l SP Ethernet service port connector Allows authenticated access through an SP Ethernet service port connection Antivirus protection The storage system supports Common AntiVirus Agent CAVA CAV...

Page 67: ...APPENDIX A TLS cipher suites This appendix lists the TLS cipher suites supported by the storage system Topics include l Supported TLS cipher suites 68 TLS cipher suites 67...

Page 68: ...TLS cipher suites supported on the storage system Cipher Suites Protocols Ports TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 443 8443 8444 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv...

Page 69: ...uites supported on the storage system continued Cipher Suites Protocols Ports TLS_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS_RSA_WITH_3DES EDE CBC SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS ciphe...

Page 70: ...TLS cipher suites 70 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Reviews:

No comments

Related manuals for EMC Unity All Flash

IBM BladeCenter Management Module Installation Manual preview
BladeCenter Management Module
Brand: IBM Pages: 82
Denios PolySafe Depot Type C User Manual preview
PolySafe Depot Type C
Brand: Denios Pages: 8
Seagate ST3000VN0001 Product Manual preview
ST3000VN0001
Brand: Seagate Pages: 27
Frontier WB602201 Manual preview
WB602201
Brand: Frontier Pages: 6
Simplay3 41805 Quick Start Manual preview
41805
Brand: Simplay3 Pages: 2
TRENDnet TS-U100 - NAS Server - USB User Manual preview
TS-U100 - NAS Server - USB
Brand: TRENDnet Pages: 47
TrueNAS M Series Setup Manual preview
M Series
Brand: TrueNAS Pages: 16
GE AccessPoint 001890 User Instructions preview
AccessPoint 001890
Brand: GE Pages: 2
GE Digital Video Storage System User Manual preview
Digital Video Storage System
Brand: GE Pages: 24
GE Monogram ZWVS1000SR Owner'S Manual preview
Monogram ZWVS1000SR
Brand: GE Pages: 40
AA Products SH-4603-GAP Instruction Manual preview
SH-4603-GAP
Brand: AA Products Pages: 8
Toshiba microSDXC UHS-? Manual preview
microSDXC UHS-?
Brand: Toshiba Pages: 5
Huawei SmartLi Series User Manual preview
SmartLi Series
Brand: Huawei Pages: 116
Huawei V100R002 User Manual preview
V100R002
Brand: Huawei Pages: 97
Overland Storage LTO-5 Quick Start Manual preview
LTO-5
Brand: Overland Storage Pages: 4
Overland Storage NEO S-Series Service Manual preview
NEO S-Series
Brand: Overland Storage Pages: 45
Overland Tandberg LTO Series User Manual preview
LTO Series
Brand: Overland Tandberg Pages: 84
G-Technology G-RAID with Thunderbolt Product Manual preview
G-RAID with Thunderbolt
Brand: G-Technology Pages: 52

Brands by name

Popular brands

Load more brands