EMC VNXe Security Configuration Guide · EMC®VNXe™ Release 2 Security Configuration Guide P/N 300-012-190 Rev 05 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103

EMC®VNXe™Release 2

Security Configuration GuideP/N 300-012-190 Rev 05

EMC CorporationCorporate Headquarters:

Hopkinton, MA 01748-91031-508-435-1000

www.EMC.com

Copyright © 2011 - 2013 EMC Corporation. All rights reserved.

Published January 2013

EMC believes the information in this publication is accurate as of its publication date. Theinformation is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATIONMAKES NO REPRESENTATIONS ORWARRANTIES OF ANY KINDWITH RESPECT TOTHE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires anapplicable software license.

For the most up-to-date regulatory document for your product line, go to the TechnicalDocumentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks onEMC.com.

All other trademarks used herein are the property of their respective owners.

Corporate Headquarters: Hopkinton, MA 01748-9103

2 EMC VNXe Security Configuration Guide

Contents

Preface.....................................................................................................5

Chapter 1: Introduction...........................................................................7Overview..................................................................................................................8Related documents..................................................................................................8

Chapter 2: Access Control.....................................................................9Access methods......................................................................................................10VNXe factory default management and service accounts...............................11VNXe account management................................................................................12Unisphere for VNXe..............................................................................................12VNXe Unisphere command line interface (CLI)...............................................14VNXe service SSH interface.................................................................................15VNXe service serial port interface.......................................................................17

Chapter 3: Logging...............................................................................19Logging...................................................................................................................20Remote logging options........................................................................................21

Chapter 4: Communication Security...................................................23Port usage...............................................................................................................24

VNXe network ports...................................................................................24Ports the VNXe may contact......................................................................28

VNXe certificate.....................................................................................................30Configuring the management interface using DHCP......................................30

Automatically assign an IP address to your VNXe system...................31

EMC VNXe Security Configuration Guide 3

VNXe interfaces, services, and features that support Internet Protocolversion 6............................................................................................................32

VNXe management interface access using IPv6...............................................34Running the Connection Utility..........................................................................35CIFS encryption.....................................................................................................36

Chapter 5: Data Security Settings........................................................37Data security settings............................................................................................38Data-at-rest-encryption.........................................................................................38

Chapter 6: Security Maintenance........................................................43Secure maintenance...............................................................................................44

License update.............................................................................................44Software upgrade........................................................................................44

Chapter 7: Security Alert Settings........................................................47Alert settings..........................................................................................................48

Configuring alert settings...........................................................................49

Chapter 8: Other Security Settings.......................................................51Data erasure...........................................................................................................52Physical security controls.....................................................................................52Antivirus protection..............................................................................................52


Contents

Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines,EMC periodically releases revisions of its hardware and software. Therefore, some functions describedin this document may not be supported by all versions of the software or hardware currently in use.For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, pleasecontact your EMC representative.


Special notice conventions

EMC uses the following conventions for special notices:

Note: Emphasizes content that is of exceptional importance or interest but does not relate to personalinjury or business/data loss.

Identifies content that warns of potential business or data loss.

Indicates a hazardous situation which, if not avoided, could result in minor ormoderate injury.

Indicates a hazardous situation which, if not avoided, could result in death orserious injury.

Indicates a hazardous situationwhich, if not avoided,will result in death or seriousinjury.

Where to get help

VNXe support, product, and licensing information can be obtained as follows:

Product information — For documentation, release notes, software updates, or forinformation about EMCproducts, licensing, and service, go to the EMCOnline Supportwebsite (registration required) at http://www.emc.com/vnxesupport.

Technical support — For technical support and service requests, go to EMC OnlineSupport. Under Service Center, you will see several options, including one to createa service request. Note that to open a service request, you must have a valid supportagreement. Contact your EMC sales representative for details about obtaining a validsupport agreement or with questions about your account.

Note: Do not request a specific support representative unless one has already been assigned toyour particular system problem.

Your comments

Your suggestionswill help us continue to improve the accuracy, organization, and overallquality of the user publications.

Please send your opinion of this document to:

[email protected]


Preface

http://www.emc.com/vnxesupport

1

Introduction

This chapter briefly describes a variety of security features implementedon the VNXe.

Topics include:◆ Overview on page 8◆ Related documents on page 8


Overview

EMC®VNXe™ uses a variety of security features to control user and network access,monitorsystemaccess anduse, and support the transmission of storage data. This document describesavailable VNXe security features.

This document is intended for administrators responsible for VNXe system configurationand operation.

The guide approaches security settings within the categories shown in Table 1 on page 8:

Table 1. Security settings categories

DescriptionSecurity category

Limiting access by end-user or by other entities to protect hardware,software, or specific product features.

Access control

Managing the logging of events.Logs

Securing product network communications.Communication security

Providing protection for product data.Data security

Maintaining control of product service operations performed by EMCor its service partners.

Serviceability

Assuring security alerts and notifications generation for security-relatedevents.

Alert system

Security settings that do not fall in one of the previous sections, suchas data erasure and physical security.

Other security settings

Related documents

You can find specific configuration instructions within the VNXe documentation that isavailable in the EMC Online Support website at www.emc.com/vnxesupport. This guideincludes references to the following documents where appropriate.

◆ Installing Your VNXe Hardware◆ Unisphere for VNXe Online Help◆ Using the VNXe with CIFS Shared Folders◆ Using the VNXe with NFS Shared Folders◆ Using the VNXe with Microsoft Exchange◆ Using the Celerra VNXe with Generic iSCSI Storage◆ Using the VNXe with VMware Storage◆ VNXe CLI User's Guide


Introduction


2

Access Control

This chapter describes a variety of access control features implementedon the VNXe.

Topics include:◆ Access methods on page 10◆ VNXe factory default management and service accounts on page 11◆ VNXe account management on page 12◆ Unisphere for VNXe on page 12◆ VNXe Unisphere command line interface (CLI) on page 14◆ VNXe service SSH interface on page 15◆ VNXe service serial port interface on page 17


Access methods

VNXe supports the access methods shown in Table 2 on page 10.

Table 2. Access methods

DescriptionType

These accounts have privileges (see Table 6 on page 13) for performing management and monitoringtasks associated with the VNXe system and its storage resources.

Management ac-counts

Passwords are created and managed through the VNXe management interfaces and can be used toaccess either of the following management interfaces:

◆ EMC Unisphere™:

A Web-based graphical interface accessed via HTTPS that provides tools for configuring, managing,and monitoring VNXe storage and system settings.

◆ VNXe Unisphere CLI:

The VNXe Unisphere CLI provides a subset of the functionality available through Unisphere.


Access Control

Table 2. Access methods (continued)

DescriptionType

This account performs specialized service functions. A single account provides access to service in-terfaces using SSH or serial port connection.

Service account

VNXe service interfaces include the following:

◆ Unisphere for VNXe:

Using a management account, type the service password to access the Unisphere service pagefrom which you can perform the following actions:

◆ Collect system service information:

Collect information for the system and save it to a file. EMC service personnel can use thecollected information to analyze your system.

◆ Reinitialize the system :

Reset the VNXe system to the original factory settings. Both Storage Processors (SPs) mustbe installed, operating normally, and be in Service Mode or you cannot perform this action.

Note: Service Mode is a reduced operational mode designed for maintenance and trou-bleshooting. A VNXe system in this mode is restricted to a limited interface through Unisphereas well as a specific CLI interface that allows for isolated problem resolution.

◆ Change the system service password:

Change the Service password for accessing the Service System page.

◆ VNXe Unisphere CLI:

The VNXe Unisphere CLI provides a command line interface for the same functionality availablethrough Unisphere.

◆ VNXe SSH service script interface:

A command line interface that is accessible through an SSH client and provides service-specificfunctions for diagnosing, troubleshooting, and resolving VNXe issues.

◆ VNXe serial port service interface:

Provides the same diagnostic and troubleshooting features as the SSH service interface, exceptaccess is provided through a serial port interface.

VNXe factory default management and service accounts

The VNXe system comes with factory default user account settings to use when initiallyaccessing and configuring the VNXe system. See Table 3 on page 12.

VNXe factory default management and service accounts 11

Access Control

Table 3. Factory default user account settings

PrivilegesPasswordUsernameAccount type

Administrator privileges forresetting default passwords,configure system settings,create user accounts, andallocate storage.

Password123#adminManagement (Unisphere)

Perform service operations.serviceserviceService

Note: During the initial configuration process, you are required to change the password for the defaultadministrator and service accounts.

VNXe account management

Table 4 on page 12 illustrates the ways in which you can manage VNXe accounts.

Table 4. Account management methods

DescriptionAccount roles

After the VNXe initial system configuration process is complete, you can manage VNXemanagement accounts from Unisphere or the VNXe Unisphere CLI.You can create, modify,delete, or reset password settings for VNXe local accounts, and assign or change roles toaccounts that determine the privileges provided to users who use them.

Management

You cannot create or delete VNXe service accounts.You can reset the service accountpassword by using the Change Service Password function from the Unisphere Service page.

Service

Note: You can reset the VNXe system factory default account passwords by pressing the passwordreset button on the VNXe system chassis. The Unisphere Online Help provides more information.

Unisphere for VNXe

Authentication for access to Unisphere is performed based on the credentials of the user(local or LDAP) account. User accounts are created and subsequently managed through theUnisphereManageAdministration page. The authorizations that apply toUnisphere dependon the role associated with the user account.

Session rules

Unisphere sessions have the following characteristics:

◆ Expiration term of one hour


Access Control

◆ Session timeout is not configurable

◆ Session IDs are generated during authentication and used for the duration of eachsession

Password usage

Unisphere account usernames and passwords must meet these requirements, as shownTable 5 on page 13.

Table 5. Unisphere account requirements

Password requirementRestriction

8Minimum number of characters

1Minimum number of uppercase characters

1Minimum number of lowercase characters

1Minimum number of numeric characters

1Minimum number of special charactersSupported special characters include:

!,@#$%^*_~?

40Maximum number of characters

Note: You can change account passwords from Unisphere by clicking Settings > More Configuration>

Manage Administration. When changing a password, you cannot reuse any of the last three passwords.The Unisphere Online Help provides more information.

Authorization

Table 6 on page 13 shows the roles you can assign to VNXe local users and the privilegesassociated with these roles. In addition, you can assign these roles to LDAP users andgroups.

Table 6. Local user roles and privileges

AdministratorStorage adminis-trator

OperatorTask

xxxChange own local login password

xAdd hosts

xxCreate storage

Unisphere for VNXe 13

Access Control

Table 6. Local user roles and privileges (continued)

AdministratorStorage adminis-trator

OperatorTask

xxDelete storage

xxAdd storage objects to storage resources (virtual disks, shares, storagegroups, etc.)

xxxView storage configuration and status

xxView VNXe user accounts

xAdd, delete or modify VNXe user accounts

xxxView current software or license status

xPerform software or license upgrade

xPerform initial configuration

xModify Storage Server configuration

xModify VNXe system settings

xModify VNXe network settings

xxxChange management interface language

Note: You can change account roles in Unisphere by clicking Settings > More Configuration> Manage

Administration. The Unisphere Online Help provides more information.

VNXe Unisphere command line interface (CLI)

The VNXe Unisphere CLI provides a command line interface for the same functionalityavailable through Unisphere.

Running the Unisphere CLI requires special VNXe command line software. You candownload this software from the EMC Online Support website atwww.emc.com/vnxesupport.

Session rules

The Unisphere CLI client does not support sessions. Youmust use command line syntaxto specify the account username and password with each command that you issue.

You can use the Unisphere CLI -saveuser command to save the access credentials(username and password) for a specific account to a local file. After you save the accesscredentials, the CLI automatically applies them to the specified VNXe destination andport each time you run a command.


Access Control


Password usage

Authentication to the Unisphere CLI is performed in accordance with managementaccounts created and managed through Unisphere. The same permissions that apply toUnisphere apply to specific commands depending on the role associatedwith the currentlogin account.

Saved settings

You can save the following settings on the host on which you run Unisphere CLI:

◆ User access credentials, including your username and password, for each system youaccess.

◆ SSL certificates imported from the system.

◆ Information about default system to access through Unisphere CLI, including thesystem name or IP address and the system port number.

Unisphere CLI saves the settings to a secure lockbox that resides locally on the host onwhich Unisphere CLI is installed. The stored data is only available on the host where itwas saved and to the user who saved it. The lockbox resides in the following locations:

◆ OnWindows XP:

C:\Documents and Settings\<account_name>\LocalSettings\ApplicationData\EMC\UEM CLI\

◆ OnWindows 7:

C :\Users\${user_name}\AppData\Local\.EMC\UEM CLI\

◆ On UNIX/Linux:

<home_directory>/EMC/UEM CLI

Locate the files config.xml and config.key. If you uninstall UnisphereCLI, these directoriesand files are not deleted, giving you the option of retaining them; however, for securityreasons, you may want to delete these files.

VNXe service SSH interface

The VNXe SSH service interface provides a command line interface for performing a subsetof functionality available from the Unisphere Service page (Settings > Service System).

The service account enables users to perform the following functions:

◆ Perform specializedVNXe service commands formonitoring and troubleshootingVNXesystem settings and operations.

VNXe service SSH interface 15

Access Control

◆ Operate standard Linux commands as amember of a non-privileged Linux user account.This account does not have access to proprietary system files, configuration files, oruser/customer data.

Sessions

The VNXe SSH service interface sessions are maintained according to the settingsestablished by the SSH client. Session characteristics are determined by the SSH clientconfiguration settings.

Password usage

The service account is an account that EMC service personnel can use to perform basicLinux commands.

The default password for the VNXe service interface is service.When you perform initialconfiguration for the VNXe system, you must change the default service password.Password restrictions are the same as those that apply toUnispheremanagement accounts(see Table 5 on page 13). For information on the VNXe service command,svc_service_password, used to manage the password settings for the VNXe serviceaccount, see the technical notes document, VNXe Service Commands.

Authorization

As shown in Table 7 on page 16, authorization for the service account is defined in twoways.

Table 7. Service account authorization definitions

DescriptionAuthorization type

File system permissions define most of the tasks that the service account can andcannot perform on the VNXe system. For example, most Linux tools and utilities thatmodify system operation in any way require superuser account privileges. Since theservice account does not have such access rights, the service account cannot useLinux tools and utilities to which it does not have execute permissions.

Linux file system permissions

The ACL mechanism on the VNXe uses a list of very specific rules to explicitly grantor deny access to system resources by the service account.These rules specify serviceaccount permissions to other areas of the VNXe system that are not otherwise definedby standard Linux file system permissions.

Access control lists (ACLs)

VNXe service commands

A set of problem diagnostic, system configuration, and system recovery commands areinstalled on the VNXe's operating environment (OE). These commands provide anin-depth level of information and a lower level of system control than is available through


Access Control

Unisphere. The technical notes document, VNXe Service Commands, describes thesecommands and their common use cases.

VNXe service serial port interface

TheVNXe service serial port interface provides the same functions and features as the serviceSSH interface and is also subject to the same restrictions. The difference is that users accessthe interface through a serial port connection rather than an SSH client.

For a list of service commands refer to theVNXe Service Commands Technical Notesdocument.

VNXe service serial port interface 17

Access Control


Access Control

3

Logging

This chapter describes a variety of logging features implemented on theVNXe.

Topics include:◆ Logging on page 20◆ Remote logging options on page 21


Logging

VNXe system maintains the following types of logs for tracking events that occur on thesystem. See Table 8 on page 20.

Table 8. Logs

DescriptionLog type

Information displayed in Unisphere to notify users about VNXe user-actionable events. These records arelocalized according to the default language setting specified for the system. Note that "user-actionableevents" includes audit events. However, not all logged events show up in the GUI. Those audit log entriesthat don't don't meet a certain severity threshold are logged by the system but don't appear in the GUI.

System log

Information used by the Service personnel to diagnose or monitor the VNXe system status or behavior.These records are recorded in English only.

System alert

Viewing and managing logs

The following logging features are available for VNXe systems. See Table 9 on page 20.

Table 9. Logging features

DescriptionFeature

When the VNXe log system accumulates two million log entries, it purges the oldest 500Kentries (as determined by log record time) to return to 1.5 million log entries.You can archive log entries by enabling remote logging so that log entries are uploaded to aremote network node where they can be archived or backed up. The

Log roll-over

dctm://esa/37000001802104c9?DMS_OBJECT_SPEC=RELATION_ID&DMS_AN-CHOR=#R18780 section provides more information.

Logging levels are not configurable for VNXe. Log levels can only be configured for exportedlog files as described in the dctm://esa/37000001802104ca?DMS_OBJECT_SPEC=RELA-TION_ID&DMS_ANCHOR=#R18780 section.

Logging levels

You can view VNXe alert information in the following ways:Alert integration

◆ View alerts only:

In Unisphere, go to System > System Alerts.

◆ View all log events:

Using the VNXe Unisphere CLI, type the command cemcli list event.


Logging

Table 9. Logging features (continued)

DescriptionFeature

You can archive log entries by enabling remote logging so that log entries are uploaded to aremote network node where they can be archived or backed up. There, you can use tools

External log management

such as syslog to filter and analyze log results. Thedctm://esa/37000001802104cb?DMS_OBJECT_SPEC=RELATION_ID&DMS_AN-CHOR=#R18780 section provides more information.

Log time is recorded in GMT format and is maintained according to the VNXe system time(which may be synchronized to the local network time through an NTP server).

Time synchronization

Remote logging options

VNXe supports logging user/auditmessages to a remote network address. By default, VNXetransfers log information on port 514 using UDP. The following remote logging settings areconfigurable through Unisphere. Log into Unisphere and click Settings > ManagementSettings and select the Network tab.

◆ Network name or address where VNXe sends remote log information◆ Type of user-level log messages to send. Use the Facility field to set the type of log

messages. EMC recommends that you select the User-Level Messages options.◆ Port number and type (UDP or TCP) to use for log transmission◆ Language setting for text within log messages

Configuring a host to receive VNXe log messages

Before configuring remote logging for a VNXe system, you must configure a remotesystem running syslog to receive logging messages from the VNXe system. In manyscenarios, a root/administrator on the receiving computer can configure the remote syslogserver to receive log information by editing the syslog-ng.conf file on the remote system.

Note: For more information on setting up and running a remote syslog server, refer to thedocumentation for the operating system running on the remote system.

Remote logging options 21

Logging


Logging

4

Communication Security

This chapter describes a variety of communication security featuresimplemented on the VNXe.

Topics include:◆ Port usage on page 24◆ VNXe certificate on page 30◆ Configuring the management interface using DHCP on page 30◆ VNXe interfaces, services, and features that support Internet Protocol

version 6 on page 32◆ VNXe management interface access using IPv6 on page 34◆ Running the Connection Utility on page 35◆ CIFS encryption on page 36


Port usage

Communications with the Unisphere and CLI interfaces are conducted through HTTPS onport 443. Attempts to access Unisphere on port 80 (through HTTP) are automaticallyredirected to port 443.

VNXe network ports

Table 10 on page 28 outlines the collection of network services (and the corresponding ports)that may be found on the VNXe.

Table 10. VNXe network ports

DescriptionPortProtocolService

Allows SSH access (if enabled) and SFTP(FTP over SSH). SFTP is a client/serverprotocol. Users can use SFTP to performfile transfers on a VNXe system on the localsubnet.

If closed, management connections usingSSH will be unavailable.

22TCPSSH/SSHD/SFTP

Used to transmit DNS queries to the DNSserver in conjunction with the Dynamic HostControl Protocol (DHCP).

If closed, DNS name resolution will notwork.

53UDPDynamic DNS update

Allows the VNXe to act as a DHCP clientduring the initial configuration process andis used to transmit messages from the client(VNXe) to the DHCP server to automaticallyobtain management interface information.Also, used to configure DHCP for the man-agement interface of a VNXe which has al-ready been deployed.

If closed, dynamic IP addresses will not beassigned using DHCP.

67UDPDHCP client



Table 10. VNXe network ports (continued)


Allows the VNXe to act as a DHCP clientduring the initial configuration process andis used to receive messages from DHCPserver to the client (VNXe) to automaticallyobtain its management interface informa-tion. Also, used to configure DHCP for themanagement interface of a VNXe which hasalready been deployed.

If closed, dynamic IP addresses will not beassigned using DHCP.

68UDPDHCP client

Redirect for HTTP traffic to Unisphere andthe VNXe Unisphere CLI.

If closed, management traffic to the defaultHTTP port will be unavailable.

80TCPHTTP

Opened by the standard portmapper orrpcbind service and is an ancillary VNXenetwork service.

It cannot be stopped. By definition, if a clientsystem has network connectivity to the port,it can query it. No authentication is per-formed.

111TCP/UDPrpcbind

(Network infrastructure)

NTP time synchronization.

If closed, time will not be synchronizedamong arrays.

123UDPNTP

The NETBIOS Session Service is associat-ed with VNXe CIFS file sharing servicesand is a core component of that functionali-ty. If CIFS services are enabled, this port isopen. It is specifically required for earlierversions of the Windows OS (pre-Windows2000).

Clients with legitimate access to the VNXeCIFS services must have network connec-tivity to the port for continued operation.

139TCPNETBIOS Session Ser-vice

(CIFS)

SNMP communications.

If closed, VNXe alert mechanisms whichrely on SNMP will not be sent.

161, 162UDPSNMP

Port usage 25




Secure HTTP traffic to the Unisphere andVNXe Unisphere CLI.

If closed, communication with the array willbe unavailable.

443TCPHTTPS

CIFS connectivity port for Windows 2000and later clients. Clients with legitimate ac-cess to the VNXe CIFS services must havenetwork connectivity to the port for contin-ued operation.

445TCPCIFS

Used to receive responses to DNS queriesfrom the DNS server in conjunction with theDynamic Host Control Protocol (DHCP).

If closed, DNS name resolution will notwork.

Dynamically assignedport (above 1024)

UDPDynamic DNS update

Used for the mount service, which is a corecomponent of the NFS service (versions 2and 3).

1234TCPmountd

(NFS)

Used to provide NFS services.2049TCPNFS

PAX is a VNXe archive protocol that workswith standard UNIX tape formats.

This service must bind to multiple internalnetwork interfaces and as a consequence,it binds to the external interface as well.However, incoming requests over the exter-nal network are rejected.

Background information on PAX is con-tained in the relevant EMC documentationon backups and NDMP. There are severaltechnical modules on this topic to deal witha variety of backup tools.

4658TCPPortable Archive Inter-change (PAX)

(Backup Services)

An EMC proprietary protocol similar to (anda precursor of) iSCSI.The NBS service thatopens this port is a core VNXe service andcannot be stopped.

Externally, NBS is used for snapshot andreplication control functions.

5033TCPNetwork Block Service(NBS)

Data Mover-to-Data Mover replicationcommands.

5081TCPReplication services





Associated with replication services.5083TCPReplication services



Statistics monitoring service7777TCPStatistics monitoringservice

Used by the replicator (on the secondaryside). It is left open by the replicator as soonas some data has to be replicated. After itis started, there is no way to stop the ser-vice.

8888TCPRCP

(Replication services)

Enables you to control the backup and re-covery of an NDMP server through a net-work backup application, without installingthird-party software on the server. In aVNXe system, the Data Mover functions asthe NDMP server.

The NDMP service can be disabled if NDMPtape backup is not used.

The NDMP service is authenticated with ausername/password pair. The username isconfigurable. The NDMP documentationdescribes how to configure the passwordfor a variety of environments.

10000TCPNDMP

The usermapper service opens this port. Itis a core service associated with VNXeCIFS services and should not be stoppedin specific environments.

This is the method by which Windows cre-dentials (which are SID-based) are mappedto UNIX-based UID and GID values.

12345TCPusermapper

CIFS

IWD initial configuration daemon.

If closed, initialization of the array will beunavailable through the network.

Dynamically allocatedUDPIWD

The rquotad daemon provides quota infor-mation to NFS clients that have mounted afile system.

Dynamically allocatedTCPrquotad

Port usage 27




Used for NFS file locking. It processes lockrequests from NFS clients and works inconjunction with the status service.

Dynamically allocatedTCPnlockmgr

The NFS file-locking status monitor andworks in conjunction with nlockmgr to pro-vide crash and recovery functions for NFS(which is inherently a stateless protocol).

Dynamically allocatedTCPstatus

Ports the VNXe may contact

The VNXe functions as a network client in several circumstances, for example, incommunicatingwith an LDAP server. In these instances, the VNXe initiates communicationand the network infrastructure will need to support these connections.Table 10 on page 28describes the ports that a VNXe must be allowed to access for the corresponding service tofunction properly. This includes the VNXe Unisphere CLI.

Table 11. Network connections that may be initiated by the VNXe


Allows the system to send email.

If closed, email notifications will be unavailable.

25TCPSMTP

DNS queries.

If closed, DNS name resolution will not work.

53UDPDNS

Allows VNXe to act as a DHCP client.

If closed, dynamic IP addresses will not be assignedusing DHCP.

67-68UDPDHCP

Redirect for HTTP traffic to Unisphere and the VNXeUnisphere CLI.

If closed, management traffic to the default HTTPport will be unavailable.

80TCPHTTP

NTP time synchronization.

If closed, time will not be synchronized among ar-rays.

123UDPNTP



Table 11. Network connections that may be initiatedby the VNXe (continued)


SNMP communications.

If closed, VNXe alert mechanisms which rely onSNMP will not be sent.

161, 162*UDPSNMP

Unsecure LDAP queries.

If closed, Unsecure LDAP authentication queries willbe unavailable. Secure LDAP is configurable as analternative.

389*TCPLDAP

HTTPS traffic to the Unisphere and VNXe UnisphereCLI.

If closed, communication with the array will be un-available.

443TCPHTTPS

All Windows NT domain controllers.445TCPCIFS

All Windows domain controllers.445TCPCIFS

Log system messages to a remote host.

You can configure the log transmission method (UDPor TCP) and the host port that the system uses.

514*UDP or TCPRemote Syslog

Secure LDAP queries.

If closed, secure LDAP authentication will be unavail-able.

639*TCPLDAPS

Used for various internal tasks related to system tosystem replication. Authentication and authorizationare required for all calls made using CIM-XML.

5989TCPCIM XML

IWD initial configuration daemon.

If closed, initialization of the array will be unavailablethrough the network.

Dynamically assignedUDPIWD

The rquotad daemon provides quota information toNFS clients that have mounted a file system.

Dynamically allocatedTCPrquotad

Used for NFS file locking. It processes lock requestsfrom NFS clients and works in conjunction with thestatus service.

Dynamically allocatedTCPnlockmgr

Port usage 29


Table 11. Network connections that may be initiatedby the VNXe (continued)


The NFS file-locking status monitor and works inconjunction with nlockmgr to provide crash and re-covery functions for NFS (which is inherently astateless protocol).

Dynamically allocatedTCPstatus

Note: The LDAP and LDAPSport numbers can be overridden from insideUnispherewhen configuringDirectory Services. The default port number is displayed in an entry box that can be overridden bythe user. Also, the Remote Syslog port number and the SNMP port number can be overridden frominside Unisphere.

VNXe certificate

TheVNXe usesOpenSSL during its first initialization to automatically generate a self-signedcertificate. The certificate is preserved both in NVRAM and on the backend LUN. Later, theVNXe presents it to a client when the client attempts to connect to the VNXe through themanagement port.

The certificate is set to expire after 3 years; however, the VNXewill regenerate the certificateone month before its expiration date. Also, you can upload a new certificate by using thesvc_custom_cert service command. This command installs a specified SSL certificate inPEM format for use with the Unisphere management interface. For more information aboutthis service command, see theVNXe Service Commands Technical Notesdocument. You cannotview the certificate through Unisphere or the VNXe Unisphere CLI; however, you can viewthe certificate through a browser client or aweb tool that tries to connect to themanagementport.

Configuring the management interface using DHCP

After you finish installing, cabling, and powering up the system, an IP address must beassigned to theVNXemanagement interface. If you are runningVNXe on a dynamic networkthat includes a Dynamic Host Control Protocol (DHCP) server and a Domain Name System(DNS) server, the management IP address can be assigned automatically.

Note: If you are not running the VNXe system in a dynamic network environment, or you wouldrather manually assign a static IP address, you must install and run the VNXe Connection Utility (seeRunning the Connection Utility on page 35).

The appropriate network configuration must include setting the range of available IPaddresses, the correct subnet masks, and gateway and name server addresses. Consult your



specific network's documentation for more information on setting up DHCP and DNSservers.

DHCP is a protocol for assigning dynamic Internet Protocol (IP) addresses to devices on anetwork. DHCP allows you to control Internet Protocol (IP) addresses from a centralizedserver and automatically assign a new, unique IP address when a VNXe system is pluggedinto your organization's network. This dynamic addressing simplifies network administrationbecause the software keeps track of IP addresses rather than requiring an administrator tomanage the task.

The DNS server is an IP-based server that translates domain names into IP addresses. Asopposed to numeric IP addresses, domain names are alphabetic and are usually easier toremember. Since an IP network is based on IP addresses, every time you use a domain name,the DNS server must translate the name into a corresponding IP address. For example, thedomain name www.emc.com translates to the IP address 10.250.16.87.

While the DHCP protocol exchange is not inherently secure and the possibility ofcommunicating with a malicious server exists, it is expected that your management IPnetwork is physically secure to control access and help prevent any rogueDHCP exchanges.Also, no administrative information such as user names, passwords, and such are exchangedduring the DHCP/Dynamic DNS configuration.

Configuration of the management IP items (DHCP preference, DNS and NTP serverconfiguration) fall under the existing Unisphere framework related to security. DNS andDHCP events including obtaining a new IP address on lease expiration are recorded inVNXe audit logs. If DHCP is not used for the VNXe management IP configuration, noadditional network ports will be opened.

Automatically assign an IP address to your VNXe system

Before you begin

Ensure you have network connection between the VNXe system, a DHCP server, and aDNSserver.

Procedure

Once yourDHCPnetwork is configured, you can automatically assign an IP address to yourVNXe system:

1. Power on the VNXe system.

The SP fault light on the back of the VNXe illuminates (blue with flashing amber oncein three seconds), indicating that the system is not initialized and a management IPaddress has not been assigned. The DHCP client software running on the VNXe systemrequests an IP address on the local network. The DHCP server will dynamically assignan IP address to the VNXe and send this information to the DNS server. The VNXemanagement IP will be registered in the network domain. Once the IP address has beenassigned, the SP fault light turns off and you can log intoUnisphere to properly configureyour VNXe system. If you want to manually configure the VNXe management IP as astatic IP address, you can still do so even after the IP is automatically assigned and the

Configuring the management interface using DHCP 31


SP fault light has turned off. However, you must do so before accepting the end userlicense agreement (EULA) of the Configuration Wizard.

2. Open a web browser and access the management interface using the following syntax

serial_number.domain

Where:

serial_number is the serial number of your VNXe. This can be found in the packingmaterials that came with your VNXe.

domain is the network domain on which the VNXe system is located.

For example:

FM100000000017.mylab.emc.com.

If a certificate error appears, follow the instructions in your browser to bypass the error.

3. Log into the VNXe system using the default username (admin) and password(Password123#).

The first time you open Unisphere, the Configuration Wizard runs to assist you withconfiguring passwords, DNS and NTP servers, storage pools, storage server settings,and ESRS and ConnectEMC features.

4. Proceed through theConfigurationWizard until theDomainName Server panel appears.

5. In the Domain Name Server (DNS) panel, select Obtain default DNS server addressesautomatically.

6. Continue through the wizard, using the information described in the VNXe Quick Startposter or the online help for assistance.

VNXe interfaces, services, and features that support Internet Protocolversion 6

You can configure the interfaces on a system and use Internet Protocol version 6 (IPv6)addresses to configure different services and features. The following list contains featureswhere IPv6 protocol is supported:

◆ Interfaces (SF, iSCSI) - to statically assign an IPv4 or IPv6 address to an interface◆ Hosts - to enter a network name, an IPv4 address or an IPv6 address of a host◆ Routes - to configure a route for IPv4 or IPv6 protocol



◆ Diagnostics - to initiate a diagnostic ping CLI command using either an IPv4 or IPv6destination address. TheUnisphere Ping Destination screen supports the IPv6 destinationaddresses as well.

All VNXe components support IPv4, andmost support IPv6. The following table shows theavailability of IPv6 support by setting type and component:

IPv6 SupportedComponentSetting Type

YesManagement portUnisphere management settings

YesDomain Name Server (DNS)

YesNTP (network time protocol) server

YesRemote logging server

YesMicrosoft ExchangeUnisphere host configuration setting

YesVMware datastore (NFS)

YesVMware datastore (VMFS)

YesHyper-V datastore

YesSNMP trap destinationsUnisphere alert setting

YesSMTP server

NoConnect EMC

NoEMC Secure Remote Support (ESRS)

YesiSCSI serverStorage server setting

YesShared Folder server

YesNetwork Information Service (NIS) server (forNFS Shared Folder Servers)

YesActive Directory server (for CIFS SharedFolder Servers)

YesInternet Storage Service (iSNS) server

VNXe interfaces, services, and features that support Internet Protocol version 6 33


IPv6 SupportedComponentSetting Type

YesPING destinationsOther

YesRemote log

YesLDAP

NoUnisphere Remote

NoReplication

IPv6 address standard

Internet Protocol version 6 (IPv6) is an Internet Protocol address standard developed bythe Internet Engineering Task Force (IETF) to supplement and eventually replace theIPv4 address standard that most Internet services use today.

IPv4 uses 32-bit IP addresses,which provides approximately 4.3 billion possible addresses.With the explosive growth of Internet users and Internet-connected devices, the availableIPv4 address space is insufficient. IPv6 solves the address shortage issue, because it uses128-bit addresses, which provides approximately 340 trillion addresses. IPv6 also solvesother IPv4 issues, includingmobility, autoconfiguration, and overall extensibility issues.

An IPv6 address is a hexadecimal value that contains eight, 16-bit, colon-separated fields:

hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh

Each digit in an IPv6 address can be a number from 0-9 or a letter from A-F.

For more information about the IPv6 standard, see information about the IPv6 standard(RFC 2460) on the IETF website (http://www.ietf.org).

VNXe management interface access using IPv6

When you set upmanagement connections in VNXe, you can configure the system to acceptthe following types of IP addresses:

◆ Static Internet Protocol version 6 (IPv6) addresses, IPv4 addresses obtained throughDHCP, and static IPv4 addresses

◆ IPv4 addresses only

You can statically assign the IPv6 addresses to the management interface. An IPv6 addresson the management interface can be set to one of two modes, manual/static or disabled.When you disable IPv6, the protocol does not unbind from the interface. The disablecommand removes any unicast IPv6 addresses assigned to the management interface andthe VNXe will no longer answer requests addressed over IPv6. IPv6 is disabled by default.



http://www.ietf.org

After you finish installing, cabling, and powering up the system, an IP address must beassigned to the VNXe management interface. If you are not running VNXe on a dynamicnetwork, or if you would rather manually assign a static IP address, you must download,install, and run the VNXe Connection Utility. For more information about the ConnectionUtility, see Running the Connection Utility on page 35.

Inbound requests using IPv6 to theVNXe through themanagement interface are supported.You can configure themanagement interface on aVNXe to operate in an IPv4-only, IPv6-only,or a combined IPv4 and IPv6 environment and you can manage the VNXe using UnisphereUI and the command line interface (CLI).

Outbound services such as Network Time Protocol (NTP) and Domain Naming System(DNS) support IPv6 addressing either by using explicit IPv6 addresses or by using DNSnames. If a DNS name resolves to both IPv6 and IPv4, the VNXewill communicate with theserver over IPv6.

The manage network interface set and show CLI commands that are used to manage themanagement interfaces include attributes related to IPv6. For more information about thesemanage network interface commands and attributes, refer to the VNXe Unisphere CLI UserGuide.

Running the Connection Utility

Note: If you are running the VNXe system in a dynamic network environment that includes a DHCPserver and a DNS server, you do not have to use the VNXe Connection Utility and instead canautomatically assign a dynamic IP address (IPv4 only) for the VNXe management interface (seeConfiguring the management interface using DHCP on page 30). When a VNXe system uses a staticIP address, it is manually configured with the Connection Utility to use a specific IP address. Oneproblemwith static assignment, which can result from a mistake or inattention to detail, occurs whentwo VNXe systems are configured with the same management IP address. This creates a conflict thatcould result in loss of network connectivity. UsingDHCP to dynamically assign IP addressesminimizesthese types of conflicts. VNXe systems configured to use DHCP for IP assignment do not need to usestatically assigned IP addresses.

Connection Utility installation software is available from the EMCOnline Support website.After you download the software, install the program on a Windows host. When you runthe Connection Utility from a computer on the same subnet as the VNXe, the ConnectionUtility automatically discovers any unconfigured VNXe systems. If you run the ConnectionUtility on a different subnet, you can save the configuration to a USB drive and then transferit to the VNXe system.

Note: You cannot change the management IP address when both of the Storage Processors (SP) are inService mode.

After you run the Connection Utility and transfer the configuration to your VNXe system,you can connect to the VNXe system through a web browser using the IP address that youassigned to the VNXe management interface.

Running the Connection Utility 35



The first time you connect to the VNXe system, the VNXe ConfigurationWizard starts. TheConfiguration Wizard lets you set up the initial configuration of the VNXe system so thatyou can start to create storage resources.

CIFS encryption

SMB 3.0 andWindows 2012 support on the VNXe provides CIFS encryption for those hostscapable of using CIFS. CIFS Encryption provides secure access to data on CIFS file shares.This encryption provides security to data on untrusted networks, that is, it provides end toend encryption of SMB data sent between the array and the host. The data is protected fromeavesdropping/snooping attacks on untrusted networks.

CIFS Encryption can be configured per share. Once a share is defined as encrypted, anySMB3 client must encrypt all its requests related to the share; otherwise, access to the sharewill be denied.

To enable CIFS Encryption, you either set the CIFS Encryption option when you add a CIFSserver or set it through the create and set commands for CIFS shares. Also, you set theCIFS Encryption option when you create a CIFS Shared Folder. There is no setting requiredon the SMB client.

Note: For more information about setting CIFS encryption, refer to the Unisphere for VNXe onlinehelp and the VNXe Unisphere CLI User Guide.



5

Data Security Settings

This chapter describes the security features that are available on the VNXefor supported storage types.

Topics include:◆ Data security settings on page 38◆ Data-at-rest-encryption on page 38


Data security settings

Table 12 on page 38 shows security features available for supported VNXe storage types.

Table 12. Security features

Security settingsProtocolPortStorage type

◆ iSCSI host (initiator) level access control is available throughUnisphere (allowing clients to access primary storage, snap-shots, or both).

◆ CHAP authentication is supported so that VNXe iSCSIServers (targets) can authenticate iSCSI hosts (initiators) thatattempt to access iSCSI-based storage.

◆ Mutual CHAP authentication is supported so that iSCSI hosts(initiators) can authenticate VNXe iSCSI Servers.

TCP3260iSCSI storage

TCP, UDP445CIFS storage ◆ Authentication for domain and administrative actions is pro-vided through Active Directory user and group accounts.

◆ File and share access controls are provided through Windowsdirectory services.

◆ Security signatures are supported through SMB signing.

◆ CIFS encryption is provided through SMB 3.0 and Windows2012 for those hosts capable of using CIFS. See CIFS en-cryption on page 36 for information on CIFS encryption.

◆ Supports optional file-level retention services through add-onsoftware. See Antivirus protection on page 52 for informationon EMC Common AntiVirus Agent (CAVA).

◆ Share-based access control provided through Unisphere.

◆ Support for NFS authentication and access control methodsidentified in NFS versions 2 and 3.

◆ Supports optional file-level retention services through add-onsoftware.

TCP2049NFS storage

◆ NDMP security can be implemented based on NDMP sharedsecrets.

Backup and re-store

Data-at-rest-encryption

Encryption is the process of transforming data tomake it unreadable to anyone except thosepossessing specialized knowledge. Self-Encrypting Drives (SEDs) in a VNXe system useAES-256 bit encryption. The encryption is done within each drive before the data is written



to the media. This protects the data on the drive against theft, hardware loss, and attemptsto read the drive directly by physically de-constructing the drive using methods such as adrive recovery service. The encryption also provides a means to quickly and securely eraseinformation on a drive without the need to overwrite it multiple times in order to ensurethat the information is not recoverable.

Reading encrypted data requires the authentication key for the SED to unlock the drive.Only authenticated SEDs will be unlocked and accessible. Once the drive is unlocked, theSED decrypts the encrypted data back to its original form.

Self-Encrypting Drives

VNXe systems support data at rest encryption through the use of Self-EncryptingDrives(SEDs). All data on a SED is encrypted by the data encryption key that is stored on thedrive. Encryption is set at the factory before shipment and cannot be reversed once set.The SED encryption/decryption process is transparent and automatic, and does notdegrade performance.

Access control to a SED is enforced through the use of an authentication key. Theauthentication key is used to lock/unlock the drive and to encrypt/decrypt the dataencryption key that is stored on the drive. On power-cycle, a SED that is part of auser-defined storage pool comes up in a locked state and does not permit access. Theauthentication key is used to unlock the drive and to gain access to user data.

An embedded Key Manager on the storage processor (SP) provides key managementfor the authentication key. Key management responsibilities include:

◆ authentication key generation

◆ secure key storage

◆ self-managed key life cycle

◆ synchronization of redundant key copies

A VNXe system contains either all SEDs or all non-self-encrypting drives. You cannotadd a non-self-encrypting drive to a VNXe SED system. If you try to do this, the systemraises an error. Likewise, you cannot add a SED to a VNXe non-self-encrypting drivesystem.

Secure array

A secure array is one that can only have SEDs installed in the array. You cannot intermixSEDs with non-encrypted drives in a VNXe. All SEDs in the VNXe are unlocked bydefault and only become locked once a storage pool is associated with them. Anauthorization key is created and applied to all drives while locking them and is requiredfor any future interactions. Conversely, if all storage pools associated with a drive aredestroyed, all the data on the drive is cryptographically destroyed (authorization key isdeleted, making the data unrecoverable) and the drive is unlocked.

Once a SED is included in a storage pool, access control is enabled and the authenticationkey is set. The drive may then be used only with the authentication key stored on the

Data-at-rest-encryption 39


array. User data on the drive will not be accessible on a different array or externally.With the exception of the first four drives in the Disk Processor Enclosure (DPE), a drivemay be re-purposed for use on another array by destroying any storage pool it maybelong to. Destroying the storage pool will cryptographically erase any user data on thedrive, disable access control on these drives, and reset all passwords to themanufacturer'ssecure ID. Drives that do not belong to a storage pool do not hold user data and do nothave access restrictions. These drives may be moved without issues.

If you inadvertently delete a storage pool with a drive missing, that drive will remaininaccessible until it is reverted to the factory default. Reverting a drive cryptographicallyerases the data on the drive and disables authentication. To revert a SED to its factorydefault, use the svc_key_restore service command. For information on this servicecommand, see the technical notes document, VNXe Service Commands. For additionalinformation and help to revert a SED to the factory default, contact your serviceprovider.

When a new SED is introduced in the VNXe, either as a replacement of an existing driveor as a part of an array expansion, it is automatically detected and included in the array.If the new drive replaces an old drive that was a part of a storage pool, access controlwill be enabled and the authentication key will be set on the new drive.

Note: Removing drives can degrade storage pools and reduce the redundancy of that storage pool.

With regards to a system with SEDs, certain hardware part replacements impact SEDoperation:

◆ Replacing both SPs and the chassis at the same time is not supported. Theauthentication key will become inaccessible.

EMC highly recommends that you back up the authentication key to an externaldrive as soon as the key is created. If the master copy of the authentication key ismissing or corrupted, the data stored on the system will become inaccessible. Forinstructions to back up the authentication key, refer to the VNXe Unisphere onlinehelp or the VNXe Unisphere CLI User Guide .

◆ Array conversion, in which all the drives are removed and inserted in a new array,is not supported.

Authentication key

The Key Manager randomly generates the authentication key for SEDs automaticallythe first time you create a storage pool on a VNXe SED system. The same authenticationkey will apply to all drives in the VNXe system, including those added to the systemlater on.

VXNe encrypts the authentication key and stores it in a secured area on the system driveunder a triple mirrored redundancy scheme. You can back up the authentication key toan external device by using either a Unisphere UI option or Unisphere CLI command.



EMChighly recommends that you back up the authentication key to an external driveas soon as the key is created. If the master copy of the authentication key is missingor corrupted, the data stored on the system will become inaccessible. For instructionsto back up the authentication key, refer to the VNXe Unisphere online help or theVNXe Unisphere CLI User Guide .

If you receive an alert for a corrupt authentication key, you must restore the key. Placeboth SPs in the VNXe into service mode and run the svc_key_restore service commandon one of the SPs in the VNXe.

Note: For instructions for placing SPs into service mode, refer to the VNXe Unisphere online help.For information about the svc_key_restore service command, see the VNXe Service CommandsTechnical Notes .

With the following exception, if all the storage pools on the VNXe system are deleted,themaster copy of the authentication keywill also be deleted. However, if you reinitializea system containing storage pools, the authentication key will still be valid when thesystem comes back up, even though the storage pools were deleted.

The backup authentication keys are useless after all the storage pools on the VNXesystem are deleted (with the exception of reinitializing a system containing storagepools). When the first new storage pool is subsequently created, a new master copyof the authentication key is automatically generated. In this case all existing backupauthentication keys of the previous authentication key are invalid, and a new backupauthentication key should be made.

Data-at-rest-encryption 41




6

Security Maintenance

This chapter describes a variety of security maintenance featuresimplemented on the VNXe.

Topics include:◆ Secure maintenance on page 44


Secure maintenance

VNXe provides the following secure functions for performing remote system maintenanceand update tasks:

◆ VNXe license activation◆ VNXe software upgrade◆ VNXe software Hotfixes

License update

TheVNXe license update feature allows users to obtain and install licenses for specific VNXefunctionality, such as file-level retention or RepliStor™ replication. Table 13 on page 44shows security features that are associated with the VNXe license update feature.

Table 13. VNXe license update security features

SecurityProcess

License acquisition is performed from within an authen-ticated session on the EMC Online Support website(www.emc.com/vnxesupport).

Obtaining licenses from the EMC Online Supportwebsite

Licenses are sent to an email address specified withinan authenticated EMC Online Support website(www.emc.com/vnxesupport) transaction.

Receiving license files

License file uploads to the VNXe system occur withinUnisphere sessions authenticated through HTTPS.

VNXe system validates received license files usingdigital signatures. Each licensed feature is validatedby a unique signature within the license file.

Uploading and installing licenses through Unisphereclient to the VNXe system

Software upgrade

TheVNXe software update feature allows users to obtain and install software for upgradingor updating the software running on the VNXe system. Table 14 on page 45 shows securityfeatures that are associated with the VNXe software upgrade feature.





Table 14. Software upgrade security features

DescriptionProcess

License acquisition is performed from within an au-thenticated session on the EMC Online Supportwebsite (www.emc.com/vnxesupport).

Downloading VNXe software from the EMC OnlineSupport website

Software upload to the VNXe system occurs withinan authenticated Unisphere session through HTTPS.

Uploading VNXe software

Secure maintenance 45





7

Security Alert Settings

This chapter describes the different methods available to notifyadministrators of alerts that occur on the VNXe.

Topics include:◆ Alert settings on page 48


Alert settings

VNXe alerts inform administrators of actionable events that occur on the VNXe system.VNXe events can be reported as shown in Table 15 on page 48.

Table 15. Alert settings

DescriptionAlert type

Displays informational pop-up messages when users log in to the interface and in real-timeto indicate when alert conditions occur. Pop-ups provide basic information about the alertcondition.You can obtain additional information from the System > System Alerts page.

Visual notification

Note: VNXe visual alert notifications are not configurable.

Enables you to specify one or more email addresses to which to send alert messages.Youcan configure the following settings:

◆ Email addresses to which to send VNXe system alerts.

◆ Severity level (emergency, error, or information) required for email notification.

Note: For VNXe alert email notification to work, you must configure a target SMTP serverfor the VNXe system.

Email notification

Transfer alert information to designated hosts (trap destinations) that act as repositoriesfor generated alert information by the VNXe network system.

You can configure SNMP traps through Unisphere. Settings include:

◆ IP address of a network SNMP trap destination

◆ Port number on which the trap destination receives traps

◆ Optional security settings for trap data transmission

◆ Authentication protocol: Hashing algorithm used for SNMP traps (SHA or MD5)

◆ Privacy protocol: Encryption algorithm used for SNMP traps (DES, AES, AES192,or AES256)

The Unisphere Online Help provides more information.

SNMP traps

Automatically sends alert notifications to EMC for help in diagnosing product issues.

Note: For ConnectEMC notification to work, you must configure a target SMTP server forthe VNXe system.

ConnectEMC



Table 15. Alert settings (continued)

DescriptionAlert type

ESRS provides an IP-based connection that enables EMC Support to receive error filesand alert messages from your VNXe system, and to perform remote troubleshooting resultingin a fast and efficient time to resolution.

Note: Available with VNXe operating environment (OE) version 2 or later. For ESRS towork, you must enable it on the VNXe system.

EMC Secure Remote Sup-port (ESRS)

Configuring alert settings

You can configure VNXe alert settings for email notifications and SNMP traps from theVNXe.

Configure email notification alert settings

Using Unisphere:

1. Select Settings > More Configuration > Alert Settings.

2. In the Email Alerts section, configure the severity level at which alert email messages aregenerated to one of the following:

◆ Information◆ Warning◆ Error◆ Critical◆ Emergency

Note: For the VNXe alert email mechanism to work, a target SMTP server must be configured forthe VNXe system.

Configure SNMP traps alert settings

Using Unisphere:

1. Select Settings > More Configuration > Alert Settings.

2. In the Alerts Settings section, configure the severity level at which SNMP traps aregenerated to one of the following:

Alert settings 49


◆ Information◆ Warning◆ Error◆ Critical◆ Emergency



8

Other Security Settings

This chapter contains other information that is relevant for ensuring thesecure operation of the VNXe.

Topics include:◆ Data erasure on page 52◆ Physical security controls on page 52◆ Antivirus protection on page 52


Data erasure

Objects deleted cannot be reconstructed. However, in the cases where data erasure is arequirement, EMC offers data erasure services.

Physical security controls

The area where the VNXe system resides must be chosen and modified to provide for thephysical security of the VNXe system. These include basic measures such as providingsufficient doors and locks, permitting only authorized andmonitored physical access to thesystem, providing reliable power source, and following standard cabling best practices.

In addition, the following VNXe system components require particular care:

◆ Password reset button: Temporarily resets the factory default passwords for both theVNXe default administrator account and service account - until an administrator resetsthe password.

◆ Serial port connector: Allows authenticated access through serial port connection.

Antivirus protection

The VNXe supports EMC Common AntiVirus Agent (CAVA). CAVA, a component of VNXEvent Enabler (VEE) 4.9.3.0, provides an antivirus solution to clients using a VNXe system.It uses an industry-standard CIFS protocol in a Microsoft Windows Server environment.CAVA uses third-party antivirus software to identify and eliminate known viruses beforethey infect files on the VNXe system. The VEE installer, which contains the CAVA installer,and the VEE release notes are available in Downloads > VNXe product support at the EMCOnline Support website.


Other Security Settings