Dell EMC Integrated Data Protection Appliance Version 2.4.1 Security Configuration Guide Rev 01 November 2019

Security Configuration Guide · 2020. 9. 4. · implementing, administering, or auditing security controls in environments containing IDPA solutions. The primary audience is technical,




Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

2 Dell EMC Integrated Data Protection Appliance Security Configuration Guide

CONTENTS

Figures 5
Tables 7
Preface 9

Chapter 1  Security quick reference 15
  Deployment models 16

Chapter 2  Product and subsystem security 19
  Security controls map 20
  Authentication 22
    Login security settings 22
    Authentication types and setup 23
    User credential management 25
    Authentication to external systems 29
  Authorization 30
    General authorization settings 30
    Role-based access control (RBAC) 32
  Network security 34
    Network exposure 34
    Communication security settings 36
    Firewall settings 36
  Data security 36
    Hardening 37
    Data-at-rest encryption 37
    Data erasure 37
  Cryptography 38
    Cryptographic configuration options 38
    Certified cryptographic modules 39
    Certificate management 40
  Auditing and logging 40
    Logs 41
    Log management options 41
    Log protection 42
    Log format 42
    Alerting 43
  Physical security 43
    Physical interfaces 43
    Physical security options 44
    Customer service access 44
    Tamper evidence and resistance 44
    Statements of volatility 45
  Serviceability 45
    Maintenance aids 45
    Responsible service use 46
    Security updates and patching 46
    Customer requirements for updates 47

Chapter 3  Miscellaneous configuration and management elements 49
  Protecting authenticity and integrity 50
  Installing client software 50

Appendix  Network ports 51
  Backup Server (Avamar and Avamar Virtual Edition) 52
  Protection Storage (Data Domain) 52
  IDPA System Manager (Data Protection Central) 59
  Search 61
    Add an Avamar source server to Search 62
  Reporting and Analytics (Data Protection Advisor) 63
  Secure Remote Services 66
  Remote server management (iDRAC) 67
  Data Domain Cloud Disaster Recovery 68

Index 69

FIGURES

1  Model DP4400 17
2  Security controls map - Avamar and Data Domain 21

TABLES

1  Revision history 9
2  Typographical conventions 12
3  Login banner configuration 22
4  Failed login behavior 22
5  Emergency user lockout 23
6  Configuring local authentication sources 23
7  Configuring Active Directory 24
8  Certificate/key-based authentication 24
9  Digital certificates and SSH keys 25
10 Default accounts 25
11 Default management accounts 26
12 Default credentials 26
13 How to disable local accounts 28
14 Managing credentials 28
15 Configuring remote connections 29
16 Remote component authentication 29
17 Configuring authorization rules 30
18 Default authorizations 30
19 External authorization associations 31
20 Role-based access control 32
21 Default roles 32
22 Configuring roles 33
23 Role mapping 33
24 External role associations 34
25 Network ports 35
26 Default IP addresses 36
27 Communication security settings 36
28 Firewall settings 36
29 Data-at-rest encryption 37
30 Data erasure 37
31 Cryptographic configuration options 38
32 Certified cryptographic modules 39
33 Certificate management 40
34 Logs 41
35 Log management options 41
36 Log protection 42
37 Log format 42
38 Alerting 43
39 Physical interfaces 43
40 Physical security options 44
41 Customer service access 44
42 Tamper evidence and resistance 44
43 Statements of volatility 45
44 Maintenance aids 45
45 Responsible service use 46
46 Security updates and patching 46
47 Customer requirements for updates 47
48 Protecting authenticity and integrity 50
49 Installing client software 50
50 Port requirements 52
51 Data Domain system inbound communication ports 52
52 Data Domain system outbound communication ports 54
53 Ports that Data Domain uses for inbound traffic 55
54 Ports that Data Domain systems for outbound traffic 57
55 Outbound ports 59
56 Inbound ports 60
57 Default ports 61
58 DPA application ports settings 63
59 DPA datastore port settings 64
60 DPA agent port settings 64
61 DPA cluster port settings 65
62 Port requirements 66
63 Ports iDRAC listens for connections 67
64 Ports iDRAC uses as client 67
65 Required Data Domain Cloud Disaster Recovery ports 68


Preface

Overview

The Integrated Data Protection Appliance Security Configuration Guide provides an overview of the security configuration settings available for this solution, and best practices for using those settings to ensure secure operation of the product.

Table 1 Revision history

Revision number | Date          | Description
01              | November 2019 | First release of this document for IDPA 2.4.1

Scope of document

This publication provides a survey of security topics that are related to the Integrated Data Protection Appliance (IDPA). The content is not associated with a specific compliance regime.

Topics specific to the security of individual components that are contained within the IDPA, including Avamar, Data Domain, Data Protection Advisor (DPA), Search, Data Protection Central, and Cloud Disaster Recovery (CDR), are covered in the security and administration guides for each component, which are listed in Document references on page 10.

As the IDPA is a solution-level product, content from these guides is not repeated here. Instead, tables within each topic lead you to the correct location in the referenced publications, where applicable.

Audience

The information in this publication is intended for customers who are responsible for planning, implementing, administering, or auditing security controls in environments containing IDPA solutions. The primary audience is technical, but this publication addresses the needs of a range of security professionals.

Legal disclaimers

As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Therefore, some versions of the software or hardware currently in use may not support all functions that are described in this document. The product release notes provide the most up-to-date information about product features.

Contact your Dell EMC representative if a product does not function correctly or does not function as described in this document.

NOTICE This document was accurate at publication time. New versions of this document might be released on the Online Support website. To ensure that you are using the latest version of this document, check the Online Support site at https://www.dell.com/support.

Dell EMC websites may contain links to third-party sites. Content contained on any website that is linked to any Dell EMC website is not the responsibility of Dell EMC, and Dell EMC is not responsible for the accuracy or reliability of any content on such websites. Further, the presence of a link to a third-party site does not mean that Dell EMC endorses that site, its products, or views expressed there. Dell EMC provides these links merely for convenience, and the presence of such third-party links is not an endorsement or recommendation by Dell EMC.


Reporting vulnerabilities

Dell EMC takes reports of potential vulnerabilities in our products very seriously. For the latest information on how to report a security issue to Dell EMC, see the Product Security Response Center on EMC.com.

Document references

The following documents provide additional information:

Avamar 18.2:

- Avamar Product Security Guide. This publication discusses various aspects of Avamar product security.
- Avamar Administration Guide. This publication describes how to configure, administer, monitor, and maintain an Avamar server.
- Avamar Operational Best Practices Guide. This publication describes operational best practices for both single-node and multi-node servers in small and large heterogeneous client environments.

Data Domain 6.2:

- Data Domain Product Security Guide. This publication describes the key security features of Data Domain systems and provides the procedures that are required to ensure data protection and appropriate access control.
- Data Domain Operating System Administration Guide. This publication explains how to manage Data Domain systems with an emphasis on procedures using the Data Domain System Manager.
- Data Domain Operating System Command Reference Guide. This publication explains how to manage Data Domain systems by using the Data Domain command line.
- Data Domain Operating System Initial Configuration Guide. This publication explains how to perform the post-installation initial configuration of a Data Domain system.
- Data Domain Statement of Volatility for the Data Domain DD6300, DD6800 and DD9300 Systems. This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.
- Data Domain Statement of Volatility for Data Domain DD9500 and DD9800 Systems. This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.

Data Protection Advisor 18.2:

- Data Protection Advisor Security Configuration Guide. This publication provides an overview of the security configuration settings available in Data Protection Advisor (DPA). These settings include the secure deployment and usage settings, and the secure maintenance and physical security controls required to ensure secure operation of DPA.
- Data Protection Advisor Installation and Administration Guide. This publication provides an overview of the process of administering DPA.

Search 19.1:

- Search Security Configuration Guide. This publication describes the security features and settings of Search.
- Search Installation and Administration Guide. This publication provides an overview of the process of administering Search.


IDPA System Manager (DPC) 18.2:

- IDPA System Manager Security Configuration Guide. This publication describes the security features and settings of IDPA System Manager.
- IDPA System Manager Getting Started Guide. This publication provides an overview of the process of administering IDPA System Manager.
- IDPA System Manager Release Notes. This publication provides the release information for IDPA System Manager.

Cloud Disaster Recovery 19.1:

The Data Domain Cloud Disaster Recovery Installation and Administration Guide describes the security features as well as the settings of Cloud Disaster Recovery.

Secure Remote Services:

- Secure Remote Services Technical Description. This document provides a technical overview of Secure Remote Services.
- Secure Remote Services Installation and Operations Guide. This publication provides an overview of the process of installing, configuring, operating, and troubleshooting Secure Remote Services. The publication also describes customer responsibilities for maintaining Secure Remote Services.
- Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions. This publication provides answers to frequently asked questions about Secure Remote Services and Secure Remote Services security, as well as the Secure Remote Services Certificate Practice Statement (CPS) and policy for the Dell EMC Internal Secure Remote Services 2 CA.
- Secure Remote Services Port Requirements. This publication contains information about port usage for communication between Secure Remote Services and Dell EMC, Policy Manager, and Dell EMC devices.

Dell PowerEdge R740:

These publications are available at https://www.dell.com/support/home.

- The Dell PowerEdge R740 Owner's Manual or Dell EMC PowerEdge R740xd Installation and Service Manual
- iDRAC Version 9 User's Guide
- Statement of Volatility - Dell PowerEdge R740

VMware vSphere 6.5:

- VMware vSphere 6.5 Documentation Center. This publication is available at https://pubs.vmware.com/vsphere-6-5/index.jsp
- vSphere 6.5 Hardening Guide. This publication is available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx
- vSphere 6.5 Installation and Setup. This publication is available at https://docs.vmware.com


Special notice conventions used in this document

We use these conventions for special notices.

DANGER A danger notice indicates a hazardous situation which, if not avoided, will result in serious injury or death.

WARNING A warning indicates a hazardous situation which, if not avoided, could result in serious injury or death.

CAUTION A caution indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTICE A notice identifies content that warns of potential business or data loss.

Note: A note contains information that is incidental, but not essential, to the topic.

Typographical conventions

These type style conventions are used in this document.

Table 2 Typographical conventions

Bold             | Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic           | Used for full titles of publications referenced in text
Monospace        | Used for: system code; system output, such as an error message or script; pathnames, filenames, prompts, and syntax; commands and options
Monospace italic | Used for variables
Monospace bold   | Used for user input
[ ]              | Square brackets enclose optional values
|                | Vertical bar indicates alternate selections - the bar means “or”
{ }              | Braces enclose content that the user must specify, such as x or y or z
...              | Ellipses indicate nonessential information omitted from the example

Getting help

The IDPA support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact Customer Support.

To access the IDPA support page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

3. (Optional) Add the product to the My Saved Products list by clicking Add to My Saved Products in the upper right corner of the Support by Product page.


Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, esgxxxxxx) or by keyword.

To search the Knowledgebase:

1. Click Search at the top of the page.

2. Type either the solution number or keywords in the search box.

3. (Optional) Limit the search to specific products by typing a product name in the Scope by product box and then selecting the product from the list that appears.

4. Select Knowledgebase from the Scope by resource list.

5. (Optional) Specify advanced options by clicking Advanced options and specifying values in the available fields.

6. Click Search.

Facilitating support

ConnectEMC and Email Home are enabled on IDPA automatically. Secure Remote Services are enabled automatically for Data Domain (Protection Storage), Avamar (Backup Server), Data Protection Advisor, and Appliance Configuration Manager.

Comments and suggestions

Comments and suggestions help us to continue to improve the accuracy, organization, and overall quality of the user publications. Send comments and suggestions about this document to [email protected].

Please include the following information:

l Product name and version

l Document name, part number, and revision (for example, 01)

l Page numbers

l Other details to help address documentation issues

Any information that is provided to Dell EMC in connection with any Dell EMC website shall be provided by the submitter and received by Dell EMC on a non-confidential basis. Such information shall be considered non-confidential and the property of Dell EMC. By submitting any such information to Dell EMC, you agree to a no-charge assignment to Dell EMC of all worldwide rights, title, and interest in copyrights and other intellectual property rights to the information. Dell EMC shall be free to use such information on an unrestricted basis.


CHAPTER 1

Security quick reference

This chapter provides quick-reference information for deployment of the IDPA.

This chapter contains the following topics:

- Deployment models (page 16)


Deployment models

The DP4400 is a fully integrated 2U appliance, offered in capacity ranges of 8 TB to 24 TB and 24 TB to 96 TB respectively.

Before deployment

When building the IDPA, the factory performs the following actions:

• Install the Dell EMC customized ESXi image.
• Assign private, non-routable IP addresses.
• Set default passwords and configure all default management accounts.
• Complete basic configuration to provide a platform for final deployment at the customer site.

During deployment

When deploying the appliance, customers must perform the following actions:

• Connect the appliance to the customer network environment.
• Register the appliance with the Secure Remote Services system.
• Assign new passwords for management accounts.

The IDPA deployment process makes no security-related assumptions about the customer environment. Customers are expected to provide suitable power and data connections, and physical security to protect the appliance components.

The Appliance Configuration Manager interface does not provide security-specific configuration options or support additional configurations. All appliance components are deployed using the best practices that are defined in the security configuration guides for each component. The interface enforces an optimal environment for correct operation of the appliance components.

After deployment

The IDPA contains many externally accessible interfaces for use by data protection and management clients. Customers should take care to apply appropriate access restrictions to prevent unauthorized use. As per the customer security requirements, all forms of access should be regularly monitored and audited.

Models

The following diagrams illustrate the IDPA at maximal configuration for each model.


Figure 1 Model DP4400


Figure 1 Model DP4400 (continued)

Component abbreviations used in the figure:

• Cloud Disaster Recovery Add-on (CDRA)
• Data Protection Advisor (DPA)
• Data Protection Search (DPS)
• Avamar Virtual Edition (AVE)
• Appliance Configuration Manager (ACM)
• Data Protection Central (DPC)
• vCenter (VC)
• Data Domain Virtual Edition (DDVE)
• Integrated Dell Remote Access Controller (iDRAC)

Note: Customers can choose either the Copper network ports or the Optical network ports.

Encryption

• The management traffic is encrypted using SSL and TLS.
• The backup data and metadata are both encrypted using SSL and TLS.
• The replication traffic is encrypted using SSL and TLS.
• The Secure Remote Services traffic is encrypted using AES and TLS.
• Authentication can be administered using Active Directory and LDAP.

Secure Remote Services

• When Secure Remote Services is implemented, external communication to and from Secure Remote Services is conducted through a TLS tunnel using AES-256 encryption with SHA-1 message integrity and RSA key exchange, with bilateral (mutual) certificate authentication; the certificates are stored in an RSA lockbox. If the TLS tunnel is unavailable, the messages are forwarded through FTPS or encrypted email.
• Secure Remote Services data includes diagnostic, system health, and remote access session information for IDPA system components (DDVE, AVE, Search, and so on).
• Secure Remote Services information can be selectively streamed to remote nodes using the Secure Remote Services Policy Manager, which controls the Secure Remote Services traffic flow.
• You can use the Secure Remote Services Policy Manager to configure policies that govern permitted remote access sessions, notifications, and diagnostic script executions.


CHAPTER 2

Product and subsystem security

This chapter contains the following topics:

• Security controls map, page 20
• Authentication, page 22
• Authorization, page 30
• Network security, page 34
• Data security, page 36
• Cryptography, page 38
• Auditing and logging, page 40
• Physical security, page 43
• Serviceability, page 45


Security controls map

The following diagram (Figure 2) details the connections between the IDPA components and the security controls on each link.

Note: vSwitch0 shown in Figure 2 replaces the physical switch in the DP4400.


Figure 2 Security controls map - Avamar and Data Domain

Authentication

This section describes default settings and configuration options for how users or processes authenticate to the IDPA components.

By default, all components of the IDPA authenticate using the management accounts that are included with each component and the common password that is configured during deployment. The manufacturing process sets a default password for each management account that is contained within the IDPA components. A customer-provided common password replaces the default during deployment.

The Appliance Configuration Manager (ACM) manages the IDPA common passwords after deployment.

Note: As a security consideration, Dell EMC recommends that you change your appliance password after the appliance software is successfully upgraded.

Login security settings

The following publications provide information on configuring the login security settings for IDPA components.

Login banner configuration

Refer to the following publications for information about configuring the login banners for the IDPA components.

Table 3 Login banner configuration

Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Custom ssh banner not supported
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | Manage the Login Banner

Failed login behavior

Refer to the following publications for information about configuring the failed-login behavior for the IDPA components.

Table 4 Failed login behavior

Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Additional operating system hardening; Additional password hardening
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | vCenter Password Requirements and Lockout Behavior; Edit the vCenter Single Sign-On Lockout Policy; ESXi Passwords and Account Lockout
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR server user accounts

Emergency user lockout

Refer to the following publications for information about locking out users for the IDPA components.

Table 5 Emergency user lockout

Component | Reference Publication | Topic
ESXi | VMware vSphere Security | Cryptographic Operations Privileges

Authentication types and setup

This section includes authentication source and type configuration options for the IDPA.

Configuring local authentication sources

Refer to the following publications for information on using the authentication databases on the IDPA components.

Table 6 Configuring local authentication sources

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Avamar internal authentication
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Local user account management

The ACM authenticates using the local username and password, and provides only one account. No other authentication sources are available.


Configuring Active Directory

Refer to the following publications for information on configuring the IDPA components to use LDAP and Active Directory authentication.

Table 7 Configuring Active Directory

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management; Enabling Active Directory
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP
Remote server management | iDRAC Version 9 User's Guide | Configuring user accounts and privileges
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users

Certificate/key-based authentication

Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate human users for the IDPA components.

Table 8 Certificate/key-based authentication

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
Avamar and AVE | Avamar Operational Best Practices Guide | Changing passwords
Data Domain | Data Domain Product Security Guide | System access

Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate inter-component and inter-process communication for IDPA components.

Table 9 Digital certificates and SSH keys

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication
Secure Remote Services | Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions | SRS Certificate Policy

Unauthenticated interfaces

For Avamar and AVE, the client download and help areas do not require authentication.

User credential management

The following topics discuss default accounts and credentials, enabling and disabling accounts, credential management options, and credential security, including password management.

Default accounts

Refer to the following publications for lists of default accounts for each IDPA component.

Table 10 Default accounts

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Unlock a Data Protection Central user account
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Server user accounts

Note (Search): After successful configuration of Search in IDPA, the accounts are the same as the Search default configuration. IDPA adds its own LDAP configuration into the database.

Refer to the following table for the default management accounts and additional accounts that are associated with each IDPA component.

Note: This table lists the additional user accounts that are created during configuration. Refer to the corresponding section of each IDPA product for a complete list of accounts.

Table 11 Default management accounts

Component | Default management accounts | Additional accounts
Avamar nodes | root | (none)
Data Domain | sysadmin | (none)
Compute node iDRAC (IPMI) interface | root | (none)
VMware vCenter Server | idpauser | root
VMware ESXi hosts | idpauser | root
Appliance Configuration Manager | root | idpauser, idpauser (ldap), manager (ldap)
Cloud Disaster Recovery | admin | (none)

Default credentials

Refer to the following publications for lists of default credentials for each IDPA component.

Table 12 Default credentials

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | User and credential management
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Change password
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Credentials for DD Cloud DR deployment
Appliance Configuration Manager | (credentials listed here) | root: customer-set password; idpauser: common appliance password
VMware ESXi | (credentials listed here) | root: random complex password; idpauser: common appliance password
VMware vCenter | (credentials listed here) | root: random complex password; idpauser: common appliance password

Note (Search): The Search user interface uses LDAP authentication. For accessing Search:

• username: idpauser, password: the common appliance password
• username: admin (default account inherited from Search), password: the common appliance password

Note (IDPA System Manager): When the appliance is configured, the [email protected] account password is set to the common appliance password. Thereafter, the ACM does not manage the password for this account. Customers must manage the password for the [email protected] account themselves.

How to disable local accounts

Refer to the following publications for information on disabling and removing local accounts for IDPA components.

Table 13 How to disable local accounts

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Enabling and disabling local users; Deleting a local user
ESXi | VMware vSphere Security | ESXi Passwords and Account Lockout; Disable Authorized (SSH) Keys

Managing credentials

Refer to the following publications for information on configuring the login and password security settings for IDPA components.

Table 14 Managing credentials

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
Remote server management (iDRAC) | Integrated Dell Remote Access Controller 9 Version 3.34.34.34 User's Guide | Secure default password

Note (iDRAC): The iDRAC password is set to the default after installation. The customer can change it later.

Password complexity

Ensure that the password meets the following criteria:

• A maximum of 20 characters
• A minimum of nine characters
• Must not start with a hyphen (-)
• Contains at least one upper-case and one lower-case letter
• Contains at least one number
• Must not include common names and usernames such as 'root' or 'admin'
• Contains at least one special character

Valid special characters include:

  - period (.)
  - hyphen (-)
  - underscore (_)
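The following Python validator is an added example and is not code from the Dell EMC guide or the ACM. It encodes the password rules above so that a deployment script can check a candidate common appliance password before submitting it to the ACM, and it returns every rule the candidate breaks rather than stopping at the first. Two things are assumptions of this example, not statements of the guide: that the three listed special characters are the only ones the ACM accepts (other punctuation is rejected), and the reserved-name list beyond 'root' and 'admin'.

```python
"""Check a candidate IDPA common appliance password against the guide's rules.

Added example, not code from the Dell EMC guide. Adjust ALLOWED and
RESERVED_NAMES to match the ACM version you deploy.
"""
import re

MIN_LEN = 9
MAX_LEN = 20

# Assumption: the guide lists '.', '-' and '_' as valid special characters;
# this example treats that list as exhaustive and rejects anything else.
ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")
SPECIAL = set("._-")

# Assumption: the guide names only 'root' and 'admin' as examples of common
# names; the other entries are account names from this guide's Table 11.
RESERVED_NAMES = ("root", "admin", "sysadmin", "idpauser", "manager")


def password_violations(password: str) -> list:
    """Return the list of rules the password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if password.startswith("-"):
        problems.append("starts with a hyphen")
    if not ALLOWED.match(password):  # also catches the empty string
        problems.append("contains a character outside A-Z, a-z, 0-9, '.', '-', '_'")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character ('.', '-' or '_')")
    lowered = password.lower()
    for name in RESERVED_NAMES:
        if name in lowered:  # substring match, case-insensitive
            problems.append(f"contains reserved name '{name}'")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not password_violations(password)


if __name__ == "__main__":
    import getpass
    candidate = getpass.getpass("Candidate appliance password: ")
    for problem in password_violations(candidate):
        print(f"rejected: {problem}")
    if is_acceptable(candidate):
        print("password meets the IDPA complexity rules")
```

The substring check for reserved names is deliberately strict: a password such as 'MyAdmin.2019' is rejected even though 'admin' is only part of a longer word, which is the conservative reading of "must not include".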

Authentication to external systems

The following topics discuss how to configure authentication of components outside the IDPA, including components providing services to the IDPA and remote clients.

Configuring remote connections

Refer to the following publications for information on configuring connections from the IDPA to external components.

Table 15 Configuring remote connections

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Managing DD Boost client access and encryption; System access management

Remote component authentication

Refer to the following publications for information on how to provide credentials for remote components to use when connecting to the IDPA.

Table 16 Remote component authentication

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Setting the system passphrase; Managing certificates for DD Boost; Importing CA certificates; Key manager setup; Configuring SMB signing
Data Domain | Data Domain Product Security Guide | Certificates for cloud providers
Secure Remote Services | Secure Remote Services Technical Description | Digital Certificate Management; Communication to EMC


Authorization

This section describes default settings and configuration options for how users or processes are authorized to act on the IDPA components.

General authorization settings

The following topics discuss basic information about user privileges within the IDPA.

Configuring authorization rules

Refer to the following publications for information on the basic process of configuring authorization for users with permission to access the IDPA.

Table 17 Configuring authorization rules

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | User Authentication and Authorization
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User Authentication
Search | Search Installation and Administration Guide | Managing Roles and Users
Search | Search Security Configuration Guide | Authentication Configuration
DP Advisor | Data Protection Advisor Installation and Administration Guide | Users and security
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere

Default authorizations

Refer to the following publications for lists of default authorizations supplied with the IDPA.

Table 18 Default authorizations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles; Default authorizations and user accounts
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User authorization
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role
Search | Search Security Configuration Guide | System Administrator role; Full Access Search (Global) role; Index specific search roles; Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
DP Advisor | Data Protection Advisor Security Configuration Guide | Users and Security; User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere

External authorization associations

Refer to the following publications for information about mapping LDAP and AD authentication to levels of authorization for components of the IDPA.

Table 19 External authorization associations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users

Role-based access control (RBAC)

The IDPA uses the default roles available for individual components.

Refer to the following publications for information about authorization through assigned roles:

Table 20 Role-based access control

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Managing access control
Search | Search Installation and Administration Guide | About roles; Managing roles
DP Advisor | Data Protection Advisor Installation and Administration Guide | User roles and privileges
Remote server management | iDRAC Version 9 User's Guide | Configuring user accounts and privileges

Default roles

Refer to the following publications for information about pre-configured roles and privileges for components of the IDPA.

Table 21 Default roles

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Role-based access control; Local user account management
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role; Full Access Search (Global) role; Index specific search roles
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vCenter Server System Roles
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts

Configuring roles

Refer to the following publications for information about how to select or configure the capabilities of roles that can be assigned to users of the IDPA:

Table 22 Configuring roles

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Role-based access control
Search | Search Installation and Administration Guide | Managing Roles and Users
Data Protection Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts

Role mapping

Refer to the following publications for mapping users and groups to specific roles for components of the IDPA.

Table 23 Role mapping

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | System access management
Search | Search Installation and Administration Guide | Managing Roles and Users
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts

External role associations

Refer to the following publications for information on mapping LDAP and AD authentication to specific access roles for components of the IDPA.

Table 24 External role associations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | LDAP directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Configuring Active Directory and Kerberos authentication
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
DP Advisor | Data Protection Advisor Installation and Administration Guide | Creating a new user account with LDAP authentication
ESXi | VMware vSphere Security | Managing ESXi Roles in the VMware Host Client
IDPA System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP

Network security

This section describes the exposed network interfaces in use by the IDPA.

The DP4400 connects directly to the customer-provided network switch.

Network exposure

The following sections indicate where to obtain information on exposed network interfaces and ports for each component of the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.

For maximum security, customers should disable all network ports and interfaces that are not required for their environment.

Network ports

The following references provide information about the network ports that are opened by each component of the IDPA.

For more information about the network ports for the corresponding components, see Network ports on page 51.


Table 25 Network ports

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Port Requirements appendix (a); Session security features
Data Domain | Data Domain Product Security Guide | Communication security settings
Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring the system with the configuration wizard
Search | Search Security Configuration Guide | Port usage; Firewall rules
Search | Search Installation and Administration Guide | Add an Avamar source server to Search
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Network Security
Appliance Configuration Manager | (ports listed here) | 8543 and 8009: application server; 5672: RabbitMQ; 9443: upgrade operation; 22: SSH; 636: LDAP over SSL (for internal LDAP)
DP Advisor | Data Protection Advisor Security Configuration Guide | Communication settings
DP Advisor | Data Protection Advisor Installation and Administration Guide | DPA port settings
Secure Remote Services | Secure Remote Services Port Requirements | Not applicable
VMware ESXi and vCenter | VMware vSphere Security | Additional vCenter Server TCP and UDP Ports
Remote server management | iDRAC Version 9 User's Guide | iDRAC port information
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Required Data Domain Cloud Disaster Recovery ports

(a) This reference includes information on network ports that are used by all possible Avamar configurations.

Network interfaces

The following table provides the default IP addresses for the network interfaces on the IDPA appliance. The default IP addresses are configured in the factory and are for internal use of the IDPA appliance only.

Note: The IP addresses listed below are not exposed outside of the appliance and are only for internal communication. For these interfaces, the subnet mask is 255.255.255.0.

Table 26 Default IP addresses

Component | IP address | Subnet mask
Appliance Configuration Manager | 192.168.100.100 | 255.255.255.0
ESXi | 192.168.100.101 | 255.255.255.0

The IP addresses for interfaces that are exposed to the customer network are configured at the time of the IDPA appliance configuration.

Communication security settings

The following references provide information about options for securing communications between each component of the IDPA and remote systems.

Table 27 Communication security settings

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication |
| Data Domain | Data Domain Product Security Guide | Communication security settings |

Firewall settings

The following references provide information on configuring the firewall functionality of each component of the IDPA.

Table 28 Firewall settings

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Additional firewall hardening (avfirewall) |
| Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring security and firewalls (NFS and CIFS access) |
| Search | Search Security Configuration Guide | Firewall rules |
| DP Advisor | Data Protection Advisor Installation and Administration Guide | Communications settings in DPA |
| Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking |

No additional customer firewall configuration is required.

Data security

This section describes how the IDPA protects customer data stored on its components.


Hardening

After the IDPA configuration is completed, customers can optionally stop the BIND name server (named) on the ACM using the following commands:

service named stop
chkconfig named off

Data-at-rest encryption

Refer to the following publications for information about the encryption capabilities for data at rest on components of the IDPA.

Table 29 Data-at-rest encryption

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Data-at-rest encryption |
| Data Domain | Data Domain Operating System Administration Guide | DD Encryption |
|  | Data Domain Product Security Guide | Data encryption |

The ACM uses Java keystores to secure the encryption keys.

Data erasure

Refer to the following publications for information about securely erasing data from components of the IDPA.

Table 30 Data erasure

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Data erasure (a) |
| Data Domain | Data Domain Operating System Administration Guide | Destroying the file system |
|  | Data Domain Product Security Guide | Data erasure |
|  |  | System sanitization |
| Remote server management | iDRAC Version 9 User's Guide | Erasing PCIe SSD device data |
| ESXi | VMware vSphere Security | Use vmkfstools to Erase Sensitive Data |

a. Avamar servers can also be restored to factory default conditions by a process called re-kickstarting. This process is performed by Dell EMC service personnel.


Cryptography

The following sections indicate where to obtain information on the uses of cryptography in the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.

Cryptographic configuration options

The following references provide information about ciphers, encryption, and other data integrity mechanisms for each component of the IDPA.

Table 31 Cryptographic configuration options

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Data-in-flight encryption |
|  |  | Data-at-rest encryption |
|  |  | Disabling SSLv2 and weak ciphers |
|  |  | Disabling privileges for CipherSuite 0 |
| Data Domain | Data Domain Product Security Guide | Data encryption |
|  | Data Domain Operating System Administration Guide | DD Encryption chapter |
| Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication |
| ESXi | VMware vSphere Security | ESXi SSH Keys |

The ACM communicates with the other IDPA components using TLS 1.2.

Disable TLS 1.1 and earlier versions

To reduce exposure to known protocol weaknesses, disable the weak protocols and ciphers on the ACM, vCenter, and ESX. The TLS Reconfiguration Utility is used to manage the TLS protocols on vCenter and ESX. To download and install the utility, see VMware KB article 2147469.

To disable weak protocols on the ACM, and on vCenter and ESX using the TLS Reconfiguration Utility:

• ACM (internal LDAP):

  1. SSH to the ACM.

  2. Edit the file /etc/openldap/slapd.d/cn=config.ldif.

  3. Update the parameter olcTLSProtocolMin from 0.0 to 3.3.

  4. Update the parameter olcTLSCipherSuite with the following value:

     olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL

     Note: If the parameter does not exist, add it with this value at the end of the file.

  5. Restart the slapd service using the following commands:

     service slapd stop
     service slapd start

• ACM (SSH service):

  1. Log in to the ACM using an SSH client such as PuTTY.

  2. Edit the file /etc/ssh/sshd_config using any file editor such as vi, and add the following lines at the end of the file:

     ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected] hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected]

  3. Save the file.

  4. Restart the sshd service using the command service sshd restart.

• vCenter:

  1. SSH to vCenter.

  2. Change directory using the command:

     cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator

  3. Run ./reconfigureVc update -p TLSv1.2.

• ESX:

  1. SSH to vCenter.

  2. Change directory using the command:

     cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

  3. Run ./reconfigureEsx vCenterCluster -c <cluster-name> -u root -p TLSv1.2.

  4. Reboot the IDPA appliance.
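The ACM (internal LDAP) steps above are manual edits of cn=config.ldif. As an added example that is not part of this guide or the IDPA software, the following Python script audits an LDIF text for the two settings the procedure requires (olcTLSProtocolMin 3.3, which in OpenLDAP denotes a TLS 1.2 minimum, and the exact olcTLSCipherSuite value) and rewrites them in place or, when an attribute is missing, appends it at the end of the file as the note above says. The sample LDIF is constructed, and base64-encoded (`::`) attribute values are not handled.

```python
"""Audit and harden the TLS settings in an OpenLDAP cn=config.ldif.

Added example, not from the IDPA guide. It checks the two attributes the
procedure sets and returns a corrected copy of the file text.
"""
import re

# olcTLSProtocolMin 3.3 means TLS 1.2 in OpenLDAP (3.1 = TLS 1.0, 3.2 = TLS 1.1).
REQUIRED_MIN_PROTOCOL = (3, 3)
# Exact cipher string from the procedure.
REQUIRED_CIPHER_SUITE = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL"
)

# "name: value" attribute lines; base64 ("name:: value") lines are not handled.
_ATTR_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*):\s*(?P<value>.*)$")

# Constructed sample resembling a factory cn=config.ldif before hardening.
SAMPLE_BEFORE = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/openldap/certs/server.crt
olcTLSProtocolMin: 0.0
"""


def _unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attributes(ldif_text):
    """Return {attribute_name: value}; the last occurrence of a name wins."""
    attrs = {}
    for line in _unfold(ldif_text):
        m = _ATTR_RE.match(line)
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs


def parse_protocol_min(value):
    """'3.3' -> (3, 3). Unparsable or absent values count as 0.0 (no minimum)."""
    m = re.fullmatch(r"(\d+)\.(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def audit(ldif_text):
    """Return a list of findings; an empty list means both settings match the procedure."""
    attrs = parse_attributes(ldif_text)
    findings = []
    current = parse_protocol_min(attrs.get("olcTLSProtocolMin", "0.0"))
    if current < REQUIRED_MIN_PROTOCOL:
        findings.append(
            f"olcTLSProtocolMin is {current[0]}.{current[1]}; expected 3.3 (TLS 1.2 minimum)"
        )
    if attrs.get("olcTLSCipherSuite") != REQUIRED_CIPHER_SUITE:
        findings.append("olcTLSCipherSuite is missing or differs from the required value")
    return findings


def harden(ldif_text):
    """Return the LDIF text with both attributes set as the procedure requires.

    An existing attribute is rewritten in place (its folded continuation lines
    are dropped); a missing one is appended at the end of the file.
    """
    wanted = {"olcTLSProtocolMin": "3.3", "olcTLSCipherSuite": REQUIRED_CIPHER_SUITE}
    out, seen, drop_fold = [], set(), False
    for line in ldif_text.splitlines():
        if drop_fold and line.startswith(" "):
            continue
        drop_fold = False
        m = _ATTR_RE.match(line)
        if m and m.group("name") in wanted:
            name = m.group("name")
            out.append(f"{name}: {wanted[name]}")
            seen.add(name)
            drop_fold = True
        else:
            out.append(line)
    for name, value in wanted.items():
        if name not in seen:
            out.append(f"{name}: {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE) or "compliant")
    hardened = harden(SAMPLE_BEFORE)
    print("after: ", audit(hardened) or "compliant")
    print(hardened)
```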

Certified cryptographic modules

The following references provide information about the cryptographic modules available for each component of the IDPA.

Table 32 Certified cryptographic modules

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Search | Search Security Configuration Guide | Cryptographic modules |
| Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management |
| Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication |
| Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking |


Certificate management

The following references provide information on the use and management of certificates for each component of the IDPA.

Table 33 Certificate management

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication |
|  |  | Data Security and Integrity |
|  | Avamar Administration Guide | ConnectEMC |
| Data Domain | Data Domain Product Security Guide | Data Domain system security |
|  |  | Data security settings |
|  | Data Domain Operating System Administration Guide | DD Encryption |
| Search | Search Security Configuration Guide | Access Control |
| Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management |
| DP Advisor | Data Protection Advisor Installation and Administration Guide | Encryption of the DPA Application server |
| Remote server management | iDRAC Version 9 User's Guide | Configuring iDRAC |
| ESXi | VMware vSphere Security | vSphere Security Certificates |
| Appliance Configuration Manager | IDPA Product Guide | Adding a CA-signed certificate |

The ACM ships with a default self-signed RSA SHA-256 certificate. The Integrated Data Protection Appliance Product Guide provides details for replacing the default certificate with a CA-signed certificate.

Auditing and logging

This section describes how the IDPA components log events and protect against tampering.


Logs

Refer to the following publications for information about log locations and usage for IDPA components.

Table 34 Logs

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging |
|  | Avamar Administration Guide | Server Monitoring |
|  |  | Replication |
| Data Domain | Data Domain Operating System Administration Guide | Log file management |
|  | Data Domain Product Security Guide | Log settings |
| Search | Search Installation and Administration Guide | Log files |
| Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Auditing and Logging |
| Secure Remote Services | Secure Remote Services Technical Description | Logging |
| Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication |
| ESXi | VMware vSphere Security | ESXi Log Files |
| Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Troubleshooting > Collect Logs |

ACM server execution logs are stored on the ACM in /usr/local/dataprotection/var/configmgr/server_data/logs/server.log.

Log management options

Refer to the following publications for information about managing logs for IDPA components.

Table 35 Log management options

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Administration Guide | Server Monitoring |
| Remote server management | iDRAC Version 9 User's Guide | Managing logs |
| ESXi | VMware vSphere Security | ESXi Log Files |
| Data Domain | Data Domain Operating System Administration Guide | Log file management |


Log protection

Refer to the following publications for information about securing log contents for IDPA components.

Table 36 Log protection

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Data Domain | Data Domain Operating System Administration Guide | Log message transmission to remote systems |
| ESXi | VMware vSphere Security | ESXi Log Files |

Log format

Refer to the following publications for information about understanding the formatting of logs for IDPA components.

Table 37 Log format

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging |
|  | Avamar Administration Guide | Server Monitoring |
|  |  | Replication |
| Data Domain | Data Domain Operating System Administration Guide | Log file management |
|  |  | Learning more about log messages |
| Search | Search Installation and Administration Guide | Managing Logs |
| ESXi | VMware vSphere Security | ESXi Log Files |

The ACM log file appends the most recent entries, up to a maximum file size of 5120 KB and a maximum backup index (1) of 19. ACM log entries use the following format:

%d %-5p [%t]-%C{2}: %m%n

where:

• %d %-5p is the date

• %t is the thread name

• %C{2} is the Java class name

• %m%n is the logged message

1. The backup index is the number of most recent rotated log files that are kept on the ACM.
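As an added example that is not from this guide, the following Python parser splits ACM log lines written in the pattern above into their fields and attaches stack-trace continuation lines to the entry that produced them, so the file can be filtered or forwarded with its structure intact. It assumes the %d field is rendered in log4j's default ISO8601 form (yyyy-MM-dd HH:mm:ss,SSS), which the guide does not state, and reads the %-5p column as the level name padded to five characters, which is what that log4j conversion specifier produces; the sample lines are constructed, not real ACM output.

```python
"""Parse ACM server.log lines written with the log4j pattern
%d %-5p [%t]-%C{2}: %m%n (added example, not from the guide)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: %d uses log4j's default ISO8601 rendering, e.g. 2019-11-14 10:21:33,412
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
# %-5p pads the level to 5 columns, so INFO/WARN are followed by two spaces, ERROR/DEBUG by one.
_ENTRY_RE = re.compile(
    rf"^(?P<ts>{_TS}) (?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]-(?P<cls>[^:\s]+): (?P<msg>.*)$"
)


@dataclass
class LogEntry:
    timestamp: datetime
    level: str
    thread: str
    java_class: str  # %C{2}: the last two components of the fully qualified class name
    message: str
    continuation: list = field(default_factory=list)  # stack-trace / wrapped lines

    @property
    def full_message(self):
        return "\n".join([self.message, *self.continuation])


def parse_entries(text):
    """Turn raw log text into LogEntry objects.

    Lines that do not start a new entry (e.g. stack-trace frames after an ERROR)
    are attached to the preceding entry instead of being dropped.
    """
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(LogEntry(
                timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
                level=m["level"], thread=m["thread"],
                java_class=m["cls"], message=m["msg"]))
        elif entries and line.strip():
            entries[-1].continuation.append(line)
    return entries


def summarize(entries):
    """Counts per level, plus per class for WARN/ERROR/FATAL, e.g. to drive an alert rule."""
    by_level = Counter(e.level for e in entries)
    noisy_classes = Counter(
        e.java_class for e in entries if e.level in ("WARN", "ERROR", "FATAL"))
    return by_level, noisy_classes


def find_entries(entries, level=None, pattern=None):
    """Filter by level and/or a regex over the full (multi-line) message."""
    rx = re.compile(pattern) if pattern else None
    return [e for e in entries
            if (level is None or e.level == level)
            and (rx is None or rx.search(e.full_message))]


# Constructed sample lines in the documented format (not real ACM output).
SAMPLE_LOG = """\
2019-11-14 10:21:33,412 INFO  [main]-configmgr.Server: Server started on port 8543
2019-11-14 10:21:35,007 WARN  [pool-2-thread-1]-configmgr.LdapClient: TLS handshake retried with 192.168.100.100:636
2019-11-14 10:22:01,990 ERROR [http-nio-8543-exec-4]-auth.LoginService: Authentication failed for user admin
java.lang.SecurityException: bad credentials
\tat com.example.auth.LoginService.login(LoginService.java:88)
2019-11-14 10:22:02,101 DEBUG [http-nio-8543-exec-4]-auth.LoginService: Session cleanup complete
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    levels, noisy = summarize(parsed)
    print(dict(levels), dict(noisy))
    for e in find_entries(parsed, level="ERROR"):
        print(e.timestamp.isoformat(), e.java_class, e.full_message)
```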


Alerting

Refer to the following publications for information about monitoring and managing security alerts for various IDPA components.

Table 38 Alerting

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging |
|  | Avamar Administration Guide | Server Monitoring |
| Data Domain | Data Domain Product Security Guide | Security alert system settings |
|  | Data Domain Operating System Administration Guide | Alert notification management |
| Remote server management | iDRAC Version 9 User's Guide | Configuring iDRAC to send alerts |
| ESXi | vSphere Monitoring and Performance | Monitoring Events, Alarms, and Automated Actions |
| DP Advisor | DP Advisor Product Guide | Alerts in DPA |
|  | DP Advisor Installation and Administration Guide | dpa application support |

Physical security

The IDPA is composed of a single piece of hardware with unique interfaces and physical security requirements. The following topics detail where to find further information on securing the IDPA hardware.

Refer to Deployment models on page 16 for the locations of individual appliance components.

Physical interfaces

Refer to the following publications for information on the accessible physical interfaces of the IDPA components.

Table 39 Physical interfaces

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Compute nodes | Dell PowerEdge R740 Owner's Manual | Ports and connectors specifications |


Physical security options

Refer to the following publications for information about physical security controls that can be applied to the IDPA components.

Table 40 Physical security options

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Data Domain | Data Domain Product Security Guide | Physical Security Controls |

Dell EMC reminds customers to review and frequently audit all operational policies, and to verify that personnel, site, and perimeter security are secure.

Customer service access

Refer to the following publications for information about physical interfaces and devices that are restricted for use by Customer Support.

Table 41 Customer service access

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security |

Tamper evidence and resistance

Refer to the following publications for information about tamper-evident and tamper-resistant features that are found in the IDPA components.

Table 42 Tamper evidence and resistance

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar | Avamar Product Security Guide | Advanced Intrusion Detection Environment (AIDE) |
|  |  | The auditd service |
| Data Domain | Data Domain Operating System Administration Guide | System clock |
|  |  | RPM signature verification |
| Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security |


Statements of volatility

Refer to the following publications for information on information-storing components of the IDPA.

Table 43 Statements of volatility

| Component | Reference Publication |
| --- | --- |
| Compute nodes | Statement of Volatility – Dell PowerEdge R740 |
| NDMP | If an NDMP node is used with any IDPA model, refer to the corresponding NDMP appliance documentation. |

Serviceability

The IDPA deployment process includes Secure Remote Services registration for the Appliance Configuration Manager, Data Domain, Avamar, and DP Advisor.

The Appliance Configuration Manager virtual machine can be used as a bridge by Customer Support to access appliance components that are not directly registered with Secure Remote Services. By default, ConnectEMC is not configured on any appliance component. For more information about ConnectEMC, see the Secure Remote Services Operations Guide.

Customer Support and authorized service partners complete all service on the IDPA.

Maintenance aids

Refer to the following publications for information about accounts, tools, and other functions intended for maintenance use.

Table 44 Maintenance aids

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Avamar and AVE | Avamar Product Security Guide | Security patches |
|  |  | Email home notification using ConnectEMC |
|  |  | Intelligent Platform Management Interface |
|  | Avamar Operational Best Practices Guide | Using EMC Secure Remote Support solution |
|  | Avamar Administration Guide | Automatic notifications to Avamar Support |
| Data Domain | Data Domain Product Security Guide | Other security considerations |
|  | Data Domain Operating System Administration Guide | Network connection management |
|  |  | Autosupport report management |
|  |  | Support bundle management |
|  |  | EMC Support delivery management |
|  |  | Remote system power management with IPMI |
| Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control |
|  |  | Communication to EMC |

Avamar and AVE make use of a Customer Support-only password to run some workflow packages in the Avamar Installation Manager.

Responsible service use

Refer to the following publication for information on responsible service use by Dell EMC.

Table 45 Responsible service use

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control |

Security updates and patching

The following references provide information about how to apply security patches for each component of the IDPA.

Table 46 Security updates and patching

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance |

Customers should apply security updates and patches from Dell EMC regularly to prevent zero-day vulnerability attacks.

Note: vCenter displays a warning about a potential vulnerability. CVE-2018-3646 is one of the L1 Terminal Fault (L1TF) speculative execution vulnerabilities and has been assigned a medium vulnerability score. IDPA uses an ESXi version that includes the following fixes for this vulnerability; however, one of them is not enabled by default because it has a severe performance impact:

• Mitigation of the Sequential-Context attack vector: this fix is included in IDPA 2.3 and later releases.

• Mitigation of the Concurrent-Context attack vector: this fix is not enabled by default. It can be enabled with simple steps on ESXi, but it carries severe performance penalties if enabled.

IDPA is a restricted environment in which unverified virtual machines are not deployed on the ESXi host. Also, because of the severe performance penalties, enabling the fix on the IDPA appliance is not recommended. However, customers can enable it at their own risk. For more information, see VMware KB article 55806.


Customer requirements for updates

Refer to the following publications for information on periodic security updates that apply to the IDPA components.

Table 47 Customer requirements for updates

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance |


CHAPTER 3

Miscellaneous configuration and management elements

This chapter contains the following topics:

• Protecting authenticity and integrity ..... 50
• Installing client software ..... 50


Protecting authenticity and integrity

Refer to the following publications for information about the use of signing and cryptography to ensure the integrity of the IDPA.

Table 48 Protecting authenticity and integrity

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Data Domain | Data Domain Operating System Administration Guide | RPM signature verification |

Dell EMC recommends that customers verify the authenticity of downloads against published MD5 and SHA-256 checksums, where provided.

Installing client software

Refer to the following publications for information about requirements for installing components of the IDPA on client computers.

Table 49 Installing client software

| Component | Reference Publication | Topic |
| --- | --- | --- |
| Secure Remote Services | Secure Remote Services Technical Description | Customer site components |
|  |  | Specifications |


APPENDIX

Network ports

This appendix contains information about the network ports for the following components:

• Backup Server (Avamar and Avamar Virtual Edition) ..... 52
• Protection Storage (Data Domain) ..... 52
• IDPA System Manager (Data Protection Central) ..... 59
• Search ..... 61
• Reporting and Analytics (Data Protection Advisor) ..... 63
• Secure Remote Services ..... 66
• Remote server management (iDRAC) ..... 67
• Data Domain Cloud Disaster Recovery ..... 68


Backup Server (Avamar and Avamar Virtual Edition)

The following table lists the port requirements for Avamar and Avamar Virtual Edition:

Table 50 Port requirements

| Port/Protocol | Source | Destination | Description |
| --- | --- | --- | --- |
| 29000/TCP | Utility node | Storage node | Avamar subsystem using SSL |
| 29000/TCP | Storage node | Utility node | Avamar subsystem using SSL |
| 30001/TCP | Utility node | Storage node | MCS using SSL |
| 30001/TCP | Storage node | Utility node | MCS using SSL |
| 30002/TCP | Avamar server | Avamar client | Avamar client using SSL |
| 30002/TCP | Avamar client | Avamar server | Avamar client using SSL |
| 30003/TCP | Utility node | Storage node | MCS using SSL |
| 30003/TCP | Storage node | Utility node | MCS using SSL |

For detailed information about ports, see the Port Requirements appendix in the Avamar Product Security Guide.

Protection Storage (Data Domain)

This section lists information about Data Domain network ports.

Communication security settings

Communication security settings enable the establishment of secure communication channels between the product components, and between product components and external systems or components.

The following tables list the input and output ports for TCP and UDP:

Table 51 Data Domain system inbound communication ports

| Service | Protocol | Port | Port Configurable | Default | Description |
| --- | --- | --- | --- | --- | --- |
| FTP | TCP | 21 | No | Disabled | Port is used only if FTP is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. |
| SSH and SCP | TCP | 22 | Yes | Enabled | Port is used only if SSH is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. SCP is enabled by default. |
| Telnet | TCP | 23 | No | Disabled | Port is used only if Telnet is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. |
| HTTP | TCP | 80 | Yes | Enabled (a) | Port is used only if HTTP is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. |
| DD Boost/NFS (portmapper) | TCP | 111 | No | Enabled | Used to assign a random port for the mountd service that DD Boost and NFS use. The mountd service port can be statically assigned with the nfs option set mountd-port command. |
| NTP | UDP | 123 | No | Disabled | 1. Port is used only if NTP is enabled on the Data Domain system. Run ntp status to determine if it is enabled. 2. The Data Domain system uses this port to synchronize to a time server. |
| SNMP | TCP/UDP | 161 | No | Disabled | Port is used only if SNMP is enabled. Run snmp status to determine if it is enabled. |
| HTTPS | TCP | 443 | Yes | Enabled | Port is used only if HTTPS is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. |
| CIFS (Microsoft-DS) | TCP | 445 | No | Enabled | Main port that CIFS uses for data transfer. |
| DD Boost/NFS | TCP | 2049 | Yes | Enabled | Main port that NFS uses. Run the nfs option show command on the Data Domain system to determine the current NFS server port. |
| NFS v3/NFS v4 | TCP | 2049 | Yes | Enabled | Main port that the NFS service uses. Run nfs status to determine if the NFS v3 or NFS v4 service is enabled. Run nfs option show nfs3-port or nfs option show nfs4-port on the Data Domain system to determine the current port that is listening. |
| Replication | TCP | 2051 | Yes | Enabled | Port is used only if replication is configured on the Data Domain system. Run replication show config to determine if it is configured. This port can be modified using the replication modify command. |
| NFS (mountd) | TCP/UDP | 2052 | Yes | Enabled | Can be hardcoded using the nfs option set mountd-port command. (This command is SE mode, which means that only a Service Engineer can issue it.) Run nfs option show mountd-port on the Data Domain system to determine the current port that mountd is listening on. |
| Data Domain Management Center Port | TCP | 3009 | No | Enabled | This port is used only if the Data Domain Management Center manages the Data Domain system. It is not configurable. |

a. HTTP is enabled by default, but automatically redirects to HTTPS.

Table 52 Data Domain system outbound communication ports

| Service | Protocol | Port | Port Configurable | Default | Description |
| --- | --- | --- | --- | --- | --- |
| SMTP | TCP | 25 | No | Disabled | The Data Domain system uses this port to send email autosupports and alerts. |
| SNMP | UDP | 162 | Yes | Disabled | The Data Domain system uses this port to send SNMP traps to the SNMP host. Use snmp show trap-hosts to see destination hosts and snmp status to display service status. |
| Syslog | UDP | 514 | No | Disabled | If enabled, the Data Domain system uses this port to send syslog messages. Use log host show to display destination hosts and service status. |
| RMCP | UDP | 623 | Open | Enabled | Remotely access the BMC through IPMI. |

To reach a Data Domain system behind a firewall, you may need to enable the ports defined in the preceding tables.

Use the net filter functionality to disable all ports that are not used.

Firewall Configuration

Table 53 Ports that Data Domain uses for inbound traffic

Port Service Note

TCP 21 FTP Used only if FTP is enabled(run adminaccess show on

the Data Domain system todetermine).

TCP 22 SSH Used only if SSH is enabled(run adminaccess show on

the Data Domain system todetermine).

TCP 23 Telnet Used only if Telnet is enabled(run adminaccess show on

the Data Domain system todetermine).

TCP 80 HTTP Used only if HTTP is enabled(run adminaccess show on

the Data Domain system todetermine).

TCP 111 DD Boost/NFS (port mapper) Used to assign a random portfor the mountd service thatNFS and DD Boost use.Mountd service port can bestatically assigned.

Network ports

Dell EMC Integrated Data Protection Appliance Security Configuration Guide 55

Page 56: Security Configuration Guide · 2020. 9. 4. · implementing, administering, or auditing security controls in environments containing IDPA solutions. The primary audience is technical,

Table 53 Ports that Data Domain uses for inbound traffic (continued)

Port Service Note

UDP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned.
UDP 123 | NTP | Used only if NTP is enabled (run ntp status on the Data Domain system to determine).
UDP 137 | CIFS (NetBIOS name service) | CIFS uses this port for NetBIOS name resolution.
UDP 138 | CIFS (NetBIOS datagram service) | CIFS uses this port for the NetBIOS datagram service.
TCP 139 | CIFS (NetBIOS session service) | CIFS uses this port for session information.
UDP 161 | SNMP (query) | Used only if SNMP is enabled (run snmp status on the Data Domain system to determine).
TCP 389 | LDAP | The LDAP server monitors this port for LDAP client requests; by default it uses TCP.
TCP 443 | HTTPS | Used only if HTTPS is enabled (run adminaccess show on the Data Domain system to determine).
TCP 445 | CIFS (Microsoft-DS) | Main port that CIFS uses for data transfer.
TCP 464 | Active Directory | Kerberos change/set password; this is required to join an Active Directory domain.
TCP 2049 | DD Boost/NFS | Main port that NFS uses; it can be modified using the nfs set server-port command, which requires SE mode.
TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Data Domain system to determine). This port can be modified using replication modify.


TCP 2052 | NFS Mountd/DD Boost/Optimized Duplication | Main port that NFS Mountd uses.
TCP 3008 | RSS | Required when the Data Domain system has an Archive Tier.
TCP 3009 | SMS (system management) | Used for managing a system remotely with Data Domain System Manager. This port cannot be modified. This port is used only on Data Domain systems running DD OS 4.7.x or later. This port needs to be open if you plan to configure replication within Data Domain System Manager, because the replication partner must be added to Data Domain System Manager.
TCP 5001 | iPerf | iPerf uses this port by default. Changing the port requires the -p option from se iperf or the port option from the net iperf command. The remote side must listen on the new port.
TCP 10000 | NDMP | NDMP uses this port.

Table 54 Ports that Data Domain systems use for outbound traffic

Port | Service | Note
TCP 20 | FTP | Used only if FTP is enabled (run adminaccess show on the Data Domain system to determine).
TCP 25 | SMTP | Used only if FTP is enabled (run adminaccess show on the Data Domain system to determine).
UDP/TCP 53 | DNS | Used to perform DNS lookups when DNS is configured (run net show dns on the Data Domain system to review the DNS configuration).


TCP 80 | HTTP | Used to upload log files to EMC Data Domain support using support upload.
TCP 443 | HTTPS | Used to upload the Support Bundle (SUB).
UDP 123 | NTP | Used to synchronize to a time server.
UDP 162 | SNMP (trap) | Used to send SNMP traps to an SNMP host. Use the snmp show trap-hosts command to see destination hosts and snmp status to display service status.
UDP 514 | Syslog | If enabled, used to send syslog messages. Use log host show to display destination hosts and service status.
TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Data Domain system to determine).
TCP 3009 | SMS (system management) | Used for managing a system remotely using Data Domain System Manager. This port cannot be modified. This port is used only on Data Domain systems running DD OS 4.7.x or later. If you plan to configure replication from within the Data Domain System Manager, this port needs to be opened. The replication partner has to be added to the Data Domain System Manager.
TCP 5001 | iPerf | iPerf uses this port by default. Changing the port requires entering the -p option from se iperf or the port option from net iperf. The remote side must listen on the new port.


TCP 27000 | Avamar client communications with Avamar server | Avamar client network hosts.
TCP 27000 | Avamar server communications with Replicator target server (Avamar proprietary communication) | Required if server is used as replication source.
TCP 28001 | Avamar client communications with administrator server | Avamar clients required.
TCP 28002 | Administrator server communications with Avamar client | Optional for browsing clients and canceling backups from Avamar Administrator management console.
TCP 29000 | Avamar client Secure Sockets Layer (SSL) communications with Avamar server | Avamar clients required.
TCP 29000 | Avamar server SSL communications with Replicator target server | Required if server is replication source.

IDPA System Manager (Data Protection Central)

IDPA System Manager uses inbound and outbound ports when communicating with remote systems.

Table 55 Outbound ports

Port number | Layer 4 protocol | Service
7 | TCP, UDP | ECHO
22 | TCP | SSO
25 | TCP | SMTP
53 | UDP, TCP | DNS
67, 68 | TCP | DHCP
80 | TCP | HTTP
88 | TCP, UDP | Kerberos
111 | TCP, UDP | ONC RPC
123 | TCP, UDP | NTP
161-163 | TCP, UDP | SNMP
389 | TCP, UDP | LDAP


443 | TCP | HTTPS
448 | TCP | Data Protection Search Admin REST API
464 | TCP, UDP | Kerberos
514 | TCP, UDP | rsh
587 | TCP | SMTP
636 | TCP, UDP | LDAPS
902 | TCP | VMware ESXi
2049 | TCP, UDP | NFS
2052 | TCP, UDP | mountd, clearvisn
3009 | TCP | Data Domain REST API
5672 | TCP | RabbitMQ over amqp
8443 | TCP | MCSDK (8443 is an alternative for 443)
9000 | TCP | NetWorker Management Console
9002 | TCP | Data Protection Advisor REST API
9090 | TCP | NetWorker Authentication Service and REST API
9443 | TCP | Avamar Management Console web service

Table 56 Inbound ports

Port number | Layer 4 protocol | Service
22 | TCP | SSH
80 | TCP | HTTP
443 | TCP | HTTPS
5671 | TCP | RabbitMQ over amqp


Search

This section lists information about Search network ports.

Port usage

Table 57 Default ports

Component | Service | Protocol | Port | Description
Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch.
Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application; Search web application; Admin REST API; Search REST API.
Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch.
Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access.
Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to enable communication during an automatic upgrade.
Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for the Avamar client communicating with the Avamar server. Each client requires two ports from each port range.
NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for the NetWorker client communicating with the NetWorker server.
OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP instances, are only opened internally.
SSH | sshd | TCP | 22 | Client connects to server through ssh.
NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally.

Firewall rules

Search requires access to the following external (worldwide) ports:

- 442:445 (Web/REST API)
- 28000-29000, 30000-31000 (Avamar Client)


- 7937-8100 (NetWorker client)
- 22 (SSH)

Search requires access to the following internal ports:

- 389 (OpenLDAP)
- 8140 (Puppet Master and Master node only)
- 61613 (Puppet)
- 9300:9400 (Elasticsearch)
- 111, 2049 (NFS)

To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.

Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.

Add an Avamar source server to Search

In the Search UI, identify one or more Avamar servers to be indexed. Indexing begins automatically after a source has been added.

About this task

You can add an Avamar server only if you have the Application Administrator role.

Procedure

1. In the Manage drop-down list, select Avamar.

2. Click Administration > Sources.

3. To add a source, click .

   The Add Source window displays.

4. In the Name field, enter a display name that identifies the Avamar server. The name must meet the following requirements:

   - One to 50 characters in length
   - No spaces
   - Combination of lower and uppercase letters, numbers, dashes, and underscores

5. In the Hostname field, enter the fully qualified hostname of the Avamar server by using one of the following formats:

   - IP address
   - FQDN

6. In the Port field, leave the default entry unless the Avamar server has been configured with a different port.

7. In the User ID field, enter the account name of the user with the administrator role on the Avamar server that is being added.

   For example, MCUser.

8. In the Password field, enter the password for the user who is identified in the User ID field.

9. Select an analyzer.

   The default standard analyzers are recommended for most use cases.


10. To enable a connection limitation, in the Connection Limitation field, select Enable.

    Note: By default, the Connection Limitation option is disabled.

    a. In the Indexing field, specify the number of concurrent indexing tasks across the cluster.

    b. In the Action field, specify the number of search actions across the cluster, which include download, full content indexing, and restore.

11. To enable a blackout window, in the Blackout Window field, select Enable.

    Enabling this option prevents Search from interacting with the source during specific hours each day. By default, the blackout window applies to all activities including indexing, monitoring, and search actions.

    a. Specify the time zone.

    b. Specify the time range.

12. Click Connect.

    If the source server connection is successful, a summary of the configuration is displayed. If necessary, you can edit the configuration:

    - To edit the Avamar domain, click the Domains link.

      Note: By default, Search selects all existing Avamar domains for indexing, apart from any replica domains (/REPLICATE). To index replica domains, select the checkbox next to the replica domain. You cannot index both a replica domain and the original domain that is being replicated in the same Search instance. If there is a requirement to index both, you must use different Search instances.

    - To edit the range of backups to index, click the Backups all will be indexed link.

    - To edit the schedule for indexing, click the Indexing will occur... link.

13. On the source summary page, click Done.

    The Next Steps page is displayed and lists the administration tasks.

Reporting and Analytics (Data Protection Advisor)

The following tables list information about Data Protection Advisor (DPA) network ports. Additional ports can be required for the DPA agents depending on the systems being monitored.

Table 58 DPA application port settings

Port | Description | Traffic direction
25 | TCP port used for the SMTP service | Outbound connection to SMTP server.
80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server.
161 | UDP port used for SNMP service | Outbound connection to SNMP devices.
389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server.


3741 | TCP port used for DPA agents communications. | Outbound connection to DPA agents.
4447 | TCP port used for intra-service communication | Inbound connection
4712 | TCP port used for intra-service communication | Localhost connection
4713 | TCP port used for intra-service communication | Localhost connection
5445 | TCP port used for intra-service communication | Localhost connection
5455 | TCP port used for intra-service communication | Localhost connection
8090 | TCP port used for intra-service communication | Localhost connection
9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients.
9003 | TCP port used for DPA Datastore communications. | Outbound connection to DPA Datastore.
9005 | TCP port used for JBoss Management | Localhost connection
9999 | TCP port used for JBoss Management | Localhost connection

Table 59 DPA datastore port settings

Port | Description | Traffic direction
3741 | TCP port used for DPA agents communications. | Inbound connection from DPA application server.
9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to DPA application server.
9003 | TCP port used for DPA datastore communications. | Inbound connection from DPA application server.

Table 60 DPA agent port settings

Port | Description | Traffic direction
3741 | TCP port used for DPA agents communications. | Inbound connection from DPA application server.


9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to DPA application server.

Table 61 DPA cluster port settings

Port | Description | Traffic direction
25 | TCP port used for the SMTP service | Outbound connection to SMTP server.
80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server.
161 | UDP port used for SNMP service | Outbound connection to SNMP devices.
389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server.
3741 | TCP port used for DPA agents communications. | Outbound connection to DPA agents.
4447 | TCP port used for intra-service communication | Inbound connection
4712 | TCP port used for intra-service communication | Localhost connection
4713 | TCP port used for intra-service communication | Localhost connection
5445 | TCP port used for intra-service communication | Bidirectional connection for cluster
5455 | TCP port used for intra-service communication | Bidirectional connection for cluster
7500 | Multicast over UDP | Bidirectional connection for cluster
7600 | Multicast over TCP | Inbound connection for cluster
8090 | TCP port used for intra-service communication | Localhost connection
9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients.
9003 | TCP port used for DPA datastore communications. | Outbound connection to DPA datastore.
9005 | TCP port used for JBoss Management | Localhost connection


9876 | Multicast over TCP | Bidirectional connection for cluster
9999 | TCP port used for JBoss Management | Localhost connection
23364 | Multicast over TCP | Bidirectional connection for cluster
45688 | Multicast over TCP | Bidirectional connection for cluster
45689 | Multicast over TCP | Bidirectional connection for cluster
45700 | Multicast over UDP | Bidirectional connection for cluster
54200 | Multicast over UDP | Bidirectional connection for cluster
54201 | Multicast over UDP | Bidirectional connection for cluster
55200 | Multicast over UDP | Bidirectional connection for cluster
55201 | Multicast over UDP | Bidirectional connection for cluster
57600 | Multicast over TCP | Bidirectional connection for cluster

Secure Remote Services

Secure Remote Services runs its services on the following ports.

The following ports should be opened on the Secure Remote Services (SRS) gateway server VM. The appliance components (AVE, DD, ACM, and DPA) communicate with SRS using these ports.

Table 62 Port requirements

Services | Ports
Connect Home support (legacy) - FTP | 21
Connect Home support (legacy) - HTTPS | 443
Connect Home support (legacy) - SMTP | 25
Provision, WebUI, RESTful services (such as device management, RESTful Connect Home, MFT, keepalive, and so on) | 9443


Remote server management (iDRAC)

The following table lists the ports that are required to remotely access iDRAC through a firewall. These are the default ports on which iDRAC listens for connections.

Table 63 Ports iDRAC listens on for connections

Port number | Type | Function | Configurable port | Maximum encryption level
22 | TCP | SSH | Yes | 256-bit SSL
23 | TCP | TELNET | Yes | None
80 | TCP | HTTP | Yes | None
161 | UDP | SNMP Agent | Yes | None
443 | TCP | HTTPS | Yes | 256-bit SSL
623 | UDP | RMCP/RMCP+ | No | 128-bit SSL
5900 | TCP | Virtual console keyboard and mouse redirection, Virtual Media, Virtual folders, and Remote File Share | Yes | 128-bit SSL
5901 | TCP | VNC | Yes | 128-bit SSL

Note: Port 5901 opens when the VNC feature is enabled.

The following table lists the ports that iDRAC uses as a client:

Table 64 Ports iDRAC uses as a client

Port number | Type | Function | Configurable port | Maximum encryption level
25 | TCP | SMTP | Yes | None
53 | UDP | DNS | No | None
68 | UDP | DHCP-assigned IP address | No | None
69 | TFTP | TFTP | No | None
123 | UDP | Network Time Protocol (NTP) | No | None
162 | UDP | SNMP trap | Yes | None
445 | TCP | Common Internet File System (CIFS) | No | None
636 | TCP | LDAP Over SSL (LDAPS) | No | 256-bit SSL
2049 | TCP | Network File System (NFS) | No | None
3269 | TCP | LDAPS for global catalog (GC) | No | 256-bit SSL
5353 | UDP | mDNS | No | None


514 | UDP | Remote syslog | Yes | None

Note: When Group Manager is enabled, iDRAC uses mDNS to communicate through port 5353. However, when it is disabled, port 5353 is blocked by iDRAC's internal firewall and appears as an open|filtered port in port scans.

Data Domain Cloud Disaster Recovery

The following ports should be opened for communication between the specified components:

Table 65 Required Data Domain Cloud Disaster Recovery ports

Port | Description
111 | Communication between Data Domain and CDRA
443 | Communication between CDRA and AWS
443 | Communication between CDRA and CDRS
443 | Communication between CDRA and vCenter
443 | Communication between a local restore VM and AWS
2049 | Communication between Data Domain and CDRA
9443 | Communication between Avamar and CDRA


INDEX

A
Active Directory 24
alerting 43
auditing 40
authentication 22, 24, 25, 29
authentication, certificates 24
authentication, keys 24
authentication, local sources 23
authentication, remote component 29
authentication, role-based 32
authentication, setup 23
authenticity 50
authorization 30
authorization, default 30
authorization, external 31
authorization, rules 30

C
certificate management 40
certificates 24
clients 50
communications, security 36
credential management 25
credentials, default 26
credentials, managing 28
cryptographic modules 39
cryptography 38
cryptography, certificate management 40
cryptography, certified modules 39
cryptography, configuration 38
customer service access 44

D
data erasure 37
data security 36
default accounts 25
deployment models 16

E
encryption, data at rest 37

F
firewall 36

I
integrity 50
interfaces 43

K
keys 24

L
LDAP 24
legal disclaimers 9
local accounts, deleting 28
local accounts, disabling 28
lockout, user 23
logging 40
login banner 22
login behavior 22
login security 22
logs, alerting 43
logs, format 42
logs, locations 41
logs, management 41
logs, protection 42
logs, usage 41

M
maintenance aids 45
map, security controls 20

N
network exposure 34
network interfaces 35
network ports 34
network security 34
networking 34

P
passwords, complexity 28
passwords, managing 28
physical interfaces 43
physical security 43, 44
preface 9

R
remote connections 29
requirements, customer 47
roles 32
roles, configuring 33
roles, default 32
roles, external association 34
roles, mapping 33

S
security controls map 20
security updates 46
security, communications 36
service use, responsible 46
serviceability 45
statement of volatility 45


T
tampering, evidence 44
tampering, resistance 44

U
unauthenticated interfaces 25
updates 46, 47

V
volatility 45
