VPLEX Security

This guide provides an overview of VPLEX security configuration settings, including the secure deployment and usage settings needed to use VPLEX securely. Topics include:

◆ VPLEX overview ......................................................................................................... 2
◆ VPLEX management server operating system and networking .......................... 4
◆ IP addresses and component IDs .............................................................................. 8
◆ Security configuration settings ................................................................................ 12
◆ Log file settings .......................................................................................................... 16
◆ Communication security settings ........................................................................... 17
◆ Data security settings ................................................................................................ 20

EMC® VPLEX™ Security Configuration Guide
P/N 300-010-493
Rev A05
June 7, 2011

VPLEX overview

An EMC® VPLEX™ cluster consists of one, two, or four engines (each containing two directors) and a management server. A dual-engine or quad-engine cluster also contains a pair of Fibre Channel switches for communication between directors.

Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an uninterruptible power supply (UPS). (In a dual-engine or quad-engine cluster, the management server also gets power from a UPS.)

The management server has a public Ethernet port, which provides cluster management services when connected to the customer network. The management server can also provide call-home services through the public Ethernet port by connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC personnel to provide remote service.

Three VPLEX implementations are available:

◆ VPLEX Local™ (single cluster)

◆ VPLEX Metro™ (two clusters separated by synchronous distances)

◆ VPLEX Geo™ (two clusters separated by asynchronous distances).

In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over Fibre Channel between the directors, and over IP between the management servers.

VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with Services for Unix, SFU 3.5). The management server in each VPLEX cluster authenticates users against account information kept on its local filesystem or against the LDAP/AD server. An authenticated user can manage resources in the local cluster. In a VPLEX Metro or VPLEX Geo implementation, users authenticated by either management server can manage all resources in both clusters. Figure 1 on page 3 shows a VPLEX cluster configuration example.

Figure 1 VPLEX cluster configuration (diagram: Engines 1 through 4, each backed by SPS units; Management Server; FC Switch A powered by UPS A; FC Switch B powered by UPS B)

VPLEX management server operating system and networking

The VPLEX management server's operating system (OS) is based on the Novell SUSE Linux Enterprise Server 10 distribution. The operating system has been configured to meet EMC security standards by disabling or removing unused services and by protecting access to network services through a firewall.

A management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop, providing access to the same services as a host on the management LAN.

Figure 2 Management server, rear view

Accessing the management server

Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec VPN.

Using SSH to access the management server shell

Users can log in to the management server shell over SSH, through the management server's public Ethernet port or service port. The SSH service is available on the standard port 22.

An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there:

◆ Users can access the VPLEX command line interface (VPlexcli).

◆ An admin account user can create, modify, and delete user accounts.

◆ A service account user can inspect log files, start and stop services, and upgrade firmware and software.

SSH also can be used to establish a secure tunnel between the management server and the host running the SSH client. “Using a tunneled VNC connection to access the management server desktop” on page 5 provides more information.

Figure 2 labels: eth0 and eth2 (redundant private management networks); eth1 (service port, connected by a service cable to a customer workstation); eth3 (public Ethernet port, connected by a customer-provided Ethernet cable to the customer IP network).


Using HTTPS to access the VPLEX GUI

The VPLEX Management Console’s graphical user interface (GUI) is accessible as a web service on the management server's public Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443.

The following URL initiates an HTTPS connection to the GUI:

https://<management_server_public_IP_address>

The GUI encrypts all traffic using a server certificate. “Creating a host certificate” on page 18 provides more information.

Note: The GUI has a timer that logs the user out after 10 minutes if no activity has occurred. If you want to change the timeout setting, contact the EMC Support Center.

Using IPsec VPN in a VPLEX Metro implementation

The management servers of the two VPLEX Metro clusters must connect to each other over a Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3.

Figure 3 IPsec VPN connection

Although you might have already secured the network connections between two VPLEX Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management control over the local cluster and its resources.

The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux.

Using SCP to copy files

The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP, PSCP (provided by the PuTTY package), and the scp client provided by OpenSSH.

Using a tunneled VNC connection to access the management server desktop

The SSH protocol provides a mechanism for sending unencrypted traffic through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port), and a port on the management server (destination port).

Figure 3 labels: Mgmt server 1 (Cluster 1), eth0/eth2 on Subnet A 128.221.252.32/27 and Subnet B 128.221.253.32/27; Mgmt server 2 (Cluster 2), eth0/eth2 on Subnet A 128.221.252.64/27 and Subnet B 128.221.253.64/27; the eth3 ports of both management servers are joined by an IPsec tunnel across the customer IP network.


Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are RealVNC and TightVNC.

To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must remain running, to allow the SSH tunnel to remain operational.

Follow these steps to establish a tunneled VNC connection using PuTTY:

1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the following:

• Server address — Public IP address of the VPLEX management server.

• Session name — Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again.

• Default settings — Verify, and set as shown if necessary.

Figure 4 PuTTY Configuration window

2. Expand SSH in the Category list, and click Tunnels.

3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click Add.



Figure 5 PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server.

When prompted, type the admin account password.

5. Authenticate as usual, and leave the PuTTY window open.

6. Launch the VNC viewer, and connect to localhost:5901.


IP addresses and component IDs

The IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number).

Figure 6 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the Cluster ID, which depends on the VPLEX implementation:

◆ VPLEX Local - The Cluster ID is always 1.

◆ VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.
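The formulae referred to above are not printed in the guide, only their results in Figures 3 and 6 to 9. The following Python is an added example, not EMC code: it infers the arithmetic from those figures (one /27 per cluster and network from Figure 3; management server at .33/.65, FC switch at .34/.66, directors from .35/.67 upward from Figures 6 to 9), reproduces every address they show, and adds a constructed inventory check that flags hosts on a private management network which the formulae do not predict, which is where a defender would look for an unexpected device.

```python
"""Reconstruct VPLEX private-management-network addressing from the figures.

Added example, not EMC code. The guide states that component addresses follow
formulae but prints only their results (Figures 3 and 6 to 9); the arithmetic
below is inferred from those figures and reproduces every address they show.
audit_network() is a constructed defender's check built on top: compare the
hosts actually seen on a private management network with the predicted set.
"""
import ipaddress

# Management network A uses third octet 252, network B uses 253.
NETWORK_THIRD_OCTET = {"A": 252, "B": 253}
SERVICE_PORT_IP = "128.221.252.2"  # eth1 service port, identical in every cluster


def management_subnet(seed: int, network: str) -> ipaddress.IPv4Network:
    """Each cluster owns one /27 per network: .32/27 for seed 1, .64/27 for seed 2."""
    return ipaddress.ip_network(f"128.221.{NETWORK_THIRD_OCTET[network]}.{32 * seed}/27")


def management_server_ip(seed: int, network: str) -> str:
    """Mgt A / Mgt B port: first usable address of the cluster's /27 (.33, .65)."""
    return f"128.221.{NETWORK_THIRD_OCTET[network]}.{32 * seed + 1}"


def fc_switch_ip(seed: int, network: str) -> str:
    """FC switch A sits on network A and switch B on network B, one above the server (.34, .66)."""
    return f"128.221.{NETWORK_THIRD_OCTET[network]}.{32 * seed + 2}"


def director_ip(seed: int, network: str, enclosure_id: int, director: str) -> str:
    """Directors start at .35 (.67 for seed 2): two addresses per engine, A before B."""
    if network not in NETWORK_THIRD_OCTET or director not in ("A", "B"):
        raise ValueError("network and director must be 'A' or 'B'")
    if not 1 <= enclosure_id <= 4:
        raise ValueError("enclosure ID (engine number) must be between 1 and 4")
    host = 32 * seed + 3 + 2 * (enclosure_id - 1) + (1 if director == "B" else 0)
    return f"128.221.{NETWORK_THIRD_OCTET[network]}.{host}"


def expected_hosts(seed: int, network: str, engines: int) -> dict:
    """Map every predicted address on one management network to its component."""
    hosts = {management_server_ip(seed, network): "management server"}
    if engines > 1:  # FC switches exist only in dual- and quad-engine clusters
        hosts[fc_switch_ip(seed, network)] = f"FC switch {network}"
    for engine in range(1, engines + 1):
        for director in ("A", "B"):
            hosts[director_ip(seed, network, engine, director)] = f"director {engine}{director}"
    return hosts


def audit_network(seed: int, network: str, engines: int, observed: list) -> dict:
    """Classify addresses seen on a private management network.

    'unexpected' hosts are not part of the predicted inventory and deserve
    investigation; 'missing' hosts point at a component that is down or
    mis-addressed; 'outside_subnet' hosts do not even belong to the /27.
    """
    expected = expected_hosts(seed, network, engines)
    subnet = management_subnet(seed, network)
    seen = set(observed)
    return {
        "unexpected": sorted(ip for ip in seen if ip not in expected),
        "missing": sorted(ip for ip in expected if ip not in seen),
        "outside_subnet": sorted(ip for ip in seen if ipaddress.ip_address(ip) not in subnet),
    }


if __name__ == "__main__":
    # Constructed sighting of Cluster 2, network B, dual-engine: director 2B absent, one stray host.
    sighting = ["128.221.253.65", "128.221.253.66", "128.221.253.67",
                "128.221.253.68", "128.221.253.69", "128.221.253.99"]
    print(audit_network(2, "B", 2, sighting))
```

Because the private management networks carry no customer traffic, any address that the formulae do not account for is worth a ticket; the check is cheap enough to run from a monitoring job against ARP or switch MAC tables.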

VPLEX VS1 hardware

Figure 6 Component IP addresses in Cluster 1 (Cluster IP Seed = 1; Enclosure IDs = engine numbers)

Component                        Management network A    Management network B
Management server, Mgt A port    128.221.252.33          -
Management server, Mgt B port    -                       128.221.253.33
FC switch A                      128.221.252.34          -
FC switch B                      -                       128.221.253.34
Engine 1: Director 1A            128.221.252.35          128.221.253.35
Engine 1: Director 1B            128.221.252.36          128.221.253.36
Engine 2: Director 2A            128.221.252.37          128.221.253.37
Engine 2: Director 2B            128.221.252.38          128.221.253.38
Engine 3: Director 3A            128.221.252.39          128.221.253.39
Engine 3: Director 3B            128.221.252.40          128.221.253.40
Engine 4: Director 4A            128.221.252.41          128.221.253.41
Engine 4: Director 4B            128.221.252.42          128.221.253.42

Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.

Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 (Cluster IP Seed = 2; Enclosure IDs = engine numbers)

Component                        Management network A    Management network B
Management server, Mgt A port    128.221.252.65          -
Management server, Mgt B port    -                       128.221.253.65
FC switch A                      128.221.252.66          -
FC switch B                      -                       128.221.253.66
Engine 1: Director 1A            128.221.252.67          128.221.253.67
Engine 1: Director 1B            128.221.252.68          128.221.253.68
Engine 2: Director 2A            128.221.252.69          128.221.253.69
Engine 2: Director 2B            128.221.252.70          128.221.253.70
Engine 3: Director 3A            128.221.252.71          128.221.253.71
Engine 3: Director 3B            128.221.252.72          128.221.253.72
Engine 4: Director 4A            128.221.252.73          128.221.253.73
Engine 4: Director 4B            128.221.252.74          128.221.253.74

Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.


VPLEX VS2 hardware

Figure 8 Component IP addresses in Cluster 1 (VS2 hardware; Cluster IP Seed = 1; Enclosure IDs = engine numbers)

Component                        A side (management network A)    B side (management network B)
Management server, Mgt A port    128.221.252.33                   -
Management server, Mgt B port    -                                128.221.253.33
FC switch A                      128.221.252.34                   -
FC switch B                      -                                128.221.253.34
Engine 1: Director 1A            128.221.252.35                   128.221.253.35
Engine 1: Director 1B            128.221.252.36                   128.221.253.36
Engine 2: Director 2A            128.221.252.37                   128.221.253.37
Engine 2: Director 2B            128.221.252.38                   128.221.253.38
Engine 3: Director 3A            128.221.252.39                   128.221.253.39
Engine 3: Director 3B            128.221.252.40                   128.221.253.40
Engine 4: Director 4A            128.221.252.41                   128.221.253.41
Engine 4: Director 4B            128.221.252.42                   128.221.253.42

Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.

Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 (VS2 hardware; Cluster IP Seed = 2; Enclosure IDs = engine numbers)

Component                        A side (management network A)    B side (management network B)
Management server, Mgt A port    128.221.252.65                   -
Management server, Mgt B port    -                                128.221.253.65
FC switch A                      128.221.252.66                   -
FC switch B                      -                                128.221.253.66
Engine 1: Director 1A            128.221.252.67                   128.221.253.67
Engine 1: Director 1B            128.221.252.68                   128.221.253.68
Engine 2: Director 2A            128.221.252.69                   128.221.253.69
Engine 2: Director 2B            128.221.252.70                   128.221.253.70
Engine 3: Director 3A            128.221.252.71                   128.221.253.71
Engine 3: Director 3B            128.221.252.72                   128.221.253.72
Engine 4: Director 4A            128.221.252.73                   128.221.253.73
Engine 4: Director 4B            128.221.252.74                   128.221.253.74

Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.

Security configuration settings

This section provides an overview of the settings required to use VPLEX securely.

User roles and accounts

Table 1 describes each VPLEX user account.

Table 1 VPLEX user roles and accounts

Component: Management server

  Role: Service (a)
  Default account: service
  Default password: Mi@Dim7T
  Privileges:
  • Access to the management server desktop, VPlexcli, and Management Console GUI
  • Ability to start and stop management server services
  • Access to most files on the filesystem

  Role: Administrator (a)
  Default account: admin
  Default password: teS6nAX2 (b)
  Privileges:
  • Ability to create, modify, and delete VPLEX user accounts
  • Access to the management server desktop, VPlexcli, and GUI
  • Ability to start and stop management server services

Component: Fibre Channel COM switches (c)

  Role: Service
  Default account: service (d)
  Default password: Mi@Dim7T
  Privileges:
  • Access to the switch interface
  • Ability to start and stop switch services
  • Access to most files on the switch

  Role: Administrator
  Default account: admin
  Default password: Ry3fog4M (d)
  Privileges:
  • Access to the switch interface
  • Ability to add and delete other accounts
  • Ability to change passwords

  Role: User
  Default account: user
  Default password: jYw13ABn
  Privileges:
  • Access to the switch interface

a. You cannot delete the default management server accounts.

b. The first user who logs in as admin is prompted to change this password; the change is required before any user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in “Changing passwords” on page 13, with the exception of step 4 (because you are asked to change the password after you log in).

c. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.

d. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), the admin account password is password, and there is no service account.

Configuring user authentication

VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with Services for Unix, SFU 3.5). Usernames and passwords are stored on the management server, and cannot be managed by external authentication services. Refer to the VPLEX CLI Guide for information on the commands used to configure user authentication.

Password policy

The VPLEX management server uses the Pluggable Authentication Module (PAM) infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that checks candidate passwords against dictionary words, to check potential passwords.

The command man pam_cracklib on the management server provides more information about how this PAM module works. The management server uses all default parameters.


pam_cracklib applies the following rules:

◆ Minimum password length of eight characters, including numbers, upper-case and lower-case letters, and special characters

◆ No dictionary words

◆ Comparison to the previous password: checks for palindromes, case-only changes, password similarity and rotation, to prevent users from using an old password with only a slight change
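As an added example, not EMC code and not pam_cracklib itself, the checker below re-implements the three rules as the guide lists them so that an administrator can pre-check a candidate password before the CLI prompt rejects it. It assumes pam_cracklib's default difok of 5 differing characters as the similarity threshold (pam_cracklib's own credit-based scoring differs in detail) and uses a small constructed word list in place of the system dictionary.

```python
"""Pre-check a candidate password against the rules listed above.

Added example, not EMC code and not pam_cracklib itself: pam_cracklib scores
character classes with credits and its thresholds are configurable, so this
re-implements the rules as the guide states them. Assumptions: the similarity
threshold is pam_cracklib's default difok of 5 differing characters, and
DICTIONARY is a constructed stand-in for the system cracklib word list.
"""

MIN_LENGTH = 8
DIFOK = 5  # pam_cracklib default: at least this many characters must differ from the old password
DICTIONARY = {"password", "welcome", "vplex", "summer", "letmein", "dragon"}  # constructed


def character_classes(password: str) -> set:
    """Which of the four classes the guide requires are present."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        else:
            classes.add("special")
    return classes


def is_rotation(old: str, new: str) -> bool:
    """'abcdef' -> 'defabc' is a rotation; equal-length rotations appear inside old+old."""
    return len(old) == len(new) and len(old) > 0 and new in old + old


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the measure behind the similarity rule."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def check_password(new: str, old: str = "") -> list:
    """Return the rules the candidate violates; an empty list means it would be accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"digit", "upper", "lower", "special"} - character_classes(new)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = new.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if len(new) > 1 and new == new[::-1]:
        problems.append("is a palindrome")
    if old:
        if new == old:
            problems.append("same as the old password")
        elif new.lower() == old.lower():
            problems.append("differs from the old password only in case")
        elif new == old[::-1]:
            problems.append("is the old password reversed")
        elif is_rotation(old, new):
            problems.append("is a rotation of the old password")
        elif edit_distance(old, new) < DIFOK:
            problems.append("too similar to the old password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Sp1nach!Rock", ""), ("Summer2011!", ""), ("Sp1nach!Rocks", "Sp1nach!Rock")]:
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

The dictionary rule is the one most often tripped in practice: a password such as a season plus a year passes the length and character-class rules but is rejected because it contains a dictionary word.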

Adding user accounts

A user with an admin account can create a new account as follows:

1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

2. Log in with username admin.

3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

• If VPLEX GeoSynchrony 4.0.x is running on the cluster:

telnet localhost 49500

• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin.

4. From the VPlexcli prompt, type the following command:

user add -u <username>

a. When prompted, type the admin account password.

b. When prompted for a password for the new user, type a password that adheres to the rules in “Password policy” on page 12.

c. When prompted, retype the new password.

Note: The new user must change the password the first time he or she logs in.

Changing passwords

Any user with an admin or service account can change his/her own password as follows:

1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

2. Log in with the applicable username: admin or service.

3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

• If VPLEX GeoSynchrony 4.0.x is running on the cluster:

telnet localhost 49500

• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with the applicable username: admin or service.


4. From the VPlexcli prompt, type the following command:

user passwd -u <username>

a. When prompted, type the old password.

b. When prompted for a new password, type a password that adheres to the rules in “Password policy” on page 12.

c. When prompted, retype the new password.

Resetting passwords

A user with an admin account can reset passwords for other users as follows:

1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

2. Log in with username admin.

3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

• If VPLEX GeoSynchrony 4.0.x is running on the cluster:

telnet localhost 49500

• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin.

4. From the VPlexcli prompt, type the following command:

user reset -u <username>

a. When prompted, type the admin account password.

b. When prompted for a new password for the user, type a password that adheres to the rules in “Password policy” on page 12.

c. When prompted, retype the new password.

Note: The user must change the password the next time he or she logs in.

Changing the service account password

Customers who want the service password to be different from the default password must ask the EMC representative installing VPLEX to modify the password. Because the service account is used by EMC to provide remote support through the EMC ESRS gateway, the service password must be recorded in the customer service database in order to provide this support.

The service password must be changed in two locations:

◆ Management server

◆ Fibre Channel switches

To change the service password on the Fibre Channel switches, use the switch's passwd command.

Deleting user accounts

A user with an admin account can delete a different account as follows:


1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

2. Log in with username admin.

3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

• If VPLEX GeoSynchrony 4.0.x is running on the cluster:

telnet localhost 49500

• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin.

4. From the VPlexcli prompt, type the following command:

user remove -u <username>

When prompted, type the admin account password.

Log file settings

This section describes log files relevant to security.

Log file location

Table 2 lists the name and location of VPLEX component log files relevant to security.

Log file management and retrieval

All logs rotate automatically, to avoid unbounded consumption of disk space.

Table 2 VPLEX component log files

Component               Location
Management Console      /var/log/VPlex/cli/session.log_<username>
Management server OS    /var/log/messages
ConnectEMC              /var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall                /var/log/firewall
VPN (ipsec)             /var/log/events.log

Communication security settings

This section describes the communication security settings that enable you to establish secure communication channels between VPLEX components, and between VPLEX components and external systems. It covers port usage, network encryption, creation and installation of the local Certification Authority and host certificate, and how to obtain host certificate and host key fingerprints.

Port usage

Table 3 lists each port, its function, and the service that uses the port.

Table 3 Port Usage

Port: Public port TCP/22; Service port TCP/22
Function: Log in to the management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels
Service: SSH

Port: Public port TCP/21; Public port TCP/443; Public port TCP/5400 to 5413
Function: ESRS (EMC Secure Remote Service) access to VPLEX
Service: ESRS

Port: Public port TCP/50
Function: IPsec VPN
Service: ESP

Port: Public port UDP/500
Function: IPsec VPN
Service: ISAKMP

Port: Public port UDP/4500
Function: IPsec VPN
Service: IPsec NAT traversal

Port: Public port UDP/123
Function: Time synchronization service
Service: NTP

Port: Public port TCP/161; Public port UDP/161
Function: Get performance statistics
Service: SNMP

Port: Public port TCP/443; Service port TCP/443
Function: Web access to the VPLEX Management Console’s graphical user interface
Service: HTTPS

Port: Localhost TCP/5901
Function: Access to the management server's desktop. Not available on the public network. Must be accessed through an SSH tunnel.
Service: VNC

Port: Localhost TCP/49500
Function: VPlexcli. Not available on the public network. Must be accessed through SSH.
Service: Telnet

Network encryption

The VPLEX management server supports SSH through the sshd daemon provided by the OpenSSH package. It supports versions 1 and 2 of the SSH protocol.

When the management server starts for the first time, the sshd daemon generates key pairs (private and public key) for communication with SSH clients. An rsa1 key pair is generated to support communication with SSH version 1 clients, and rsa and dsa key pairs are generated to support communication with SSH version 2 clients. All keys have a 2048-bit length.
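Table 3 doubles as a hardening baseline: whatever listens on the management server should appear in the table, and the two localhost-only services must stay off the public interface. The following Python is an added example rather than EMC code; it encodes the table as a policy and checks a listing of listening sockets against it. The socket listing is constructed in the column layout of `ss -lntu` output and is not a real capture from a management server.

```python
"""Check a management server's listening sockets against the Table 3 port policy.

Added example, not EMC code. PORT_POLICY is transcribed from Table 3 above.
SAMPLE_SS is a constructed listing in the column layout of `ss -lntu`
(Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port), not a real
capture. Two things a defender wants confirmed: nothing listens that Table 3
does not list, and the localhost-only services (VNC on 5901, VPlexcli telnet
on 49500) are bound to the loopback address rather than to every interface.
"""

# (protocol, port) -> (service name, allowed bind scope).
# "public": may be reachable on the public or service port address.
# "localhost": must be bound to the loopback address only.
PORT_POLICY = {
    ("tcp", 22): ("SSH", "public"),
    ("tcp", 21): ("ESRS", "public"),
    ("tcp", 443): ("HTTPS / ESRS", "public"),
    **{("tcp", port): ("ESRS", "public") for port in range(5400, 5414)},
    ("tcp", 50): ("IPsec VPN ESP", "public"),  # listed as TCP/50 in Table 3
    ("udp", 500): ("ISAKMP", "public"),
    ("udp", 4500): ("IPsec NAT traversal", "public"),
    ("udp", 123): ("NTP", "public"),
    ("tcp", 161): ("SNMP", "public"),
    ("udp", 161): ("SNMP", "public"),
    ("tcp", 5901): ("VNC", "localhost"),
    ("tcp", 49500): ("VPlexcli telnet", "localhost"),
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: VNC wrongly exposed on all interfaces, plus an unlisted tcp/8080.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:5901      0.0.0.0:*
tcp   LISTEN 0      50     127.0.0.1:49500   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:500       0.0.0.0:*
"""


def parse_ss_line(line: str):
    """Return (proto, bind_address, port) for one socket line, or None for headers/blank lines."""
    parts = line.split()
    if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
        return None
    address, _, port = parts[4].rpartition(":")  # rpartition keeps IPv6 colons intact
    return parts[0], address.strip("[]").replace("*", "0.0.0.0"), int(port)


def audit_listeners(ss_output: str) -> list:
    """Return findings as strings; an empty list means the host matches Table 3."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, address, port = parsed
        policy = PORT_POLICY.get((proto, port))
        if policy is None:
            findings.append(f"{proto}/{port} on {address}: not listed in Table 3, investigate")
            continue
        service, scope = policy
        if scope == "localhost" and address not in LOOPBACK:
            findings.append(f"{proto}/{port} ({service}) bound to {address}: must be loopback only")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```

Run against the real `ss -lntu` output of a management server, the same function gives a quick drift check after an upgrade or a service restart; the firewall still governs what is reachable, but a service bound to 0.0.0.0 that Table 3 says is localhost-only is a misconfiguration worth correcting before relying on the firewall alone.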


The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server and encrypt all traffic. X.509 host certificates use a 2048-bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host certificate request) is created automatically.

Currently, VPLEX does not support a corporate Certification Authority signing the host certificate requests.

Creating a local Certification Authority

A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing management server certificates.

The VPlexcli command security create-ca-cert creates a CA certificate file and private key protected by a passphrase. By default, this command creates the following:

◆ A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem

◆ A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for 1825 days (5 years)

You must provide a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the VPLEX cluster's serial number (found on the label attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or VPLEX Geo implementation, you can use either cluster's serial number.

Creating a host certificate

Note: Host certificates are created as part of EZsetup during a first-time installation.

The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification Authority certificate created as described in “Creating a local Certification Authority” on page 18. By default, this command creates the following:

◆ A 2048-bit host key in /etc/ipsec.d/private/hostKey.pem

◆ A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days (2 years)

You must provide the CA key passphrase (to sign the request), a passphrase for the host key, and the host certificate subject, which must be the cluster's serial number (found on the label attached to the top of the VPLEX cabinet).

Installing the host certificate for use by HTTPS

At the Linux shell prompt on the management server, type the following command to convert the X.509 certificate into JKS (Java KeyStore) format for use by Tomcat:

sudo /opt/emc/VPlex/tools/utils/JKSsetup.pl

You must provide the host certificate's passphrase before converting the host certificate into a format suitable for HTTPS service.

Obtaining host certificate and host key fingerprints

When users first connect to the management server over SSH, or to the GUI using the HTTPS protocol, they are asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1 checksums, allowing users to verify that they are connected to the VPLEX management server and not to another machine, possibly one deployed to harvest logins and passwords in a man-in-the-middle attack.


Once the user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead warn the user if the management server's fingerprint has changed, which may be another indication of man-in-the-middle attacks.

A VPLEX administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used for the GUI and for the host keys used for SSH access to the management server.

To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints:

1. At the Linux shell prompt, type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:

MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

2. Type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1

Output example:

SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4

To find the SSH key fingerprint (for SSH users):

1. At the Linux shell prompt, type the following command:

/etc/ssh # ssh-keygen -l -f ssh_host_dsa_key

Output example:

1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:

/etc/ssh # ssh-keygen -l -f ssh_host_rsa_key

Output example:

1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:

/etc/ssh # ssh-keygen -l -f ssh_host_key

Output example:

1024 1f:07:f1:f5:21:f6:fa:ae:74:aa:64:d7:4d:67:d4:c2 root@lsca5216
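Publishing the fingerprints is only half of the control; the user must compare what the client shows with the published value, and the two appear in different formats (openssl's uppercase 'MD5 Fingerprint=' form above versus ssh-keygen's '<bits> <hex> <comment>' form, and browsers and SSH clients present them differently again). The Python below is an added example, not EMC code: it normalizes both forms for comparison against the guide's example values, recomputes an X.509 fingerprint the way `openssl x509 -fingerprint` does (a hash over the DER-encoded certificate), and recomputes an `ssh-keygen -l` MD5-form fingerprint from a constructed ssh-rsa public key line that is not a real key.

```python
"""Compare the fingerprints shown to a user against pinned values.

Added example, not EMC code. It handles the two output formats shown above:
`openssl x509 -fingerprint` (uppercase hex after 'MD5 Fingerprint=' or
'SHA1 Fingerprint=') and `ssh-keygen -l` in its MD5 form (bit count,
lowercase hex, comment). PINNED holds the example values printed in the
guide. make_ssh_rsa_line() builds a constructed ssh-rsa public key with a
meaningless modulus, NOT a real key; it exists only to give the parser input.
"""
import base64
import hashlib
import struct

# Published out of band by the administrator; values are the guide's output examples.
PINNED = {
    "gui_cert_md5": "MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62",
    "gui_cert_sha1": "SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4",
    "ssh_rsa_md5": "1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub",
}


def normalize_fingerprint(text: str) -> str:
    """Reduce any displayed form to bare lowercase colon-separated hex.

    Drops an 'ALGO Fingerprint=' prefix and, for ssh-keygen output, the leading
    bit count and trailing comment, so a value pasted from a client's dialog
    can be compared with a pinned value regardless of presentation.
    """
    if "=" in text:
        text = text.split("=", 1)[1]
    for token in text.split():
        parts = token.split(":")
        if len(parts) >= 16 and all(len(p) == 2 for p in parts):
            return token.lower()
    raise ValueError(f"no fingerprint found in {text!r}")


def fingerprint_matches(shown: str, pinned: str) -> bool:
    """True only when the fingerprint the client displays equals the pinned one."""
    return normalize_fingerprint(shown) == normalize_fingerprint(pinned)


def colon_hex(digest: bytes, upper: bool) -> str:
    text = ":".join(f"{b:02x}" for b in digest)
    return text.upper() if upper else text


def x509_fingerprint(der: bytes, algo: str) -> str:
    """Same value as `openssl x509 -fingerprint -<algo>`: the hash of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).digest()
    return f"{algo.upper()} Fingerprint={colon_hex(digest, upper=True)}"


def ssh_pubkey_fingerprint(line: str) -> str:
    """Reproduce `ssh-keygen -l` (MD5 form): '<bits> <md5 of the key blob> <comment>'."""
    keytype, b64, *comment = line.split()
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):  # SSH wire format: 4-byte big-endian length, then payload
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if keytype != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa blobs are handled in this example")
    modulus = fields[2].lstrip(b"\x00")  # fields: type, e, n; drop the mpint sign byte
    bits = (len(modulus) - 1) * 8 + modulus[0].bit_length()
    return f"{bits} {colon_hex(hashlib.md5(blob).digest(), upper=False)} {' '.join(comment)}"


def make_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as an OpenSSH public-key line; used only to build the constructed sample."""
    def mpint(value: int) -> bytes:
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    shown = "6e:2c:a5:8e:86:11:45:26:02:09:62:97:6f:18:fd:62"  # as a browser might display it
    print("GUI certificate matches pinned MD5:", fingerprint_matches(shown, PINNED["gui_cert_md5"]))
    sample = make_ssh_rsa_line(65537, (1 << 1023) | 12345, "constructed.pub")  # constructed, not a real key
    print(ssh_pubkey_fingerprint(sample))
```

A mismatch from `fingerprint_matches()` on a first connection, or a client warning that a previously accepted fingerprint has changed, is the signal the section above describes: stop, and confirm with the administrator whether the host keys or certificate were legitimately regenerated before accepting the new value.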

Data security settings

Encryption of data at rest: user passwords

Hashed user passwords are stored in /etc/passwd on the VPLEX directors.

GeoSynchrony uses a hard-coded hashing algorithm to protect the stored passwords.

Copyright © 2011 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.
