H18480.4
Configuration Guide
Abstract
This configuration guide describes how to configure PowerProtect DD
systems used with the Dell PowerProtect Cyber Recovery solution.
The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect
to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular
purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2020 - 2022 Dell Inc. or its subsidiaries. Published in the USA 11/22 Configuration Guide H18480.4.
Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change
without notice.
Contents
Chapter 1 Introduction 5
Overview ...............................................................................................................6
Terminology ..........................................................................................................6
We value your feedback ........................................................................................6
Chapter 3 DD Hardening 14
Review settings ...................................................................................................15
Follow best practices...........................................................................................16
Set a valid system passphrase .........................................................................17
Multifactor authentication for sysadmin and security-officer authorization .........18
Set access controls .............................................................................................18
Review access control security .........................................................................19
Configure SSH and UI access timeout ..............................................................19
Access control ..................................................................................................20
User authorization.............................................................................................20
Secure login through HTTPS ............................................................................20
NTP services ....................................................................................................21
Securing the air gap ............................................................................................23
Minimum required DD ports ..............................................................................23
Data security control .........................................................................................26
Other security settings ......................................................................................29
Perform hardening procedures ............................................................................30
Configure administrator access.........................................................................30
Follow password policy .....................................................................................30
Set up accounts ................................................................................................31
Configure authentication settings ......................................................................31
Configure mail server settings...........................................................................31
Configure IPMI settings.....................................................................................32
Chapter 1 Introduction
Overview
The PowerProtect Cyber Recovery solution maintains mission-critical business data and
technology configurations in a secure, air-gapped 'vault' environment that can be used for
recovery or analysis. The Cyber Recovery Vault (CR Vault) is physically isolated from an
unsecure system or network.
The Cyber Recovery solution uses DD systems to replicate data from the production
system to the CR Vault through a dedicated replication data link.
Terminology
The following table provides definitions for some of the terms that are used in this
document.
Table 1. Terminology
Term: Definition
Cyber Recovery Vault (CR Vault): Secure location, which is the target for DD MTree replication. The CR Vault requires at least one DD and a dedicated network.
Slot assignments (from the DD model hardware tables):
Description: Slot
4 x 10 GbE RJ-45: 6
Serial port: 9
16 GB NVRAM, FH: 3
16 GB NVRAM, FH: 2
QLogic 41164 4 Port, 10 GbE SFP+ PCIe, full height: 6, 8, 4, 10, 3, 13, 5
16 GB NVRAM, FH: 11
Note: For information about cabling and the SFP module requirements, see the setup and
installation guide for the specific DD system model.
DD system summary
Complete the following table to list the target DD system summary:
Component: Notes
Location:
Name:
Serial number:
Domain name:
DDOS version:
Model number:
Default gateway:
Primary DNS: Recommended for setting up an isolated DNS server in the CR Vault; not shared with other environments
NTP server: Optional; if used, ensure that it is isolated and not shared with other environments
Interface:
IP address:
Netmask:
Duplex: Full
Media: Fiber
Speed: 10 GB/s
Interfaces ethMe / ethMf:
IP address:
Netmask:
Duplex: Full
Media: Fiber
Speed: 10 GB/s
Interfaces eth0a / eth0b:
IP address:
Netmask: 255.255.255.0
Duplex: Full
Media: Fiber
Speed: 10 GB/s
b. Verify that there is SSH connectivity from the Cyber Recovery management host to the target DD system:
# ssh sysadmin@<CR Vault DD management IP address>
We do not recommend a firewall on the isolated management network. All IP ports are accessible when the connection is verified.
Note: Optionally, you can use a firewall, a bi-directional data diode, or Unisys Stealth software on the replication path. Only replication port 2051 must be open between the source and target DD systems.
2. Confirm that port net filters are open for MTree replication by using elevated privileges:
# priv set se
# se telnet <source Data Domain address> 2051
Chapter 3 DD Hardening
Follow the recommendations in this section to harden the target DD system in the CR
Vault.
For information that provides background knowledge for hardening the target DD system
in the CR Vault, see the DD OS, PowerProtect DD Virtual Edition, and PowerProtect DD
Management Center Security Configuration Guide.
Review settings
For hardening the target DD system, be familiar with the following:
• System passphrase
• Access control settings
• Log settings
• Communication security settings
• Data security settings
• Secure serviceability settings
• Dell Secure Remote Services
• Security alert system settings
• System hardening (to comply with the DISA STIG standards)
See the DD OS, PowerProtect DD Virtual Edition, and PowerProtect DD
Management Center Security Configuration Guide for both the hardening
procedures and the mitigation steps to comply with federal Defense Information
Systems Agency (DISA) Security Technical Implementation Guides (STIGs) on the
DD system.
Note: The DD OS Command Reference Guide describes how to use the adminaccess option set password-hash {md5 | sha512} command to set FIPS 140-2-approved cryptographic hashing. Changing the hash algorithm does not change the hash value for existing passwords. Any existing passwords that were hashed with MD5 still have MD5 hash values after changing the password-hash algorithm to SHA512. These passwords must be reset to compute a new SHA512 hash value.
Note: You can remove Telnet by running the adminaccess uninstall telnet command on the DD system. However, if you remove Telnet, you cannot add it back to the system.
Set a valid system passphrase
The passphrase is used to encrypt the encryption keys, cloud access, secure keys, imported host certificate private keys, and DD Boost token keys. It enables a system to be transported with encryption keys on the system but without the passphrase being stored on it. The system uses the passphrase to encrypt imported host private keys and DD Boost token keys. If the system is stolen in transit, an attacker cannot easily recover the data; at most, they can recover the encrypted user data and the encrypted keys.
Data at rest encryption keys require this passphrase, and therefore the use of a strong passphrase is mandatory. A valid passphrase must contain:
• A minimum of nine characters
• A minimum of one lowercase character
• A minimum of one uppercase character
• A minimum of one numeral
• A minimum of one special character
• No spaces
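To check a candidate passphrase against the rules above before it is entered on the system, the following Python function is an added example; it is not code from this guide or from Dell. It assumes that "special character" means any ASCII punctuation character, which the guide does not define, so adjust that set if your DD OS version is stricter.

```python
import string

# Rules from the guide: at least nine characters, one lowercase, one uppercase,
# one numeral, one special character, and no spaces.
MIN_LENGTH = 9
# Assumption: "special character" means ASCII punctuation; the guide does not
# define the set, so widen or narrow this to match your DD OS version.
SPECIAL_CHARS = set(string.punctuation)


def check_passphrase(passphrase: str) -> list:
    """Return the list of rules the passphrase breaks; an empty list means it is valid."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("fewer than 9 characters")
    if not any(c in string.ascii_lowercase for c in passphrase):
        problems.append("no lowercase character")
    if not any(c in string.ascii_uppercase for c in passphrase):
        problems.append("no uppercase character")
    if not any(c in string.digits for c in passphrase):
        problems.append("no numeral")
    if not any(c in SPECIAL_CHARS for c in passphrase):
        problems.append("no special character")
    if any(c.isspace() for c in passphrase):
        problems.append("contains whitespace")
    return problems


def is_valid_passphrase(passphrase: str) -> bool:
    return not check_passphrase(passphrase)


if __name__ == "__main__":
    # Constructed sample values, not real passphrases.
    for candidate in ("Vault#2022x", "vault 2022 x", "Va#1abcd"):
        print(repr(candidate), check_passphrase(candidate) or "OK")
```

Run it on the management host before setting the passphrase; a rejected value is reported with every rule it breaks rather than only the first one, which is more useful when the passphrase is being chosen by committee or stored in a secret-sharing scheme.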
Passphrase security
The passphrase is encrypted and stored in a file on the head unit of the DD or
PowerProtect system. The encryption key that is used to encrypt the passphrase is hard
coded.
Note: If the system is configured to not store the passphrase, there is no way to recover it if it is
lost.
Use the hidden sysadmin command system passphrase option set store-on-disk no (listed among the MFA-protected commands in the next section) to choose not to store the passphrase on disk.
A side-effect of not storing the passphrase is that you must unlock the file system every
time that you reboot the system. Until the file system is unlocked, all backup jobs and
replication are impacted.
Note: If multifactor authentication is enabled, the security officer must enter an RSA SecurID
token after their password.
If there is no concern that an attacker can gain physical access to the appliance in the
environment, then store the passphrase on disk.
Multifactor authentication for sysadmin and security-officer authorization
The system requires additional authorization for certain commands to promote better security and protection. Therefore, sysadmin or security-officer credentials are required to run these commands.
When multifactor authentication (MFA) is enabled, the system prompts for the MFA passcode in addition to sysadmin or security-officer credentials for certain commands. An MFA passcode is usually a time-based one-time password (TOTP) that changes every 30 or 60 seconds.
Different MFA providers support different ways of generating TOTP. Common MFA providers include RSA SecurID, Google Authenticator/Microsoft Authenticator, and Authy. DD supports RSA SecurID as the MFA provider.
The following CLIs are protected with MFA and require sysadmin or security-officer
authorization:
• filesys destroy
• cloud unit delsystem sanitize
• authentication mfa rsa-securid disable
• filesys encryption lock (also supported through the UI)
• system passphrase option set store-on-disk no
This section lists the security items that you must check on each target DD system.
Review access control security
Use the following table to verify and record the access control security settings for the DD system.
Are user accounts defined for each user? We recommend that you create separate Admin and Security Officer accounts to manage the DD system in the CR Vault. Do not share the same accounts with production or other environments. Do not use the sysadmin, SE, or root account to manage any DD environment. Document accounts in the Account Details table.
Is there a syslog server? Forward the syslog to the management host. Use VPN or another secured mechanism, such as a data diode or Unisys Stealth, to push the logs from the target DD system to the secured external management host.
Is an encryption key manager in the CR Vault design? If the target DD system has several MTrees and uses encryption, consider using RSA Data Protection Manager (DPM) or a similar product in the CR Vault to manage encryption keys.
Configure SSH and UI access timeout
By default, SSH, HTTP, and secure browsing (HTTPS) are enabled on the DD system.
We recommend that you:
• Disable SSH access to target DD systems for all clients except the Cyber Recovery management host using
• Disable HTTP by running the adminaccess disable http command from the CLI.
• Use an imported certificate to log in to the DD UI through a jump box.
• Configure session timeout values to ensure that users are automatically logged out of the system when the session ends.
Access control
Access control and user authentication to the DD system are managed through local users, NIS environments, LDAP, or an AD domain environment. Ensure that you add only trusted domain accounts and local users to the target DD system.
User authorization
User authorization settings control the rights or permissions that are granted to a user for accessing a resource that manages the target DD system. The following roles are available for DD users:
• admin
• limited-admin
• user
• security officer
• backup-operator
• none
• tenant-admin
• tenant-user
Note: Certain user accounts are created on the target DD system to enable implementation of the
Cyber Recovery software. We recommend that you do not create additional roles. If additional
roles are necessary, ensure that you follow the principles of least privilege.
Secure login through HTTPS
Secure login with HTTPS requires a digital certificate to validate the identity of the DD OS system and to support bi-directional encryption between DD System Manager and a browser. DD OS includes a self-signed certificate and allows you to import your own certificate.
To enhance security, allow adminaccess over HTTPS only from a single IP address or host in the CR Vault. Add a single host in the CR Vault, or add the jump box IP address or host details, to ensure that only a single machine can securely log in to DD System Manager. You can add one or more hosts to the HTTP or HTTPS list; identify each host by a fully qualified hostname, an IPv4 address, or an IPv6 address.
1. Ensure that you have a user account on the target DD system. You can use either
a local user or a name service user (NIS/AD). For a name service user, configure
your group-to-role mapping on the protection system.
2. Import the public key from the CA that issued the certificate:
adminaccess certificate import ca application login-auth
Note: Using certificates to log in to the DD system is optional and is not implemented as a
standard practice. This option is only valid for login to the target DD system.
Two-factor authentication
Ensure that you have a user account on the target system. You can use either a local user
or a name service user (NIS/AD). For a name service user, configure your group-to-role
mapping on the protection system.
Common Access Card (CAC)/Personal Information Verification (PIV) cards offer two
factor authentication. A plug-in extracts the user certificate from the CAC card and into the
browser. It also provides the password to access the CAC card. When the user certificate
is loaded into the browser, log in to DD System Manager by using the certificates.
Note: Using two-factor authentication to log in to the DD system is optional and is not
implemented as a standard practice. This option is only valid for login to the target DD system.
NTP services
Network Time Protocol (NTP) provides an automated method of managing and coordinating system clocks. Computer clocks can drift over time, and having clocks synchronized between systems is crucial to transaction processing systems. The requirement for NTP in the CR Vault is limited. It is used as a time source for the compute resources, scheduling, password expiration, and Retention Lock.
Note: You must have sysadmin and security officer credentials to add an NTP server.
In a traditional NTP infrastructure, local NTP servers service local time requests. Local
NTP servers connect to regional public servers as a time authority to guard against the
time drift of local NTP servers. The use of an NTP Server that connects outside the CR
Vault opens a potential attack vector and is potentially vulnerable to denial of service
attacks.
In terms of risk, a nefarious actor might mimic public NTP servers and force the CR Vault hardware clocks to advance and so force Retention Locks to expire. The risk is limited because the DD does not allow the system clock to advance by more than 14 days. However, if the CR Vault maintains less than 14 days of data, a rogue actor can force the deletion of the CR Vault data. Also, multiple incremental clock advancements over time present a risk of negating Retention Locks set in the CR Vault.
Note: Retention Lock-compliant locked copies are susceptible to deletion if time is moved forward.
Configure the system-enforced interval between system time and date changes, and the
maximum allowed amount to advance the system time and date. These values can be set
before enabling DD Retention Lock Compliance and only take effect after DD Retention
Lock Compliance is enabled. A time or date change requires admin and security officer
credentials.
Run the system set date-change-frequency command to set the allowed interval between system time and date changes.
Run the system set date-change-limit command to set the maximum allowed advance for a single system time and date change operation.
When the date change limit is set, the system generates an alert when the clock skew
exceeds half of the date change limit. If the alert is displayed, fix the system time and
clear the alert manually. If the alert is not cleared, it is updated for any further increase in
the clock skew (when the clock skew increases by at least half of the system date change
limit).
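The alert threshold and the incremental-advance risk described above, worked through as an added Python example that is not code from this guide or from Dell. It models the worst case in which every permitted time change is the full per-change advance and is made as soon as the date-change-frequency interval allows; on a real system each change also needs admin and security officer credentials, so this is a capacity calculation for choosing the two settings against your retention periods, not a description of an unauthenticated attack.

```python
# The guide states that DD OS will not let the clock advance by more than 14 days in one change.
MAX_SINGLE_ADVANCE_DAYS = 14


def skew_alert_raised(date_change_limit_days: float, clock_skew_days: float) -> bool:
    """The system raises an alert once the clock skew exceeds half of the date-change limit."""
    return clock_skew_days > date_change_limit_days / 2


def apparent_elapsed_days(real_day: int, limit_days: float, frequency_days: int) -> float:
    """Worst-case apparent elapsed time after `real_day` real days if the clock is advanced
    by the full per-change limit at day 0 and again every `frequency_days` days."""
    per_change = min(limit_days, MAX_SINGLE_ADVANCE_DAYS)
    changes = real_day // frequency_days + 1
    return real_day + changes * per_change


def earliest_apparent_expiry(retention_days: int, limit_days: float, frequency_days: int) -> int:
    """Earliest real day on which a Retention Lock of `retention_days` appears expired under
    the worst-case advance schedule; 0 means a single change is enough (the under-14-days case)."""
    for day in range(retention_days + 1):
        if apparent_elapsed_days(day, limit_days, frequency_days) >= retention_days:
            return day
    return retention_days  # the lock can never appear to expire before its honest expiry


def days_lost_to_clock_advances(retention_days: int, limit_days: float, frequency_days: int) -> int:
    """How many days of intended retention the worst-case schedule could erase."""
    return retention_days - earliest_apparent_expiry(retention_days, limit_days, frequency_days)


if __name__ == "__main__":
    # Constructed setting combinations for a 30-day lock.
    for limit, freq in ((14, 1), (14, 7), (1, 7)):
        day = earliest_apparent_expiry(30, limit, freq)
        print(f"date-change-limit={limit}d, frequency={freq}d: a 30-day lock could appear expired on day {day}")
```

Reading the output for your own retention periods tells you whether the configured date-change-limit and date-change-frequency are tight enough; the half-limit alert in `skew_alert_raised` is the early warning that one of these advances is under way.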
Typically, a local pool of NTP servers is used to provide high availability (HA), although you can provision one NTP server with an HA backup. VMware with HA can be used to host an NTP server. See VMware KB1002864, Using an ESX host as an NTP server, for details about setting up an NTP server on ESX.
Choose one of the following options:
• Do not provision an NTP server in the CR Vault or configure an NTP server on the target DD system.
• Provision local NTP servers that are not connected to the public NTP server network; that is, the local NTP server is isolated to the CR Vault.
• Follow the Dell Technologies recommended best practice and provision a local NTP server that has an external GPS "Stratum 0" time provider. External GPS USB solutions can be provisioned at a relatively low price. Raspberry Pi-based and Secure Spectracom network time server solutions are available.
• Provision local NTP servers that are connected to the public NTP server network. If you choose this option, provision a firewall with port 123 open.
If you do not have an external GPS time provider or do not connect to the NTP public
server network, periodically monitor the time on the target DD systems and manually reset
them if needed. If you choose this option, we highly recommend appropriate controls and
governance. Regardless of the chosen option, randomly audit the time-of-day clocks
periodically.
TCP ports
UDP ports
All other ports must be accessible for other operations within the CR Vault. For example,
to create a copy and set a lock, the copy must be mounted on the Cyber Recovery host.
Therefore, the NFS port must be accessible between the Cyber Recovery host and that
target DD system.
Run the following command to show the default rules on the system.
Use the net filter command, with the admin or limited-admin role, to add a set of iptables rules on the target DD system.
The following is an example of the command that allows only the Cyber Recovery management host to use SSH to the target DD system on management interface ethV0.
Similarly, to disable SSH on the replication interface of the target DD system, run the following command.
The following example enables replication port 2051 between the source and target DD systems on replication interface ethV1:
net filter add seq-id 3 operation allow protocol tcp ports 2051 clients <srcDD> interfaces ethV1 ipversion ipv4
Communications control
Use the following table to verify the open and closed ports on the DD system:
FTP (port 21): Port must be OFF; use FTPS or SCP for file transfer.
CIFS (NetBIOS Name Service), UDP port 137: Port must be OFF unless CIFS is being used for validation or recovery.
CIFS (NetBIOS Datagram Service), UDP port 138: Port must be OFF unless CIFS is being used for validation or recovery.
CIFS (NetBIOS Session Service), TCP port 139: Port must be OFF unless CIFS is being used for validation or recovery.
CIFS (Microsoft-DS), port 445: Port must be OFF unless CIFS is being used for validation or recovery.
DD Boost/NFS (port 2049): Port must be ON; Retention Lock scripts rely on NFS.
NFS (port 2052): Port must be ON if NFS is being used; use Kerberos with NFS.
DDMC (port 3009): Do not install DDMC in the CR Vault. Dell Technologies does not recommend that you install DDMC.
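To check a target DD system's listening sockets against the port table above, the following Python script is an added example; it is not code from this guide or from Dell. It assumes the operator has captured a netstat-style listing of listening sockets from the system and pasted it in (the sample lines are constructed). Three flags encode the table's conditions: CIFS ports may be open only when CIFS is used for validation or recovery, NFS port 2052 is expected only when NFS is in use, and port 3009 is treated as off unless the two-way replication authentication described later in this chapter, which needs 3009 between the DD systems, is deployed.

```python
# Policy from the Communications control table; each entry is (service, rule).
PORT_POLICY = {
    21: ("FTP", "off"),
    137: ("CIFS NetBIOS Name Service", "off-unless-cifs"),
    138: ("CIFS NetBIOS Datagram Service", "off-unless-cifs"),
    139: ("CIFS NetBIOS Session Service", "off-unless-cifs"),
    445: ("CIFS Microsoft-DS", "off-unless-cifs"),
    2049: ("DD Boost/NFS", "on"),
    2052: ("NFS", "on-if-nfs"),
    3009: ("DDMC", "off-unless-two-way-auth"),
}

# Constructed sample of a netstat-style listing: protocol, local address, remote address, state.
SAMPLE_LISTING = """
tcp  0.0.0.0:22    0.0.0.0:*  LISTEN
tcp  0.0.0.0:21    0.0.0.0:*  LISTEN
tcp  0.0.0.0:2049  0.0.0.0:*  LISTEN
tcp  0.0.0.0:2052  0.0.0.0:*  LISTEN
udp  0.0.0.0:137   0.0.0.0:*
"""


def listening_ports(listing: str) -> set:
    """Extract listening port numbers from netstat-style lines (TCP rows must show LISTEN)."""
    ports = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue
        if parts[0] == "tcp" and "LISTEN" not in parts:
            continue
        # rsplit on the last colon so IPv6 local addresses such as :::22 also parse.
        ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def audit_ports(open_ports, cifs_in_use=False, nfs_in_use=True, two_way_auth=False):
    """Return (port, finding) pairs where the observed state violates the table."""
    findings = []
    open_set = set(open_ports)
    for port, (service, rule) in sorted(PORT_POLICY.items()):
        is_open = port in open_set
        if rule == "off" and is_open:
            findings.append((port, f"{service} must be OFF"))
        elif rule == "off-unless-cifs" and is_open and not cifs_in_use:
            findings.append((port, f"{service} open but CIFS is not used for validation or recovery"))
        elif rule == "off-unless-two-way-auth" and is_open and not two_way_auth:
            findings.append((port, f"{service} open but two-way replication authentication is not in use"))
        elif rule == "on" and not is_open:
            findings.append((port, f"{service} must be ON; Retention Lock scripts rely on NFS"))
        elif rule == "on-if-nfs" and nfs_in_use and not is_open:
            findings.append((port, f"{service} expected ON because NFS is in use"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(listening_ports(SAMPLE_LISTING)):
        print(f"port {port}: {finding}")
```

Ports the table does not mention (SSH on 22, for example) are ignored here because they are governed by the net filter rules and the administrator access settings in the following sections, not by this table.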
Data security control
Use the following table to verify and document the data security controls (described in the following sections) on the DD system:
Data at rest encryption: We recommend that you enable data at rest encryption using the Key Manager in the CR Vault.
Is Retention Lock enabled? This option is required for target DD systems in the CR Vault. For systems outside of the CR Vault, set this option according to business requirements.
DD Encryption software encrypts all incoming data before it writes the data to the physical
storage media. The data is physically stored in an encrypted manner and cannot be
accessed on the existing system or in any other environment without decrypting it first.
Encryption of all data at rest helps satisfy IT governance and compliance.
Configure encryption
1. Add the encryption license key.
2. Enable the encryption feature:
Important: You are prompted for a passphrase. Do not lose or forget this passphrase.
DD support cannot recover the passphrase. Without the passphrase, you cannot change
encryption configuration without a USB installation, which deletes all data.
If the algorithm is changed from the default, another file system restart is required for
DDFS to start using the new algorithm.
Note: This step makes the next clean cycle considerably longer and more resource intensive.
Only perform this step on systems with plenty of free space, otherwise the DD system might
become full before the cleaning completes.
Replication encryption
Enable the Replication Encryption option in the CR Vault. This option ensures that data
that is replicating to the target DD system is encrypted over the network. If data is already
encrypted on the source DD system, enabling Replication Encryption adds another layer
of encryption before it transmits the data over the network. For environments that do not
use a VPN for secure connections between sites, it can securely encapsulate its
replication payload over SSL with AES 256-bit encryption for secure transmission. This
process is also known as encrypting data in flight.
To enable replication encryption on the source DD system, run the following command:
If replication is already running, disable replication on the source and target DD systems
before modifying the encryption setting.
Modify the replication contexts so that they are protected by the Cyber Recovery software
and Replication Encryption.
If both the DD Encryption software and the over-the-wire encryption feature are enabled
on both the source and destination DD systems, the encrypted data is encrypted a second
time by the DD Replicator before it is replicated over the network.
On the target DD system, the DD Replicator removes one layer of encryption. The data is
stored on disk in an encrypted format by using the encryption key on the target DD
system.
To use two-way authentication, ensure that port 3009 and replication Port 2051 are open
between the DD systems:
1. Confirm that the hostname of the remote system can be resolved or contacted:
# net ping <hostname of remote DDR>
3. Restart DDFS on both the source and target DD systems to ensure that mutual
trust is fully established:
# filesys restart
4. On the source and the destination systems, run the following command to enable
two-way authentication along with encryption while adding replication context:
# replication add source mtree://[source DD host name]/data/col1/[source mtree name] destination mtree://[destination DD host name]/data/col1/[destination mtree name] encryption enabled authentication mode {anonymous | one-way | two-way}
Retention Lock
DD Retention Lock software provides immutable file locking and secure data retention
capabilities to meet both corporate governance and compliance standards, such as SEC
17a-4(f). DD Retention Lock Governance edition and DD Retention Lock Compliance
edition can co-exist on the same DD system to enable different retention periods for
different classes of archive data.
For a Cyber Recovery deployment, we recommend that you set Retention Lock
Compliance for additional security. Compliance mode is stricter and adheres to several
common regulatory standards. For example:
• Locks on files cannot be reverted.
• The DDR must be configured with a "security officer" user who must authenticate certain commands.
• There are various restrictions on other functionality to prevent locked data from being removed or locks from being reverted early.
Dual sign-on requirement
When DD Retention Lock Compliance is enabled on a DD system, additional
administrative security is provided in the form of “dual” sign-on. Dual sign-on requires
sign-on by the system administrator and sign-on by a second authorized authority (the
security officer). The dual sign-on mechanism of the DD Retention Lock Compliance
edition acts as a safeguard against any actions that can compromise the integrity of
locked files before the expiration of the retention period.
Consider a process to protect the security officer password through a shared secret
scheme, in which a single person does not know or have access to the password.
Other security settings
The following table is used to verify and document miscellaneous security settings for the DD system:
Configure administrator access
To set connection access, go to Administration > Access > Administrator Access and apply the following settings:
• FTP—Disabled
• FTPS—Disabled
• HTTP—Disabled
• HTTPS—Disabled (We recommend using the CLI through SSH connections; enable HTTPS only if you do not want to use the CLI exclusively.)
• SCP—Disabled (shares the same port with SSH)
• SSH—Enabled (allow access only from the Cyber Recovery management host)
• Telnet—Disabled
Follow password policy
Use AD to maintain all users other than sysadmin, ddboost, and security officer. The following recommended rule settings apply to the sysadmin, ddboost, and security officer login IDs.
Go to Administration > Access > More Tasks > Change Login Options and apply the
following settings:
Set up accounts
Go to Administration > Access > Local Users and refer to the following table, which lists account details:
Table 13. Account details
Other users (role: admin): Users managing the target DD system must have their own accounts.
This account is used to add the target DD system to the CR Vault.
Configure authentication settings
Go to Administration > Access > Authentication and apply the following settings:
• Active Directory/Kerberos Authentication—Disabled (default)
• Workgroup Authentication—Enabled (default)
• LDAP Authentication—Disabled (default)
• Single Sign-On—Disabled (default)
• NIS Authentication—Disabled (default)
Configure mail server settings
Go to Administration > Settings and apply the following settings:
• Mail Server—Complete this setting because email notification is key for detecting
issues. Configure the local mail server in the CR Vault or use data diodes or Unisys
Stealth software to send email notifications outside the CR Vault to a secured
external management host.
• Time and Date—Provide a reliable NTP server for time synchronization.
• System Properties—Set the appropriate values.
• SNMP—Disable if not required in the Cyber Recovery environment.
Configure IPMI settings
Go to Maintenance > IPMI and apply the following settings:
1. Disable IPMI if not in use.
2. If IPMI is used, connect it to an isolated network switch dedicated to out-of-band (OOB) management traffic only.
3. Set up an IPMI user account for each user and ensure that the password is 20 characters.
4. Change the sysadmin password to 20 characters and store it in the secure safe.