
EMC® VNXe™

Release 2

Security Configuration Guide


P/N 300-012-190 Rev 05

EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright © 2011 - 2013 EMC Corporation. All rights reserved.
Published January 2013
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date regulatory document for your product line, go to the Technical
Documentation and Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on
EMC.com.
All other trademarks used herein are the property of their respective owners.

2 EMC VNXe Security Configuration Guide


Contents

Preface .... 5

Chapter 1: Introduction .... 7
    Overview .... 8
    Related documents .... 8

Chapter 2: Access Control .... 9
    Access methods .... 10
    VNXe factory default management and service accounts .... 11
    VNXe account management .... 12
    Unisphere for VNXe .... 12
    VNXe Unisphere command line interface (CLI) .... 14
    VNXe service SSH interface .... 15
    VNXe service serial port interface .... 17

Chapter 3: Logging .... 19
    Logging .... 20
    Remote logging options .... 21

Chapter 4: Communication Security .... 23
    Port usage .... 24
        VNXe network ports .... 24
        Ports the VNXe may contact .... 28
    VNXe certificate .... 30
    Configuring the management interface using DHCP .... 30
        Automatically assign an IP address to your VNXe system .... 31
    VNXe interfaces, services, and features that support Internet Protocol version 6 .... 32
    VNXe management interface access using IPv6 .... 34
    Running the Connection Utility .... 35
    CIFS encryption .... 36

Chapter 5: Data Security Settings .... 37
    Data security settings .... 38
    Data-at-rest-encryption .... 38

Chapter 6: Security Maintenance .... 43
    Secure maintenance .... 44
        License update .... 44
        Software upgrade .... 44

Chapter 7: Security Alert Settings .... 47
    Alert settings .... 48
        Configuring alert settings .... 49

Chapter 8: Other Security Settings .... 51
    Data erasure .... 52
    Physical security controls .... 52
    Antivirus protection .... 52


Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines,
EMC periodically releases revisions of its hardware and software. Therefore, some functions described
in this document may not be supported by all versions of the software or hardware currently in use.
For the most up-to-date information on product features, refer to your product release notes.
If a product does not function properly or does not function as described in this document, please
contact your EMC representative.


Special notice conventions

EMC uses the following conventions for special notices:

Note: Emphasizes content that is of exceptional importance or interest but does not relate to personal
injury or business/data loss.

Identifies content that warns of potential business or data loss.

Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

Where to get help

VNXe support, product, and licensing information can be obtained as follows:

Product information — For documentation, release notes, software updates, or for information about
EMC products, licensing, and service, go to the EMC Online Support website (registration required)
at http://www.emc.com/vnxesupport.

Technical support — For technical support and service requests, go to EMC Online Support. Under
Service Center, you will see several options, including one to create a service request. Note that
to open a service request, you must have a valid support agreement. Contact your EMC sales
representative for details about obtaining a valid support agreement or with questions about your
account.

Note: Do not request a specific support representative unless one has already been assigned to
your particular system problem.

Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications.
Please send your opinion of this document to:

techpubcomments@EMC.com

Chapter 1: Introduction

This chapter briefly describes a variety of security features implemented on the VNXe.
Topics include:
◆ Overview on page 8
◆ Related documents on page 8

Overview
EMC® VNXe™ uses a variety of security features to control user and network access, monitor
system access and use, and support the transmission of storage data. This document describes
available VNXe security features.
This document is intended for administrators responsible for VNXe system configuration
and operation.
The guide approaches security settings within the categories shown in Table 1 on page 8:

Table 1. Security settings categories

Access control: Limiting access by end-user or by other entities to protect hardware, software, or
specific product features.
Logs: Managing the logging of events.
Communication security: Securing product network communications.
Data security: Providing protection for product data.
Serviceability: Maintaining control of product service operations performed by EMC or its service
partners.
Alert system: Assuring security alerts and notifications generation for security-related events.
Other security settings: Security settings that do not fall in one of the previous sections, such as
data erasure and physical security.

Related documents
You can find specific configuration instructions within the VNXe documentation that is
available in the EMC Online Support website at www.emc.com/vnxesupport. This guide
includes references to the following documents where appropriate.
◆ Installing Your VNXe Hardware
◆ Unisphere for VNXe Online Help
◆ Using the VNXe with CIFS Shared Folders
◆ Using the VNXe with NFS Shared Folders
◆ Using the VNXe with Microsoft Exchange
◆ Using the Celerra VNXe with Generic iSCSI Storage
◆ Using the VNXe with VMware Storage
◆ VNXe CLI User's Guide

Chapter 2: Access Control

This chapter describes a variety of access control features implemented on the VNXe.
Topics include:
◆ Access methods on page 10
◆ VNXe factory default management and service accounts on page 11
◆ VNXe account management on page 12
◆ Unisphere for VNXe on page 12
◆ VNXe Unisphere command line interface (CLI) on page 14
◆ VNXe service SSH interface on page 15
◆ VNXe service serial port interface on page 17

Access methods
VNXe supports the access methods shown in Table 2 on page 10.

Table 2. Access methods

Management accounts
    These accounts have privileges (see Table 6 on page 13) for performing management and
    monitoring tasks associated with the VNXe system and its storage resources. Passwords are
    created and managed through the VNXe management interfaces and can be used to access
    either of the following management interfaces:
    ◆ EMC Unisphere™: A Web-based graphical interface accessed via HTTPS that provides tools
      for configuring, managing, and monitoring VNXe storage and system settings.
    ◆ VNXe Unisphere CLI: The VNXe Unisphere CLI provides a subset of the functionality
      available through Unisphere.

Service account
    This account performs specialized service functions. A single account provides access to
    service interfaces using SSH or serial port connection. VNXe service interfaces include the
    following:
    ◆ Unisphere for VNXe: Using a management account, type the service password to access
      the Unisphere service page from which you can perform the following actions:
      ◆ Collect system service information: Collect information for the system and save it to a
        file. EMC service personnel can use the collected information to analyze your system.
      ◆ Reinitialize the system: Reset the VNXe system to the original factory settings. Both
        Storage Processors (SPs) must be installed, operating normally, and in Service Mode or
        you cannot perform this action.
        Note: Service Mode is a reduced operational mode designed for maintenance and
        troubleshooting. A VNXe system in this mode is restricted to a limited interface through
        Unisphere as well as a specific CLI interface that allows for isolated problem resolution.
      ◆ Change the system service password: Change the Service password for accessing the
        Service System page.
    ◆ VNXe Unisphere CLI: The VNXe Unisphere CLI provides a command line interface for the
      same functionality available through Unisphere.
    ◆ VNXe SSH service script interface: A command line interface that is accessible through
      an SSH client and provides service-specific functions for diagnosing, troubleshooting, and
      resolving VNXe issues.
    ◆ VNXe serial port service interface: Provides the same diagnostic and troubleshooting
      features as the SSH service interface, except access is provided through a serial port
      interface.

VNXe factory default management and service accounts

The VNXe system comes with factory default user account settings to use when initially
accessing and configuring the VNXe system. See Table 3 on page 12.

Table 3. Factory default user account settings

Management (Unisphere): username admin, password Password123#
    Administrator privileges for resetting default passwords, configuring system settings,
    creating user accounts, and allocating storage.
Service: username service, password service
    Perform service operations.

Note: During the initial configuration process, you are required to change the password for the default
administrator and service accounts.

VNXe account management

Table 4 on page 12 illustrates the ways in which you can manage VNXe accounts.

Table 4. Account management methods

Management accounts: After the VNXe initial system configuration process is complete, you can
manage VNXe management accounts from Unisphere or the VNXe Unisphere CLI. You can create, modify,
delete, or reset password settings for VNXe local accounts, and assign or change roles to accounts
that determine the privileges provided to users who use them.
Service account: You cannot create or delete VNXe service accounts. You can reset the service account
password by using the Change Service Password function from the Unisphere Service page.

Note: You can reset the VNXe system factory default account passwords by pressing the password
reset button on the VNXe system chassis. The Unisphere Online Help provides more information.

Unisphere for VNXe

Authentication for access to Unisphere is performed based on the credentials of the user
(local or LDAP) account. User accounts are created and subsequently managed through the
Unisphere Manage Administration page. The authorizations that apply to Unisphere depend
on the role associated with the user account.

Session rules
Unisphere sessions have the following characteristics:

◆ Expiration term of one hour
◆ Session timeout is not configurable
◆ Session IDs are generated during authentication and used for the duration of each session

Password usage
Unisphere account usernames and passwords must meet the requirements shown in Table 5 on page 13.

Table 5. Unisphere account requirements

Minimum number of characters: 8
Minimum number of uppercase characters: 1
Minimum number of lowercase characters: 1
Minimum number of numeric characters: 1
Minimum number of special characters: 1
    Supported special characters include: !,@#$%^*_~?
Maximum number of characters: 40

Note: You can change account passwords from Unisphere by clicking Settings > More Configuration >
Manage Administration. When changing a password, you cannot reuse any of the last three passwords.
The Unisphere Online Help provides more information.
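
The rules of Table 5, together with the two surrounding requirements (the factory default password from Table 3 must be changed, and none of the last three passwords may be reused), can be checked before a new password is submitted to the array. The Python below is an added example written against the guide's stated rules; it is not EMC or Unisphere code. Two points are assumptions and are marked as such in the comments: the printed special-character list is treated as exhaustive although the guide says the supported set "includes" it, and the password history is compared in plaintext to keep the example self-contained.

```python
"""Password-policy check for Unisphere management accounts (Table 5 and nearby notes).
Added example for this guide; not EMC code."""
from typing import List, Sequence

MIN_LENGTH = 8
MAX_LENGTH = 40
# Special characters exactly as printed in Table 5. The guide says the supported set
# "includes" these characters; treating the list as exhaustive is this example's assumption.
SPECIAL_CHARACTERS = "!,@#$%^*_~?"
# Factory default management password from Table 3; initial configuration requires changing it.
FACTORY_DEFAULT_PASSWORD = "Password123#"
# "You cannot reuse any of the last three passwords."
PASSWORD_HISTORY_DEPTH = 3


def check_password(password: str, previous: Sequence[str] = ()) -> List[str]:
    """Return the rules that `password` violates; an empty list means it is acceptable.

    `previous` is the account's password history, oldest first. A real system would
    store and compare salted hashes; plaintext is used here only to keep the example
    self-contained (assumption).
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"more than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no special character from " + SPECIAL_CHARACTERS)
    # Anything that is neither ASCII alphanumeric nor in the printed special set.
    unsupported = sorted({c for c in password
                          if not (c.isascii() and c.isalnum()) and c not in SPECIAL_CHARACTERS})
    if unsupported:
        problems.append("unsupported characters: " + "".join(unsupported))
    if password == FACTORY_DEFAULT_PASSWORD:
        problems.append("is the factory default password from Table 3")
    if password in previous[-PASSWORD_HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {PASSWORD_HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "Str0ng!pass" satisfies every rule in Table 5.
    for candidate in ("Str0ng!pass", "Password123#", "short", "Str0ng!pass&"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The function reports every violated rule rather than stopping at the first, which is what an operator wants when the array rejects a password and the reason is not obvious.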

Authorization
Table 6 on page 13 shows the roles you can assign to VNXe local users and the privileges
associated with these roles. In addition, you can assign these roles to LDAP users and
groups.

Table 6. Local user roles and privileges

The roles are Operator, Storage administrator, and Administrator. Each task lists the roles that
may perform it.

Change own local login password: Operator, Storage administrator, Administrator
Add hosts: Administrator
Create storage: Storage administrator, Administrator
Delete storage: Storage administrator, Administrator
Add storage objects to storage resources (virtual disks, shares, storage groups, etc.):
    Storage administrator, Administrator
View storage configuration and status: Operator, Storage administrator, Administrator
View VNXe user accounts: Storage administrator, Administrator
Add, delete or modify VNXe user accounts: Administrator
View current software or license status: Operator, Storage administrator, Administrator
Perform software or license upgrade: Administrator
Perform initial configuration: Administrator
Modify Storage Server configuration: Administrator
Modify VNXe system settings: Administrator
Modify VNXe network settings: Administrator
Change management interface language: Operator, Storage administrator, Administrator

Note: You can change account roles in Unisphere by clicking Settings > More Configuration > Manage
Administration. The Unisphere Online Help provides more information.

VNXe Unisphere command line interface (CLI)

The VNXe Unisphere CLI provides a command line interface for the same functionality
available through Unisphere.
Running the Unisphere CLI requires special VNXe command line software. You can
download this software from the EMC Online Support website at
www.emc.com/vnxesupport.

Session rules
The Unisphere CLI client does not support sessions. You must use command line syntax
to specify the account username and password with each command that you issue.
You can use the Unisphere CLI -saveuser command to save the access credentials
(username and password) for a specific account to a local file. After you save the access
credentials, the CLI automatically applies them to the specified VNXe destination and
port each time you run a command.


Password usage
Authentication to the Unisphere CLI is performed in accordance with management
accounts created and managed through Unisphere. The same permissions that apply to
Unisphere apply to specific commands depending on the role associated with the current
login account.

Saved settings
You can save the following settings on the host on which you run Unisphere CLI:

◆ User access credentials, including your username and password, for each system you
access.
◆ SSL certificates imported from the system.
◆ Information about default system to access through Unisphere CLI, including the
system name or IP address and the system port number.
Unisphere CLI saves the settings to a secure lockbox that resides locally on the host on
which Unisphere CLI is installed. The stored data is only available on the host where it
was saved and to the user who saved it. The lockbox resides in the following locations:

◆ On Windows XP:
C:\Documents and Settings\<account_name>\Local Settings\ApplicationData\EMC\UEM CLI\

◆ On Windows 7:
C:\Users\${user_name}\AppData\Local\.EMC\UEM CLI\

◆ On UNIX/Linux:
<home_directory>/EMC/UEM CLI

Locate the files config.xml and config.key. If you uninstall Unisphere CLI, these directories
and files are not deleted, giving you the option of retaining them; however, for security
reasons, you may want to delete these files.

VNXe service SSH interface

The VNXe SSH service interface provides a command line interface for performing a subset
of functionality available from the Unisphere Service page (Settings > Service System).
The service account enables users to perform the following functions:
◆ Perform specialized VNXe service commands for monitoring and troubleshooting VNXe
system settings and operations.
◆ Operate standard Linux commands as a member of a non-privileged Linux user account.
This account does not have access to proprietary system files, configuration files, or
user/customer data.

Sessions
The VNXe SSH service interface sessions are maintained according to the settings
established by the SSH client. Session characteristics are determined by the SSH client
configuration settings.

Password usage
The service account is an account that EMC service personnel can use to perform basic
Linux commands.
The default password for the VNXe service interface is service. When you perform initial
configuration for the VNXe system, you must change the default service password.
Password restrictions are the same as those that apply to Unisphere management accounts
(see Table 5 on page 13). For information on the VNXe service command,
svc_service_password, used to manage the password settings for the VNXe service
account, see the technical notes document, VNXe Service Commands.

Authorization
As shown in Table 7 on page 16, authorization for the service account is defined in two
ways.

Table 7. Service account authorization definitions

Linux file system permissions
    File system permissions define most of the tasks that the service account can and cannot
    perform on the VNXe system. For example, most Linux tools and utilities that modify system
    operation in any way require superuser account privileges. Since the service account does
    not have such access rights, the service account cannot use Linux tools and utilities to
    which it does not have execute permissions.

Access control lists (ACLs)
    The ACL mechanism on the VNXe uses a list of very specific rules to explicitly grant or
    deny access to system resources by the service account. These rules specify service
    account permissions to other areas of the VNXe system that are not otherwise defined by
    standard Linux file system permissions.

VNXe service commands

A set of problem diagnostic, system configuration, and system recovery commands are
installed on the VNXe's operating environment (OE). These commands provide an
in-depth level of information and a lower level of system control than is available through
Unisphere. The technical notes document, VNXe Service Commands, describes these
commands and their common use cases.

VNXe service serial port interface

The VNXe service serial port interface provides the same functions and features as the service
SSH interface and is also subject to the same restrictions. The difference is that users access
the interface through a serial port connection rather than an SSH client.
For a list of service commands refer to the VNXe Service Commands Technical Notes document.


Chapter 3: Logging

This chapter describes a variety of logging features implemented on the VNXe.
Topics include:
◆ Logging on page 20
◆ Remote logging options on page 21

Logging
The VNXe system maintains the following types of logs for tracking events that occur on the
system. See Table 8 on page 20.

Table 8. Logs

System log: Information displayed in Unisphere to notify users about VNXe user-actionable events.
These records are localized according to the default language setting specified for the system.
Note that "user-actionable events" includes audit events. However, not all logged events show up
in the GUI. Audit log entries that do not meet a certain severity threshold are logged by the
system but do not appear in the GUI.
System alert: Information used by Service personnel to diagnose or monitor the VNXe system status
or behavior. These records are recorded in English only.

Viewing and managing logs

The following logging features are available for VNXe systems. See Table 9 on page 20.

Table 9. Logging features

Log roll-over: When the VNXe log system accumulates two million log entries, it purges the oldest
500K entries (as determined by log record time) to return to 1.5 million log entries. You can
archive log entries by enabling remote logging so that log entries are uploaded to a remote network
node where they can be archived or backed up. The Remote logging options section provides more
information.
Logging levels: Logging levels are not configurable for VNXe. Log levels can only be configured for
exported log files as described in the Remote logging options section.
Alert integration: You can view VNXe alert information in the following ways:
    ◆ View alerts only: In Unisphere, go to System > System Alerts.
    ◆ View all log events: Using the VNXe Unisphere CLI, type the command cemcli list event.
External log management: You can archive log entries by enabling remote logging so that log entries
are uploaded to a remote network node where they can be archived or backed up. There, you can use
tools such as syslog to filter and analyze log results. The Remote logging options section provides
more information.
Time synchronization: Log time is recorded in GMT format and is maintained according to the VNXe
system time (which may be synchronized to the local network time through an NTP server).

Remote logging options

VNXe supports logging user/audit messages to a remote network address. By default, VNXe
transfers log information on port 514 using UDP. The following remote logging settings are
configurable through Unisphere. Log into Unisphere and click Settings > Management
Settings and select the Network tab.

◆ Network name or address where VNXe sends remote log information
◆ Type of user-level log messages to send. Use the Facility field to set the type of log
messages. EMC recommends that you select the User-Level Messages option.
◆ Port number and type (UDP or TCP) to use for log transmission
◆ Language setting for text within log messages

Configuring a host to receive VNXe log messages

Before configuring remote logging for a VNXe system, you must configure a remote
system running syslog to receive logging messages from the VNXe system. In many
scenarios, a root/administrator on the receiving computer can configure the remote syslog
server to receive log information by editing the syslog-ng.conf file on the remote system.

Note: For more information on setting up and running a remote syslog server, refer to the
documentation for the operating system running on the remote system.
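
The settings above describe a BSD-style syslog sender: UDP port 514 by default, a selectable Facility, and EMC's recommendation to send User-Level Messages. The Python receiver below is an added example, not EMC code and not a replacement for the syslog-ng configuration the guide points to; it shows what the receiving side has to do with each datagram, namely decode the PRI field into facility and severity and keep the user-level records. The hostnames, timestamps and message texts in SAMPLE_DATAGRAMS are constructed, not captured VNXe output.

```python
"""Minimal UDP syslog receiver and parser for VNXe remote logging.
Added example; not EMC code and not a substitute for a syslog daemon."""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Sequence

# BSD syslog (RFC 3164) code tables. PRI = facility * 8 + severity; the guide's
# recommended "User-Level Messages" facility is code 1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE"
_HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_syslog(line: str) -> Optional[SyslogRecord]:
    """Decode one datagram; None for anything that is not a well-formed BSD syslog line."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # largest legal PRI: local7 (23) * 8 + debug (7)
        return None
    return SyslogRecord(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                        m.group(2), m.group(3), m.group(4))


def collect(lines: Sequence[str], facility: str = "user") -> List[SyslogRecord]:
    """Keep the records of one facility and drop malformed lines."""
    kept: List[SyslogRecord] = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec.facility == facility:
            kept.append(rec)
    return kept


def serve(bind_addr: str = "0.0.0.0", port: int = 514, facility: str = "user") -> None:
    """Receive datagrams on the guide's default transport (UDP 514) and print the
    selected facility. Binding to port 514 needs elevated privileges on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            rec = parse_syslog(data.decode("utf-8", errors="replace").rstrip("\r\n"))
            if rec is None:
                print(f"{src}: unparseable datagram {data[:64]!r}")
            elif rec.facility == facility:
                print(f"{rec.timestamp} {rec.host} {rec.facility}.{rec.severity}: {rec.message}")


# Constructed datagrams in the BSD format; not captured VNXe output.
SAMPLE_DATAGRAMS = [
    "<14>Jan 15 10:22:01 vnxe-01 vnxe: user admin logged in from 192.0.2.10",
    "<30>Jan 15 10:22:05 vnxe-01 monitor: heartbeat ok",
    "<10>Jan 15 10:23:00 vnxe-01 vnxe: authentication failed for user admin",
    "garbage without a PRI header",
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_DATAGRAMS):
        print(f"{rec.timestamp} {rec.host} {rec.facility}.{rec.severity}: {rec.message}")
```

Because the facility is part of every PRI value, a receiver can separate the array's user-level audit records from other facilities the same host collects before they are filed; the unparseable-datagram branch exists because anything arriving on an unauthenticated UDP port should be logged rather than silently dropped.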



Chapter 4: Communication Security

This chapter describes a variety of communication security features implemented on the VNXe.
Topics include:
◆ Port usage on page 24
◆ VNXe certificate on page 30
◆ Configuring the management interface using DHCP on page 30
◆ VNXe interfaces, services, and features that support Internet Protocol version 6 on page 32
◆ VNXe management interface access using IPv6 on page 34
◆ Running the Connection Utility on page 35
◆ CIFS encryption on page 36

Port usage
Communications with the Unisphere and CLI interfaces are conducted through HTTPS on
port 443. Attempts to access Unisphere on port 80 (through HTTP) are automatically
redirected to port 443.

VNXe network ports

Table 10 on page 28 outlines the collection of network services (and the corresponding ports)
that may be found on the VNXe.

Table 10. VNXe network ports

Service Protocol Port Description

SSH/SSHD/SFTP TCP 22 Allows SSH access (if enabled) and SFTP


(FTP over SSH). SFTP is a client/server
protocol. Users can use SFTP to perform
file transfers on a VNXe system on the local
subnet.
If closed, management connections using
SSH will be unavailable.

Dynamic DNS update UDP 53 Used to transmit DNS queries to the DNS
server in conjunction with the Dynamic Host
Control Protocol (DHCP).
If closed, DNS name resolution will not
work.

DHCP client UDP 67 Allows the VNXe to act as a DHCP client


during the initial configuration process and
is used to transmit messages from the client
(VNXe) to the DHCP server to automatically
obtain management interface information.
Also, used to configure DHCP for the man-
agement interface of a VNXe which has al-
ready been deployed.
If closed, dynamic IP addresses will not be
assigned using DHCP.

24 EMC VNXe Security Configuration Guide


Communication Security

Table 10. VNXe network ports (continued)

Service Protocol Port Description

DHCP client UDP 68 Allows the VNXe to act as a DHCP client


during the initial configuration process and
is used to receive messages from DHCP
server to the client (VNXe) to automatically
obtain its management interface informa-
tion. Also, used to configure DHCP for the
management interface of a VNXe which has
already been deployed.
If closed, dynamic IP addresses will not be
assigned using DHCP.

HTTP TCP 80 Redirect for HTTP traffic to Unisphere and


the VNXe Unisphere CLI.
If closed, management traffic to the default
HTTP port will be unavailable.

rpcbind TCP/UDP 111 Opened by the standard portmapper or


rpcbind service and is an ancillary VNXe
(Network infrastructure)
network service.
It cannot be stopped. By definition, if a client
system has network connectivity to the port,
it can query it. No authentication is per-
formed.

NTP UDP 123 NTP time synchronization.


If closed, time will not be synchronized
among arrays.

NETBIOS Session Ser- TCP 139 The NETBIOS Session Service is associat-
vice ed with VNXe CIFS file sharing services
and is a core component of that functionali-
(CIFS)
ty. If CIFS services are enabled, this port is
open. It is specifically required for earlier
versions of the Windows OS (pre-Windows
2000).
Clients with legitimate access to the VNXe
CIFS services must have network connec-
tivity to the port for continued operation.

SNMP UDP 161, 162 SNMP communications.


If closed, VNXe alert mechanisms which
rely on SNMP will not be sent.

Port usage 25
Communication Security

Table 10. VNXe network ports (continued)

Service Protocol Port Description

HTTPS TCP 443 Secure HTTP traffic to the Unisphere and


VNXe Unisphere CLI.
If closed, communication with the array will
be unavailable.

CIFS TCP 445 CIFS connectivity port for Windows 2000


and later clients. Clients with legitimate ac-
cess to the VNXe CIFS services must have
network connectivity to the port for contin-
ued operation.

Dynamic DNS update UDP Dynamically assigned Used to receive responses to DNS queries
port (above 1024) from the DNS server in conjunction with the
Dynamic Host Control Protocol (DHCP).
If closed, DNS name resolution will not
work.

mountd TCP 1234 Used for the mount service, which is a core
component of the NFS service (versions 2
(NFS)
and 3).

NFS TCP 2049 Used to provide NFS services.

Portable Archive Inter- TCP 4658 PAX is a VNXe archive protocol that works
change (PAX) with standard UNIX tape formats.
(Backup Services) This service must bind to multiple internal
network interfaces and as a consequence,
it binds to the external interface as well.
However, incoming requests over the exter-
nal network are rejected.
Background information on PAX is con-
tained in the relevant EMC documentation
on backups and NDMP. There are several
technical modules on this topic to deal with
a variety of backup tools.

Network Block Service TCP 5033 An EMC proprietary protocol similar to (and
(NBS) a precursor of) iSCSI.The NBS service that
opens this port is a core VNXe service and
cannot be stopped.
Externally, NBS is used for snapshot and
replication control functions.

Replication services TCP 5081 Data Mover-to-Data Mover replication


commands.

26 EMC VNXe Security Configuration Guide


Communication Security

Table 10. VNXe network ports (continued)

Service Protocol Port Description

Replication services TCP 5083 Associated with replication services.

Replication services TCP 5084 Associated with replication services.

Replication services TCP 5085 Associated with replication services.

Statistics monitoring service TCP 7777 Statistics monitoring service.

RCP (Replication services) TCP 8888 Used by the replicator (on the secondary side). It is left open by the replicator as soon as some data has to be replicated. After it is started, there is no way to stop the service.

NDMP TCP 10000 Enables you to control the backup and recovery of an NDMP server through a network backup application, without installing third-party software on the server. In a VNXe system, the Data Mover functions as the NDMP server. The NDMP service can be disabled if NDMP tape backup is not used. The NDMP service is authenticated with a username/password pair. The username is configurable. The NDMP documentation describes how to configure the password for a variety of environments.

usermapper (CIFS) TCP 12345 The usermapper service opens this port. It is a core service associated with VNXe CIFS services and should not be stopped in specific environments. This is the method by which Windows credentials (which are SID-based) are mapped to UNIX-based UID and GID values.

IWD UDP Dynamically allocated IWD initial configuration daemon. If closed, initialization of the array will be unavailable through the network.

rquotad TCP Dynamically allocated The rquotad daemon provides quota information to NFS clients that have mounted a file system.

nlockmgr TCP Dynamically allocated Used for NFS file locking. It processes lock requests from NFS clients and works in conjunction with the status service.

status TCP Dynamically allocated The NFS file-locking status monitor; works in conjunction with nlockmgr to provide crash and recovery functions for NFS (which is inherently a stateless protocol).
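A routine check derived from Table 10 is to port-scan the VNXe's interfaces and compare what is actually listening with the table. The following Python script is an added example, not part of the VNXe documentation or software: it parses nmap grepable (-oG) output and sorts open ports into expected, review, unexpected and missing buckets. The allow-list covers only the fixed-port rows of Table 10 reproduced above, so extend it from the full table before relying on it; SAMPLE_SCAN is constructed output (telnet on 23 and an RPC listener on 32771 are invented to exercise the buckets), and 192.0.2.10 is a documentation address, not a real system.

```python
"""Audit a VNXe's listening ports against the Table 10 allow-list.

Added example, not EMC tooling. EXPECTED_LISTENERS covers the fixed-port rows
of Table 10 reproduced above (extend it from the full table before use), and
SAMPLE_SCAN is constructed nmap -oG output, not a scan of a real system.
"""
import re

EXPECTED_LISTENERS = {          # (protocol, port) -> service, from Table 10
    ("tcp", 443): "HTTPS (Unisphere, Unisphere CLI)",
    ("tcp", 445): "CIFS",
    ("tcp", 1234): "mountd (NFS)",
    ("tcp", 2049): "NFS",
    ("tcp", 4658): "PAX (backup; external requests rejected)",
    ("tcp", 5033): "NBS",
    ("tcp", 5081): "Replication services",
    ("tcp", 5083): "Replication services",
    ("tcp", 5084): "Replication services",
    ("tcp", 5085): "Replication services",
    ("tcp", 7777): "Statistics monitoring service",
    ("tcp", 8888): "RCP (replication)",
    ("tcp", 10000): "NDMP",
    ("tcp", 12345): "usermapper (CIFS)",
}

# Constructed output of: nmap -sS -p- -oG - <VNXe address>  (not a real scan)
SAMPLE_SCAN = (
    "# Nmap 6.25 scan initiated as: nmap -sS -p- -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///, "
    "445/open/tcp//microsoft-ds///, 2049/open/tcp//nfs///, 5033/open/tcp//nbs///, "
    "10000/open/tcp//ndmp///, 32771/open/tcp//sometimes-rpc5///"
    "\tIgnored State: closed (65528)\n"
    "# Nmap done at ...\n"
)

# Grepable port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {(protocol, port): (state, service)} from nmap -oG output."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            found[(proto, int(port))] = (state, service)
    return found


def audit_listeners(scan_text, expected=EXPECTED_LISTENERS):
    """Sort open ports into buckets of (protocol, port, service):
    expected   - in the allow-list
    review     - above 1024 and not listed; may be one of Table 10's dynamically
                 allocated listeners (rquotad, nlockmgr, status, IWD), so confirm
                 with 'rpcinfo -p <host>' instead of assuming
    unexpected - 1024 or below and not listed; needs an explanation
    missing    - allow-listed but not open (the service may be disabled)"""
    open_ports = {k: v for k, v in parse_grepable(scan_text).items() if v[0] == "open"}
    report = {"expected": [], "review": [], "unexpected": [], "missing": []}
    for (proto, port), (_, service) in sorted(open_ports.items()):
        if (proto, port) in expected:
            report["expected"].append((proto, port, expected[(proto, port)]))
        elif port > 1024:
            report["review"].append((proto, port, service))
        else:
            report["unexpected"].append((proto, port, service))
    for (proto, port), name in sorted(expected.items()):
        if (proto, port) not in open_ports:
            report["missing"].append((proto, port, name))
    return report


if __name__ == "__main__":
    for bucket, rows in audit_listeners(SAMPLE_SCAN).items():
        for proto, port, service in rows:
            print(f"{bucket:<10} {proto}/{port:<5} {service}")
```

Scan the management network and each data network separately, since the services differ per interface. An open port that is in the table still deserves the behaviour check Table 10 describes: PAX (4658), for example, is expected to be open but to reject requests arriving over the external network.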

Ports the VNXe may contact

The VNXe functions as a network client in several circumstances, for example, in communicating with an LDAP server. In these instances, the VNXe initiates communication and the network infrastructure will need to support these connections. Table 11 on page 28 describes the ports that a VNXe must be allowed to access for the corresponding service to function properly. This includes the VNXe Unisphere CLI.

Table 11. Network connections that may be initiated by the VNXe

Service Protocol Port Description

SMTP TCP 25 Allows the system to send email. If closed, email notifications will be unavailable.

DNS UDP 53 DNS queries. If closed, DNS name resolution will not work.

DHCP UDP 67-68 Allows VNXe to act as a DHCP client. If closed, dynamic IP addresses will not be assigned using DHCP.

HTTP TCP 80 Redirect for HTTP traffic to Unisphere and the VNXe Unisphere CLI. If closed, management traffic to the default HTTP port will be unavailable.

NTP UDP 123 NTP time synchronization. If closed, time will not be synchronized among arrays.

SNMP UDP 161, 162* SNMP communications. If closed, VNXe alert mechanisms which rely on SNMP will not be sent.

LDAP TCP 389* Unsecure LDAP queries. If closed, unsecure LDAP authentication queries will be unavailable. Secure LDAP is configurable as an alternative. Plain LDAP sends simple-bind credentials in clear text, so prefer LDAPS unless the directory server is reached only over a trusted network.

HTTPS TCP 443 HTTPS traffic to the Unisphere and VNXe Unisphere CLI. If closed, communication with the array will be unavailable.

CIFS TCP 445 All Windows NT domain controllers.

CIFS TCP 445 All Windows domain controllers.

Remote Syslog UDP or TCP 514* Log system messages to a remote host. You can configure the log transmission method (UDP or TCP) and the host port that the system uses. UDP delivery is connectionless and unauthenticated, so messages can be lost or spoofed without notice; prefer TCP where the log host supports it.

LDAPS TCP 636* Secure LDAP queries. If closed, secure LDAP authentication will be unavailable.

CIM XML TCP 5989 Used for various internal tasks related to system to system replication. Authentication and authorization are required for all calls made using CIM-XML.

IWD UDP Dynamically assigned IWD initial configuration daemon. If closed, initialization of the array will be unavailable through the network.

rquotad TCP Dynamically allocated The rquotad daemon provides quota information to NFS clients that have mounted a file system.

nlockmgr TCP Dynamically allocated Used for NFS file locking. It processes lock requests from NFS clients and works in conjunction with the status service.

status TCP Dynamically allocated The NFS file-locking status monitor; works in conjunction with nlockmgr to provide crash and recovery functions for NFS (which is inherently a stateless protocol).

Note: The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring
Directory Services. The default port number is displayed in an entry box that can be overridden by
the user. Also, the Remote Syslog port number and the SNMP port number can be overridden from
inside Unisphere.

VNXe certificate
The VNXe uses OpenSSL during its first initialization to automatically generate a self-signed certificate. The certificate is preserved both in NVRAM and on the backend LUN. Later, the VNXe presents it to a client when the client attempts to connect to the VNXe through the management port.
The certificate is set to expire after 3 years; however, the VNXe regenerates the certificate one month before its expiration date. You can also upload a new certificate by using the svc_custom_cert service command, which installs a specified SSL certificate in PEM format for use with the Unisphere management interface. For more information about this service command, see the VNXe Service Commands Technical Notes document. You cannot view the certificate through Unisphere or the VNXe Unisphere CLI; however, you can view it with a browser or a web tool that connects to the management port.
Because the generated certificate is self-signed, browsers and CLI clients cannot validate it against a trusted authority and will warn on each new connection. Record the certificate's fingerprint when the system is first initialized and compare it on later connections, or replace the certificate with one issued by your organization's certificate authority using svc_custom_cert so that clients can validate it normally. Note that a regenerated or replaced certificate changes the fingerprint.

Configuring the management interface using DHCP


After you finish installing, cabling, and powering up the system, an IP address must be
assigned to the VNXe management interface. If you are running VNXe on a dynamic network
that includes a Dynamic Host Configuration Protocol (DHCP) server and a Domain Name System
(DNS) server, the management IP address can be assigned automatically.

Note: If you are not running the VNXe system in a dynamic network environment, or you would
rather manually assign a static IP address, you must install and run the VNXe Connection Utility (see
Running the Connection Utility on page 35).

The appropriate network configuration must include setting the range of available IP
addresses, the correct subnet masks, and gateway and name server addresses. Consult your
specific network's documentation for more information on setting up DHCP and DNS
servers.
DHCP is a protocol for assigning dynamic Internet Protocol (IP) addresses to devices on a
network. DHCP allows you to control Internet Protocol (IP) addresses from a centralized
server and automatically assign a new, unique IP address when a VNXe system is plugged
into your organization's network. This dynamic addressing simplifies network administration
because the software keeps track of IP addresses rather than requiring an administrator to
manage the task.
The DNS server is an IP-based server that translates domain names into IP addresses. As
opposed to numeric IP addresses, domain names are alphabetic and are usually easier to
remember. Since an IP network is based on IP addresses, every time you use a domain name,
the DNS server must translate the name into a corresponding IP address. For example, the
domain name www.emc.com translates to the IP address 10.250.16.87.
The DHCP protocol exchange is not inherently secure: nothing authenticates the server, so
the possibility of communicating with a malicious server exists. The VNXe therefore expects
your management IP network to be physically secure, so that access is controlled and rogue
DHCP exchanges are prevented. No administrative information, such as user names or
passwords, is exchanged during the DHCP/Dynamic DNS configuration.
Configuration of the management IP items (DHCP preference, DNS and NTP server
configuration) fall under the existing Unisphere framework related to security. DNS and
DHCP events including obtaining a new IP address on lease expiration are recorded in
VNXe audit logs. If DHCP is not used for the VNXe management IP configuration, no
additional network ports will be opened.

Automatically assign an IP address to your VNXe system


Before you begin
Ensure you have network connection between the VNXe system, a DHCP server, and a DNS
server.

Procedure

Once your DHCP network is configured, you can automatically assign an IP address to your
VNXe system:

1. Power on the VNXe system.


The SP fault light on the back of the VNXe illuminates (blue with flashing amber once
in three seconds), indicating that the system is not initialized and a management IP
address has not been assigned. The DHCP client software running on the VNXe system
requests an IP address on the local network. The DHCP server will dynamically assign
an IP address to the VNXe and send this information to the DNS server. The VNXe
management IP will be registered in the network domain. Once the IP address has been
assigned, the SP fault light turns off and you can log into Unisphere to properly configure
your VNXe system. If you want to manually configure the VNXe management IP as a
static IP address, you can still do so even after the IP is automatically assigned and the
SP fault light has turned off. However, you must do so before accepting the end user
license agreement (EULA) of the Configuration Wizard.

2. Open a web browser and access the management interface using the following syntax

serial_number.domain
Where:
serial_number is the serial number of your VNXe. This can be found in the packing
materials that came with your VNXe.
domain is the network domain on which the VNXe system is located.
For example:
FM100000000017.mylab.emc.com.
If a certificate error appears, it is because the VNXe presents the self-signed certificate described in VNXe certificate on page 30 and does not by itself indicate a problem. Confirm that the name resolved to an address on your management network before following your browser's instructions to proceed past the warning.

3. Log into the VNXe system using the default username (admin) and password
(Password123#). These factory defaults are public; change the password in the Configuration Wizard before the system is reachable from a shared network.

The first time you open Unisphere, the Configuration Wizard runs to assist you with
configuring passwords, DNS and NTP servers, storage pools, storage server settings,
and ESRS and ConnectEMC features.

4. Proceed through the Configuration Wizard until the Domain Name Server panel appears.

5. In the Domain Name Server (DNS) panel, select Obtain default DNS server addresses
automatically.

6. Continue through the wizard, using the information described in the VNXe Quick Start
poster or the online help for assistance.

VNXe interfaces, services, and features that support Internet Protocol version 6
You can configure the interfaces on a system and use Internet Protocol version 6 (IPv6)
addresses to configure different services and features. The following list contains features
where IPv6 protocol is supported:
◆ Interfaces (SF, iSCSI) - to statically assign an IPv4 or IPv6 address to an interface
◆ Hosts - to enter a network name, an IPv4 address or an IPv6 address of a host
◆ Routes - to configure a route for IPv4 or IPv6 protocol
◆ Diagnostics - to initiate a diagnostic ping CLI command using either an IPv4 or IPv6
destination address. The Unisphere Ping Destination screen supports the IPv6 destination
addresses as well.
All VNXe components support IPv4, and most support IPv6. The following table shows the
availability of IPv6 support by setting type and component:

Setting Type Component IPv6 Supported

Unisphere management settings Management port Yes

Domain Name Server (DNS) Yes

NTP (network time protocol) server Yes

Remote logging server Yes

Unisphere host configuration setting Microsoft Exchange Yes

VMware datastore (NFS) Yes

VMware datastore (VMFS) Yes

Hyper-V datastore Yes

Unisphere alert setting SNMP trap destinations Yes

SMTP server Yes

Connect EMC No

EMC Secure Remote Support (ESRS) No

Storage server setting iSCSI server Yes

Shared Folder server Yes

Network Information Service (NIS) server (for NFS Shared Folder Servers) Yes

Active Directory server (for CIFS Shared Folder Servers) Yes

Internet Storage Service (iSNS) server Yes

Other PING destinations Yes

Remote log Yes

LDAP Yes

Unisphere Remote No

Replication No

IPv6 address standard


Internet Protocol version 6 (IPv6) is an Internet Protocol address standard developed by
the Internet Engineering Task Force (IETF) to supplement and eventually replace the
IPv4 address standard that most Internet services use today.
IPv4 uses 32-bit IP addresses, which provides approximately 4.3 billion possible addresses.
With the explosive growth of Internet users and Internet-connected devices, the available
IPv4 address space is insufficient. IPv6 solves the address shortage issue, because it uses
128-bit addresses, which provides approximately 3.4 x 10^38 (340 undecillion) addresses. IPv6
also addresses other IPv4 limitations, including mobility, autoconfiguration, and overall extensibility.
An IPv6 address is a hexadecimal value that contains eight, 16-bit, colon-separated fields:
hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh

Each digit in an IPv6 address can be a number from 0-9 or a letter from A-F.
For more information about the IPv6 standard, see information about the IPv6 standard
(RFC 2460) on the IETF website (http://www.ietf.org).

VNXe management interface access using IPv6


When you set up management connections in VNXe, you can configure the system to accept
the following types of IP addresses:
◆ Static Internet Protocol version 6 (IPv6) addresses, IPv4 addresses obtained through
DHCP, and static IPv4 addresses
◆ IPv4 addresses only
You can statically assign the IPv6 addresses to the management interface. An IPv6 address
on the management interface can be set to one of two modes, manual/static or disabled.
When you disable IPv6, the protocol does not unbind from the interface. The disable
command removes any unicast IPv6 addresses assigned to the management interface and
the VNXe will no longer answer requests addressed over IPv6. IPv6 is disabled by default.

After you finish installing, cabling, and powering up the system, an IP address must be
assigned to the VNXe management interface. If you are not running VNXe on a dynamic
network, or if you would rather manually assign a static IP address, you must download,
install, and run the VNXe Connection Utility. For more information about the Connection
Utility, see Running the Connection Utility on page 35.
Inbound requests using IPv6 to the VNXe through the management interface are supported.
You can configure the management interface on a VNXe to operate in an IPv4-only, IPv6-only,
or a combined IPv4 and IPv6 environment and you can manage the VNXe using Unisphere
UI and the command line interface (CLI).
Outbound services such as Network Time Protocol (NTP) and Domain Name System (DNS)
support IPv6 addressing either by using explicit IPv6 addresses or by using DNS names. If a
DNS name resolves to both IPv6 and IPv4 addresses, the VNXe will communicate with the
server over IPv6.
The manage network interface set and show CLI commands that are used to manage the
management interfaces include attributes related to IPv6. For more information about these
manage network interface commands and attributes, refer to the VNXe Unisphere CLI User
Guide.

Running the Connection Utility

Note: If you are running the VNXe system in a dynamic network environment that includes a DHCP
server and a DNS server, you do not have to use the VNXe Connection Utility and instead can
automatically assign a dynamic IP address (IPv4 only) for the VNXe management interface (see
Configuring the management interface using DHCP on page 30). When a VNXe system uses a static
IP address, it is manually configured with the Connection Utility to use a specific IP address. One
problem with static assignment, which can result from a mistake or inattention to detail, occurs when
two VNXe systems are configured with the same management IP address. This creates a conflict that
could result in loss of network connectivity. Using DHCP to dynamically assign IP addresses minimizes
these types of conflicts. VNXe systems configured to use DHCP for IP assignment do not need to use
statically assigned IP addresses.

Connection Utility installation software is available from the EMC Online Support website.
After you download the software, install the program on a Windows host. When you run
the Connection Utility from a computer on the same subnet as the VNXe, the Connection
Utility automatically discovers any unconfigured VNXe systems. If you run the Connection
Utility on a different subnet, you can save the configuration to a USB drive and then transfer
it to the VNXe system.

Note: You cannot change the management IP address when both of the Storage Processors (SP) are in
Service mode.

After you run the Connection Utility and transfer the configuration to your VNXe system,
you can connect to the VNXe system through a web browser using the IP address that you
assigned to the VNXe management interface.

The first time you connect to the VNXe system, the VNXe Configuration Wizard starts. The
Configuration Wizard lets you set up the initial configuration of the VNXe system so that
you can start to create storage resources.

CIFS encryption
SMB 3.0 and Windows 2012 support on the VNXe provides CIFS encryption for hosts whose SMB
client negotiates SMB 3.0. CIFS encryption provides end-to-end encryption of SMB data sent
between the array and the host, protecting the data from eavesdropping and snooping attacks
on untrusted networks.
CIFS encryption can be configured per share. Once a share is defined as encrypted, any
SMB 3 client must encrypt all its requests related to the share; otherwise, access to the share
will be denied. Clients that cannot negotiate SMB 3.0 therefore cannot use an encrypted share
at all, so plan the setting per share with the client population in mind.
To enable CIFS encryption, you either set the CIFS Encryption option when you add a CIFS
server or set it through the create and set commands for CIFS shares. Also, you set the
CIFS Encryption option when you create a CIFS Shared Folder. There is no setting required
on the SMB client.

Note: For more information about setting CIFS encryption, refer to the Unisphere for VNXe online
help and the VNXe Unisphere CLI User Guide.

Chapter 5: Data Security Settings

This chapter describes the security features that are available on the VNXe for supported storage types.
Topics include:
◆ Data security settings on page 38
◆ Data-at-rest-encryption on page 38

Data security settings


Table 12 on page 38 shows security features available for supported VNXe storage types.

Table 12. Security features

iSCSI storage (port 3260, TCP)
◆ iSCSI host (initiator) level access control is available through Unisphere (allowing clients to access primary storage, snapshots, or both).
◆ CHAP authentication is supported so that VNXe iSCSI Servers (targets) can authenticate iSCSI hosts (initiators) that attempt to access iSCSI-based storage.
◆ Mutual CHAP authentication is supported so that iSCSI hosts (initiators) can authenticate VNXe iSCSI Servers.

CIFS storage (port 445, TCP and UDP)
◆ Authentication for domain and administrative actions is provided through Active Directory user and group accounts.
◆ File and share access controls are provided through Windows directory services.
◆ Security signatures are supported through SMB signing.
◆ CIFS encryption is provided through SMB 3.0 and Windows 2012 for those hosts capable of using CIFS. See CIFS encryption on page 36 for information on CIFS encryption.
◆ Supports optional file-level retention services through add-on software. See Antivirus protection on page 52 for information on EMC Common AntiVirus Agent (CAVA).

NFS storage (port 2049, TCP)
◆ Share-based access control provided through Unisphere.
◆ Support for NFS authentication and access control methods identified in NFS versions 2 and 3.
◆ Supports optional file-level retention services through add-on software.

Backup and restore
◆ NDMP security can be implemented based on NDMP shared secrets.
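The CHAP bullets in Table 12 say who authenticates whom; the exchange itself is shown below in Python as an added example that is not VNXe or EMC code. It implements the RFC 1994 response MD5(CHAP_I || secret || CHAP_C) used by iSCSI (RFC 3720), runs the one-way login in which the VNXe iSCSI Server (target) authenticates the host (initiator), then the mutual login in which the host also challenges the target, and includes a rogue target to show what one-way CHAP cannot detect. The IQNs, secrets and challenges are constructed, and the 12-byte minimum secret length is a common initiator requirement assumed here, not a value taken from this guide.

```python
"""CHAP for iSCSI: one-way (target authenticates the initiator) and mutual.

Added example, not VNXe or EMC code. It implements the RFC 1994 response
computation and the RFC 3720 rule against reusing a challenge across the two
directions of a mutual exchange. IQNs, secrets and the 16-byte challenges
are constructed for illustration.
"""
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # common initiator requirement (assumption), not a VNXe value


def chap_response(identifier, secret, challenge):
    """RFC 1994: response = MD5(CHAP_I || secret || CHAP_C), 16 bytes."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one byte")
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("CHAP secret shorter than %d bytes" % MIN_SECRET_LEN)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """One side of the exchange: a host (initiator) or a VNXe iSCSI Server
    (target). own_secret proves our identity to a challenger; peer_secrets
    maps peer names to the secrets we use to verify them."""

    def __init__(self, name, own_secret, peer_secrets):
        self.name, self.own_secret, self.peer_secrets = name, own_secret, peer_secrets
        self.outstanding = {}   # CHAP_I -> CHAP_C we issued and still await
        self.sent = set()       # every challenge we ever issued

    def challenge(self):
        identifier, chal = os.urandom(1)[0], os.urandom(16)
        self.outstanding[identifier] = chal
        self.sent.add(chal)
        return identifier, chal

    def is_reflected(self, chal):
        """RFC 3720: a challenge we issued must not come back as the challenge
        for the other direction; a responder that sees this closes the connection."""
        return chal in self.sent

    def respond(self, identifier, chal):
        if self.is_reflected(chal):
            raise ValueError("challenge reflected from the other direction")
        return self.name, chap_response(identifier, self.own_secret, chal)

    def verify(self, identifier, peer_name, response):
        chal = self.outstanding.pop(identifier, None)
        secret = self.peer_secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class RogueTarget(ChapPeer):
    """An impostor target: accepts any initiator response unchecked and does
    not hold the real target secret."""

    def verify(self, identifier, peer_name, response):
        return True


def iscsi_login(initiator, target, mutual):
    """CHAP phase of an iSCSI login; True when the login would succeed."""
    i, c = target.challenge()                 # direction 1: target -> initiator
    name, resp = initiator.respond(i, c)
    if not target.verify(i, name, resp):
        return False
    if not mutual:
        return True
    i2, c2 = initiator.challenge()            # direction 2: initiator -> target
    t_name, t_resp = target.respond(i2, c2)   # target must answer with its own secret
    return initiator.verify(i2, t_name, t_resp)


# Constructed names and secrets; the two secrets differ, as initiators
# generally require for mutual CHAP.
HOST = "iqn.2013-01.com.example:host1"
TARGET = "iqn.2013-01.com.example:vnxe-iscsi1"
HOST_SECRET = b"host-chap-secret-01"
TARGET_SECRET = b"target-chap-secret-02"


def demo(mutual, rogue_target=False):
    host = ChapPeer(HOST, HOST_SECRET, {TARGET: TARGET_SECRET})
    if rogue_target:
        target = RogueTarget(TARGET, b"impostor-secret-00", {})
    else:
        target = ChapPeer(TARGET, TARGET_SECRET, {HOST: HOST_SECRET})
    return iscsi_login(host, target, mutual)


if __name__ == "__main__":
    print("one-way CHAP, genuine target:", demo(mutual=False))
    print("one-way CHAP, rogue target  :", demo(mutual=False, rogue_target=True))
    print("mutual CHAP,  rogue target  :", demo(mutual=True, rogue_target=True))
```

The rogue target accepts any initiator response without checking it and does not hold the target secret. One-way CHAP still "succeeds" against it, because nothing in that direction requires the target to prove anything; mutual CHAP fails at the second direction. That is the practical reason to enable mutual CHAP wherever the initiators support it.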

Data-at-rest-encryption
Encryption is the process of transforming data to make it unreadable to anyone except those
possessing specialized knowledge. Self-Encrypting Drives (SEDs) in a VNXe system use
AES-256 encryption. The encryption is done within each drive before the data is written
to the media. This protects the data on the drive against theft, hardware loss, and attempts
to read the drive directly by physically de-constructing the drive using methods such as a
drive recovery service. The encryption also provides a means to quickly and securely erase
information on a drive without the need to overwrite it multiple times in order to ensure
that the information is not recoverable.
Reading encrypted data requires the authentication key for the SED to unlock the drive.
Only authenticated SEDs will be unlocked and accessible. Once the drive is unlocked, the
SED decrypts the encrypted data back to its original form.

Self-Encrypting Drives
VNXe systems support data at rest encryption through the use of Self-Encrypting Drives
(SEDs). All data on a SED is encrypted by the data encryption key that is stored on the
drive. Encryption is set at the factory before shipment and cannot be reversed once set.
The SED encryption/decryption process is transparent and automatic, and does not
degrade performance.
Access control to a SED is enforced through the use of an authentication key. The
authentication key is used to lock/unlock the drive and to encrypt/decrypt the data
encryption key that is stored on the drive. On power-cycle, a SED that is part of a
user-defined storage pool comes up in a locked state and does not permit access. The
authentication key is used to unlock the drive and to gain access to user data.
An embedded Key Manager on the storage processor (SP) provides key management
for the authentication key. Key management responsibilities include:

◆ authentication key generation


◆ secure key storage
◆ self-managed key life cycle
◆ synchronization of redundant key copies
A VNXe system contains either all SEDs or all non-self-encrypting drives. You cannot
add a non-self-encrypting drive to a VNXe SED system. If you try to do this, the system
raises an error. Likewise, you cannot add a SED to a VNXe non-self-encrypting drive
system.

Secure array
A secure array is one that can only have SEDs installed in the array. You cannot intermix
SEDs with non-encrypted drives in a VNXe. All SEDs in the VNXe are unlocked by
default and only become locked once a storage pool is associated with them. An
authentication key is created and applied to all drives while locking them and is required
for any future interactions. Conversely, if all storage pools associated with a drive are
destroyed, all the data on the drive is cryptographically destroyed (the authentication key is
deleted, making the data unrecoverable) and the drive is unlocked.
Once a SED is included in a storage pool, access control is enabled and the authentication
key is set. The drive may then be used only with the authentication key stored on the
array. User data on the drive will not be accessible on a different array or externally.
With the exception of the first four drives in the Disk Processor Enclosure (DPE), a drive
may be re-purposed for use on another array by destroying any storage pool it may
belong to. Destroying the storage pool will cryptographically erase any user data on the
drive, disable access control on these drives, and reset all passwords to the manufacturer's
secure ID. Drives that do not belong to a storage pool do not hold user data and do not
have access restrictions. These drives may be moved without issues.
If you inadvertently delete a storage pool with a drive missing, that drive will remain
inaccessible until it is reverted to the factory default. Reverting a drive cryptographically
erases the data on the drive and disables authentication. To revert a SED to its factory
default, use the svc_key_restore service command. For information on this service
command, see the technical notes document, VNXe Service Commands. For additional
information and help to revert a SED to the factory default, contact your service
provider.

When a new SED is introduced in the VNXe, either as a replacement of an existing drive
or as a part of an array expansion, it is automatically detected and included in the array.
If the new drive replaces an old drive that was a part of a storage pool, access control
will be enabled and the authentication key will be set on the new drive.

Note: Removing drives can degrade storage pools and reduce the redundancy of that storage pool.

With regards to a system with SEDs, certain hardware part replacements impact SED
operation:

◆ Replacing both SPs and the chassis at the same time is not supported. The
authentication key will become inaccessible.
EMC highly recommends that you back up the authentication key to an external
drive as soon as the key is created. If the master copy of the authentication key is
missing or corrupted, the data stored on the system will become inaccessible. For
instructions to back up the authentication key, refer to the VNXe Unisphere online
help or the VNXe Unisphere CLI User Guide .

◆ Array conversion, in which all the drives are removed and inserted in a new array,
is not supported.

Authentication key
The Key Manager randomly generates the authentication key for SEDs automatically
the first time you create a storage pool on a VNXe SED system. The same authentication
key will apply to all drives in the VNXe system, including those added to the system
later on.
VNXe encrypts the authentication key and stores it in a secured area on the system drive
under a triple mirrored redundancy scheme. You can back up the authentication key to
an external device by using either a Unisphere UI option or a Unisphere CLI command.

EMC highly recommends that you back up the authentication key to an external drive
as soon as the key is created. If the master copy of the authentication key is missing
or corrupted, the data stored on the system will become inaccessible. For instructions
to back up the authentication key, refer to the VNXe Unisphere online help or the
VNXe Unisphere CLI User Guide .

If you receive an alert for a corrupt authentication key, you must restore the key. Place
both SPs in the VNXe into service mode and run the svc_key_restore service command
on one of the SPs in the VNXe.

Note: For instructions for placing SPs into service mode, refer to the VNXe Unisphere online help.
For information about the svc_key_restore service command, see the VNXe Service Commands
Technical Notes .

With the following exception, if all the storage pools on the VNXe system are deleted,
the master copy of the authentication key will also be deleted. However, if you reinitialize
a system containing storage pools, the authentication key will still be valid when the
system comes back up, even though the storage pools were deleted.
The backup authentication keys are useless after all the storage pools on the VNXe
system are deleted (with the exception of reinitializing a system containing storage
pools). When the first new storage pool is subsequently created, a new master copy
of the authentication key is automatically generated. In this case all existing backup
authentication keys of the previous authentication key are invalid, and a new backup
authentication key should be made.
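The Self-Encrypting Drives, Secure array and Authentication key sections above describe one key hierarchy: the authentication key unlocks a drive and wraps that drive's data encryption key, destroying the pool deletes the authentication key, and a lost master copy with no backup means lost data. The Python model below is an added example, not EMC code and not the command set a real SED implements: a SHA-256 keystream stands in for the drive's AES-256 so that it runs with the standard library alone, and the check value, nonces and sample data are constructed. It exists to make the consequence of each step in the text checkable, not to be reused as a cipher.

```python
"""Model of the SED key hierarchy described above.

Added example; not EMC code and not the protocol a real SED speaks. A
SHA-256 keystream stands in for the drive's AES-256 so it runs with the
standard library only: it models the key relationships, not a cipher to reuse.
"""
import hashlib
import hmac
import os


def keystream_xor(key, data, nonce):
    """Toy stream cipher (stand-in for AES-256): XOR with SHA-256 blocks."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def ak_check_value(ak):
    """Lets the drive recognise the correct AK without storing the AK itself."""
    return hmac.new(ak, b"sed-ak-check", hashlib.sha256).digest()


class SelfEncryptingDrive:
    def __init__(self):
        self.media = {}                # lba -> ciphertext, as on the platters
        self.wrapped_dek = None        # DEK encrypted under the AK
        self.ak_check = None           # None = access control disabled
        self.locked = False            # a drive outside any pool is unlocked
        self._dek = os.urandom(32)     # generated inside the drive, never exported

    def set_authentication_key(self, ak):
        """Storage pool creation: enable access control under AK."""
        self.wrapped_dek = keystream_xor(ak, self._dek, b"wrap")
        self.ak_check = ak_check_value(ak)
        self.power_cycle()

    def power_cycle(self):
        """A drive with access control enabled comes up locked."""
        if self.ak_check is not None:
            self.locked, self._dek = True, None

    def unlock(self, ak):
        if self.ak_check is None:
            return True                # no access control on this drive
        if not hmac.compare_digest(ak_check_value(ak), self.ak_check):
            return False
        self._dek = keystream_xor(ak, self.wrapped_dek, b"wrap")
        self.locked = False
        return True

    def write(self, lba, data):
        if self.locked:
            raise PermissionError("drive locked")
        self.media[lba] = keystream_xor(self._dek, data, lba.to_bytes(8, "big"))

    def read(self, lba):
        if self.locked:
            raise PermissionError("drive locked")
        return keystream_xor(self._dek, self.media[lba], lba.to_bytes(8, "big"))

    def crypto_erase(self):
        """Pool destroyed or drive reverted: the wrapped DEK and AK check are
        discarded, so the ciphertext still on the media can never be decrypted.
        The drive gets a fresh DEK and is unlocked for use elsewhere."""
        self.wrapped_dek = self.ak_check = None
        self._dek, self.locked = os.urandom(32), False

    def raw_media(self, lba):
        """What reading the platters directly (e.g. a recovery service) yields."""
        return self.media.get(lba)


def demonstrate():
    """Walk through the lifecycle in the text; every value should be True."""
    ak = os.urandom(32)                # Key Manager generates the AK ...
    ak_backup = ak                     # ... back it up as soon as it exists
    drive = SelfEncryptingDrive()
    drive.set_authentication_key(ak)
    r = {"locked_after_power_cycle": drive.locked,
         "wrong_ak_rejected": not drive.unlock(os.urandom(32))}
    drive.unlock(ak)
    secret = b"pool data: customer records"   # constructed sample data
    drive.write(7, secret)
    r["platters_hold_only_ciphertext"] = drive.raw_media(7) != secret
    drive.power_cycle()                # array copy of the AK lost: use the backup
    r["backup_restores_access"] = drive.unlock(ak_backup) and drive.read(7) == secret
    drive.crypto_erase()
    r["erased_drive_is_unlocked"] = not drive.locked
    r["old_data_unrecoverable"] = drive.read(7) != secret
    return r


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:32} {ok}")
```

demonstrate() follows the lifecycle the text describes: the drive comes up locked after a power cycle, rejects a wrong key, exposes only ciphertext to a direct media read, is recovered from the key backup when the array's copy is lost, and after the pool is destroyed is unlocked but yields nothing recoverable for the old data. The model has no equivalent of svc_key_restore; a drive whose pool is deleted while it is absent simply keeps its check value and stays locked until it is reverted.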

Chapter 6: Security Maintenance

This chapter describes a variety of security maintenance features implemented on the VNXe.
Topics include:
◆ Secure maintenance on page 44

Secure maintenance
VNXe provides the following secure functions for performing remote system maintenance
and update tasks:
◆ VNXe license activation
◆ VNXe software upgrade
◆ VNXe software Hotfixes

License update
The VNXe license update feature allows users to obtain and install licenses for specific VNXe
functionality, such as file-level retention or RepliStor™ replication. Table 13 on page 44
shows security features that are associated with the VNXe license update feature.

Table 13. VNXe license update security features

Process: Obtaining licenses from the EMC Online Support website
Security: License acquisition is performed from within an authenticated session on the EMC Online Support website (www.emc.com/vnxesupport).

Process: Receiving license files
Security: Licenses are sent to an email address specified within an authenticated EMC Online Support website (www.emc.com/vnxesupport) transaction.

Process: Uploading and installing licenses through the Unisphere client to the VNXe system
Security: License file uploads to the VNXe system occur within Unisphere sessions authenticated through HTTPS. The VNXe system validates received license files using digital signatures. Each licensed feature is validated by a unique signature within the license file.

Software upgrade
The VNXe software update feature allows users to obtain and install software for upgrading
or updating the software running on the VNXe system. Table 14 on page 45 shows security
features that are associated with the VNXe software upgrade feature.


Table 14. Software upgrade security features

Process: Downloading VNXe software from the EMC Online Support website
Description: Software download is performed from within an authenticated session on the EMC Online Support website (www.emc.com/vnxesupport).

Process: Uploading VNXe software
Description: Software upload to the VNXe system occurs within an authenticated Unisphere session through HTTPS.

Chapter 7: Security Alert Settings

This chapter describes the different methods available to notify administrators of alerts that occur on the VNXe.
Topics include:
◆ Alert settings on page 48

Alert settings
VNXe alerts inform administrators of actionable events that occur on the VNXe system.
VNXe events can be reported as shown in Table 15 on page 48.

Table 15. Alert settings

Alert type: Visual notification
Description: Displays informational pop-up messages when users log in to the interface and in real time to indicate when alert conditions occur. Pop-ups provide basic information about the alert condition. You can obtain additional information from the System > System Alerts page.
Note: VNXe visual alert notifications are not configurable.

Alert type: Email notification
Description: Enables you to specify one or more email addresses to which to send alert messages. You can configure the following settings:
◆ Email addresses to which to send VNXe system alerts.
◆ Severity level (emergency, error, or information) required for email notification.
Note: For VNXe alert email notification to work, you must configure a target SMTP server for the VNXe system.

Alert type: SNMP traps
Description: Transfer alert information to designated hosts (trap destinations) that act as repositories for the alert information generated by the VNXe system. You can configure SNMP traps through Unisphere. Settings include:
◆ IP address of a network SNMP trap destination
◆ Port number on which the trap destination receives traps
◆ Optional security settings for trap data transmission:
  ◆ Authentication protocol: Hashing algorithm used for SNMP traps (SHA or MD5)
  ◆ Privacy protocol: Encryption algorithm used for SNMP traps (DES, AES, AES192, or AES256)
The Unisphere Online Help provides more information.

Alert type: ConnectEMC
Description: Automatically sends alert notifications to EMC for help in diagnosing product issues.
Note: For ConnectEMC notification to work, you must configure a target SMTP server for the VNXe system.

Alert type: EMC Secure Remote Support (ESRS)
Description: ESRS provides an IP-based connection that enables EMC Support to receive error files and alert messages from your VNXe system, and to perform remote troubleshooting, resulting in a fast and efficient time to resolution.
Note: Available with VNXe operating environment (OE) version 2 or later. For ESRS to work, you must enable it on the VNXe system.

Configuring alert settings

You can configure VNXe alert settings for email notifications and SNMP traps from the
VNXe.

Configure email notification alert settings

Using Unisphere:

1. Select Settings > More Configuration > Alert Settings.

2. In the Email Alerts section, configure the severity level at which alert email messages are
generated to one of the following:
◆ Information
◆ Warning
◆ Error
◆ Critical
◆ Emergency

Note: For the VNXe alert email mechanism to work, a target SMTP server must be configured for
the VNXe system.

Configure SNMP traps alert settings

Using Unisphere:

1. Select Settings > More Configuration > Alert Settings.

2. In the Alerts Settings section, configure the severity level at which SNMP traps are
generated to one of the following:
◆ Information
◆ Warning
◆ Error
◆ Critical
◆ Emergency
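The two procedures above, together with the SNMP trap row of Table 15, amount to a small set of rules a reviewer can check before relying on alert delivery: the severity threshold must be one of the five levels, email and ConnectEMC need a target SMTP server, a trap destination needs a valid address and port, and the optional SNMPv3 security settings should be the strong choices (SHA rather than MD5, AES rather than DES) and be consistent with each other. The Go program below is an added example for this guide, not EMC code; the `AlertSettings` struct and its field names are an assumption standing in for the values entered in Unisphere, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Severity levels in the order Unisphere offers them. A channel delivers an
// alert when the alert's rank is at or above the channel's threshold rank.
var severityRank = map[string]int{
	"Information": 0, "Warning": 1, "Error": 2, "Critical": 3, "Emergency": 4,
}

// AlertSettings models the settings this chapter describes. The field names
// are an assumption for this example, not the VNXe configuration schema.
type AlertSettings struct {
	SMTPServer     string   // target SMTP server; required for email and ConnectEMC
	EmailAddresses []string // recipients of alert email (empty = email alerts off)
	EmailSeverity  string   // threshold for email notification
	ConnectEMC     bool
	TrapDestIP     string // SNMP trap destination (empty = traps off)
	TrapDestPort   int
	TrapSeverity   string
	AuthProtocol   string // "", "SHA" or "MD5"
	PrivProtocol   string // "", "DES", "AES", "AES192" or "AES256"
}

// ShouldNotify reports whether an alert of severity sev reaches a channel
// whose threshold is thr. Unknown level names never notify.
func ShouldNotify(sev, thr string) bool {
	s, ok1 := severityRank[sev]
	t, ok2 := severityRank[thr]
	return ok1 && ok2 && s >= t
}

// AuditAlertSettings returns findings prefixed "ERROR:" (the setting cannot
// work as configured) or "WARN:" (it works, but a stronger choice exists).
func AuditAlertSettings(c AlertSettings) []string {
	var f []string
	add := func(format string, a ...any) { f = append(f, fmt.Sprintf(format, a...)) }

	if len(c.EmailAddresses) > 0 {
		if _, ok := severityRank[c.EmailSeverity]; !ok {
			add("ERROR: email severity %q is not a valid level", c.EmailSeverity)
		}
		if c.SMTPServer == "" {
			add("ERROR: email alerts configured but no target SMTP server is set")
		}
	}
	if c.ConnectEMC && c.SMTPServer == "" {
		add("ERROR: ConnectEMC enabled but no target SMTP server is set")
	}
	if c.TrapDestIP == "" {
		return f // SNMP traps not in use; nothing more to check
	}
	if net.ParseIP(c.TrapDestIP) == nil {
		add("ERROR: trap destination %q is not a valid IP address", c.TrapDestIP)
	}
	if c.TrapDestPort < 1 || c.TrapDestPort > 65535 {
		add("ERROR: trap destination port %d is out of range", c.TrapDestPort)
	}
	if _, ok := severityRank[c.TrapSeverity]; !ok {
		add("ERROR: trap severity %q is not a valid level", c.TrapSeverity)
	}
	auth := strings.ToUpper(c.AuthProtocol)
	priv := strings.ToUpper(c.PrivProtocol)
	switch auth {
	case "":
		add("WARN: traps are sent without authentication; the receiver cannot distinguish forged traps from real ones")
	case "MD5":
		add("WARN: authentication protocol MD5 is deprecated; prefer SHA")
	case "SHA":
	default:
		add("ERROR: unknown authentication protocol %q", c.AuthProtocol)
	}
	switch priv {
	case "":
		if auth != "" {
			add("WARN: traps are authenticated but not encrypted; alert contents are readable in transit")
		}
	case "DES":
		add("WARN: privacy protocol DES is weak; prefer AES256")
	case "AES", "AES192", "AES256":
	default:
		add("ERROR: unknown privacy protocol %q", c.PrivProtocol)
	}
	if priv != "" && auth == "" {
		// SNMPv3 USM defines noAuthNoPriv, authNoPriv and authPriv only;
		// privacy without authentication is not a valid security level.
		add("ERROR: privacy protocol set without an authentication protocol")
	}
	return f
}

func main() {
	weak := AlertSettings{ // constructed sample: email without SMTP, MD5/DES traps
		EmailAddresses: []string{"storage-ops@example.com"}, EmailSeverity: "Error",
		TrapDestIP: "192.0.2.10", TrapDestPort: 162, TrapSeverity: "Warning",
		AuthProtocol: "MD5", PrivProtocol: "DES",
	}
	for _, line := range AuditAlertSettings(weak) {
		fmt.Println(line)
	}
}
```

Run against the sample it reports the missing SMTP server as an error and the MD5 and DES choices as warnings; the same settings with an SMTP server, SHA and AES256 produce no findings. `ShouldNotify` is the threshold rule from step 2 of both procedures: an Error alert reaches a channel set to Error or below, a Warning alert does not reach a channel set to Error.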


Chapter 8: Other Security Settings

This chapter contains other information that is relevant for ensuring the
secure operation of the VNXe.
Topics include:
◆ Data erasure on page 52
◆ Physical security controls on page 52
◆ Antivirus protection on page 52


Data erasure
Deleted objects cannot be reconstructed. However, where data erasure is a requirement,
EMC offers data erasure services.

Physical security controls

The area where the VNXe system resides must be chosen and modified to provide for the
physical security of the VNXe system. This includes basic measures such as providing
sufficient doors and locks, permitting only authorized and monitored physical access to the
system, providing a reliable power source, and following standard cabling best practices.
In addition, the following VNXe system components require particular care:
◆ Password reset button: Temporarily resets the factory default passwords for both the
VNXe default administrator account and the service account, until an administrator resets
the password.
◆ Serial port connector: Allows authenticated access through a serial port connection.

Antivirus protection
The VNXe supports EMC Common AntiVirus Agent (CAVA). CAVA, a component of VNX
Event Enabler (VEE) 4.9.3.0, provides an antivirus solution to clients using a VNXe system.
It uses the industry-standard CIFS protocol in a Microsoft Windows Server environment.
CAVA uses third-party antivirus software to identify and eliminate known viruses before
they infect files on the VNXe system. The VEE installer, which contains the CAVA installer,
and the VEE release notes are available in Downloads > VNXe product support at the EMC
Online Support website.
