EMC® VNX® Series Security Configuration Guide for VNX

Defense in depth

Because the behavior of the vast majority of the open network ports on VNX for file is governed by network standards, there are no additional steps available for VNX for file to protect these ports other than disabling their associated services and closing the ports. Disabling services such as portmap will hinder the general operations of VNX for file, and in some cases, the impact will be severe.

However, the notion of defense in depth dictates that any potential vulnerability is addressed with additional protections to control who may access the ports. This may be done with firewalls in the network environment (external to VNX for file) or by enabling the iptables functionality on the Control Station.

In addition, the VNX for file Data Mover provides two powerful mechanisms for controlling network connectivity:

• Packet Reflect
• Virtual local area networks (VLANs)

Packet Reflect ensures that outbound (reply) packets always exit through the same interfaces through which the inbound (request) packets entered. Because majority of the network traffic on a Data Mover, including all file system I/O, is initiated by the client, the Data Mover uses Packet Reflect to reply to client requests. With Packet Reflect, there is no need to determine the route to send the reply packets. Packet Reflect is enabled by default.

VLANs are logical networks that function independently of the physical network configuration. For example, VLANs enable you to put all of a department's computers on the same logical subnet, which can increase security and reduce network broadcast traffic.

Configuring and Managing Networking on VNX provides additional information about Packet Reflect and VLANs as well as how to configure these features.