
EMC® VNX® Series Security Configuration Guide for VNX


Implementing Unisphere in secure environments

Security has become a high priority for many EMC customers. Understandably, many customers are actively securing their network infrastructure or are at least considering it. In addition, they may have varying security requirements and network topologies. However, securing the network without considering Unisphere network management requirements may cause problems when managing the storage system, including the loss of critical storage system events and inconsistencies in global Unisphere configuration data, such as the security database. By understanding the Unisphere architecture discussed throughout this paper, customers can have a secure network environment while still effectively managing their storage systems.

The following scenarios illustrate the flexibility of the Unisphere architecture in network topologies with varying degrees of security requirements. Each scenario employs commonly practiced IT security policies including the use of a de-militarized zone (DMZ) between the corporate network and the Internet.

NOTE: These examples are representative of different network topologies and of how Unisphere may be implemented in different environments. The actual configuration at a customer site will depend on the customer's specific security requirements.

Minimally secure storage management network topology depicts an environment with minimal security measures in place. The corporate network is secure from the outside through the DMZ, while internally there are few restrictions for storage security. All VNX TCP/IP traffic (as listed in VNX for block - Ports used by Unisphere components) is allowed to flow in both directions between the internal LAN and the storage LAN. This configuration, which provides the most full-featured, easy-to-manage VNX environment, allows the user to manage storage systems from any location within the DMZ. The Unisphere Host Agent, which runs on SAN-attached servers, provides full host registration and LUN/volume mapping information. In addition, there are no restrictions for where a central monitoring station, SNMP server, Unisphere Client/Server management station, or ESRS IP client can be installed on the corporate network.

Figure 1. Minimally secure storage management network topology

Some customers may have more stringent security requirements in place, such as allowing storage systems to be managed only by management stations on the storage LAN, and not having management services or agents installed on production servers. As shown in Moderately secure storage management network topology, these requirements can be satisfied, without the loss of Unisphere management capabilities, by making a few minor changes to the configuration shown in Minimally secure storage management network topology. In the new configuration, the firewall between the storage LAN and internal LAN is modified to only allow outbound TCP/IP traffic that the VNX storage system initiates.

Figure 2. Moderately secure storage management network topology

As a result of this modification, all Unisphere management and monitoring must be performed on the storage LAN, including management performed by Unisphere, CLI, central monitoring stations, Unisphere Client/Server management stations, and the ESRS IP Client. Note that SNMP traps and email notifications can still be sent to the corporate SMTP/SNMP server, as well as EMC Customer Service with ESRS IP Client. Finally, the Unisphere Host Agent is replaced by the Unisphere Server Registration Utility. All host management functionality is now in-band and no additional services are running on the production servers. However, LUN/volume mapping information is not available through Unisphere or Secure CLI; this information is available only through the server registration utility.

These changes greatly improve the overall security of the storage systems since all management activities must be initiated on the storage LAN. But this configuration is still vulnerable to a breach in the internal firewall. If the firewall is compromised from the internal LAN, any computer in the corporate network will be able to manage the storage systems. The use of VNX-based IP filtering eliminates this potential threat.

The final configuration, shown in Highly secure storage management network topology, provides a very high level of security for a company's storage systems. Potential threats are reduced to a breach of physical resources. In addition, enabling IP filtering for the VNX domain limits the management of the storage systems to a single Windows server, namely the Unisphere Client/Server management station. IP filtering allows each storage system or domain to have a list of trusted client IP addresses. The storage system(s) will accept management connections only from these trusted clients. IP filtering does not affect other traffic, such as Event Monitor polls, email notifications, or SNMP. IP filtering is configured in the http://<SP IP address>/setup pages or via the naviseccli security -trustedclient switch.

Figure 3. Highly secure storage management network topology

This configuration provides two layers of authentication. First, the user must have valid Windows credentials to log in to the management station. Second, the user must have valid Unisphere credentials to manage the storage system. The trade-off with this configuration is the loss of flexibility in terms of management options. Neither the ability to manage from anywhere in the system nor the ability to centrally monitor the entire network is available. Also, remote support of the storage system by using the ESRS IP Client is not possible in this environment. Note that ESRS IP Client can still send notifications to EMC Customer Service.
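To make the three scenarios concrete, the following is a small policy model, added here and not EMC's own code or tooling, that evaluates whether a given session is permitted in each topology, including the case where the internal firewall has been breached. The zone names, IP addresses, and the assumption that the storage LAN firewall is stateful (so that only sessions the VNX initiates pass) are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    src_zone: str           # "storage_lan", "internal_lan" or "internet" (constructed names)
    src_ip: str
    initiated_by_vnx: bool  # True for SNMP traps, e-mail and ESRS call-home sent by the VNX
    service: str            # "management", "snmp_trap", "smtp" or "esrs"

@dataclass(frozen=True)
class Topology:
    name: str
    internal_may_open_sessions: bool          # firewall permits internal LAN -> storage LAN sessions
    trusted_clients: frozenset = frozenset()  # VNX IP filtering list; empty means disabled
    firewall_breached: bool = False           # simulate a compromised internal firewall

    def allows(self, flow: Flow) -> bool:
        # The DMZ keeps Internet-sourced connections out in every scenario.
        if flow.src_zone == "internet":
            return False
        # Sessions the VNX itself initiates are outbound and always permitted;
        # the assumed stateful firewall lets their replies back in.
        if flow.initiated_by_vnx:
            return True
        # Sessions opened from the internal LAN need the firewall to permit
        # them, unless that firewall has been compromised.
        if flow.src_zone == "internal_lan" and not (
            self.internal_may_open_sessions or self.firewall_breached
        ):
            return False
        # IP filtering applies only to management connections, not to
        # Event Monitor polls, e-mail or SNMP.
        if flow.service == "management" and self.trusted_clients:
            return flow.src_ip in self.trusted_clients
        return True

MINIMAL = Topology("minimally secure", internal_may_open_sessions=True)
MODERATE = Topology("moderately secure", internal_may_open_sessions=False)
HIGH = Topology("highly secure", internal_may_open_sessions=False,
                trusted_clients=frozenset({"10.2.0.50"}))  # constructed management station IP

def can_manage(topo: Topology, src_zone: str, src_ip: str, breached: bool = False) -> bool:
    """Can a client at src_ip open a Unisphere management session in this topology?"""
    topo = replace(topo, firewall_breached=breached)
    return topo.allows(Flow(src_zone, src_ip, initiated_by_vnx=False, service="management"))

def can_notify(topo: Topology, service: str) -> bool:
    """Can the VNX (constructed SP address) still send notifications to the corporate LAN?"""
    return topo.allows(Flow("storage_lan", "10.2.0.10", initiated_by_vnx=True, service=service))
```

Running the model shows the point of the text: a breached firewall lets any internal host manage the system in the moderately secure topology, while IP filtering in the highly secure topology still rejects it, and VNX-initiated SNMP, SMTP and ESRS notifications pass in every case.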

As is evident, the Unisphere architecture is very flexible in its ability to integrate into several secure environments. The key to a successful implementation of VNX management is an understanding of Unisphere network requirements, which are listed in VNX for block - Ports used by Unisphere components and described in the previous scenarios.

