- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
VNX for file Control Station network ports
NOTE: Unisphere enables you to manage some network services. The Unisphere interface shows the current status of most network services (enabled or disabled) and provides a convenient means of enabling or disabling the services. Select your system then use
. For more information about enabling and disabling network services, refer to the Unisphere online help.
| Port | Protocol | Default State | Service | Comments |
|---|---|---|---|---|
| 22 | TCP | Open | SSH | SSH is the default method of getting a shell to use the Control Station CLI. Telnet and other related services are not enabled by default. SSH is the recommended method to access the Control Station. Authentication is handled by the SSH daemon and uses the local user account information on the Control Station.
NOTE: Although this port can be closed by running the command
/sbin/service sshd
stop followed by
/sbin/chkconfig
-levels 2345 sshd off, this is not recommended.
|
| 80 | TCP | Open | HTTP | This is the standard HTTP port. All HTTP management traffic directed to this port is automatically redirected to the HTTPS port (443). No services are offered over port 80. |
| 111 | TCP
UDP |
Open | rpcbind | The standard portmapper or rpcbind process opens this port and is an ancillary network service; it cannot be stopped. If a client system has network connectivity to the port, the client can query it. There is no authentication performed. |
| 123 | UDP | Closed | NTP | This port is related to the NTP (Network Time Protocol). It can be opened when NTP is configured on the Control Station. |
| 161 | TCP/UDP | Closed | SNMP
Management infrastructure |
SNMP is a management and monitoring service used by many third-party management tools. The Control Station uses SNMP version 1 as defined by RFC 1157. This version of SNMP does not support modification of any of the monitored values. Authentication is based on a client system using the correct community string. The community string is "public" by default and should be changed.
Use the command /sbin/service snmpd start followed by/sbin/chkconfig snmpd on from the root account to enable SNMP. The SNMP service can be disabled by running the command /sbin/chkconfig snmpd off followed by /sbin/service snmpd stop from the root account. Disabling SNMP on the Control Station prevents external SNMP management platforms from communicating with the Control Station, including by means of auto-discovery. If you do not use an enterprise management software, you can disable SNMP on the Control Station. |
| 199 | TCP | Closed | SMUX | This port is related to the SNMP service. |
| 427 | TCP
UDP |
Open | SLP | Allows hosts (or other resources) to discover available services provided by a storage system. |
| 443 | TCP | Open | HTTPS | This is the standard HTTPS port and is used by both Unisphere and Celerra Monitor for HTTP-based management traffic to the Control Station. When used by Unisphere, an administrator must log in before they are granted access to the system. They are authenticated against the local Control Station administrative user accounts. Celerra Monitor has its own authentication protocol but uses the same set of local administrative user accounts. |
| 631 | TCP
UDP |
Closed | CUPS
IPP |
(Applicable only to systems running VNX OE for file earlier than version 8.x.) This port is related to the Common Unix Printing System (CUPS) or Internet Printing Protocol (IPP). |
| 843 | TCP | Open | FLEX/Flash | This port is associated with the crossdomain.xml policy file. |
| 5988 | TCP | Open | SMI-S | By default, the EMC CIM server listens on ports 5988 (for http) and 5989 (for https). If these ports are in use by some other process, the CIM server will not start. SMI-S Provider Programmer's Guide for VNX provides more information about configuring this service. |
| 5989 | TCP | Open | SMI-S | See information in above row for details. |
| 6389 | TCP | Open | Naviagent | This port can be placed behind a firewall. |
| 8000 | TCP | Open | HTTP | This port can be used by Celerra Monitor if HTTPS is not desired for some reason. It is also used for replication commands that go between Control Stations.
Celerra Monitor follows a protocol that requires all incoming traffic to be authenticated and to carry a valid session token. The Control Station to Control Station replication traffic requires that an explicit trust relationship between the Control Stations be established beforehand. Then, each HTTP request is cryptographically signed by the sending Control Station before being sent to the receiving Control Station. Without a valid signature, the HTTP requests will not be accepted. It is recommended that this port remain enabled. |
| 8712 | TCP | Open | NBS | This port is used by the NBS service for access to the Control Station file system on VNX for file. It is restricted to the private network between the Control Station and Data Mover. |
| 9823 | TCP | Open | nas_mcd | This port is used for the two nas_mcd processes to communicate with each other. It is used in two instances:
While the port is strictly for communication between nas_mcd processes and provides a very limited interface, no additional authentication is performed (as with standard ancillary network services). |
| 9824 | TCP | Open | Common Cache | This service must bind to multiple internal network interfaces and as a consequence, it binds to the external interface as well. However, incoming requests over the external network are rejected.
If desired, iptables can be used to block external access to this port. |
| 9825 | TCP | Open | Indication Manager | This service must bind to multiple internal network interfaces and as a consequence, it binds to the external interface as well. However, incoming requests over the external network are rejected.
If desired, iptables can be used to block external access to this port. |
| 9826 | TCP | Open | Indication Manager | This service must bind to multiple internal network interfaces and as a consequence, it binds to the external interface as well. However, incoming requests over the external network are rejected.
If desired, iptables can be used to block external access to this port. |
| * See Comments. | TCP
UDP |
Open | statd, lockd | * Native Linux NFS Remote Procedure Call (RPC) services, such as the
lockd daemon that works with
statd, running on the Control Station use dynamic ports. These dyanmic ports can be closed by running the command:
/sbin/service nfslock stop followed by /sbin/chkconfig --levels 2345 nfslock off NOTE: Running these commands may prevent NFS from functioning properly.
|
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\