Manualshelf

HP StorageWorks XP Command View Advanced Edition software Device Manager server installation and configuration guide (web version) (T1780-96078, March 2008)

ManualsBrandsHP ManualsSoftwareHP Command View XP AE Media Kit
31323334353637383940
Device Manager network configuration
32
production network and reduces the risk of security-related threats. If a management controller such
as the SVP coexists on a production LAN, it is left open for any entity on the IP network to access.
Whether the access is intentional or not, the resulting security risks can lead to actual outages
characterized as denial of service (DoS). DoS attacks can lead to a management session being
hijacked for malignant purposes, such as unbinding a storage extent from a port during an I/O
operation.
The following are guidelines for constructing management LANs:
Traffic from the production LAN should not flow through, or be routed to, the management
LAN.
If possible, all hosts with management interfaces or controllers on the management LAN
should be hardened to their maximum level to reduce the potential that software other than the
management interface will not lead to an exploit of the entire station or device. (In this case
hardening includes removing unnecessary software, shutting down nonessential services, and
updating to the latest patches.)
The management LAN should intersect a production LAN only on those hosts acting as an
interface between the management LAN and the production LAN (for example the Device
Manager server.)
If possible, hosts intersecting both a private LAN and a management LAN should be behind a
firewall of some kind, further inhibiting unintended access.
2-2 Server network configurations
2-2-1 Most secure configuration: Separate management
LAN with firewall
In this configuration, the server hosting the Device Manager must either be dual-homed or have two
NICs, and every other management application must have a similar configuration. The first NIC for
each host is attached to a LAN dedicated to manage traffic between the management host and
management-target devices. The devices that Device Manager can manage include
XP24000/XP20000, XP12000/XP10000/SVS200, XP1024/XP128, and XP512/XP48. A second NIC
is attached to a LAN where access is governed by a firewall. As shown in
Figure 2-2, each server
can also be connected to a different LAN with a different firewall. The firewall contains strict access
rules that allow access to the management servers only to the Device Manager or specified
management application clients.