HP StorageWorks XP Command View Advanced Edition software Device Manager server installation and configuration guide (web version) (T1780-96078, March 2008)

Device Manager network configuration
Figure 2-2 Most secure configuration: separate management LAN with firewall
This configuration is the most secure but least flexible implementation, because it requires overhead
to manage the various network components, servers, and managed devices. Adding further security
to this configuration requires that the underlying management application OS be hardened to the
maximum extent possible. This hardening includes disabling services such as Telnet, FTP, SMTP, or IIS.
Additionally, if possible, all unnecessary packages should be removed.
For an exhaustive study of what is required to harden a server, see
http://ist.uwaterloo.ca/security/howto/
CAUTION: When Physical View of XP24000/XP20000 or XP12000/XP10000/SVS200, or XP
Remote Web Console of XP1024/XP128 is launched, Java Web Start and the web browser on the
web client machine directly communicate with the storage subsystem. For this reason, if the web
client machine and the storage subsystem exist on different networks, you must set up the
networks so that the machine and the storage subsystem can communicate directly with each
other.
2-2-2 Second-most secure configuration: Separate management LAN with firewalled devices under management
In this configuration, the server hosting the Device Manager server and all other management
servers can be single-homed, and the managed devices are separated from the Device Manager by
a firewall. The firewall's rules restrict access to the arrays to the Device Manager server and any
other required management application. Management clients accessing the Device Manager are not
allowed to pass traffic through the firewall to talk directly to the managed arrays, but can participate
in management operations directly with the Device Manager or the management application.
This configuration is the second most secure, and is more flexible than the most secure option.
While this configuration protects the devices under management, it does not protect the
management application servers themselves. Therefore, all management application servers should
be hardened to the maximum possible extent.
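The firewall policy described in this section can be checked mechanically. The following is an added example, not part of the HP guide: it models an ordered, first-match rule list and audits it against the stated policy that only the Device Manager server and other required management applications may reach the arrays. All addresses and the rule format are constructed for illustration.

```python
import ipaddress

# Constructed addressing for illustration; the guide gives no addresses.
ARRAYS = ipaddress.ip_network("10.20.0.0/24")       # managed arrays behind the firewall
DEVICE_MANAGER = ipaddress.ip_address("10.10.0.5")  # Device Manager server
OTHER_MGMT_APP = ipaddress.ip_address("10.10.0.6")  # other required management application
MGMT_CLIENT = ipaddress.ip_address("10.10.0.50")    # management client workstation
ALLOWED = {DEVICE_MANAGER, OTHER_MGMT_APP}

# Hypothetical rule format: (action, source network, destination network).
# Rules are evaluated in order, first match wins, unmatched traffic is denied.
GOOD_RULES = [
    ("allow", "10.10.0.5/32", "10.20.0.0/24"),
    ("allow", "10.10.0.6/32", "10.20.0.0/24"),
    ("deny", "0.0.0.0/0", "10.20.0.0/24"),
]
# Weak variant: the whole management LAN, clients included, can reach the arrays.
WEAK_RULES = [
    ("allow", "10.10.0.0/24", "10.20.0.0/24"),
    ("deny", "0.0.0.0/0", "10.20.0.0/24"),
]

def decide(rules, src, dst):
    """Return the action the firewall takes for a packet from src to dst."""
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(rules, allowed, arrays):
    """Return allow rules toward the arrays whose source covers a non-allowed host.

    Conservative: a rule is reported even if an earlier deny would shadow it.
    """
    findings = []
    for rule in rules:
        action, src_net, dst_net = rule
        if action != "allow" or not ipaddress.ip_network(dst_net).overlaps(arrays):
            continue
        if not all(host in allowed for host in ipaddress.ip_network(src_net)):
            findings.append(rule)
    return findings

if __name__ == "__main__":
    array = ipaddress.ip_address("10.20.0.10")  # constructed array address
    for name, rules in (("good", GOOD_RULES), ("weak", WEAK_RULES)):
        print(name, "client->array:", decide(rules, MGMT_CLIENT, array),
              "findings:", audit(rules, ALLOWED, ARRAYS))
```

An empty findings list together with a "deny" decision for the management client corresponds to the configuration this section describes.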