Best Practices for Securing Dell EMC SC Series Storage

Abstract

This paper explores the technologies available for building a secure Dell EMC™ SC Series storage area network (SAN), with operational environment best practices and self-encrypting drives.
Revisions

Date            Description
June 2014       Initial release
April 2015      Minor updates
April 2016      Updates for SCOS 7.0 and DSM 2016 R1
October 2018    Validated for SCOS 7.3 and DSM 2018; added CloudIQ and air-gapped sections

Acknowledgements

Updated by: David Glynn

The information in this publication is provided "as is." Dell Inc.
Table of contents

Revisions
Acknowledgements
1 Introduction
1 Introduction

Data security is a primary concern in any IT environment. Business-critical or confidential information must be protected from unauthorized access and properly disposed of when required. Many organizations are compelled to implement data-protection technologies due to regulatory compliance.
2 SC Series SAN

The SC Series includes high-performance, enterprise-level SAN devices that support Fibre Channel (FC), Fibre Channel over Ethernet (FCoE), and iSCSI connections. They provide fast, network-based storage to servers. An SC Series SAN consists of at least one controller and one disk enclosure, interconnected with SAS (or with Fibre Channel in some legacy SC Series systems).
2.1 Basic security features

An SC Series SAN offers a variety of mechanisms for preventing unauthorized access to administrative access points or to storage volumes. In addition, self-encrypting drives (SEDs) are available to protect data at rest.

Note: Common Criteria (CC) for IT Security Evaluation certification of SC Series storage is in process at the time of this publication (certificate number: BSI-DSZ-CC-0847): https://www.bsi.bund.
2.2 Operational environment

Physical security is the most basic form of protection for any business-critical infrastructure. To ensure that an SC Series SAN operates in a physically secure environment that is accessible only to authorized administrators, use the following best practices:

(the items of this list were not recovered from the source)

2.3

Ensure secondary services, such as DNS and NTP, originate from trustworthy sources.
2.4 SupportAssist and Secure Console

SC Series includes two features that enhance the enterprise support that Dell provides:

Dell SupportAssist (formerly known as Phone Home) is a service that allows SCOS to automatically send diagnostic logs and alerts to Dell and to download firmware updates from Dell.

Secure Console is a service that allows Dell Support engineers to access the SCOS console using Secure Shell (SSH).
3 Protect data at rest with self-encrypting drives

Data at rest is the data that resides on the physical hard drives within the SC Series enclosure. Though difficult, it is possible to extract data from a conventional hard drive if physical security is breached and the drive is removed from its enclosure. Self-encrypting drives (SEDs) guard against this threat by encrypting data as it is written to the disk and decrypting it as it is read, so the bits on the media are never plaintext.
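To make the at-rest threat model concrete, the following added example (not Dell code, and not a description of the SC Series implementation) models a self-encrypting drive in Python. The hypothetical SelfEncryptingDrive class encrypts each sector on write and decrypts on read, so a raw read of the media returns only ciphertext, a locked drive returns nothing, and replacing the media key (the cryptographic erase that SEDs use for sanitization, a generalization beyond this section) makes every sector unrecoverable at once. The SHA-256 keystream stands in for the drive's AES engine purely so the example runs on the standard library; it is not a real cipher and must not be reused.

```python
"""Toy model of the self-encrypting drive (SED) data path described above.

Added example, not Dell code. A real SED uses a hardware AES engine (AES-XTS with a
per-sector tweak); here a hypothetical SHA-256 keystream stands in for it so the
example runs offline. Do not reuse this cipher for anything.
"""
import hashlib
import hmac
import os


def _keystream(mek: bytes, sector: int, length: int) -> bytes:
    # Per-sector keystream: hash(key || sector || counter), concatenated and truncated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(mek + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Encrypts every sector on write and decrypts on read; only ciphertext touches the media."""

    def __init__(self, auth_key: bytes, sectors: int = 8, sector_size: int = 64):
        self.sector_size = sector_size
        self._media = [bytes(sector_size) for _ in range(sectors)]  # the "platters"
        self._mek = None            # media encryption key, held only while unlocked
        self._auth_tag = None
        self._wrapped_mek = None
        self._provision(auth_key, os.urandom(32))

    def _provision(self, auth_key: bytes, mek: bytes) -> None:
        # The MEK is generated inside the drive and stored only wrapped under a key
        # derived from the authentication credential; it never leaves the drive.
        kek = hashlib.sha256(b"kek" + auth_key).digest()
        self._auth_tag = hashlib.sha256(b"auth" + auth_key).digest()
        self._wrapped_mek = _xor(mek, kek)
        self._mek = None

    def unlock(self, auth_key: bytes) -> bool:
        tag = hashlib.sha256(b"auth" + auth_key).digest()
        if not hmac.compare_digest(tag, self._auth_tag):
            return False
        self._mek = _xor(self._wrapped_mek, hashlib.sha256(b"kek" + auth_key).digest())
        return True

    def lock(self) -> None:
        self._mek = None  # power loss or pulling the drive has the same effect

    def write(self, sector: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked")
        if len(data) > self.sector_size:
            raise ValueError("data exceeds sector size")
        padded = data.ljust(self.sector_size, b"\0")
        self._media[sector] = _xor(padded, _keystream(self._mek, sector, self.sector_size))

    def read(self, sector: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return _xor(self._media[sector], _keystream(self._mek, sector, self.sector_size))

    def raw_media(self, sector: int) -> bytes:
        # What an attacker sees after removing the drive and reading the platters directly.
        return self._media[sector]

    def crypto_erase(self, auth_key: bytes) -> bool:
        # Sanitize by replacing the MEK: all sectors become unrecoverable at once,
        # without overwriting any of them.
        if not self.unlock(auth_key):
            return False
        self._provision(auth_key, os.urandom(32))
        return True


def demo() -> dict:
    """Walk the threat model and return the observations so they can be checked."""
    drive = SelfEncryptingDrive(auth_key=b"controller-credential")
    secret = b"customer PII block"
    drive.unlock(b"controller-credential")
    drive.write(0, secret)
    through_controller = drive.read(0)[: len(secret)]
    on_platters = drive.raw_media(0)
    drive.lock()
    try:
        drive.read(0)
        locked_read_blocked = False
    except PermissionError:
        locked_read_blocked = True
    drive.crypto_erase(b"controller-credential")
    drive.unlock(b"controller-credential")
    after_erase = drive.read(0)[: len(secret)]
    return {
        "through_controller": through_controller,
        "platters_leak_plaintext": secret in on_platters,
        "locked_read_blocked": locked_read_blocked,
        "after_erase": after_erase,
        "wrong_credential_unlocks": drive.unlock(b"guess"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the model is where the key lives: the controller authenticates to the drive and reads plaintext, but the media itself only ever holds ciphertext, so the physical-removal attack the section describes yields nothing usable.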
4 Protect data in flight

Data in flight is data as it is transmitted over the network within packets. These packets carry unencrypted data payloads that can be read by anyone who captures them in transit. SC Series storage does not support IPsec network-layer security or Fibre Channel link encryption; it relies instead on the physical security of the storage and networking hardware and on the logical or physical isolation of the SAN and management networks from external networks.
5 Security scanning

No security analysis is complete without a review of the open IP network ports on a given system. Nmap, the open-source network discovery and security-auditing tool, was used for this purpose. The following tables list all TCP and UDP ports and services for SCOS and DSM; not all services are enabled by default. For each port, the protocol is listed along with the actual port usage and traffic direction.
SCOS UDP ports and services

UDP port    Protocol       Purpose                                                  Direction
69          TFTP           SupportAssist access to configuration and boot files     Inbound
123         NTP            Network Time Protocol                                    Inbound and outbound
161         SNMP           Communication from network manager                       Inbound
162         SNMP trap      Sending alerts                                           Inbound and outbound
514         syslog         Forwarding SCOS logs to syslog server                    Outbound
5000-5010   Dell EMC IPC   IPC traffic for communicating with SCOS components       Inbound and outbound
            Dell EMC IPC   IPC traffi
TCP port    Protocol    Purpose
3034        HTTPS       VASA 1.0 and 2.
5.3 DSM client port list

Table 5 lists the TCP ports and services associated with the DSM client. No UDP ports are used.

DSM client TCP ports and services

TCP port         Protocol         Purpose                                                         Direction
3033             (not recovered)  Communicating with the DSM server                               (not recovered)
(not recovered)  HTTP             Direct communication with managed or unmanaged SC Series SAN    Outbound

5.4 DSM Server Agent port list

Table 6 lists the TCP ports and services associated with the DSM Server Agent. No UDP ports are used.
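The port tables above are only useful if they are turned into a check that runs after every firmware update or network change. The following added example (not Dell's code or tooling) parses nmap's greppable output (nmap -oG) for a controller's management address and reports every open port that is not on an allowlist. The allowlist is an assumption assembled from the SCOS ports this paper lists (UDP 69, 123, 161, 162, 514 and 5000-5010; TCP 3034); the TCP table above is truncated, so a production allowlist must be built from the complete tables and from the services you actually enabled. The scan lines are constructed for the example, not a real scan.

```python
"""Compare an nmap scan of an SC Series management address against the documented ports.

Added example, not Dell code. Input is nmap's greppable format, e.g.
    nmap -sS -sU -oG scan.txt <controller-management-ip>
"""
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str, str, str]   # (port, proto, state, service)

# Assumed allowlist built from the SCOS port tables in this paper. It is not complete
# (the TCP table is truncated), and any service you have disabled, SNMP for example,
# should be removed here so the scan flags it if it ever comes back.
SCOS_EXPECTED: Dict[str, Set[int]] = {
    "udp": {69, 123, 161, 162, 514, *range(5000, 5011)},
    "tcp": {3034},
}

# One port entry in -oG output looks like port/state/proto/owner/service/rpc/version
PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)//([^/]*)/")


def parse_grepable(text: str) -> Dict[str, List[Finding]]:
    """Return {host: [findings]} from nmap -oG output; lines without a Ports: field are skipped."""
    hosts: Dict[str, List[Finding]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts


def unexpected_open(findings: List[Finding], expected: Dict[str, Set[int]]) -> List[Finding]:
    """Ports reported open that are absent from the allowlist.

    UDP 'open|filtered' is kept on purpose: nmap cannot tell a silent UDP service from a
    dropped probe, so such a port needs confirmation by hand rather than a pass.
    """
    return sorted(f for f in findings
                  if f[2].startswith("open") and f[0] not in expected.get(f[1], set()))


def audit(scan_text: str, expected: Dict[str, Set[int]] = SCOS_EXPECTED) -> Dict[str, List[Finding]]:
    return {host: unexpected_open(findings, expected)
            for host, findings in parse_grepable(scan_text).items()}


# Constructed sample output (not a real scan): a controller management address with
# telnet unexpectedly open. The filtered 8080 is not a finding; it is not reachable.
SAMPLE_SCAN = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (sc-ctrl-a)\tStatus: Up\n"
    "Host: 10.0.0.5 (sc-ctrl-a)\tPorts: 23/open/tcp//telnet///, 3034/open/tcp//https///, "
    "8080/filtered/tcp//http-proxy///, 123/open|filtered/udp//ntp///, 161/open/udp//snmp///"
    "\tIgnored State: closed (995)\n"
)

if __name__ == "__main__":
    for host, bad in audit(SAMPLE_SCAN).items():
        for port, proto, state, service in bad:
            print(f"{host}: unexpected {proto}/{port} ({service}) is {state}")
```

Run the scan from a host on the management network, since the point of section 4 is that the SAN and management networks are isolated; a result from outside the firewall only tells you what the firewall passes, not what the controller exposes.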
6 Conclusion

An SC Series SAN offers a variety of mechanisms for preventing unauthorized access to administrative access points or to storage volumes. The following actions are recommended to ensure the security of SC Series storage:

• Restrict physical access to the SAN hardware and to the DSM server.
• Ensure password complexity is consistent with the organizational security policy.
• Logically isolate and firewall the SAN and management networks.

(the remaining recommendations were not recovered from the source)
A Additional resources

Dell.com/support is focused on meeting customer needs with proven services and support.

Storage Solutions Technical Documents provide expertise that helps to ensure customer success on Dell EMC storage platforms.

A.1 Related resources

See the following referenced or recommended Dell EMC publications and resources. Access to the SC Series Customer Portal requires a login.