HP XP7 Command View Advanced Edition Administrator Guide (Web Version) (TK981-96004, May 2014)

Use one management server to manage one storage system. Do not configure a system such that
multiple management servers manage a single storage system.
On a single Device Manager server, you cannot use multiple storage administrator accounts to
manage multiple storage partitions. If you want to manage storage partitions individually, you
must provide a Device Manager server for each storage partition.
Network security configuration
HP XP7, P9500, XP24000/XP20000, XP12000/XP10000/SVS200 and XP1024/XP128 come
equipped with a service processor, which is usually abbreviated as SVP.
The following two Ethernet adapters are available for the SVP:
Private (internal) Ethernet LAN adapter
Used for communication only in a storage system.
Public LAN adapter
Used by applications of other computers outside a storage system to communicate with the SVP.
Device Manager uses this public LAN for communication with the SVP regarding storage systems
and configuration changes.
WARNING!
Do not under any circumstances attach the private LAN to an external network because this can cause
serious problems on the array.
Common security risks
System administrators frequently separate production LANs from management LANs. In such cases,
management LANs act as a separate network, which isolates management traffic from a production
network and reduces the risk of security-related threats. If a management controller such as the SVP
exists on a production LAN, the storage systems are left open for access by any entity on the IP
network. Whether the access is intentional or not, the resulting security risks can lead to DoS (Denial
of Service) attacks and actual loss of storage availability. DoS attacks may lead to a management
session being hijacked for malicious purposes, such as unbinding a storage extent from a port during
an I/O operation.
The following are guidelines for constructing management LANs:
Traffic from the production LAN should not flow through, or be routed to, the management LAN.
If possible, all hosts with management interfaces or controllers on the management LAN should
be hardened to their maximum level to reduce the potential that software other than the management
interface will lead to an exploit of the entire station or device. (In this case, hardening should
include removal of unnecessary software, shutting down nonessential services, and updating to
the latest patches.)
The management LAN should only intersect a production LAN on those computers acting as an
interface between the management LAN and the production LAN (for example, the Device Manager
server).
If possible, those computers intersecting both private LAN and management LAN should be behind
a firewall of some kind, further inhibiting unintended access.
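The guidelines above can be checked mechanically against a host inventory. The following Python check is an added example, not part of the HP guide: the subnets, host names, inventory format, and the ip_forward field are constructed assumptions.

```python
import ipaddress

# Constructed sample topology: addresses and names are assumptions, not from the guide.
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")
MANAGEMENT = ipaddress.ip_network("192.168.50.0/24")

# Hosts allowed to sit on both LANs (for example, the Device Manager server).
APPROVED_BRIDGES = {"devmgr01"}

# Constructed inventory: one record per host, listing every address it holds.
HOSTS = [
    {"name": "devmgr01", "role": "device-manager",
     "ips": ["10.10.1.20", "192.168.50.10"], "ip_forward": False},
    {"name": "svp-xp7", "role": "svp",
     "ips": ["192.168.50.21"], "ip_forward": False},
    {"name": "app07", "role": "host",
     "ips": ["10.10.4.7", "192.168.50.77"], "ip_forward": True},
    {"name": "svp-p9500", "role": "svp",
     "ips": ["10.10.9.5"], "ip_forward": False},
]


def lans_of(host):
    """Return the set of LAN names on which the host has an address."""
    lans = set()
    for ip in map(ipaddress.ip_address, host["ips"]):
        if ip in PRODUCTION:
            lans.add("production")
        if ip in MANAGEMENT:
            lans.add("management")
    return lans


def audit(hosts, approved_bridges):
    """Return (host, finding) pairs for violations of the management LAN guidelines."""
    findings = []
    for host in hosts:
        lans = lans_of(host)
        dual_homed = lans == {"production", "management"}
        # An SVP reachable from the production LAN is open to any entity on it.
        if host["role"] == "svp" and "production" in lans:
            findings.append((host["name"], "SVP public adapter is on the production LAN"))
        # Only designated interface computers may intersect both LANs.
        if dual_homed and host["name"] not in approved_bridges:
            findings.append((host["name"], "unapproved host intersects both LANs"))
        # A dual-homed host that forwards packets routes production traffic to management.
        if dual_homed and host["ip_forward"]:
            findings.append((host["name"], "dual-homed host forwards traffic between LANs"))
    return findings
```

Calling audit(HOSTS, APPROVED_BRIDGES) on the constructed inventory reports app07 twice (unapproved dual-homing and forwarding) and svp-p9500 once; devmgr01 and svp-xp7 pass.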