security configuration guide · dell emc integrated data protection appliance version 2.4 security...

Dell EMC Integrated Data ProtectionApplianceVersion 2.4

Security Configuration Guide302-005-687

REV 01

Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.

Published May 2019

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND

WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED

IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.

Published in the USA.

Dell EMCHopkinton, Massachusetts 01748-91031-508-435-1000 In North America 1-866-464-7381www.DellEMC.com

2 Dell EMC Integrated Data Protection Appliance 2.4 Security Configuration Guide

5

7

9

Security quick reference 15Deployment models.....................................................................................16

Product and subsystem security 19Security controls map................................................................................ 20Authentication............................................................................................22

Login security settings...................................................................22Authentication types and setup..................................................... 23User credential management......................................................... 25Authentication to external systems............................................... 29

Authorization..............................................................................................29General authorization settings.......................................................30Role-based access control (RBAC)................................................32

Network security........................................................................................ 34Network exposure......................................................................... 34Communication security settings...................................................36Firewall settings.............................................................................36

Data security.............................................................................................. 36Data-at-rest encryption................................................................. 37Data erasure ................................................................................. 37

Cryptography............................................................................................. 38Cryptographic configuration options............................................. 38Certified cryptographic modules....................................................39Certificate management................................................................ 39

Auditing and logging................................................................................... 40Logs...............................................................................................40Log management options............................................................... 41Log protection................................................................................41Log format..................................................................................... 41Alerting..........................................................................................42

Physical security.........................................................................................43Physical interfaces........................................................................ 43Physical security options............................................................... 43Customer service access............................................................... 43Tamper evidence and resistance....................................................44Statements of volatility................................................................. 44

Serviceability..............................................................................................44Maintenance aids...........................................................................45Responsible service use.................................................................45Security updates and patching...................................................... 46

Figures

Tables

Preface

Chapter 1

Chapter 2

CONTENTS

Dell EMC Integrated Data Protection Appliance 2.4 Security Configuration Guide 3

Customer requirements for updates.............................................. 46

Miscellaneous configuration and management elements 47Protecting authenticity and integrity..........................................................48Installing client software.............................................................................48

49

Chapter 3

Index

CONTENTS


Model DP4400............................................................................................................ 17Security controls map - Avamar and Data Domain.......................................................21

12

FIGURES


FIGURES


Revision history............................................................................................................ 9Typographical conventions..........................................................................................12Login banner configuration......................................................................................... 22Failed login behavior................................................................................................... 22Emergency user lockout............................................................................................. 23Configuring local authentication sources.................................................................... 23Configuring Active Directory...................................................................................... 24Certificate/key-based authentication.........................................................................24Digital certificates and SSH keys................................................................................25Default accounts........................................................................................................ 25Default management accounts................................................................................... 26Default credentials..................................................................................................... 26How to disable local accounts.....................................................................................28Managing credentials..................................................................................................28Configuring remote connections.................................................................................29Remote component authentication.............................................................................29Configuring authorization rules...................................................................................30Default authorizations................................................................................................ 30External authorization associations............................................................................. 31Role-based access control..........................................................................................32Default roles............................................................................................................... 32Configuring roles........................................................................................................ 33Role mapping..............................................................................................................33External role associations........................................................................................... 34Network ports............................................................................................................ 34Default IP addresses ..................................................................................................35Communication security settings................................................................................36Firewall settings......................................................................................................... 36Data-at-rest encryption..............................................................................................37Data erasure .............................................................................................................. 37Cryptographic configuration options.......................................................................... 38Certified cryptographic modules.................................................................................39Certificate management............................................................................................. 39Logs........................................................................................................................... 40Log management options............................................................................................ 41Log protection.............................................................................................................41Log format.................................................................................................................. 41Alerting.......................................................................................................................42Physical interfaces..................................................................................................... 43Physical security options............................................................................................ 43Customer service access............................................................................................ 43Tamper evidence and resistance.................................................................................44Statements of volatility.............................................................................................. 44Maintenance aids........................................................................................................45Responsible service use..............................................................................................45Security updates and patching................................................................................... 46Customer requirements for updates........................................................................... 46Protecting authenticity and integrity..........................................................................48Installing client software.............................................................................................48

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849

TABLES


TABLES


Preface

OverviewThe Integrated Data Protection Appliance Security Configuration Guide provides anoverview of security configuration settings available for this solution, and bestpractices for using those settings to ensure secure operation of the product.

Table 1 Revision history

Revision number Date Description

01 May 2019 First release of this document forIDPA 2.4

Scope of documentThis publication provides a survey of security topics that are related to the IntegratedData Protection Appliance (IDPA). The content is not associated with a specificcompliance regime.

Topics specific to the security of individual components that are contained within theIDPA, including Avamar, Data Domain, Data Protection Advisor (DP Advisor), Search,Data Protection Central , and Cloud Disaster Recovery (CDRA) are contained withinthe security and administration guides for each component, which are listed in Document references on page 10.

As the IDPA is a solution-level product, content from these guides is not repeatedhere. Instead, tables within each topic lead you to the correct location in thereferenced publications, where applicable.

AudienceThe information in this publication is intended for customers who are responsible forthe planning, implementing, administering, or auditing security controls inenvironments containing IDPA solutions. The primary audience is technical, but thispublication addresses the needs of a range of security professionals.

Legal disclaimersAs part of an effort to improve its product lines, Dell EMC periodically releasesrevisions of its software and hardware. Therefore, some versions of the software orhardware currently in use may not support all functions that are described in thisdocument. The product release notes provide the most up-to-date information aboutproduct features.

Contact your Dell EMC representative if a product does not function correctly or doesnot function as described in this document.

NOTICE

This document was accurate at publication time. New versions of this document mightbe released on the Online Support website. To ensure that you are using the latestversion of this document, check the Online Support at https://www.dell.com/support.

Dell EMC websites may contain links to third-party sites. Content contained on anywebsite that is linked to any Dell EMC website is not the responsibility of Dell EMC


https://www.dell.com/support


and Dell EMC is not responsible for the accuracy, or reliability of any content on suchwebsites. Further, the presence of a link to a third-party site does not mean that DellEMC endorses that site, its products, or views expressed there. Dell EMC providesthese links merely for convenience and the presence of such third-party links are notan endorsement or recommendation by Dell EMC.

Reporting vulnerabilitiesDell EMC takes reports of potential vulnerabilities in our products very seriously. Forthe latest on how to report a security issue to Dell EMC, see the Product SecurityResponse Center on EMC.com.

Document referencesThe following documents provide additional information:

Avamar 18.2:

l Avamar Product Security GuideThis publication discusses various aspects of Avamar product security.

l Avamar Administration GuideThis publication describes how to configure, administer, monitor, and maintain anAvamar server.

l Avamar Operational Best Practices GuideThis publication describes operational best practices for both single-node andmulti-node servers in small and large heterogeneous client environments.

Data Domain 6.2:

l Data Domain Product Security GuideThis publication describes the key security features of Data Domain systems andprovides the procedures that are required to ensure data protection andappropriate access control.

l Data Domain Operating System Administration GuideThis publication explains how to manage Data Domain systems with an emphasison procedures using the Data Domain System Manager.

l Data Domain Operating System Command Reference GuideThis publication explains how to manage Data Domain systems by using the DataDomain command line.

l Data Domain Operating System Initial Configuration GuideThis publication explains how to perform the post-installation initial configurationof a Data Domain system.

l Data Domain Statement of Volatility for the Data Domain DD6300, DD6800 andDD9300 SystemsThis publication provides a description of memory storage components and theircharacteristics including, where appropriate, the method by which memory can becleared.

l Data Domain Statement of volatility for Data Domain DD9500 and DD9800 systemsThis publication provides a description of memory storage components and theircharacteristics including, where appropriate, the method by which memory can becleared.

Data Protection Advisor 18.2:

l Data Protection Advisor Security Configuration GuideThis publication provides an overview of the security configuration settingsavailable in Data Protection Advisor (DP Advisor). These settings include thesecure deployment and usage settings, and secure maintenance and physicalsecurity controls required to ensure secure operation of DP Advisor.

Preface


http://www.emc.com/products/security/product-security-response-center.htm

http://www.emc.com/products/security/product-security-response-center.htm

l Data Protection Advisor Installation and Administration GuideThis publication provides an overview of the process of administering DP Advisor.

Search 18.2:

l Search Security Configuration GuideThis publication describes the security features and settings of Search.

l Search Installation and Administration GuideThis publication provides an overview of the process of administering Search.

IDPA System Manager (DPC) 18.2:

l IDPA System Manager Security Configuration GuideThis publication describes the security features and settings of Integrated DataProtection Appliance System Manager.

l IDPA System Manager Getting Started GuideThis publication provides an overview of the process of administering IntegratedData Protection Appliance System Manager.

l IDPA System Manager Release NotesThis publication provides the release information for Integrated Data ProtectionAppliance System Manager.

Cloud Disaster Recovery 18.3:

The Data Domain Cloud Disaster Recovery Installation and Administration Guide describesthe security features as well as the settings of Cloud Disaster Recovery.

Secure Remote Support:

l Secure Remote Services Technical DescriptionThis document provides a technical overview of Secure Remote Services (SecureRemote Services).

l Secure Remote Services Installation and Operations GuideThis publication provides an overview of the process of installing, configuring,operating, and troubleshooting Secure Remote Services. The publication alsodescribes customer responsibilities for maintaining Secure Remote Services.

l Secure Remote Support Security Management and Certificate Policy Frequently AskedQuestionsThis publication provides answers to frequently asked questions about SecureRemote Services and Secure Remote Services security, as well as the SecureRemote Services Certificate Practice Statement (CPS) and policy for the DellEMC Internal Secure Remote Services2CA.

l Secure Remote Services Port RequirementsThis publication contains information about port usage for communicationbetween Secure Remote Services and Dell EMC, Policy Manager, and Dell EMCdevices.

Dell PowerEdge R740:

These publications are available at https://www.dell.com/support/home.

l The Dell PowerEdge R740 Owner's Manual or Dell EMC PowerEdge R740xdInstallation and Service Manual

l iDRAC Version 9 User's Guide

l Statement of Volatility - Dell PowerEdge R740

VMware vSphere 6.5:

l VMware vSphere 6.5 Documentation CenterThis publication is available at https://pubs.vmware.com/vsphere-6-5/index.jsp

Preface


https://www.dell.com/support/home

https://pubs.vmware.com/vsphere-6-5/index.jsp

l vSphere 6.5 Hardening GuideThis publication is available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx

l vSphere 6.5 Installation and SetupThis publication is available at https://docs.vmware.com

Special notice conventions used in this documentWe use these conventions for special notices.

DANGER

A danger notice indicates a hazardous situation, which if not avoided, will resultin serious injury or death.

WARNING

A warning indicates a hazardous situation, which if not avoided, could result inserious injury or death.

CAUTION

A caution indicates a hazardous situation, which if not avoided, could result inminor or moderate injury.

NOTICE

A notice identifies content that warns of potential business or data loss.

Note

A note contains information that is incidental, but not essential, to the topic.

Typographical conventionsThese type style conventions are used in this document.

Table 2 Typographical conventions

Bold Used for names of interface elements, such as names of windows,dialog boxes, buttons, fields, tab names, key names, and menu paths(what the user specifically selects or clicks)

Italic Used for full titles of publications referenced in text

Monospace Used for:

l System code

l System output, such as an error message or script

l Pathnames, filenames, prompts, and syntax

l Commands and options

Monospace italic Used for variables

Monospace bold Used for user input

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means “or”

Preface


https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx



https://docs.vmware.com

Table 2 Typographical conventions (continued)

{ } Braces enclose content that the user must specify, such as x or y orz

... Ellipses indicate nonessential information omitted from the example

Getting helpThe IDPA support page provides access to licensing information, productdocumentation, advisories, and downloads, as well as how-to and troubleshootinginformation. This information may enable you to resolve a product issue before youcontact Customer Support.

To access the IDPA support page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, selectthe product.

3. (Optional) Add the product to the My Saved Products list by clicking Add to MySaved Products in the upper right corner of the Support by Product page.

KnowledgebaseThe Knowledgebase contains applicable solutions that you can search for either bysolution number (for example, esgxxxxxx) or by keyword.

To search the Knowledgebase:

1. Click Search at the top of the page.

2. Type either the solution number or keywords in the search box.

3. (Optional) Limit the search to specific products by typing a product name in theScope by product box and then selecting the product from the list that appears.

4. Select Knowledgebase from the Scope by resource list.

5. (Optional) Specify advanced options by clicking Advanced options and specifyingvalues in the available fields.

6. Click Search.

Facilitating supportConnectEMC and Email Home are enabled on IDPA automatically. Secure RemoteServices are enabled automatically for Data Domain (Protection Storage), Avamar(Backup Server), Data Protection Advisor, and Appliance Configuration Manager.

Comments and suggestionsComments and suggestions help us to continue to improve the accuracy, organization,and overall quality of the user publications. Send comments and suggestions aboutthis document to [email protected].

Please include the following information:

l Product name and version

l Document name, part number, and revision (for example, 01)

l Page numbers

l Other details to help address documentation issues

Any information that is provided to Dell EMC in connection with any Dell EMC websiteshall be provided by the submitter and received by Dell EMC on a non-confidentialbasis. Such information shall be considered non-confidential and property of DellEMC. By submitting any such information to Dell EMC you agree to a no-charge

Preface



mailto:[email protected]

assignment to Dell EMC of all worldwide rights, title, and interest in copyrights andother intellectual property rights to the information. Dell EMC shall be free to use suchinformation about an unrestricted basis.

Preface


CHAPTER 1

Security quick reference

This chapter provides quick-reference information for deployment of the IDPA.

This chapter contains the following topics:

l Deployment models............................................................................................ 16

Security quick reference 15

Deployment modelsThe DP4400 is a fully integrated 2U appliances with different capacities ranging from8 TB to 24 TB and 24 TB to 96 TB respectively.

Before deploymentWhen building the IDPA, the factory performs the following actions:

l Install Dell EMC customized ESXi image.

l Assign private, non-routable IP addresses.

l Set default passwords and configure all default management accounts.

l Complete basic configuration to provide a platform for final deployment at thecustomer site.

During deploymentWhen deploying the appliance, customers must perform the following actions:

l Connect the appliance to the customer network environment.

l Register the appliance with the Secure Remote Services system.

l Assign new passwords for management accounts.

The IDPA deployment process makes no security-related assumptions about thecustomer environment. Customers are expected to provide suitable power and dataconnections, as well as physical security to protect the appliance components.

The Appliance Configuration Manager interface does not provide security-specificconfiguration options or support additional configurations. All appliance componentsare deployed using the best practices that are defined in the security configurationguides for each component. The interface enforces an optimal environment forcorrect operation of the appliance components.

After deploymentThe IDPA contains many externally accessible interfaces for use by data protectionand management clients. Customers should take care to apply appropriate accessrestrictions to prevent unauthorized use. As per the customer security requirements,all forms of access should be regularly monitored and audited.

ModelsThe following diagrams illustrate the IDPA at maximal configuration for each model.



Figure 1 Model DP4400


Deployment models 17

Figure 1 Model DP4400 (continued)

Cloud Disaster Recovery Add-on (CDRA)Data Protection Advisor (DPA)Data Protection Search (DPS)Avamar Virtual Edition (AVE)Appliance Configuration Manager (ACM)Data Protection Central (DPC)vCenter (VC)Data Domain Virtual Edition (DDVE)Integrated Dell Remote Access Controller (iDRAC)

Note

Customers can choose either the Copper network ports or the Optical network ports.

Encryption

l The management traffic is encrypted using SSL and TLS.

l The backup data and metadata are both encrypted using SSL and TLS.

l The replication traffic is encrypted using SSL and TLS.

l The Secure Remote Services traffic is encrypted using AES and TLS.

l The authentication can be administered using Active Directory and LDAP.

Secure Remote Services

l When Secure Remote Services is implemented, external communication to andfrom Secure Remote Services is conducted through the TLS tunnel using theAES-256 SHA1 encryption and RSA key exchange with bilateral authentication,with certificates stored in an RSA lockbox. If TLS tunnel is unavailable, themessages are forwarded through FTPS or encrypted email.

l Secure Remote Services data includes diagnostic, system health, and remoteaccess session information for IDPA system components (DDVE, AVE, Search, andso on).

l Secure Remote Services information can be selectively streamed to remote nodesusing the Secure Remote Services Policy Manager which controls the SecureRemote Services traffic flow.

l You can use the Secure Remote Services Policy Manager to configure policies thatgovern permitted remote access sessions, notifications, and diagnostic scriptexecutions.



CHAPTER 2

Product and subsystem security


l Security controls map........................................................................................ 20l Authentication....................................................................................................22l Authorization..................................................................................................... 29l Network security................................................................................................34l Data security......................................................................................................36l Cryptography.....................................................................................................38l Auditing and logging...........................................................................................40l Physical security................................................................................................ 43l Serviceability......................................................................................................44

Product and subsystem security 19

Security controls mapThe following diagram details the connections between the IDPA components and thesecurity controls on each link.

Note

vSwitch0 shown in the previous figure replaces the physical switch in the DP4400.



Figure 2 Security controls map - Avamar and Data DomainP

roduct and subsystem security

Security controls m

ap 21

AuthenticationThis section describes default settings and configuration options for how users orprocesses authenticate to the IDPA components.

By default, all components of the IDPA authenticate using the management accountsthat are included with each component and the common password that is configuredduring deployment. The manufacturing process sets a default password for eachmanagement account that is contained within the IDPA components. A customer-provided common password replaces the default during deployment.

The Appliance Configuration Manager (ACM) normally manages the IDPA commonpasswords after deployment.

Note

As a security consideration, it is recommended that you change your appliancepassword after the appliance software is successfully upgraded.

Login security settingsThe following publications provide information on configuring the login securitysettings for IDPA components.

Login banner configurationRefer to the following publications for information about configuring the login bannersfor the IDPA components.

Table 3 Login banner configuration

Component Reference Publication Topic

AVE Avamar Product Security Guide Custom ssh banner not supported

Compute nodes iDRAC Version 9 User's Guide Logging in to iDRAC

ESXi VMware vSphere Security Manage the Login Banner

Failed login behaviorRefer to the following publications for information about configuring the login behaviorfor the IDPA components.

Table 4 Failed login behavior


AVE Avamar Product Security Guide Additional operating systemhardening

Additional password hardening


ESXi VMware vSphere Security vCenter Password Requirementsand Lockout Behavior



Table 4 Failed login behavior (continued)


Edit the vCenter Single Sign-OnLockout Policy

ESXi Passwords and AccountLockout

Cloud DisasterRecovery

Data Domain Cloud DisasterRecovery Installation andAdministration Guide

Cloud DR server user accounts.

Emergency user lockoutRefer to the following publications for information about locking out users for theIDPA components.

Table 5 Emergency user lockout


ESXi VMware vSphere Security Cryptographic OperationsPrivileges

Authentication types and setupThis section includes authentication source and type configuration options for theIDPA.

Configuring local authentication sourcesRefer to the following publications for information on using the authenticationdatabases on the IDPA components.

Table 6 Configuring local authentication sources


Avamar and AVE Avamar Product Security Guide Avamar internal authentication

Avamar Administration Guide User Management andAuthentication

Data Domain Data Domain Operating SystemAdministration Guide

Local user account management

The ACM authenticates using the local username and password, and provides only oneaccount. No other authentication sources are available.


Authentication types and setup 23

Configuring Active DirectoryRefer to the following publications for information on configuring the IDPAcomponents to use LDAP and Active Directory authentication.

Table 7 Configuring Active Directory


Avamar and AVE Avamar Administration Guide Directory service authentication


Directory user and groupmanagement

Enabling Active Directory


Search Search Installation andAdministration GuideSearchSecurity Configuration Guide

Configure external OpenLDAP andActive Directory servers

Configure LDAP and AD users

DP Advisor Data Protection Advisor SecurityConfiguration Guide

External authentication, LDAPintegration, and binding

Integrated DataProtection ApplianceSystem Manager

IDPA System Manager GettingStarted Guide

Configuring LDAP

Compute nodes iDRAC Version 9 User's Guide Configuring user accounts andprivileges

ESXi VMware vSphere Security Using Active Directory to ManageESXi Users

Certificate/key-based authenticationRefer to the following publications for information on the use of digital certificates andSSH keys to authenticate human users for the IDPA components.

Table 8 Certificate/key-based authentication


Avamar and AVE Avamar Product Security Guide Changing server passwords andOpenSSH keys

Avamar Operational Best PracticesGuide

Changing passwords

Data Domain Data Domain Product Security Guide System access

Refer to the following publications for information on the use of digital certificates andSSH keys to authenticate inter-component and inter-process communication for IDPAcomponents.



Table 9 Digital certificates and SSH keys


Avamar and AVE Avamar Product Security Guide Client/Server Access andAuthentication

Secure RemoteServices

Secure Remote Support SecurityManagement and Certificate PolicyFrequently Asked Questions

SRS Certificate Policy

Unauthenticated interfacesFor Avamar and AVE, the client download and help areas do not requireauthentication.

User credential managementThe following topics discuss default accounts and credentials, enabling and disablingaccounts, credential management options, and credential security, including passwordmanagement.

Default accountsRefer to the following publications for lists of default accounts for each IDPAcomponent.

Table 10 Default accounts


Avamar and AVE Avamar Product Security Guide Default authorizations and useraccounts

Data Domain Data Domain Product Security Guide User authentication

User authorization

Search

Note

After successfulconfiguration ofSearch in IDPA, theaccounts are same asthe Search defaultconfiguration. IDPAadds its own LDAPconfiguration into thedatabase.

Search Security Configuration Guide Default accounts



Pre-loaded accounts

IDPA System ManagerAdministration Guide

Unlock a Data Protection Centraluser account



User credential management 25

Table 10 Default accounts (continued)




Cloud DR Server user accounts

Refer to the following table for the default management accounts and additionalaccounts that are associated with each IDPA component.

Note

This table mentions the additional user accounts that are created during configuration.Refer to the corresponding section of each IDPA product for a complete list ofaccounts.

Table 11 Default management accounts

Component Default managementaccounts

Additional accounts

Avamar nodes root

Data Domain sysadmin

Compute node iDRAC (IPMI)interface

root

VMware vCenter Server idpauser root

VMware ESXi hosts idpauser root

Appliance Configuration Manager root Idpauser, idpauser ldap),manager (ldap)

Cloud Disaster Recovery admin

Default credentialsRefer to the following publications for lists of default credentials for each IDPAcomponent.

Table 12 Default credentials


Avamar and AVE Avamar Product Security Guide Default authorizations and useraccounts

Data Domain Data Domain Product Security Guide User authentication

User authorization

Search Search Security Configuration Guide Default accounts



Table 12 Default credentials (continued)


Note

Search user interfaceuses LDAPauthentication.

For accessing Search:

l username:idpauser

password:commonappliancepassword

l username: admin(default accountinherited Search)

password:applianceCommonPassword



Pre-loaded accounts

IDPA System ManagerAdministration Guide

Change password



Credentials for DD Cloud DRdeployment

ApplianceConfigurationManager

root - customer set password

idpauser - common appliancepassword

VMware ESXi root - random complex password


VMware vCenter root - random complex password



User credential management 27

How to disable local accountsRefer to the following publications for information on disabling and removing localaccounts for IDPA components.

Table 13 How to disable local accounts



Enabling and disabling local users

Deleting a local user

ESXi VMware vSphere Security ESXi Passwords and AccountLockout

Disable Authorized (SSH) Keys

Managing credentialsRefer to the following publications for information on configuring the login andpassword security settings for IDPA components.

Table 14 Managing credentials


Avamar and AVE Avamar Product Security Guide Changing server passwords andOpenSSH keys

ESXi VMware vSphere Security vSphere Permissions and UserManagement Tasks

For iDRAC, passwordis set to default afterinstallation. Customercan change it later.

Integrated Dell Remote AccessController 9 Version 3.15.15.15User's Guide

Secure default password

Password complexityEnsure that the password meets the following criteria:

l A maximum of 20 characters

l A minimum of nine characters

l Must not start with a hyphen (-)

l Contains at least one upper-case and one lower-case letter

l Contains at least one number

l Must not include common names and usernames like 'root' or 'admin'

l Contains at least one special character

Valid special characters include:

n period (.)

n hyphen (-)



n underscore (_)

Authentication to external systemsThe following topics discuss how to configure authentication of components outsidethe IDPA, including components providing services to the IDPA and remote clients.

Configuring remote connectionsRefer to the following publications for information on configuring connections fromthe IDPA to external components.

Table 15 Configuring remote connections



Managing DD Boost client accessand encryption

System access management

Remote component authenticationRefer to the following publications for information on how to provide credentials forremote components to use when connecting to the IDPA.

Table 16 Remote component authentication



Setting the system passphrase

Managing certificates for DDBoost

Importing CA certificates

Key manager setup

Configuring SMB signing

Data Domain Product Security Guide Certificates for cloud providers


Secure Remote Services TechnicalDescription

Digital Certificate Management

Communication to EMC

AuthorizationThis section describes default settings and configuration options for how users orprocesses authenticate to the IDPA components.


Authentication to external systems 29

General authorization settingsThe following topics discuss basic information about user privileges within the IDPA.

Configuring authorization rulesRefer to the following publications for information on the basic process of configuringauthorization for users with permission to access the IDPA.

Table 17 Configuring authorization rules


Avamar and AVE Avamar Product Security Guide User Authentication andAuthorization

Avamar Administration Guide Overview of Avamar useraccounts

Roles

Data Domain Data Domain Product Security Guide User Authentication

Search Search Installation andAdministration Guide

Managing Roles and Users

Search Security Configuration Guide Authentication Configuration

DP Advisor Data Protection Advisor Installationand Administration Guide

Users and security

Data Protection Advisor SecurityConfiguration Guide

User roles and privileges



Cloud DR Add-on System andUser Management

ESXi VMware vSphere Security Understanding Authorization invSphere

Default authorizationsRefer to the following publications for lists of default authorizations supplied with theIDPA.

Table 18 Default authorizations


Avamar and AVE Avamar Product Security Guide Roles

Default authorizations and useraccounts

Avamar Administration Guide Overview of Avamar useraccounts

Roles

Data Domain Data Domain Product Security Guide User authorization



Table 18 Default authorizations (continued)



System Administrator role

Application Administrator role

Search Security Configuration Guide System Administrator role


Full Access Search (Global) role

Index specific search roles

Default accounts



Pre-loaded accounts


Users and Security




Cloud DR Add-on System andUser Management

ESXi VMware vSphere Security Understanding Authorization invSphere

External authorization associationsRefer to the following publications for information about mapping LDAP and ADauthentication to levels of authorization for components of the IDPA.

Table 19 External authorization associations


Avamar and AVE Avamar Administration Guide Directory service authentication





Search Security Configuration Guide Configure LDAP and AD users


External authentication, LDAPintegration, and binding

ESXi VMware vSphere Security Using Active Directory to ManageESXi Users


General authorization settings 31

Role-based access control (RBAC)The IDPA uses the default roles available for individual components. Refer to thefollowing publications for information on authorization via assigned roles.

Table 20 Role-based access control




Managing access control


About roles

Managing roles



Compute nodes iDRAC Version 9 User's Guide Configuring user accounts andprivileges

Default rolesRefer to the following publications for information about pre-configured roles andprivileges for components of the IDPA.

Table 21 Default roles




Role-based access control

Local user account management



Application Administrator role

Full Access Search (Global) role

Index specific search roles



ESXi VMware vSphere Security vCenter Server System Roles

IDPA SystemManager


Default accounts



Configuring rolesRefer to the following publications for information about how to select or configurethe capabilities of roles that can be assigned to users of the IDPA.

Table 22 Configuring roles


Avamar and AVE Avamar Administration Guide User Management andAuthentication


Role-based access control






IDPA SystemManager


Default accounts

Role mappingRefer to the following publications for mapping users and groups to specific roles forcomponents of the IDPA.

Table 23 Role mapping


Avamar and AVE Avamar Administration Guide User Management andAuthentication


System access management






IDPA SystemManager


Default accounts


Role-based access control (RBAC) 33

External role associationsRefer to the following publications for information on mapping LDAP and ADauthentication to specific access roles for components of the IDPA.

Table 24 External role associations


Avamar and AVE Avamar Administration Guide LDAP directory serviceauthentication


Configuring Active Directory andKerberos authentication




Creating a new user account withLDAP authentication

ESXi VMware vSphere Security Managing ESXi Roles in theVMware Host Client

IDPA SystemManager


Configuring LDAP

Network securityThis section describes the exposed network interfaces in use by the IDPA.

The DP4400 directly connects to the customer-provided network switch.

Network exposureThe following sections indicate where to obtain information on exposed networkinterfaces and ports for each component of the IDPA. Refer to the listed topics ineach publication for a more detailed description and for further instructions.

For maximum security, customers should disable all network ports and interfaces thatare not required for their environment.

Network portsThe following references provide information about the network ports that are openedby each component of the IDPA.

Table 25 Network ports


Avamar and AVE Avamar Product Security Guide Port Requirements appendixa

Session security features

Data Domain Data Domain Product Security Guide Communication security settings

Data Domain Operating SystemInitial Configuration Guide

Configuring the system with theconfiguration wizard



Table 25 Network ports (continued)


Search Search Security Configuration Guide Port usage

Firewall rules

Search Installation andAdministration Guide

Add an Avamar source server toSearch


IDPA System Manager SecurityConfiguration Guide

Network Security


8543 and 8009: Application server

5672: Rabbitmq

22: ssh


Communication settings

Data Protection Advisor Installationand Administration Guide

DPA port settings


Secure Remote Services PortRequirements

Not applicable

ESXi VMware vSphere Security Additional vCenter Server TCPand UDP Ports

Compute nodes iDRAC Version 9 User's Guide iDRAC port information



Required Data Domain CloudDisaster Recovery ports

a. This reference includes information on network ports that are used by all possible Avamarconfigurations.

Network interfacesThe following tables provide information about the default IP addresses for thenetwork interfaces on IDPA appliance. The default IP addresses are configured in thefactory and are for only internal use of the IDPA appliance.

Note

The below-listed IP addresses are not exposed outside of the appliance and are onlyfor internal communication. For these interfaces, the subnet mask is255.255.255.0.

Table 26 Default IP addresses

Component IP address Subnet mask

Appliance Configuration Manager 192.168.100.100 255.255.255.0

ESXi 192.168.100.101 255.255.255.0


Network exposure 35

The IP address for interfaces that are exposed to the customer network areconfigured at the time of the IDPA appliance configuration.

Communication security settingsThe following references provide information about options for securingcommunications between each component of the IDPA and remote systems.

Table 27 Communication security settings



Data Domain Data Domain Product Security Guide Communication security settings

Firewall settingsThe following references provide information on configuring the firewall functionalityof each component of the IDPA.

Table 28 Firewall settings


Avamar and AVE Avamar Product Security Guide Additional firewall hardening(avfirewall)

Data Domain Data Domain Operating SystemInitial Configuration Guide

Configuring security and firewalls(NFS and CIFS access)

Search Search Security Configuration Guide Firewall rules


Communications settings in DPA



Security and Networking

No additional customer firewall configuration is required.

Data securityThis section describes how the IDPA protects customer data stored on itscomponents.



Data-at-rest encryptionRefer to the following publications for information about the encryption capabilitiesfor Data-at-rest on components of the IDPA.

Table 29 Data-at-rest encryption


Avamar and AVE Avamar Product Security Guide Data-at-rest encryption


DD Encryption

Data Domain Product Security Guide Data encryption

The ACM uses Java keystores to secure the encryption keys.

Data erasureRefer to the following publications for information about securely erasing data fromcomponents of the IDPA.

Table 30 Data erasure


Avamar and AVE Avamar Product Security Guide Data erasurea


Destroying the file system

Data Domain Product Security Guide Data erasure

System sanitization

Compute nodes iDRAC Version 9 User's Guide Erasing PCIe SSD device data

ESXi VMware vSphere Security Use vmkfstools to Erase SensitiveData

a. Avamar servers can also be restored to factory default conditions by a process called re-kickstarting. This process is performed by Dell EMC service personnel.


Data-at-rest encryption 37

CryptographyThe following sections indicate where to obtain information on the uses ofcryptography in the IDPA. Refer to the listed topics in each publication for a moredetailed description and for further instructions.

Cryptographic configuration optionsThe following references provide information about ciphers, encryption, and otherdata integrity mechanisms for each component of the IDPA.

Table 31 Cryptographic configuration options


Avamar and AVE Avamar Product Security Guide Data-in-flight encryption

Data-at-rest encryption

Disabling SSLv2 and weak ciphers

Disabling privileges for CipherSuite 0

Data Domain Data Domain Product Security Guide Data encryption

Data Domain Operating SystemAdministration Guide

DD Encryption chapter

Compute nodes iDRAC Version 9 User's Guide Setting up iDRAC communication

ESXi VMware vSphere Security ESXi SSH Keys

The ACM communicates with the other IDPA components using TLS 1.2.

Disable TLS 1.1 and earlier versionsTo reduce the security vulnerability, disable the weak protocols and ciphers on ACM,vCenter, and ESX. TLS Reconfiguration Utility is used to manage the TLSprotocols on vCenter and ESX. To download and install the utility, see VMware KBarticle 2147469.

To disable weak protocols on vCenter and ESX using the TLS ReconfigurationUtility:

l ACM (internal LDAP):

1. SSH to ACM.

2. Edit the file /etc/openldap/slapd.d/cn=config.ldif.

3. Update the parameter olcTLSProtocolMin from 0.0 to 3.3.

4. Restart the slapd service using following commands:

n service slapd stopn service slapd start

l vCenter:

1. SSH to vCenter.



2. Change directory using the command:cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator

3. Run ./reconfigureVc update -p TLSv1.2.

l ESX:

1. SSH to vCenter.

2. Change directory using the command:cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

3. Run ./reconfigureEsx vCenterCluster -c <cluster-name> -uroot -p TLSv1.2.

4. Reboot IDPA appliance.

Certified cryptographic modulesThe following references provide information about the cryptographic modulesavailable for each component of the IDPA.

Table 32 Certified cryptographic modules


Search Search Security Configuration Guide Cryptographic modules



Certificate Management




Security and Networking

Certificate managementThe following references provide information on the use and management ofcertificates for each component of the IDPA.

Table 33 Certificate management



Data Security and Integrity

Avamar Administration Guide ConnectEMC

Data Domain Data Domain Product Security Guide Data Domain system security

Data security settings


DD Encryption


Certified cryptographic modules 39

Table 33 Certificate management (continued)


Search Search Security Configuration Guide Access Control



Certificate Management


Encryption of the DPA Applicationserver

Compute nodes iDRAC Version 9 User's Guide Configuring iDRAC

ESXi VMware vSphere Security vSphere Security Certificates


IDPA Product Guide Adding a CA-signed certificate

The ACM ships with a default self-signed RSA SHA-256 certificate. The IntegratedData Protection Appliance Product Guide provides details for replacing the defaultcertificate with a CA-signed certificate.

Auditing and loggingThis section describes how the IDPA components log events and protect againsttampering.

LogsRefer to the following publications for information about log locations and usage forIDPA components.

Table 34 Logs


Avamar and AVE Avamar Product Security Guide System Monitoring, Auditing, andLogging

Avamar Administration Guide Server Monitoring

Replication


Log file management

Data Domain Product Security Guide Log settings


Log files



Auditing and Logging



Logging



Table 34 Logs (continued)



ESXi VMware vSphere Security ESXi Log Files



Troubleshooting > Collect Logs

ACM server execution logs are stored on the ACM in /usr/local/dataprotection/var/configmgr/server_data/logs/server.log.

Log management optionsRefer to the following publications for information about managing logs for IDPAcomponents.

Table 35 Log management options


Avamar and AVE Avamar Administration Guide Server Monitoring

Compute nodes iDRAC Version 9 User's Guide Managing logs



Log file management

Log protectionRefer to the following publications for information about securing log contents forIDPA components.

Table 36 Log protection



Log message transmission toremote systems


Log formatRefer to the following publications for information about understanding the formattingof logs for IDPA components.

Table 37 Log format




Log management options 41

Table 37 Log format (continued)



Replication


Log file management

Learning more about log messages


Managing Logs


The ACM log file appends the most recent entries, to a maximum file size of 5120KB,and a maximum backup index1 of 19. ACM log entries use the following format:

%d %-5p [%t]-%C{2}: %m%nwhere:

l %d %-5p is the date

l %t is the thread name

l %C{2} is the Java class name

l %m%n is the logged message

AlertingRefer to the following publications for information about monitoring and managingsecurity alerts for various IDPA components.

Table 38 Alerting




Data Domain Data Domain Product Security Guide Security alert system settings


Alert notification management

Compute nodes iDRAC Version 9 User's Guide Configuring iDRAC to send alerts

ESXi vSphere Monitoring andPerformance

Monitoring Events, Alarms, andAutomated Actions

DP Advisor DP Advisor Product Guide Alerts in DPA

DP Advisor Installation andAdministration Guide

dpa application support

1. Backup index is the number of most recent files saved on ACM.



Physical securityThe IDPA is composed of a single piece of hardware with unique interfaces andphysical security requirements. The following topics detail where to find furtherinformation on securing the IDPA hardware.

Refer to Deployment models on page 16 for the locations of individual appliancecomponents.

Physical interfacesRefer to the following publications for information on the accessible physicalinterfaces of the IDPA components.

Table 39 Physical interfaces


Compute nodes Dell PowerEdge R740 Owner'sManual

Ports and connectorsspecifications

Physical security optionsRefer to the following publications for information about physical security controlsthat can be applied to the IDPA components.

Table 40 Physical security options


Data Domain Data Domain Product Security Guide Physical Security Controls

Dell EMC reminds customers to review and frequently audit all operational policies,and verify that personnel, site, and perimeter security are secure.

Customer service accessRefer to the following publications for information about physical interfaces anddevices that are restricted for use by Customer Support.

Table 41 Customer service access



Pre-operating systemmanagement applications >System Security


Physical security 43

Tamper evidence and resistanceRefer to the following publications for information about tamper-evident and tamper-resistant features that are found in the IDPA components.

Table 42 Tamper evidence and resistance


Avamar Avamar Product Security Guide Advanced Intrusion DetectionEnvironment (AIDE)

The auditd service


System clock

RPM signature verification


Pre-operating systemmanagement applications >System Security

Statements of volatilityRefer to the following publications for information on information-storing componentsof the IDPA.

Table 43 Statements of volatility

Component Reference Publication

Compute nodes Statement of Volatility – Dell PowerEdge R740 and Dell PowerEdge R60

NDMP If NDMP node is used with any IDPA model, refer to the correspondingNDMP appliance documentation.

ServiceabilityThe IDPA deployment process includes Secure Remote Services registration for theAppliance Configuration Manager, Data Domain, Avamar, and DP Advisor.

The Appliance Configuration Manager virtual machine can be used as a bridge byCustomer Support to access appliance components that are not directly registeredwith Secure Remote Services. By default, ConnectEMC is not configured on anyappliance component. For more information about ConnectEMC, see Secure RemoteServices Operations Guide.

Customer Support and authorized service partners complete all service on the IDPA.



Maintenance aidsRefer to the following publications for information about accounts, tools, and otherfunctions intended for maintenance use.

Table 44 Maintenance aids


Avamar and AVE Avamar Product Security Guide Security patches

Email home notification usingConnectEMC

Intelligent Platform ManagementInterface

Avamar Operational Best PracticesGuide

Using EMC Secure RemoteSupport solution

Avamar Administration Guide Automatic notifications to AvamarSupport

Data Domain Data Domain Product Security Guide Other security considerations


Network connection management

Autosupport report management

Support bundle management

EMC Support deliverymanagement

Remote system powermanagement with IPMI



EMC Enterprise access control

Communication to EMC

Avamar and AVE make use of a Customer Support-only password to run someworkflow packages in the Avamar Installation Manager.

Responsible service useRefer to the following publication for information on responsible service use by DellEMC.

Table 45 Responsible service use




EMC Enterprise access control


Maintenance aids 45

Security updates and patchingThe following references provide information about how to apply security patches foreach component of the IDPA.

Table 46 Security updates and patching


Integrated DataProtection Appliance

Integrated Data ProtectionAppliance Product Guide

Upgrading the appliance

Customers should apply security updates and patches from Dell EMC regularly toprevent zero-day vulnerability attacks.

Note

A warning on vCenter is displayed about a potential vulnerable issue. CVE-2018-3646is one of the L1 Terminal Fault (L1TF) speculative execution vulnerabilities and isdetermined to have medium vulnerability score.IDPA uses the ESXi version which has the following fixes for this vulnerability,however one of them is not enabled by default as it has severe performance impac:

l Mitigation of the Sequential-Context attack vector - this fix is included in IDPA 2.3and later releases.

l Mitigation of the Concurrent-Context attack vector - this fix is not enabled bydefaultThis fix can be enabled using simple steps on ESXi, but has severe performancepenalties if enabled.

IDPA is a restricted environment where unverified virtual machines are notdeployed on the ESXi. Also, due to severe performance penalties, it is notrecommended to enable the fix on IDPA appliance. However, customers canenable it at their own risk. For more information, see VMware KB article 55806.

Customer requirements for updatesRefer to the following publications for information on periodic security updates thatapply to the IDPA components.

Table 47 Customer requirements for updates


Integrated DataProtection Appliance

Integrated Data Protection ApplianceProduct Guide

Upgrading the applicance



CHAPTER 3

Miscellaneous configuration and managementelements


l Protecting authenticity and integrity................................................................. 48l Installing client software.................................................................................... 48

Miscellaneous configuration and management elements 47

Protecting authenticity and integrityRefer to the following publications for information about the use of signing andcryptography to ensure the integrity of the IDPA.

Table 48 Protecting authenticity and integrity



RPM signature verification

Dell EMC recommends that customers verify the authenticity of downloads againstpublished MD5 and SHA-256 checksums, where provided.

Installing client softwareRefer to the following publications for information about requirements for installingcomponents of the IDPA on client computers.

Table 49 Installing client software




Customer site components

Specifications

Miscellaneous configuration and management elements


INDEX

AActive Directory 24alerting 42auditing 40authentication 22, 24, 25, 29authentication, certificates 24authentication, keys 24authentication, local sources 23authentication, remote component 29authentication, role-based 32authentication, setup 23authenticity 48authorization 29, 30authorization, default 30authorization, external 31authorization, rules 30

Ccertificate management 39certificates 24clients 48communications, security 36credential management 25credentials, default 26credentials, managing 28cryptographic modules 39cryptography 38cryptography, certificate management 39cryptography, certified modules 39cryptography, configuration 38customer service access 43

Ddata erasure 37data security 36default accounts 25deployment models 16

Eencryption, data at rest 37

Ffirewall 36

Iintegrity 48interfaces 43

Kkeys 24

LLDAP 24legal disclaimers 9local accounts, deleting 28local accounts, disabling 28lockout, user 23logging 40login banner 22login behavior 22login security 22logs, alerting 42logs, format 41logs, locations 40logs, management 41logs, protection 41logs, usage 40

Mmaintenance aids 45map, security controls 20

Nnetwork exposure 34network interfaces 35network ports 34network security 34networking 34

Ppasswords, complexity 28passwords, managing 28physical interfaces 43physical security 43preface 9

Rremote connections 29requirements, customer 46roles 32roles, configuring 33roles, default 32roles, external association 34roles, mapping 33

Ssecurity controls map 20security updates 46security, communications 36service use, responsible 45serviceability 44statement of volatility 44


Ttampering, evidence 44tampering, resistance 44

Uunauthenticated interfaces 25updates 46

Vvolatility 44

Index


security configuration guide · dell emc integrated data protection appliance version 2.4 security...

Documents