EMC RecoverPoint Security and Networking Technical Notes
EMC RecoverPoint Security and Networking Technical Notes
EMC RecoverPoint Security and Networking Technical Notes
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>EMC</strong> ® <strong>RecoverPoint</strong><br />
<strong>Security</strong> <strong>and</strong> <strong>Networking</strong><br />
<strong>Technical</strong> <strong>Notes</strong><br />
P/N 300-004-450<br />
Rev A03<br />
March 11, 2008<br />
This document contains information about <strong>EMC</strong> <strong>RecoverPoint</strong> security<br />
<strong>and</strong> networking. Topics include:<br />
◆ Scope....................................................................................................... 2<br />
◆ <strong>RecoverPoint</strong> OS................................................................................... 2<br />
◆ <strong>Networking</strong> ........................................................................................... 3<br />
◆ Access control ....................................................................................... 6<br />
◆ System notifications ............................................................................. 7<br />
1
Scope<br />
Scope<br />
2 <strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
The <strong>EMC</strong> ® <strong>RecoverPoint</strong> system has been designed as a secure<br />
platform for continuous remote replication (CRR) <strong>and</strong> continuous<br />
data protection (CDP). <strong>EMC</strong> has invested in ensuring security for all<br />
aspects of its <strong>RecoverPoint</strong> system, including the operating system,<br />
networking, <strong>and</strong> <strong>RecoverPoint</strong> software.<br />
This document describes some of the security provisions of <strong>EMC</strong><br />
<strong>RecoverPoint</strong>, particularly the operating system <strong>and</strong> network<br />
security. This document is intended primarily for company personnel<br />
responsible for system administration <strong>and</strong> network security.<br />
Related documents Use the release of any of the following documents, available in the<br />
Documentation Library on http://Powerlink.<strong>EMC</strong>.com, that matches<br />
your installed <strong>RecoverPoint</strong> version:<br />
<strong>RecoverPoint</strong> OS<br />
◆ <strong>EMC</strong> <strong>RecoverPoint</strong> Administrator’s Guide<br />
◆ <strong>EMC</strong> <strong>RecoverPoint</strong> Installation Guide<br />
◆ <strong>EMC</strong> <strong>RecoverPoint</strong> <strong>and</strong> <strong>RecoverPoint</strong>/SE Release <strong>Notes</strong><br />
The <strong>RecoverPoint</strong> operating system is based on a st<strong>and</strong>ard Debian<br />
distribution that has been modified according to <strong>RecoverPoint</strong><br />
functional <strong>and</strong> security requirements. Unessential Debian packages<br />
were removed (for OS hardening), required packages were added,<br />
<strong>and</strong> the latest security updates from Debian were applied. The latest<br />
release of the <strong>RecoverPoint</strong> kernel is based on Linux.<br />
<strong>RecoverPoint</strong> operates the Linux runlevel 3, full multi-user mode.<br />
All extraneous default Linux daemons were disabled to allow<br />
maximum security. The following daemons are running:<br />
◆ syslogd<br />
◆ sshd<br />
◆ httpd (Apache 2)<br />
◆ kashya_drivers<br />
◆ network<br />
◆ r<strong>and</strong>om
<strong>Networking</strong><br />
◆ iptables<br />
◆ crond<br />
◆ snmpd<br />
All <strong>RecoverPoint</strong> user space applications are started automatically<br />
when the <strong>RecoverPoint</strong> appliance (RPA) starts up.<br />
Note: Additional services may run to support hardware monitoring on some<br />
platforms (for example, Dell <strong>and</strong> Unisys).<br />
<strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
<strong>Networking</strong><br />
The RPA has a minimum of two Ethernet cards, usually on-board.<br />
One adapter (eth0) is dedicated to the WAN connection, <strong>and</strong> the other<br />
adapter is dedicated to the LAN connection (management network).<br />
Each node in the RPA cluster is assigned to a static IP address for both<br />
its WAN <strong>and</strong> LAN interfaces. The cluster is assigned an additional<br />
floating IP address, which is active at only one node at a time.<br />
The primary <strong>RecoverPoint</strong> site is normally installed in the corporate<br />
data center. In most cases, the WAN network that links the primary<br />
site <strong>and</strong> the disaster recovery (DR) site runs over dedicated lines<br />
(such as a DS-3), or uses VPN over the public networks.<br />
<strong>RecoverPoint</strong> applies a secure signature to all replicated data. The<br />
user is protected from any malicious alteration or unexpected<br />
corruption of the WAN traffic while data is in transit. Encryption can<br />
be added at the network level using a technology such as VPN.<br />
The RPA dedicates a large part of its resources to compression.<br />
<strong>RecoverPoint</strong> employs a number of compression algorithms to better<br />
utilize the WAN, including: algorithmic compression, delta<br />
differential, hot spots, <strong>and</strong> application-aware compression.<br />
Supported services The RPA supports the following services:<br />
◆ Firewall<br />
The <strong>RecoverPoint</strong> OS achieves enhanced security by running<br />
iptables firewall that blocks all unused ports on the machine.<br />
3
<strong>Networking</strong><br />
◆ SSH<br />
4 <strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
<strong>EMC</strong> encourages its customers to use a secure shell (SSH) when<br />
connecting to an RPA. <strong>RecoverPoint</strong> runs OpenSSH.<br />
◆ Web server<br />
<strong>RecoverPoint</strong> uses the Apache HTTP Server for HTTP.<br />
◆ SNMP<br />
The RPA is SNMP-capable; that is, the <strong>RecoverPoint</strong> system<br />
supports monitoring <strong>and</strong> problem notification using the st<strong>and</strong>ard<br />
Simple Network Management Protocol (SNMP). This includes<br />
support for SNMPv3, which adds security <strong>and</strong> remote<br />
configuration capabilities to the previous versions. The SNMPv3<br />
architecture introduces the User-based <strong>Security</strong> Model (USM) for<br />
message security <strong>and</strong> the View-based Access Control Model<br />
(VACM) for access control. The architecture supports the<br />
concurrent use of different security, access control, <strong>and</strong> message<br />
processing models. The system supports various SNMP queries<br />
to the agent on <strong>RecoverPoint</strong>. In addition, the system can be<br />
configured so that <strong>RecoverPoint</strong> events generate SNMP traps<br />
which are sent to designated hosts (that is, NMS servers).<br />
<strong>RecoverPoint</strong> supports the default MIB-II <strong>and</strong>, on selected<br />
platforms, hardware monitoring of the <strong>RecoverPoint</strong> platform.<br />
Firewall port settings The following RPA ports must be open for input:<br />
Table 1 LAN/Management communication <strong>and</strong> notification ports (Sheet 1 of 2)<br />
Port Protocol<br />
21 Outgoing FTP communications; for system info collection (TCP)<br />
22 SSH <strong>and</strong> communications between RPAs (TCP)<br />
25 Outgoing mail (SMTP) email alerts from RPA, if configured (TCP)<br />
53 DNS (TCP, UDP)<br />
80 HTTP; web server for management (TCP)<br />
123 NTP (TCP, UDP)<br />
161 SNMP (TCP, UDP)<br />
162 SNMP (TCP, UDP)
<strong>Networking</strong><br />
Table 1 LAN/Management communication <strong>and</strong> notification ports (Sheet 2 of 2)<br />
Port Protocol<br />
443 HTTPS; for management (TCP)<br />
514 Syslog (TCP, UDP)<br />
1099 RMI (TCP)<br />
4401 RMI (TCP)<br />
4405 kutils VDI, KVSS (TCP)<br />
777 hlr_kbox; Automatic host info collection (TCP)<br />
All RPAs must be able to communicate with one another, both on the<br />
local site <strong>and</strong> on the remote site, on the following ports:<br />
Table 2 inter-RPA communication ports<br />
Port Protocol<br />
22 SSH <strong>and</strong> communications between RPAs (TCP)<br />
23 Telnet (TCP)<br />
123 NTP (TCP, UDP)<br />
1097 RMI (TCP)<br />
1099 RMI (TCP)<br />
5001 iperf; performance measuring between RPAs (TCP)<br />
5020 Control process (TCP, UDP)<br />
5030 RMI (TCP, UDP)<br />
5040 Replication (TCP, UDP)<br />
5060 mpi_perf (TCP, UDP)<br />
5080 Connectivity diagnostics tool (TCP, UDP)<br />
9999 udponger; connectivity diagnostics tool (UDP)<br />
<strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
5
Access control<br />
Access control<br />
6 <strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
The RPA supports privilege-based user administration. The<br />
superuser admin can create new users <strong>and</strong> assign privileges ranging<br />
from full administrative capabilities to read-only access.<br />
Default users defined on <strong>RecoverPoint</strong> are:<br />
◆ admin<br />
User admin has full permission for administration of<br />
<strong>RecoverPoint</strong>, including to create, modify, delete, <strong>and</strong> add entities<br />
in the <strong>RecoverPoint</strong> Management Application (GUI) <strong>and</strong> CLI.<br />
◆ monitor<br />
User monitor has read-only permission, allowing the user to view<br />
entities in the <strong>RecoverPoint</strong> GUI <strong>and</strong> CLI.<br />
Access methods <strong>RecoverPoint</strong> supports the following access methods:<br />
◆ SSH to the <strong>RecoverPoint</strong> CLI<br />
For best security, <strong>EMC</strong> recommends that the user communicate<br />
with <strong>RecoverPoint</strong> using SSH. Following a successful login to<br />
<strong>RecoverPoint</strong>, the user enters the <strong>RecoverPoint</strong> comm<strong>and</strong> line<br />
interface (CLI), from which point the user login credentials<br />
govern access permissions.<br />
◆ Web access to the <strong>RecoverPoint</strong> GUI<br />
The <strong>RecoverPoint</strong> GUI is based on Java, <strong>and</strong> users can access it as<br />
either admin or monitor.
System notifications<br />
Copyright © 2008 <strong>EMC</strong> Corporation. All rights reserved.<br />
<strong>RecoverPoint</strong> supports the following event notification methods:<br />
◆ SNMP notification<br />
Users can get system information <strong>and</strong> traps using SNMP.<br />
<strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Security</strong> <strong>and</strong> <strong>Networking</strong> <strong>Technical</strong> <strong>Notes</strong><br />
System notifications<br />
◆ Alert notification<br />
The email notification (alert) mechanism sends specified event<br />
alerts to designated individuals. Optionally, it can be configured<br />
to notify <strong>EMC</strong> <strong>RecoverPoint</strong> <strong>Technical</strong> Support.<br />
◆ Syslog notification<br />
<strong>RecoverPoint</strong> uses syslog to support event notification to a<br />
remote management application.<br />
Note: Users should consider the appropriate network settings for each event<br />
notification method that they wish to configure.<br />
<strong>EMC</strong> believes the information in this publication is accurate as of its publication date. The information is<br />
subject to change without notice.<br />
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” <strong>EMC</strong> CORPORATION MAKES NO<br />
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN<br />
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF<br />
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.<br />
Use, copying, <strong>and</strong> distribution of any <strong>EMC</strong> software described in this publication requires an applicable<br />
software license.<br />
For the most up-to-date listing of <strong>EMC</strong> product names, see <strong>EMC</strong> Corporation Trademarks on <strong>EMC</strong>.com.<br />
All other trademarks used herein are the property of their respective owners.<br />
7