EMC RecoverPoint Security and Networking Technical Notes

EMC ® RecoverPoint 

Security and Networking 

Technical Notes 

P/N 300-004-450 

Rev A03 

March 11, 2008 

This document contains information about EMC RecoverPoint security 

and networking. Topics include: 

◆ Scope....................................................................................................... 2 

◆ RecoverPoint OS................................................................................... 2 

◆ Networking ........................................................................................... 3 

◆ Access control ....................................................................................... 6 

◆ System notifications ............................................................................. 7 

1

Scope 

Scope 

2 EMC RecoverPoint Security and Networking Technical Notes 

The EMC ® RecoverPoint system has been designed as a secure 

platform for continuous remote replication (CRR) and continuous 

data protection (CDP). EMC has invested in ensuring security for all 

aspects of its RecoverPoint system, including the operating system, 

networking, and RecoverPoint software. 

This document describes some of the security provisions of EMC 

RecoverPoint, particularly the operating system and network 

security. This document is intended primarily for company personnel 

responsible for system administration and network security. 

Related documents Use the release of any of the following documents, available in the 

Documentation Library on http://Powerlink.EMC.com, that matches 

your installed RecoverPoint version: 

RecoverPoint OS 

◆ EMC RecoverPoint Administrator’s Guide 

◆ EMC RecoverPoint Installation Guide 

◆ EMC RecoverPoint and RecoverPoint/SE Release Notes 

The RecoverPoint operating system is based on a standard Debian 

distribution that has been modified according to RecoverPoint 

functional and security requirements. Unessential Debian packages 

were removed (for OS hardening), required packages were added, 

and the latest security updates from Debian were applied. The latest 

release of the RecoverPoint kernel is based on Linux. 

RecoverPoint operates the Linux runlevel 3, full multi-user mode. 

All extraneous default Linux daemons were disabled to allow 

maximum security. The following daemons are running: 

◆ syslogd 

◆ sshd 

◆ httpd (Apache 2) 

◆ kashya_drivers 

◆ network 

◆ random

Networking 

◆ iptables 

◆ crond 

◆ snmpd 

All RecoverPoint user space applications are started automatically 

when the RecoverPoint appliance (RPA) starts up. 

Note: Additional services may run to support hardware monitoring on some 

platforms (for example, Dell and Unisys). 

EMC RecoverPoint Security and Networking Technical Notes 


The RPA has a minimum of two Ethernet cards, usually on-board. 

One adapter (eth0) is dedicated to the WAN connection, and the other 

adapter is dedicated to the LAN connection (management network). 

Each node in the RPA cluster is assigned to a static IP address for both 

its WAN and LAN interfaces. The cluster is assigned an additional 

floating IP address, which is active at only one node at a time. 

The primary RecoverPoint site is normally installed in the corporate 

data center. In most cases, the WAN network that links the primary 

site and the disaster recovery (DR) site runs over dedicated lines 

(such as a DS-3), or uses VPN over the public networks. 

RecoverPoint applies a secure signature to all replicated data. The 

user is protected from any malicious alteration or unexpected 

corruption of the WAN traffic while data is in transit. Encryption can 

be added at the network level using a technology such as VPN. 

The RPA dedicates a large part of its resources to compression. 

RecoverPoint employs a number of compression algorithms to better 

utilize the WAN, including: algorithmic compression, delta 

differential, hot spots, and application-aware compression. 

Supported services The RPA supports the following services: 

◆ Firewall 

The RecoverPoint OS achieves enhanced security by running 

iptables firewall that blocks all unused ports on the machine. 

3


◆ SSH 


EMC encourages its customers to use a secure shell (SSH) when 

connecting to an RPA. RecoverPoint runs OpenSSH. 

◆ Web server 

RecoverPoint uses the Apache HTTP Server for HTTP. 

◆ SNMP 

The RPA is SNMP-capable; that is, the RecoverPoint system 

supports monitoring and problem notification using the standard 

Simple Network Management Protocol (SNMP). This includes 

support for SNMPv3, which adds security and remote 

configuration capabilities to the previous versions. The SNMPv3 

architecture introduces the User-based Security Model (USM) for 

message security and the View-based Access Control Model 

(VACM) for access control. The architecture supports the 

concurrent use of different security, access control, and message 

processing models. The system supports various SNMP queries 

to the agent on RecoverPoint. In addition, the system can be 

configured so that RecoverPoint events generate SNMP traps 

which are sent to designated hosts (that is, NMS servers). 

RecoverPoint supports the default MIB-II and, on selected 

platforms, hardware monitoring of the RecoverPoint platform. 

Firewall port settings The following RPA ports must be open for input: 

Table 1 LAN/Management communication and notification ports (Sheet 1 of 2) 

Port Protocol 

21 Outgoing FTP communications; for system info collection (TCP) 

22 SSH and communications between RPAs (TCP) 

25 Outgoing mail (SMTP) email alerts from RPA, if configured (TCP) 

53 DNS (TCP, UDP) 

80 HTTP; web server for management (TCP) 

123 NTP (TCP, UDP) 

161 SNMP (TCP, UDP) 

162 SNMP (TCP, UDP)


Table 1 LAN/Management communication and notification ports (Sheet 2 of 2) 

Port Protocol 

443 HTTPS; for management (TCP) 

514 Syslog (TCP, UDP) 

1099 RMI (TCP) 


4405 kutils VDI, KVSS (TCP) 

777 hlr_kbox; Automatic host info collection (TCP) 

All RPAs must be able to communicate with one another, both on the 

local site and on the remote site, on the following ports: 

Table 2 inter-RPA communication ports 

Port Protocol 

22 SSH and communications between RPAs (TCP) 

23 Telnet (TCP) 

123 NTP (TCP, UDP) 



5001 iperf; performance measuring between RPAs (TCP) 

5020 Control process (TCP, UDP) 

5030 RMI (TCP, UDP) 

5040 Replication (TCP, UDP) 

5060 mpi_perf (TCP, UDP) 

5080 Connectivity diagnostics tool (TCP, UDP) 

9999 udponger; connectivity diagnostics tool (UDP) 


5

Access control 

Access control 


The RPA supports privilege-based user administration. The 

superuser admin can create new users and assign privileges ranging 

from full administrative capabilities to read-only access. 

Default users defined on RecoverPoint are: 

◆ admin 

User admin has full permission for administration of 

RecoverPoint, including to create, modify, delete, and add entities 

in the RecoverPoint Management Application (GUI) and CLI. 

◆ monitor 

User monitor has read-only permission, allowing the user to view 

entities in the RecoverPoint GUI and CLI. 

Access methods RecoverPoint supports the following access methods: 

◆ SSH to the RecoverPoint CLI 

For best security, EMC recommends that the user communicate 

with RecoverPoint using SSH. Following a successful login to 

RecoverPoint, the user enters the RecoverPoint command line 

interface (CLI), from which point the user login credentials 

govern access permissions. 

◆ Web access to the RecoverPoint GUI 

The RecoverPoint GUI is based on Java, and users can access it as 

either admin or monitor.

System notifications 

Copyright © 2008 EMC Corporation. All rights reserved. 

RecoverPoint supports the following event notification methods: 

◆ SNMP notification 

Users can get system information and traps using SNMP. 


System notifications 

◆ Alert notification 

The email notification (alert) mechanism sends specified event 

alerts to designated individuals. Optionally, it can be configured 

to notify EMC RecoverPoint Technical Support. 

◆ Syslog notification 

RecoverPoint uses syslog to support event notification to a 

remote management application. 

Note: Users should consider the appropriate network settings for each event 

notification method that they wish to configure. 

EMC believes the information in this publication is accurate as of its publication date. The information is 

subject to change without notice. 

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO 

REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN 

THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF 

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 

Use, copying, and distribution of any EMC software described in this publication requires an applicable 

software license. 

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. 

All other trademarks used herein are the property of their respective owners. 

7

EMC RecoverPoint Security and Networking Technical Notes

Create successful ePaper yourself

Delete template?

Save as template?