Dell EMC Data Domain® Version 6.1
Security Configuration Guide
302-003-722 REV 03

Copyright © 2014-2018 Dell Inc. and its subsidiaries. All rights reserved.
Published July 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

CONTENTS

Preface
Revision history

Chapter 1 Overview
    The Data Domain Operating System
    Data Domain system security
    System interfaces and access control

Chapter 2 Security Configuration Settings
    Introduction
    System passphrase
        Passphrase security
    Access control settings
        System access
        User authentication
        User authorization
    Certificate management
        Externally signed certificates
    Log settings
        Log descriptions
        Log management and retrieval
    Communication security settings
        Data Domain TCP and UDP ports
        Network routing management
    Time synchronization with external source
    Cloud tier network security recommendations
        Certificates for cloud providers
    DD VE on S3 storage (AWS) and hot blob storage (Azure) security recommendations
    DD VE for kernel-based virtual machine considerations
    Secure multi-tenancy security
    Data security settings
        Data Domain Retention Lock software
        Data integrity
        End-to-End verification
        Data erasure
        System sanitization
        Data encryption
        Encryption of data at rest
        Encryption of data in flight
        Encryption of data in flight via DD Boost
    Secure Remote Services
    Security alert system settings
    Other security considerations
        Securing data in flight
        System hardening

Chapter 3 Secure Maintenance
    Security patch management

Chapter 4 Physical Security Controls
    Physical controls
    Baseboard management controller and basic input/output system recommendations
    General USB security best practices
    Securing Integrated Dell Remote Access Controller 9 for DD3300

Preface

As part of an effort to improve its products, Data Domain periodically releases software and hardware revisions.
Therefore, some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features, software updates, software compatibility guides, and information about Data Domain products, licensing, and service.

Contact a technical support professional if a product does not function correctly or does not function as described in this document.

Purpose

This document describes the key security features of Data Domain systems and provides the procedures that are required to ensure data protection and appropriate access control.

Audience

This document is primarily intended for Data Domain Field Engineers, contracted representatives, and business partners who are responsible for configuring, troubleshooting, and upgrading Data Domain systems at customer sites. System administrators or application integrators who are responsible for installing software, maintaining servers and clients on a network, and ensuring network security should also be aware of the contents of this document.

Related documentation

The following publications provide additional information:

• Data Domain Operating System Release Notes
• Data Domain Operating System Administration Guide
• Data Domain Operating System Initial Configuration Guide
• Data Domain Operating System Command Reference Guide
• Data Domain Operating System MIB Quick Reference
• Data Domain Hardware Features and Specifications
• Installation guide for the system, for example, Data Domain DD6300 System Installation Guide
• Data Domain, System Controller Upgrade Guide
• Data Domain Expansion Shelf, Hardware Guide (for shelf model ES30/FS15 or DS60)

If you have the optional RSA Data Protection (DPM) Key Manager, see the latest version of the RSA Data Protection Manager Server Administrator's Guide, available with the RSA Data Protection Manager product.

Special notice conventions used in this document

The following conventions are used for special notices:

DANGER    If not avoided, indicates a hazardous situation which results in death or serious injury.
WARNING   If not avoided, indicates a hazardous situation which could result in death or serious injury.
CAUTION   If not avoided, indicates a hazardous situation which could result in minor or moderate injury.
NOTICE    Addresses practices that are not related to personal injury.
Note      Presents information that is important, but not hazard-related.

Typographical conventions

Table 1 Style conventions

Bold               Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic             Used for full titles of publications that are referenced in text
Monospace          Used for:
                   • System code
                   • System output, such as an error message or script
                   • Pathnames, filenames, prompts, and syntax
                   • Commands and options
Monospace italic   Used for variables
Monospace bold     Used for user input
[ ]                Square brackets enclose optional values
|                  Vertical bar indicates alternate selections - the bar means “or”
{ }                Braces enclose content that the user must specify, such as x or y or z
...                Ellipses indicate nonessential information that is omitted from the example

Where to get help

Support, product, and licensing information can be obtained as follows:

Product information
For documentation, release notes, software updates, or additional product information, go to the support site at https://support.emc.com.

Technical support
Go to the online support site and click Service Center. Several options are available for contacting Technical Support. Note that to open a service request, you must have a valid support agreement. Contact a sales representative for details about obtaining a valid support agreement or with account questions.

Comments
Suggestions help continue to improve the accuracy, organization, and overall quality of the user publications. Send opinions of this document to mailto:DPAD.Doc.feedback@emc.com.

Note
This document was accurate at publication time. Go to the online support site to ensure that you are using the latest version of this document.

Revision history

The following table presents the revision history of this document.

Table 2 Document revision history

Revision     Date           Description
03 (6.1.2)   July 2018      Latest revision includes security recommendations for lightweight access protocol (LDAP), DD VE running on Kernel-based Virtual Machine (KVM), DD VE on S3 and hot blob storage, and exporting encryption keys. Also includes updates to default account login information, certificate management, encryption, and system hardening.
02 (6.1.1)   January 2018   Updated to include general information relating to NFSv4, BMC security practices, BIOS password disabling, and iDRAC for the DD3300.
01 (6.1)     June 2017      Updated for DD OS 6.1

CHAPTER 1 Overview

This chapter includes:

• The Data Domain Operating System
• Data Domain system security
• System interfaces and access control

The Data Domain Operating System

A Data Domain system is an appliance that runs the Data Domain Operating System (DD OS). A web-based graphical user interface (GUI), Data Domain System Manager, is provided for configuration operations, management, and monitoring. In addition, a controlled command-line interface (CLI) environment is available, which provides a complete set of Data Domain administrative operations.
Because DD OS is an embedded operating system, additional software or agents cannot be installed or executed within a Data Domain system. This restriction ensures control and consistency of DD OS releases and provides additional security over the system. Data Domain systems are purpose-built physical and virtual appliances with restricted access to their internal operation. Any tampering voids the warranty. Updated versions of embedded open source modules are included in DD OS updates as appropriate.

Data Domain system security

Data Domain systems, as central repositories for both structured and unstructured backup data, have many security capabilities and attributes to protect the data on the Data Domain systems. This document is a supplement to the Data Domain Operating System Administration Guide and provides an overview of key security features and procedures that are required to ensure data protection and appropriate access control.

System interfaces and access control

Hosts and backup applications interface with the Data Domain systems through one or more of the standard native server interface protocols: CIFS, NFS, NDMP, VTL, or Data Domain Boost. Access control and user authentication to the Data Domain system are controlled through local users, NIS environments, or a Microsoft Active Directory Domain environment. Other points that run the security attributes of the Data Domain system are listed in the simplified diagram.

Figure 1 System interfaces and access control

The following Data Domain native protocols and software options depend on or enable security attributes of the Data Domain system. See the