Dell EMC Integrated Data Protection Appliance
Version 2.4
Security Configuration Guide
302-005-687
REV 01
Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.
Published May 2019
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
CONTENTS
Figures
Tables
Preface
Chapter 1 Security quick reference
    Deployment models
Chapter 2 Product and subsystem security
    Security controls map
    Authentication
        Login security settings
        Authentication types and setup
        User credential management
        Authentication to external systems
    Authorization
        General authorization settings
        Role-based access control (RBAC)
    Network security
        Network exposure
        Communication security settings
        Firewall settings
    Data security
        Data-at-rest encryption
        Data erasure
    Cryptography
        Cryptographic configuration options
        Certified cryptographic modules
        Certificate management
    Auditing and logging
        Logs
        Log management options
        Log protection
        Log format
        Alerting
    Physical security
        Physical interfaces
        Physical security options
        Customer service access
        Tamper evidence and resistance
        Statements of volatility
    Serviceability
        Maintenance aids
        Responsible service use
        Security updates and patching
        Customer requirements for updates
Chapter 3 Miscellaneous configuration and management elements
    Protecting authenticity and integrity
    Installing client software
Index
Preface
Overview
The Integrated Data Protection Appliance Security Configuration Guide provides an overview of security configuration settings available for this solution, and best practices for using those settings to ensure secure operation of the product.
Table 1 Revision history
Revision number | Date | Description
01 | May 2019 | First release of this document for IDPA 2.4
Scope of document
This publication provides a survey of security topics that are related to the Integrated Data Protection Appliance (IDPA). The content is not associated with a specific compliance regime.
Topics specific to the security of individual components that are contained within the IDPA, including Avamar, Data Domain, Data Protection Advisor (DP Advisor), Search, Data Protection Central, and Cloud Disaster Recovery (CDRA), are contained within the security and administration guides for each component, which are listed in Document references.
As the IDPA is a solution-level product, content from these guides is not repeated here. Instead, tables within each topic lead you to the correct location in the referenced publications, where applicable.
Audience
The information in this publication is intended for customers who are responsible for planning, implementing, administering, or auditing security controls in environments containing IDPA solutions. The primary audience is technical, but this publication addresses the needs of a range of security professionals.
Legal disclaimers
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Therefore, some versions of the software or hardware currently in use may not support all functions that are described in this document. The product release notes provide the most up-to-date information about product features.
Contact your Dell EMC representative if a product does not function correctly or does not function as described in this document.
NOTICE
This document was accurate at publication time. New versions of this document might be released on the Online Support website. To ensure that you are using the latest version of this document, check the Online Support at https://www.dell.com/support.
Dell EMC websites may contain links to third-party sites. Content contained on any website that is linked to any Dell EMC website is not the responsibility of Dell EMC and Dell EMC is not responsible for the accuracy or reliability of any content on such websites. Further, the presence of a link to a third-party site does not mean that Dell EMC endorses that site, its products, or views expressed there. Dell EMC provides these links merely for convenience and the presence of such third-party links is not an endorsement or recommendation by Dell EMC.
Reporting vulnerabilities
Dell EMC takes reports of potential vulnerabilities in our products very seriously. For the latest on how to report a security issue to Dell EMC, see the Product Security Response Center on EMC.com.
Document references
The following documents provide additional information:
Avamar 18.2:
• Avamar Product Security Guide
  This publication discusses various aspects of Avamar product security.
• Avamar Administration Guide
  This publication describes how to configure, administer, monitor, and maintain an Avamar server.
• Avamar Operational Best Practices Guide
  This publication describes operational best practices for both single-node and multi-node servers in small and large heterogeneous client environments.
Data Domain 6.2:
• Data Domain Product Security Guide
  This publication describes the key security features of Data Domain systems and provides the procedures that are required to ensure data protection and appropriate access control.
• Data Domain Operating System Administration Guide
  This publication explains how to manage Data Domain systems with an emphasis on procedures using the Data Domain System Manager.
• Data Domain Operating System Command Reference Guide
  This publication explains how to manage Data Domain systems by using the Data Domain command line.
• Data Domain Operating System Initial Configuration Guide
  This publication explains how to perform the post-installation initial configuration of a Data Domain system.
• Data Domain Statement of Volatility for the Data Domain DD6300, DD6800 and DD9300 Systems
  This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.
• Data Domain Statement of volatility for Data Domain DD9500 and DD9800 systems
  This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.
Data Protection Advisor 18.2:
• Data Protection Advisor Security Configuration Guide
  This publication provides an overview of the security configuration settings available in Data Protection Advisor (DP Advisor). These settings include the secure deployment and usage settings, and secure maintenance and physical security controls required to ensure secure operation of DP Advisor.
• Data Protection Advisor Installation and Administration Guide
  This publication provides an overview of the process of administering DP Advisor.
Search 18.2:
• Search Security Configuration Guide
  This publication describes the security features and settings of Search.
• Search Installation and Administration Guide
  This publication provides an overview of the process of administering Search.
IDPA System Manager (DPC) 18.2:
• IDPA System Manager Security Configuration Guide
  This publication describes the security features and settings of Integrated Data Protection Appliance System Manager.
• IDPA System Manager Getting Started Guide
  This publication provides an overview of the process of administering Integrated Data Protection Appliance System Manager.
• IDPA System Manager Release Notes
  This publication provides the release information for Integrated Data Protection Appliance System Manager.
Cloud Disaster Recovery 18.3:
The Data Domain Cloud Disaster Recovery Installation and Administration Guide describes the security features as well as the settings of Cloud Disaster Recovery.
Secure Remote Support:
• Secure Remote Services Technical Description
  This document provides a technical overview of Secure Remote Services.
• Secure Remote Services Installation and Operations Guide
  This publication provides an overview of the process of installing, configuring, operating, and troubleshooting Secure Remote Services. The publication also describes customer responsibilities for maintaining Secure Remote Services.
• Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions
  This publication provides answers to frequently asked questions about Secure Remote Services and Secure Remote Services security, as well as the Secure Remote Services Certificate Practice Statement (CPS) and policy for the Dell EMC Internal Secure Remote Services2CA.
• Secure Remote Services Port Requirements
  This publication contains information about port usage for communication between Secure Remote Services and Dell EMC, Policy Manager, and Dell EMC devices.
Dell PowerEdge R740:
These publications are available at https://www.dell.com/support/home.
• The Dell PowerEdge R740 Owner's Manual or Dell EMC PowerEdge R740xd Installation and Service Manual
• iDRAC Version 9 User's Guide
• Statement of Volatility - Dell PowerEdge R740
VMware vSphere 6.5:
• VMware vSphere 6.5 Documentation Center
  This publication is available at https://pubs.vmware.com/vsphere-6-5/index.jsp
• vSphere 6.5 Hardening Guide
  This publication is available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx
• vSphere 6.5 Installation and Setup
  This publication is available at https://docs.vmware.com
Special notice conventions used in this document
We use these conventions for special notices.
DANGER
A danger notice indicates a hazardous situation which, if not avoided, will result in serious injury or death.
WARNING
A warning indicates a hazardous situation which, if not avoided, could result in serious injury or death.
CAUTION
A caution indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
NOTICE
A notice identifies content that warns of potential business or data loss.
Note
A note contains information that is incidental, but not essential, to the topic.
Typographical conventions
These type style conventions are used in this document.
Table 2 Typographical conventions
Bold
    Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic
    Used for full titles of publications referenced in text
Monospace
    Used for:
    • System code
    • System output, such as an error message or script
    • Pathnames, filenames, prompts, and syntax
    • Commands and options
Monospace italic
    Used for variables
Monospace bold
    Used for user input
[ ]
    Square brackets enclose optional values
|
    Vertical bar indicates alternate selections - the bar means “or”
{ }
    Braces enclose content that the user must specify, such as x or y or z
...
    Ellipses indicate nonessential information omitted from the example
Getting help
The IDPA support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact Customer Support.
To access the IDPA support page:
1. Go to https://www.dell.com/support.
2. In the search box, type a product name, and then from the list that appears, select the product.
3. (Optional) Add the product to the My Saved Products list by clicking Add to My Saved Products in the upper right corner of the Support by Product page.
Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, esgxxxxxx) or by keyword.
To search the Knowledgebase:
1. Click Search at the top of the page.
2. Type either the solution number or keywords in the search box.
3. (Optional) Limit the search to specific products by typing a product name in the Scope by product box and then selecting the product from the list that appears.
4. Select Knowledgebase from the Scope by resource list.
5. (Optional) Specify advanced options by clicking Advanced options and specifying values in the available fields.
6. Click Search.
Facilitating support
ConnectEMC and Email Home are enabled on IDPA automatically. Secure Remote Services are enabled automatically for Data Domain (Protection Storage), Avamar (Backup Server), Data Protection Advisor, and Appliance Configuration Manager.
Comments and suggestions
Comments and suggestions help us to continue to improve the accuracy, organization, and overall quality of the user publications. Send comments and suggestions about this document to [email protected].
Please include the following information:
• Product name and version
• Document name, part number, and revision (for example, 01)
• Page numbers
• Other details to help address documentation issues
Any information that is provided to Dell EMC in connection with any Dell EMC website shall be provided by the submitter and received by Dell EMC on a non-confidential basis. Such information shall be considered non-confidential and property of Dell EMC. By submitting any such information to Dell EMC you agree to a no-charge assignment to Dell EMC of all worldwide rights, title, and interest in copyrights and other intellectual property rights to the information. Dell EMC shall be free to use such information on an unrestricted basis.
CHAPTER 1
Security quick reference
This chapter provides quick-reference information for deployment of the IDPA.
This chapter contains the following topics:
• Deployment models
Deployment models
The DP4400 is a fully integrated 2U appliance with different capacities, ranging from 8 TB to 24 TB and from 24 TB to 96 TB respectively.
Before deployment
When building the IDPA, the factory performs the following actions:
• Install the Dell EMC customized ESXi image.
• Assign private, non-routable IP addresses.
• Set default passwords and configure all default management accounts.
• Complete basic configuration to provide a platform for final deployment at the customer site.
During deployment
When deploying the appliance, customers must perform the following actions:
• Connect the appliance to the customer network environment.
• Register the appliance with the Secure Remote Services system.
• Assign new passwords for management accounts.
The IDPA deployment process makes no security-related assumptions about the customer environment. Customers are expected to provide suitable power and data connections, as well as physical security to protect the appliance components.
The Appliance Configuration Manager interface does not provide security-specific configuration options or support additional configurations. All appliance components are deployed using the best practices that are defined in the security configuration guides for each component. The interface enforces an optimal environment for correct operation of the appliance components.
After deployment
The IDPA contains many externally accessible interfaces for use by data protection and management clients. Customers should take care to apply appropriate access restrictions to prevent unauthorized use. As per the customer security requirements, all forms of access should be regularly monitored and audited.
Models
The following diagrams illustrate the IDPA at maximal configuration for each model.
Figure 1 Model DP4400
Components labeled in the figure:
• Cloud Disaster Recovery Add-on (CDRA)
• Data Protection Advisor (DPA)
• Data Protection Search (DPS)
• Avamar Virtual Edition (AVE)
• Appliance Configuration Manager (ACM)
• Data Protection Central (DPC)
• vCenter (VC)
• Data Domain Virtual Edition (DDVE)
• Integrated Dell Remote Access Controller (iDRAC)
Note
Customers can choose either the Copper network ports or the Optical network ports.
Encryption
• The management traffic is encrypted using SSL and TLS.
• The backup data and metadata are both encrypted using SSL and TLS.
• The replication traffic is encrypted using SSL and TLS.
• The Secure Remote Services traffic is encrypted using AES and TLS.
• The authentication can be administered using Active Directory and LDAP.
Secure Remote Services
• When Secure Remote Services is implemented, external communication to and from Secure Remote Services is conducted through the TLS tunnel using the AES-256 SHA1 encryption and RSA key exchange with bilateral authentication, with certificates stored in an RSA lockbox. If the TLS tunnel is unavailable, the messages are forwarded through FTPS or encrypted email.
• Secure Remote Services data includes diagnostic, system health, and remote access session information for IDPA system components (DDVE, AVE, Search, and so on).
• Secure Remote Services information can be selectively streamed to remote nodes using the Secure Remote Services Policy Manager, which controls the Secure Remote Services traffic flow.
• You can use the Secure Remote Services Policy Manager to configure policies that govern permitted remote access sessions, notifications, and diagnostic script executions.
CHAPTER 2
Product and subsystem security
This chapter contains the following topics:
• Security controls map
• Authentication
• Authorization
• Network security
• Data security
• Cryptography
• Auditing and logging
• Physical security
• Serviceability
Security controls map
The following diagram details the connections between the IDPA components and the security controls on each link.
Note
vSwitch0 shown in the previous figure replaces the physical switch in the DP4400.
Figure 2 Security controls map - Avamar and Data Domain
Authentication
This section describes default settings and configuration options for how users or processes authenticate to the IDPA components.
By default, all components of the IDPA authenticate using the management accounts that are included with each component and the common password that is configured during deployment. The manufacturing process sets a default password for each management account that is contained within the IDPA components. A customer-provided common password replaces the default during deployment.
The Appliance Configuration Manager (ACM) normally manages the IDPA common passwords after deployment.
Note
As a security consideration, it is recommended that you change your appliance password after the appliance software is successfully upgraded.
Login security settings
The following publications provide information on configuring the login security settings for IDPA components.
Login banner configuration
Refer to the following publications for information about configuring the login banners for the IDPA components.
Table 3 Login banner configuration
Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Custom ssh banner not supported
Compute nodes | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | Manage the Login Banner
Failed login behavior
Refer to the following publications for information about configuring the login behavior for the IDPA components.
Table 4 Failed login behavior
Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Additional operating system hardening; Additional password hardening
Compute nodes | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | vCenter Password Requirements and Lockout Behavior; Edit the vCenter Single Sign-On Lockout Policy; ESXi Passwords and Account Lockout
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR server user accounts
Emergency user lockout
Refer to the following publications for information about locking out users for the IDPA components.
Table 5 Emergency user lockout
Component | Reference Publication | Topic
ESXi | VMware vSphere Security | Cryptographic Operations Privileges
Authentication types and setup
This section includes authentication source and type configuration options for the IDPA.
Configuring local authentication sources
Refer to the following publications for information on using the authentication databases on the IDPA components.
Table 6 Configuring local authentication sources
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Avamar internal authentication
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Local user account management
The ACM authenticates using the local username and password, and provides only one account. No other authentication sources are available.
Configuring Active Directory
Refer to the following publications for information on configuring the IDPA components to use LDAP and Active Directory authentication.
Table 7 Configuring Active Directory
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management; Enabling Active Directory; Directory user and group management
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP
Compute nodes | iDRAC Version 9 User's Guide | Configuring user accounts and privileges
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users
Certificate/key-based authentication
Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate human users for the IDPA components.
Table 8 Certificate/key-based authentication
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
Avamar and AVE | Avamar Operational Best Practices Guide | Changing passwords
Data Domain | Data Domain Product Security Guide | System access
Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate inter-component and inter-process communication for IDPA components.
Table 9 Digital certificates and SSH keys
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication
Secure Remote Services | Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions | SRS Certificate Policy
Unauthenticated interfaces
For Avamar and AVE, the client download and help areas do not require authentication.
User credential management
The following topics discuss default accounts and credentials, enabling and disabling accounts, credential management options, and credential security, including password management.
Default accounts
Refer to the following publications for lists of default accounts for each IDPA component.
Table 10 Default accounts
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search (Note: After successful configuration of Search in IDPA, the accounts are the same as the Search default configuration. IDPA adds its own LDAP configuration into the database.) | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Unlock a Data Protection Central user account
Compute nodes | iDRAC Version 9 User's Guide | Logging in to iDRAC
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Server user accounts
Refer to the following table for the default management accounts and additional accounts that are associated with each IDPA component.
Note
This table mentions the additional user accounts that are created during configuration. Refer to the corresponding section of each IDPA product for a complete list of accounts.
Table 11 Default management accounts
Component | Default management accounts | Additional accounts
Avamar nodes | root |
Data Domain | sysadmin |
Compute node iDRAC (IPMI) interface | root |
VMware vCenter Server | idpauser | root
VMware ESXi hosts | idpauser | root
Appliance Configuration Manager | root | Idpauser, idpauser (ldap), manager (ldap)
Cloud Disaster Recovery | admin |
Default credentials
Refer to the following publications for lists of default credentials for each IDPA component.
Table 12 Default credentials
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search (Note: Search user interface uses LDAP authentication. For accessing Search: username: idpauser, password: commonappliancepassword; username: admin (default account inherited Search), password: applianceCommonPassword) | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Change password
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Credentials for DD Cloud DR deployment
Appliance Configuration Manager | root - customer set password; idpauser - common appliance password
VMware ESXi | root - random complex password; idpauser - common appliance password
VMware vCenter | root - random complex password; idpauser - common appliance password
How to disable local accounts
Refer to the following publications for information on disabling and removing local accounts for IDPA components.
Table 13 How to disable local accounts
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Enabling and disabling local users; Deleting a local user
ESXi | VMware vSphere Security | ESXi Passwords and Account Lockout; Disable Authorized (SSH) Keys
Managing credentials
Refer to the following publications for information on configuring the login and password security settings for IDPA components.
Table 14 Managing credentials
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
For iDRAC, password is set to default after installation. Customer can change it later. | Integrated Dell Remote Access Controller 9 Version 3.15.15.15 User's Guide | Secure default password
Password complexity
Ensure that the password meets the following criteria:
• A maximum of 20 characters
• A minimum of nine characters
• Must not start with a hyphen (-)
• Contains at least one upper-case and one lower-case letter
• Contains at least one number
• Must not include common names and usernames like 'root' or 'admin'
• Contains at least one special character
  Valid special characters include:
  ▪ period (.)
  ▪ hyphen (-)
  ▪ underscore (_)
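The following validator checks a candidate password against the criteria listed above. It is an added example, not Dell EMC code. It assumes that the three listed special characters are the only non-alphanumeric characters accepted, that name matching is case-insensitive, and that the account names from the default management accounts table count as banned names alongside 'root' and 'admin'.

```python
import re

# Limits and character sets taken from the "Password complexity" list.
MIN_LEN, MAX_LEN = 9, 20
SPECIALS = ".-_"  # period, hyphen, underscore

# 'root' and 'admin' are named in the criteria; the remaining entries are
# account names listed elsewhere in this guide, added here as an assumption.
BANNED_NAMES = ("root", "admin", "sysadmin", "idpauser", "manager")


def password_violations(password, banned_names=BANNED_NAMES):
    """Return the list of violated rules; an empty list means the password passes."""
    found = []
    if len(password) < MIN_LEN:
        found.append("too_short")
    if len(password) > MAX_LEN:
        found.append("too_long")
    if password.startswith("-"):
        found.append("leading_hyphen")
    if not re.search(r"[A-Z]", password):
        found.append("no_upper")
    if not re.search(r"[a-z]", password):
        found.append("no_lower")
    if not re.search(r"[0-9]", password):
        found.append("no_digit")
    if not any(ch in SPECIALS for ch in password):
        found.append("no_special")
    # Assumption: anything outside letters, digits and the listed specials is rejected.
    if re.search(r"[^A-Za-z0-9._-]", password):
        found.append("unlisted_char")
    # Assumption: names are matched case-insensitively anywhere in the password.
    lowered = password.lower()
    found.extend("contains_name:" + name for name in banned_names if name in lowered)
    return found


def audit(candidates):
    """Map each failing candidate to its violations; passing candidates are omitted."""
    report = {}
    for candidate in candidates:
        problems = password_violations(candidate)
        if problems:
            report[candidate] = problems
    return report


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = ["Backup.Vault_2019", "short.1A", "-Backup.Vault19", "MyRoot.Pass_77"]
    for value, problems in audit(samples).items():
        print(value, "->", ", ".join(problems))
```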
Authentication to external systems
The following topics discuss how to configure authentication of components outside the IDPA, including components providing services to the IDPA and remote clients.
Configuring remote connections
Refer to the following publications for information on configuring connections from the IDPA to external components.
Table 15 Configuring remote connections
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Managing DD Boost client access and encryption; System access management
Remote component authentication
Refer to the following publications for information on how to provide credentials for remote components to use when connecting to the IDPA.
Table 16 Remote component authentication
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Setting the system passphrase; Managing certificates for DD Boost; Importing CA certificates; Key manager setup; Configuring SMB signing
Data Domain | Data Domain Product Security Guide | Certificates for cloud providers
Secure Remote Services | Secure Remote Services Technical Description | Digital Certificate Management; Communication to EMC
Authorization
This section describes default settings and configuration options for how users or processes authenticate to the IDPA components.
General authorization settings
The following topics discuss basic information about user privileges within the IDPA.
Configuring authorization rules
Refer to the following publications for information on the basic process of configuring authorization for users with permission to access the IDPA.
Table 17 Configuring authorization rules
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | User Authentication and Authorization
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User Authentication
Search | Search Installation and Administration Guide | Managing Roles and Users
Search | Search Security Configuration Guide | Authentication Configuration
DP Advisor | Data Protection Advisor Installation and Administration Guide | Users and security
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere
Default authorizations
Refer to the following publications for lists of default authorizations supplied with the IDPA.
Table 18 Default authorizations
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles; Default authorizations and user accounts
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User authorization
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role
Search | Search Security Configuration Guide | System Administrator role; System Administrator role; Full Access Search (Global) role; Index specific search roles; Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
DP Advisor | Data Protection Advisor Security Configuration Guide | Users and Security; User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere
External authorization associations
Refer to the following publications for information about mapping LDAP and AD authentication to levels of authorization for components of the IDPA.
Table 19 External authorization associations
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users
Role-based access control (RBAC)
The IDPA uses the default roles available for individual components. Refer to the following publications for information on authorization via assigned roles.
Table 20 Role-based access control
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Managing access control
Search | Search Installation and Administration Guide | About roles; Managing roles
DP Advisor | Data Protection Advisor Installation and Administration Guide | User roles and privileges
Compute nodes | iDRAC Version 9 User's Guide | Configuring user accounts and privileges
Default roles
Refer to the following publications for information about pre-configured roles and privileges for components of the IDPA.
Table 21 Default roles
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Role-based access control; Local user account management
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role; Full Access Search (Global) role; Index specific search roles
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vCenter Server System Roles
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
Configuring roles
Refer to the following publications for information about how to select or configure the capabilities of roles that can be assigned to users of the IDPA.
Table 22 Configuring roles
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Role-based access control
Search | Search Installation and Administration Guide | Managing Roles and Users
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
Role mapping
Refer to the following publications for mapping users and groups to specific roles for components of the IDPA.
Table 23 Role mapping
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | System access management
Search | Search Installation and Administration Guide | Managing Roles and Users
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
External role associations
Refer to the following publications for information on mapping LDAP and AD authentication to specific access roles for components of the IDPA.
Table 24 External role associations
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | LDAP directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Configuring Active Directory and Kerberos authentication
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
DP Advisor | Data Protection Advisor Installation and Administration Guide | Creating a new user account with LDAP authentication
ESXi | VMware vSphere Security | Managing ESXi Roles in the VMware Host Client
IDPA System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP
Network security
This section describes the exposed network interfaces in use by the IDPA.
The DP4400 directly connects to the customer-provided network switch.
Network exposure
The following sections indicate where to obtain information on exposed network interfaces and ports for each component of the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.
For maximum security, customers should disable all network ports and interfaces that are not required for their environment.
Network ports
The following references provide information about the network ports that are opened by each component of the IDPA.
Table 25 Network ports
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Port Requirements appendix (footnote a); Session security features
Data Domain | Data Domain Product Security Guide | Communication security settings
Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring the system with the configuration wizard
Search | Search Security Configuration Guide | Port usage; Firewall rules
Search | Search Installation and Administration Guide | Add an Avamar source server to Search
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Network Security
Appliance Configuration Manager | 8543 and 8009: Application server; 5672: Rabbitmq; 22: ssh
DP Advisor | Data Protection Advisor Security Configuration Guide | Communication settings
DP Advisor | Data Protection Advisor Installation and Administration Guide | DPA port settings
Secure Remote Services | Secure Remote Services Port Requirements | Not applicable
ESXi | VMware vSphere Security | Additional vCenter Server TCP and UDP Ports
Compute nodes | iDRAC Version 9 User's Guide | iDRAC port information
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Required Data Domain Cloud Disaster Recovery ports
a. This reference includes information on network ports that are used by all possible Avamar configurations.
Network interfaces
The following tables provide information about the default IP addresses for the network interfaces on the IDPA appliance. The default IP addresses are configured in the factory and are only for internal use by the IDPA appliance.
Note
The IP addresses listed below are not exposed outside of the appliance and are only for internal communication. For these interfaces, the subnet mask is 255.255.255.0.
Table 26 Default IP addresses
Component | IP address | Subnet mask
Appliance Configuration Manager | 192.168.100.100 | 255.255.255.0
ESXi | 192.168.100.101 | 255.255.255.0
The IP addresses for interfaces that are exposed to the customer network are configured at the time of the IDPA appliance configuration.
Communication security settings
The following references provide information about options for securing communications between each component of the IDPA and remote systems.
Table 27 Communication security settings
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication
Data Domain | Data Domain Product Security Guide | Communication security settings
Firewall settings
The following references provide information on configuring the firewall functionality of each component of the IDPA.
Table 28 Firewall settings
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Additional firewall hardening (avfirewall)
Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring security and firewalls (NFS and CIFS access)
Search | Search Security Configuration Guide | Firewall rules
DP Advisor | Data Protection Advisor Installation and Administration Guide | Communications settings in DPA
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking
No additional customer firewall configuration is required.
Data security
This section describes how the IDPA protects customer data stored on its components.
Data-at-rest encryption
Refer to the following publications for information about the encryption capabilities for data-at-rest on components of the IDPA.
Table 29 Data-at-rest encryption
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data-at-rest encryption
Data Domain | Data Domain Operating System Administration Guide | DD Encryption
Data Domain | Data Domain Product Security Guide | Data encryption
The ACM uses Java keystores to secure the encryption keys.
Data erasure
Refer to the following publications for information about securely erasing data from components of the IDPA.
Table 30 Data erasure
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data erasure (footnote a)
Data Domain | Data Domain Operating System Administration Guide | Destroying the file system
Data Domain | Data Domain Product Security Guide | Data erasure; System sanitization
Compute nodes | iDRAC Version 9 User's Guide | Erasing PCIe SSD device data
ESXi | VMware vSphere Security | Use vmkfstools to Erase Sensitive Data
a. Avamar servers can also be restored to factory default conditions by a process called re-kickstarting. This process is performed by Dell EMC service personnel.
Cryptography
The following sections indicate where to obtain information on the uses of cryptography in the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.
Cryptographic configuration options
The following references provide information about ciphers, encryption, and other data integrity mechanisms for each component of the IDPA.
Table 31 Cryptographic configuration options
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data-in-flight encryption; Data-at-rest encryption; Disabling SSLv2 and weak ciphers; Disabling privileges for Cipher Suite 0
Data Domain | Data Domain Product Security Guide | Data encryption
Data Domain | Data Domain Operating System Administration Guide | DD Encryption chapter
Compute nodes | iDRAC Version 9 User's Guide | Setting up iDRAC communication
ESXi | VMware vSphere Security | ESXi SSH Keys
The ACM communicates with the other IDPA components using TLS 1.2.
Disable TLS 1.1 and earlier versions
To reduce exposure to security vulnerabilities, disable the weak protocols and ciphers on ACM, vCenter, and ESX. The TLS Reconfiguration Utility is used to manage the TLS protocols on vCenter and ESX. To download and install the utility, see VMware KB article 2147469.
To disable weak protocols on vCenter and ESX using the TLS Reconfiguration Utility:
• ACM (internal LDAP):
  1. SSH to ACM.
  2. Edit the file /etc/openldap/slapd.d/cn=config.ldif.
  3. Update the parameter olcTLSProtocolMin from 0.0 to 3.3.
  4. Restart the slapd service using the following commands:
     service slapd stop
     service slapd start
• vCenter:
  1. SSH to vCenter.
  2. Change directory using the command:
     cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  3. Run ./reconfigureVc update -p TLSv1.2.
• ESX:
  1. SSH to vCenter.
  2. Change directory using the command:
     cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator
  3. Run ./reconfigureEsx vCenterCluster -c <cluster-name> -u root -p TLSv1.2.
  4. Reboot IDPA appliance.
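The following check confirms that step 3 of the ACM procedure took effect by reading olcTLSProtocolMin out of the LDIF text. It is an added example, not part of the Dell EMC guide or tooling. OpenLDAP expresses this setting as the protocol version number, where 3.1 is TLS 1.0, 3.2 is TLS 1.1 and 3.3 is TLS 1.2; the LDIF fragments in the code are constructed samples.

```python
import base64

# OpenLDAP writes the minimum protocol as <major>.<minor> of the SSL/TLS version.
PROTOCOL_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
REQUIRED = (3, 3)  # value set in step 3 of the ACM procedure

# Constructed fragments standing in for cn=config.ldif before and after the edit.
BEFORE = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSProtocolMin: 0.0
"""
AFTER = BEFORE.replace("olcTLSProtocolMin: 0.0", "olcTLSProtocolMin: 3.3")


def unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def tls_protocol_min(ldif_text):
    """Return olcTLSProtocolMin as a (major, minor) tuple, or None when it is absent."""
    for line in unfold(ldif_text):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "olctlsprotocolmin":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("ascii")
        major, _, minor = value.strip().partition(".")
        return int(major), int(minor or 0)
    return None


def meets_tls12(ldif_text):
    """True only when a minimum is set and it is at least 3.3 (TLS 1.2)."""
    found = tls_protocol_min(ldif_text)
    return found is not None and found >= REQUIRED


def describe(ldif_text):
    """One-line summary suitable for a hardening report."""
    found = tls_protocol_min(ldif_text)
    if found is None:
        return "olcTLSProtocolMin not set"
    name = PROTOCOL_NAMES.get(found, "no named protocol")
    verdict = "OK" if found >= REQUIRED else "TOO LOW"
    return "olcTLSProtocolMin %d.%d (%s): %s" % (found + (name, verdict))


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", describe(text))
```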
Certified cryptographic modules
The following references provide information about the cryptographic modules available for each component of the IDPA.
Table 32 Certified cryptographic modules
Component | Reference Publication | Topic
Search | Search Security Configuration Guide | Cryptographic modules
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management
Compute nodes | iDRAC Version 9 User's Guide | Setting up iDRAC communication
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking
Certificate management
The following references provide information on the use and management of certificates for each component of the IDPA.
Table 33 Certificate management
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication; Data Security and Integrity
Avamar and AVE | Avamar Administration Guide | ConnectEMC
Data Domain | Data Domain Product Security Guide | Data Domain system security; Data security settings
Data Domain | Data Domain Operating System Administration Guide | DD Encryption
Search | Search Security Configuration Guide | Access Control
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management
DP Advisor | Data Protection Advisor Installation and Administration Guide | Encryption of the DPA Application server
Compute nodes | iDRAC Version 9 User's Guide | Configuring iDRAC
ESXi | VMware vSphere Security | vSphere Security Certificates
Appliance Configuration Manager | IDPA Product Guide | Adding a CA-signed certificate
The ACM ships with a default self-signed RSA SHA-256 certificate. The Integrated Data Protection Appliance Product Guide provides details for replacing the default certificate with a CA-signed certificate.
Auditing and logging
This section describes how the IDPA components log events and protect against tampering.
Logs
Refer to the following publications for information about log locations and usage for IDPA components.
Table 34 Logs
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring; Replication
Data Domain | Data Domain Operating System Administration Guide | Log file management
Data Domain | Data Domain Product Security Guide | Log settings
Search | Search Installation and Administration Guide | Log files
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Auditing and Logging
Secure Remote Services | Secure Remote Services Technical Description | Logging
Compute nodes | iDRAC Version 9 User's Guide | Setting up iDRAC communication
ESXi | VMware vSphere Security | ESXi Log Files
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Troubleshooting > Collect Logs
ACM server execution logs are stored on the ACM in /usr/local/dataprotection/var/configmgr/server_data/logs/server.log.
Log management options
Refer to the following publications for information about managing logs for IDPA components.
Table 35 Log management options
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Server Monitoring
Compute nodes | iDRAC Version 9 User's Guide | Managing logs
ESXi | VMware vSphere Security | ESXi Log Files
Data Domain | Data Domain Operating System Administration Guide | Log file management
Log protection
Refer to the following publications for information about securing log contents for IDPA components.
Table 36 Log protection
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Log message transmission to remote systems
ESXi | VMware vSphere Security | ESXi Log Files
Log format
Refer to the following publications for information about understanding the formatting of logs for IDPA components.
Table 37 Log format
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring; Replication
Data Domain | Data Domain Operating System Administration Guide | Log file management; Learning more about log messages
Search | Search Installation and Administration Guide | Managing Logs
ESXi | VMware vSphere Security | ESXi Log Files
The ACM log file appends the most recent entries, to a maximum file size of 5120 KB and a maximum backup index (footnote 1) of 19. ACM log entries use the following format:
%d %-5p [%t]-%C{2}: %m%n
where:
• %d %-5p is the date
• %t is the thread name
• %C{2} is the Java class name
• %m%n is the logged message
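The following parser turns ACM log text in the pattern above into structured records, for example before forwarding them to a log collector. It is an added example, not Dell EMC code. In log4j pattern syntax %-5p is the level, left-justified to five characters; the code assumes %d renders in the log4j default form yyyy-MM-dd HH:mm:ss,SSS, and the sample lines, class names and thread names are constructed.

```python
import re
from datetime import datetime

# One entry head as written by "%d %-5p [%t]-%C{2}: %m%n".
# Assumption: %d has no explicit format, so the timestamp is "yyyy-MM-dd HH:mm:ss,SSS".
ENTRY_HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) +"      # %-5p: level padded to five characters, then a space
    r"\[(?P<thread>.*?)\]-"     # [%t]-
    r"(?P<cls>[\w.$]+): "       # %C{2}: last two components of the class name
    r"(?P<msg>.*)$"             # %m
)
LEVEL_RANK = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

# Constructed sample; class names, threads and messages are invented for illustration.
SAMPLE = """\
2019-05-14 10:22:31,118 INFO  [main]-configmgr.ServerStartup: ACM server started
2019-05-14 10:23:02,407 WARN  [http-exec-3]-security.LoginHandler: Login failed for user idpauser
2019-05-14 10:23:05,990 ERROR [http-exec-4]-ldap.LdapClient: Bind failed
javax.naming.CommunicationException: simple bind failed
\tat com.example.ldap.LdapClient.bind(LdapClient.java:88)
2019-05-14 10:23:06,001 DEBUG [pool-1-thread-2]-configmgr.Heartbeat: tick
"""


def parse_acm_log(text):
    """Return one dict per log entry; stack-trace lines are folded into the entry above them."""
    entries = []
    for line in text.splitlines():
        head = ENTRY_HEAD.match(line)
        if head:
            entries.append({
                "timestamp": datetime.strptime(head.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
                "level": head.group("level"),
                "thread": head.group("thread"),
                "class": head.group("cls"),
                "message": head.group("msg"),
            })
        elif entries:
            # Continuation of a multi-line message (%m may contain newlines).
            entries[-1]["message"] += "\n" + line
        # Lines before the first entry head (file rotated mid-entry) are dropped.
    return entries


def at_or_above(entries, minimum="WARN"):
    """Keep entries at or above the given level; unknown levels are kept rather than hidden."""
    floor = LEVEL_RANK[minimum]
    return [e for e in entries if LEVEL_RANK.get(e["level"], floor) >= floor]


if __name__ == "__main__":
    for entry in at_or_above(parse_acm_log(SAMPLE)):
        first_line = entry["message"].splitlines()[0]
        print(entry["timestamp"].isoformat(), entry["level"], entry["class"], first_line)
```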
Alerting
Refer to the following publications for information about monitoring and managing security alerts for various IDPA components.
Table 38 Alerting
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring
Data Domain | Data Domain Product Security Guide | Security alert system settings
Data Domain | Data Domain Operating System Administration Guide | Alert notification management
Compute nodes | iDRAC Version 9 User's Guide | Configuring iDRAC to send alerts
ESXi | vSphere Monitoring and Performance | Monitoring Events, Alarms, and Automated Actions
DP Advisor | DP Advisor Product Guide | Alerts in DPA
DP Advisor | DP Advisor Installation and Administration Guide | dpa application support
1. Backup index is the number of most recent files saved on ACM.
Physical security
The IDPA is composed of a single piece of hardware with unique interfaces and physical security requirements. The following topics detail where to find further information on securing the IDPA hardware.
Refer to Deployment models on page 16 for the locations of individual appliance components.
Physical interfaces
Refer to the following publications for information on the accessible physical interfaces of the IDPA components.
Table 39 Physical interfaces
Component | Reference Publication | Topic
Compute nodes | Dell PowerEdge R740 Owner's Manual | Ports and connectors specifications
Physical security options
Refer to the following publications for information about physical security controls that can be applied to the IDPA components.
Table 40 Physical security options
Component | Reference Publication | Topic
Data Domain | Data Domain Product Security Guide | Physical Security Controls
Dell EMC reminds customers to review and frequently audit all operational policies, and verify that personnel, site, and perimeter security are secure.
Customer service access
Refer to the following publications for information about physical interfaces and devices that are restricted for use by Customer Support.
Table 41 Customer service access
Component | Reference Publication | Topic
Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security
Tamper evidence and resistance
Refer to the following publications for information about tamper-evident and tamper-resistant features that are found in the IDPA components.
Table 42 Tamper evidence and resistance
Component | Reference Publication | Topic
Avamar | Avamar Product Security Guide | Advanced Intrusion Detection Environment (AIDE); The auditd service
Data Domain | Data Domain Operating System Administration Guide | System clock; RPM signature verification
Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security
Statements of volatility
Refer to the following publications for information on information-storing components of the IDPA.
Table 43 Statements of volatility
Component | Reference Publication
Compute nodes | Statement of Volatility – Dell PowerEdge R740 and Dell PowerEdge R60
NDMP | If NDMP node is used with any IDPA model, refer to the corresponding NDMP appliance documentation.
Serviceability
The IDPA deployment process includes Secure Remote Services registration for the Appliance Configuration Manager, Data Domain, Avamar, and DP Advisor.
The Appliance Configuration Manager virtual machine can be used as a bridge by Customer Support to access appliance components that are not directly registered with Secure Remote Services. By default, ConnectEMC is not configured on any appliance component. For more information about ConnectEMC, see Secure Remote Services Operations Guide.
Customer Support and authorized service partners complete all service on the IDPA.
Maintenance aids
Refer to the following publications for information about accounts, tools, and other functions intended for maintenance use.
Table 44 Maintenance aids
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Security patches
 | | Email home notification using ConnectEMC
 | | Intelligent Platform Management Interface
 | Avamar Operational Best Practices Guide | Using EMC Secure Remote Support solution
 | Avamar Administration Guide | Automatic notifications to Avamar Support
Data Domain | Data Domain Product Security Guide | Other security considerations
 | Data Domain Operating System Administration Guide | Network connection management
 | | Autosupport report management
 | | Support bundle management
 | | EMC Support delivery management
 | | Remote system power management with IPMI
Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control
 | | Communication to EMC
Avamar and AVE make use of a Customer Support-only password to run some workflow packages in the Avamar Installation Manager.
Responsible service use
Refer to the following publication for information on responsible service use by Dell EMC.
Table 45 Responsible service use
Component | Reference Publication | Topic
Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control
Security updates and patching
The following references provide information about how to apply security patches for each component of the IDPA.
Table 46 Security updates and patching
Component | Reference Publication | Topic
Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance
Customers should apply security updates and patches from Dell EMC regularly to prevent zero-day vulnerability attacks.
Note
A warning about a potential vulnerability is displayed on vCenter. CVE-2018-3646 is one of the L1 Terminal Fault (L1TF) speculative execution vulnerabilities and is determined to have a medium vulnerability score.
IDPA uses the ESXi version that has the following fixes for this vulnerability; however, one of them is not enabled by default because it has a severe performance impact:
• Mitigation of the Sequential-Context attack vector - this fix is included in IDPA 2.3 and later releases.
• Mitigation of the Concurrent-Context attack vector - this fix is not enabled by default. This fix can be enabled using simple steps on ESXi, but has severe performance penalties if enabled.
IDPA is a restricted environment where unverified virtual machines are not deployed on the ESXi. Also, due to severe performance penalties, it is not recommended to enable the fix on the IDPA appliance. However, customers can enable it at their own risk. For more information, see VMware KB article 55806.
Customer requirements for updates
Refer to the following publications for information on periodic security updates that apply to the IDPA components.
Table 47 Customer requirements for updates
Component | Reference Publication | Topic
Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance
CHAPTER 3
Miscellaneous configuration and management elements
This chapter contains the following topics:
• Protecting authenticity and integrity
• Installing client software
Protecting authenticity and integrity
Refer to the following publications for information about the use of signing and cryptography to ensure the integrity of the IDPA.
Table 48 Protecting authenticity and integrity
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | RPM signature verification
Dell EMC recommends that customers verify the authenticity of downloads against published MD5 and SHA-256 checksums, where provided.
Installing client software
Refer to the following publications for information about requirements for installing components of the IDPA on client computers.
Table 49 Installing client software
Component | Reference Publication | Topic
Secure Remote Services | Secure Remote Services Technical Description | Customer site components
 | | Specifications