Dell EMC Integrated Data Protection Appliance Version 2.4.1
Security Configuration Guide, Rev 01
November 2019
Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property
of their respective owners. Published in the USA.
Dell EMC, Hopkinton, Massachusetts 01748-9103, 1-508-435-1000. In North America 1-866-464-7381. www.DellEMC.com
2 Dell EMC Integrated Data Protection Appliance Security Configuration Guide
CONTENTS

Figures .......................................................................... 5
Tables ........................................................................... 7
Preface .......................................................................... 9

Chapter 1  Security quick reference ............................................ 15
    Deployment models ........................................................... 16

Chapter 2  Product and subsystem security ...................................... 19
    Security controls map ....................................................... 20
    Authentication .............................................................. 22
        Login security settings ................................................. 22
        Authentication types and setup .......................................... 23
        User credential management .............................................. 25
        Authentication to external systems ...................................... 29
    Authorization ............................................................... 30
        General authorization settings .......................................... 30
        Role-based access control (RBAC) ........................................ 32
    Network security ............................................................ 34
        Network exposure ........................................................ 34
        Communication security settings ......................................... 36
        Firewall settings ....................................................... 36
    Data security ............................................................... 36
        Hardening ............................................................... 37
        Data-at-rest encryption ................................................. 37
        Data erasure ............................................................ 37
    Cryptography ................................................................ 38
        Cryptographic configuration options ..................................... 38
        Certified cryptographic modules ......................................... 39
        Certificate management .................................................. 40
    Auditing and logging ........................................................ 40
        Logs .................................................................... 41
        Log management options .................................................. 41
        Log protection .......................................................... 42
        Log format .............................................................. 42
        Alerting ................................................................ 43
    Physical security ........................................................... 43
        Physical interfaces ..................................................... 43
        Physical security options ............................................... 44
        Customer service access ................................................. 44
        Tamper evidence and resistance .......................................... 44
        Statements of volatility ................................................ 45
    Serviceability .............................................................. 45
        Maintenance aids ........................................................ 45
        Responsible service use ................................................. 46
        Security updates and patching ........................................... 46
        Customer requirements for updates ....................................... 47

Chapter 3  Miscellaneous configuration and management elements ................. 49
    Protecting authenticity and integrity ....................................... 50
    Installing client software .................................................. 50

Appendix  Network ports ........................................................ 51
    Backup Server (Avamar and Avamar Virtual Edition) ........................... 52
    Protection Storage (Data Domain) ............................................ 52
    IDPA System Manager (Data Protection Central) ............................... 59
    Search ...................................................................... 61
        Add an Avamar source server to Search ................................... 62
    Reporting and Analytics (Data Protection Advisor) ........................... 63
    Secure Remote Services ...................................................... 66
    Remote server management (iDRAC) ............................................ 67
    Data Domain Cloud Disaster Recovery ......................................... 68

Index .......................................................................... 69
FIGURES

1  Model DP4400 ................................................................ 17
2  Security controls map - Avamar and Data Domain .............................. 21
TABLES

1   Revision history ............................................................ 9
2   Typographical conventions .................................................. 12
3   Login banner configuration ................................................. 22
4   Failed login behavior ...................................................... 22
5   Emergency user lockout ..................................................... 23
6   Configuring local authentication sources ................................... 23
7   Configuring Active Directory ............................................... 24
8   Certificate/key-based authentication ....................................... 24
9   Digital certificates and SSH keys .......................................... 25
10  Default accounts ........................................................... 25
11  Default management accounts ................................................ 26
12  Default credentials ........................................................ 26
13  How to disable local accounts .............................................. 28
14  Managing credentials ....................................................... 28
15  Configuring remote connections ............................................. 29
16  Remote component authentication ............................................ 29
17  Configuring authorization rules ............................................ 30
18  Default authorizations ..................................................... 30
19  External authorization associations ........................................ 31
20  Role-based access control .................................................. 32
21  Default roles .............................................................. 32
22  Configuring roles .......................................................... 33
23  Role mapping ............................................................... 33
24  External role associations ................................................. 34
25  Network ports .............................................................. 35
26  Default IP addresses ....................................................... 36
27  Communication security settings ............................................ 36
28  Firewall settings .......................................................... 36
29  Data-at-rest encryption .................................................... 37
30  Data erasure ............................................................... 37
31  Cryptographic configuration options ........................................ 38
32  Certified cryptographic modules ............................................ 39
33  Certificate management ..................................................... 40
34  Logs ....................................................................... 41
35  Log management options ..................................................... 41
36  Log protection ............................................................. 42
37  Log format ................................................................. 42
38  Alerting ................................................................... 43
39  Physical interfaces ........................................................ 43
40  Physical security options .................................................. 44
41  Customer service access .................................................... 44
42  Tamper evidence and resistance ............................................. 44
43  Statements of volatility ................................................... 45
44  Maintenance aids ........................................................... 45
45  Responsible service use .................................................... 46
46  Security updates and patching .............................................. 46
47  Customer requirements for updates .......................................... 47
48  Protecting authenticity and integrity ...................................... 50
49  Installing client software ................................................. 50
50  Port requirements .......................................................... 52
51  Data Domain system inbound communication ports ............................. 52
52  Data Domain system outbound communication ports ............................ 54
53  Ports that Data Domain uses for inbound traffic ............................ 55
54  Ports that Data Domain systems for outbound traffic ........................ 57
55  Outbound ports ............................................................. 59
56  Inbound ports .............................................................. 60
57  Default ports .............................................................. 61
58  DPA application ports settings ............................................. 63
59  DPA datastore port settings ................................................ 64
60  DPA agent port settings .................................................... 64
61  DPA cluster port settings .................................................. 65
62  Port requirements .......................................................... 66
63  Ports iDRAC listens for connections ........................................ 67
64  Ports iDRAC uses as client ................................................. 67
65  Required Data Domain Cloud Disaster Recovery ports ......................... 68
Preface
Overview
The Integrated Data Protection Appliance Security Configuration Guide provides an overview of security configuration settings available for this solution, and best practices for using those settings to ensure secure operation of the product.
Table 1 Revision history
Revision number   Date            Description
01                November 2019   First release of this document for IDPA 2.4.1
Scope of document
This publication provides a survey of security topics that are related to the Integrated Data Protection Appliance (IDPA). The content is not associated with a specific compliance regime.
Topics specific to the security of individual components that are contained within the IDPA, including Avamar, Data Domain, Data Protection Advisor (DPA), Search, Data Protection Central, and Cloud Disaster Recovery (CDR), are contained within the security and administration guides for each component, which are listed in Document references on page 10.
As the IDPA is a solution-level product, content from these guides is not repeated here. Instead, tables within each topic lead you to the correct location in the referenced publications, where applicable.
Audience
The information in this publication is intended for customers who are responsible for planning, implementing, administering, or auditing security controls in environments containing IDPA solutions. The primary audience is technical, but this publication addresses the needs of a range of security professionals.
Legal disclaimers
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Therefore, some versions of the software or hardware currently in use may not support all functions that are described in this document. The product release notes provide the most up-to-date information about product features.
Contact your Dell EMC representative if a product does not function correctly or does not function as described in this document.
NOTICE This document was accurate at publication time. New versions of this document might be released on the Online Support website. To ensure that you are using the latest version of this document, check the Online Support at https://www.dell.com/support.
Dell EMC websites may contain links to third-party sites. Content contained on any website that is linked to any Dell EMC website is not the responsibility of Dell EMC, and Dell EMC is not responsible for the accuracy or reliability of any content on such websites. Further, the presence of a link to a third-party site does not mean that Dell EMC endorses that site, its products, or views expressed there. Dell EMC provides these links merely for convenience, and the presence of such third-party links is not an endorsement or recommendation by Dell EMC.
Reporting vulnerabilities
Dell EMC takes reports of potential vulnerabilities in our products very seriously. For the latest on how to report a security issue to Dell EMC, see the Product Security Response Center on EMC.com.
Document references
The following documents provide additional information:
Avamar 18.2:
- Avamar Product Security Guide. This publication discusses various aspects of Avamar product security.
- Avamar Administration Guide. This publication describes how to configure, administer, monitor, and maintain an Avamar server.
- Avamar Operational Best Practices Guide. This publication describes operational best practices for both single-node and multi-node servers in small and large heterogeneous client environments.
Data Domain 6.2:
- Data Domain Product Security Guide. This publication describes the key security features of Data Domain systems and provides the procedures that are required to ensure data protection and appropriate access control.
- Data Domain Operating System Administration Guide. This publication explains how to manage Data Domain systems with an emphasis on procedures using the Data Domain System Manager.
- Data Domain Operating System Command Reference Guide. This publication explains how to manage Data Domain systems by using the Data Domain command line.
- Data Domain Operating System Initial Configuration Guide. This publication explains how to perform the post-installation initial configuration of a Data Domain system.
- Data Domain Statement of Volatility for the Data Domain DD6300, DD6800 and DD9300 Systems. This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.
- Data Domain Statement of Volatility for Data Domain DD9500 and DD9800 Systems. This publication provides a description of memory storage components and their characteristics including, where appropriate, the method by which memory can be cleared.
Data Protection Advisor 18.2:
- Data Protection Advisor Security Configuration Guide. This publication provides an overview of the security configuration settings available in Data Protection Advisor (DPA). These settings include the secure deployment and usage settings, and secure maintenance and physical security controls required to ensure secure operation of DPA.
- Data Protection Advisor Installation and Administration Guide. This publication provides an overview of the process of administering DPA.
Search 19.1:
- Search Security Configuration Guide. This publication describes the security features and settings of Search.
- Search Installation and Administration Guide. This publication provides an overview of the process of administering Search.
IDPA System Manager (DPC) 18.2:
- IDPA System Manager Security Configuration Guide. This publication describes the security features and settings of IDPA System Manager.
- IDPA System Manager Getting Started Guide. This publication provides an overview of the process of administering IDPA System Manager.
- IDPA System Manager Release Notes. This publication provides the release information for IDPA System Manager.
Cloud Disaster Recovery 19.1:
The Data Domain Cloud Disaster Recovery Installation and Administration Guide describes the security features as well as the settings of Cloud Disaster Recovery.
Secure Remote Services:
- Secure Remote Services Technical Description. This document provides a technical overview of Secure Remote Services.
- Secure Remote Services Installation and Operations Guide. This publication provides an overview of the process of installing, configuring, operating, and troubleshooting Secure Remote Services. The publication also describes customer responsibilities for maintaining Secure Remote Services.
- Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions. This publication provides answers to frequently asked questions about Secure Remote Services and Secure Remote Services security, as well as the Secure Remote Services Certificate Practice Statement (CPS) and policy for the Dell EMC Internal Secure Remote Services2CA.
- Secure Remote Services Port Requirements. This publication contains information about port usage for communication between Secure Remote Services and Dell EMC, Policy Manager, and Dell EMC devices.
Dell PowerEdge R740:
These publications are available at https://www.dell.com/support/home.
- The Dell PowerEdge R740 Owner's Manual or Dell EMC PowerEdge R740xd Installation and Service Manual
- iDRAC Version 9 User's Guide
- Statement of Volatility - Dell PowerEdge R740
VMware vSphere 6.5:
- VMware vSphere 6.5 Documentation Center. This publication is available at https://pubs.vmware.com/vsphere-6-5/index.jsp
- vSphere 6.5 Hardening Guide. This publication is available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx
- vSphere 6.5 Installation and Setup. This publication is available at https://docs.vmware.com
Special notice conventions used in this document
We use these conventions for special notices.
DANGER: A danger notice indicates a hazardous situation, which if not avoided, will result in serious injury or death.
WARNING: A warning indicates a hazardous situation, which if not avoided, could result in serious injury or death.
CAUTION: A caution indicates a hazardous situation, which if not avoided, could result in minor or moderate injury.
NOTICE: A notice identifies content that warns of potential business or data loss.
Note: A note contains information that is incidental, but not essential, to the topic.
Typographical conventions
These type style conventions are used in this document.
Table 2 Typographical conventions

Bold               Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic             Used for full titles of publications referenced in text
Monospace          Used for:
                   - System code
                   - System output, such as an error message or script
                   - Pathnames, filenames, prompts, and syntax
                   - Commands and options
Monospace italic   Used for variables
Monospace bold     Used for user input
[ ]                Square brackets enclose optional values
|                  Vertical bar indicates alternate selections - the bar means "or"
{ }                Braces enclose content that the user must specify, such as x or y or z
...                Ellipses indicate nonessential information omitted from the example
Getting help
The IDPA support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact Customer Support.
To access the IDPA support page:
1. Go to https://www.dell.com/support.
2. In the search box, type a product name, and then from the list that appears, select the product.
3. (Optional) Add the product to the My Saved Products list by clicking Add to My Saved Products in the upper right corner of the Support by Product page.
Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, esgxxxxxx) or by keyword.
To search the Knowledgebase:
1. Click Search at the top of the page.
2. Type either the solution number or keywords in the search box.
3. (Optional) Limit the search to specific products by typing a product name in the Scope by product box and then selecting the product from the list that appears.
4. Select Knowledgebase from the Scope by resource list.
5. (Optional) Specify advanced options by clicking Advanced options and specifying values in the available fields.
6. Click Search.
Facilitating support
ConnectEMC and Email Home are enabled on IDPA automatically. Secure Remote Services are enabled automatically for Data Domain (Protection Storage), Avamar (Backup Server), Data Protection Advisor, and Appliance Configuration Manager.
Comments and suggestions
Comments and suggestions help us to continue to improve the accuracy, organization, and overall quality of the user publications. Send comments and suggestions about this document to [email protected].
Please include the following information:
- Product name and version
- Document name, part number, and revision (for example, 01)
- Page numbers
- Other details to help address documentation issues
Any information that is provided to Dell EMC in connection with any Dell EMC website shall be provided by the submitter and received by Dell EMC on a non-confidential basis. Such information shall be considered non-confidential and property of Dell EMC. By submitting any such information to Dell EMC you agree to a no-charge assignment to Dell EMC of all worldwide rights, title, and interest in copyrights and other intellectual property rights to the information. Dell EMC shall be free to use such information on an unrestricted basis.
CHAPTER 1
Security quick reference
This chapter provides quick-reference information for deployment of the IDPA.
This chapter contains the following topics:
- Deployment models ........................................................... 16
Deployment models
The DP4400 is a fully integrated 2U appliance with different capacities ranging from 8 TB to 24 TB and 24 TB to 96 TB, respectively.
Before deployment
When building the IDPA, the factory performs the following actions:
- Install Dell EMC customized ESXi image.
- Assign private, non-routable IP addresses.
- Set default passwords and configure all default management accounts.
- Complete basic configuration to provide a platform for final deployment at the customer site.
During deployment
When deploying the appliance, customers must perform the following actions:
- Connect the appliance to the customer network environment.
- Register the appliance with the Secure Remote Services system.
- Assign new passwords for management accounts.
The IDPA deployment process makes no security-related assumptions about the customer environment. Customers are expected to provide suitable power and data connections, and physical security to protect the appliance components.
The Appliance Configuration Manager interface does not provide security-specific configuration options or support additional configurations. All appliance components are deployed using the best practices that are defined in the security configuration guides for each component. The interface enforces an optimal environment for correct operation of the appliance components.
After deployment
The IDPA contains many externally accessible interfaces for use by data protection and management clients. Customers should take care to apply appropriate access restrictions to prevent unauthorized use. As per the customer security requirements, all forms of access should be regularly monitored and audited.
Models
The following diagrams illustrate the IDPA at maximal configuration for each model.
Figure 1 Model DP4400
[Figure 1 shows the DP4400 at maximal configuration. Components shown: Cloud Disaster Recovery Add-on (CDRA), Data Protection Advisor (DPA), Data Protection Search (DPS), Avamar Virtual Edition (AVE), Appliance Configuration Manager (ACM), Data Protection Central (DPC), vCenter (VC), Data Domain Virtual Edition (DDVE), Integrated Dell Remote Access Controller (iDRAC).]
Note: Customers can choose either the Copper network ports or the Optical network ports.
Encryption
- The management traffic is encrypted using SSL and TLS.
- The backup data and metadata are both encrypted using SSL and TLS.
- The replication traffic is encrypted using SSL and TLS.
- The Secure Remote Services traffic is encrypted using AES and TLS.
- The authentication can be administered using Active Directory and LDAP.
Secure Remote Services
- When Secure Remote Services is implemented, external communication to and from Secure Remote Services is conducted through the TLS tunnel using AES-256 SHA1 encryption and RSA key exchange with bilateral authentication, with certificates stored in an RSA lockbox. If the TLS tunnel is unavailable, the messages are forwarded through FTPS or encrypted email.
- Secure Remote Services data includes diagnostic, system health, and remote access session information for IDPA system components (DDVE, AVE, Search, and so on).
- Secure Remote Services information can be selectively streamed to remote nodes using the Secure Remote Services Policy Manager, which controls the Secure Remote Services traffic flow.
- You can use the Secure Remote Services Policy Manager to configure policies that govern permitted remote access sessions, notifications, and diagnostic script executions.
CHAPTER 2
Product and subsystem security
This chapter contains the following topics:
l Security controls map........................................................................................................... 20l Authentication.......................................................................................................................22l Authorization.........................................................................................................................30l Network security...................................................................................................................34l Data security......................................................................................................................... 36l Cryptography........................................................................................................................ 38l Auditing and logging.............................................................................................................. 40l Physical security................................................................................................................... 43l Serviceability.........................................................................................................................45
Security controls map

The following diagram details the connections between the IDPA components and the security controls on each link.

[Diagram: security controls map (figure not reproduced in this text)]

Note: vSwitch0 shown in the previous figure replaces the physical switch in the DP4400.
Figure 2 Security controls map - Avamar and Data Domain (figure not reproduced in this text)
Authentication

This section describes default settings and configuration options for how users or processes authenticate to the IDPA components.

By default, all components of the IDPA authenticate using the management accounts that are included with each component and the common password that is configured during deployment. The manufacturing process sets a default password for each management account that is contained within the IDPA components. A customer-provided common password replaces the default during deployment.

The Appliance Configuration Manager (ACM) manages the IDPA common passwords after deployment.

Note: As a security consideration, Dell EMC recommends that you change your appliance password after the appliance software is successfully upgraded.
Login security settings

The following publications provide information on configuring the login security settings for IDPA components.

Login banner configuration

Refer to the following publications for information about configuring the login banners for the IDPA components.

Table 3 Login banner configuration

Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Custom ssh banner not supported
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | Manage the Login Banner
Failed login behavior

Refer to the following publications for information about configuring the login behavior for the IDPA components.

Table 4 Failed login behavior

Component | Reference Publication | Topic
AVE | Avamar Product Security Guide | Additional operating system hardening; Additional password hardening
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
ESXi | VMware vSphere Security | vCenter Password Requirements and Lockout Behavior; Edit the vCenter Single Sign-On Lockout Policy; ESXi Passwords and Account Lockout
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR server user accounts
Emergency user lockout

Refer to the following publications for information about locking out users for the IDPA components.

Table 5 Emergency user lockout

Component | Reference Publication | Topic
ESXi | VMware vSphere Security | Cryptographic Operations Privileges
Authentication types and setup

This section includes authentication source and type configuration options for the IDPA.

Configuring local authentication sources

Refer to the following publications for information on using the authentication databases on the IDPA components.

Table 6 Configuring local authentication sources

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Avamar internal authentication
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Local user account management

The ACM authenticates using the local username and password, and provides only one account. No other authentication sources are available.
Configuring Active Directory

Refer to the following publications for information on configuring the IDPA components to use LDAP and Active Directory authentication.

Table 7 Configuring Active Directory

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management; Enabling Active Directory
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP
Remote server management | iDRAC Version 9 User's Guide | Configuring user accounts and privileges
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users
Certificate/key-based authentication

Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate human users for the IDPA components.

Table 8 Certificate/key-based authentication

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
Avamar and AVE | Avamar Operational Best Practices Guide | Changing passwords
Data Domain | Data Domain Product Security Guide | System access

Refer to the following publications for information on the use of digital certificates and SSH keys to authenticate inter-component and inter-process communication for IDPA components.
Table 9 Digital certificates and SSH keys

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication
Secure Remote Services | Secure Remote Support Security Management and Certificate Policy Frequently Asked Questions | SRS Certificate Policy

Unauthenticated interfaces

For Avamar and AVE, the client download and help areas do not require authentication.

User credential management

The following topics discuss default accounts and credentials, enabling and disabling accounts, credential management options, and credential security, including password management.

Default accounts

Refer to the following publications for lists of default accounts for each IDPA component.
Table 10 Default accounts

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Unlock a Data Protection Central user account
Remote server management | iDRAC Version 9 User's Guide | Logging in to iDRAC
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Server user accounts

Note (Search): After successful configuration of Search in IDPA, the accounts are the same as the Search default configuration. IDPA adds its own LDAP configuration into the database.

Refer to the following table for the default management accounts and additional accounts that are associated with each IDPA component.

Note: This table lists the additional user accounts that are created during configuration. Refer to the corresponding section of each IDPA product for a complete list of accounts.
Table 11 Default management accounts

Component | Default management accounts | Additional accounts
Avamar nodes | root |
Data Domain | sysadmin |
Compute node iDRAC (IPMI) interface | root |
VMware vCenter Server | idpauser | root
VMware ESXi hosts | idpauser | root
Appliance Configuration Manager | root | idpauser, idpauser (ldap), manager (ldap)
Cloud Disaster Recovery | admin |

Default credentials

Refer to the following publications for lists of default credentials for each IDPA component.
Table 12 Default credentials

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Default authorizations and user accounts
Data Domain | Data Domain Product Security Guide | User authentication; User authorization
Search | Search Security Configuration Guide | Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | User and credential management
Integrated Data Protection Appliance System Manager | IDPA System Manager Administration Guide | Change password
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Credentials for DD Cloud DR deployment
Appliance Configuration Manager | | root: customer-set password; idpauser: common appliance password
VMware ESXi | | root: random complex password; idpauser: common appliance password
VMware vCenter | | root: random complex password; idpauser: common appliance password

Note (Search): The Search user interface uses LDAP authentication. For accessing Search:
• username: idpauser, password: common appliance password
• username: admin (default account inherited from Search), password: common appliance password

Note (Integrated Data Protection Appliance System Manager): When the appliance is configured, the [email protected] account password is set to the common appliance password. Thereafter, the ACM does not manage the password for this account. Customers have to manage the password for the [email protected] account.

How to disable local accounts

Refer to the following publications for information on disabling and removing local accounts for IDPA components.
Table 13 How to disable local accounts

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Enabling and disabling local users; Deleting a local user
ESXi | VMware vSphere Security | ESXi Passwords and Account Lockout; Disable Authorized (SSH) Keys

Managing credentials

Refer to the following publications for information on configuring the login and password security settings for IDPA components.
Table 14 Managing credentials

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Changing server passwords and OpenSSH keys
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
Remote server management | Integrated Dell Remote Access Controller 9 Version 3.34.34.34 User's Guide | Secure default password

Note: For iDRAC, the password is set to the default after installation. The customer can change it later.
Password complexity

Ensure that the password meets the following criteria:
• A maximum of 20 characters
• A minimum of nine characters
• Must not start with a hyphen (-)
• Contains at least one upper-case and one lower-case letter
• Contains at least one number
• Must not include common names and usernames like 'root' or 'admin'
• Contains at least one special character
Valid special characters include:
  - period (.)
  - hyphen (-)
  - underscore (_)
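The rules above, as an added example that is not part of the original guide: a small checker that applies them to a candidate common appliance password before it is handed to the ACM. The blocklist of common names is an assumption (the guide names only 'root' and 'admin' as examples), and characters other than the three listed specials are simply not counted toward the special-character rule.

```python
"""Password-complexity checker for the IDPA common appliance password.

Added example (not Dell EMC code). It encodes the rules listed in the guide:
9-20 characters, no leading hyphen, at least one upper-case letter, one
lower-case letter, one digit and one of the permitted special characters
(period, hyphen, underscore), and no common names such as 'root' or 'admin'.
"""
import re
from typing import List

MIN_LEN = 9
MAX_LEN = 20
# The three special characters the guide lists as valid.
SPECIALS = set("._-")
# Assumed blocklist: the guide gives 'root' and 'admin' only as examples.
BLOCKED_WORDS = ("root", "admin")


def check_common_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if password.startswith("-"):
        problems.append("starts with a hyphen")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Only the documented specials satisfy the rule; other punctuation is ignored.
    if not any(c in SPECIALS for c in password):
        problems.append("no permitted special character (. - _)")
    lowered = password.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            problems.append(f"contains blocked word '{word}'")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_common_password(password)


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("Idpa-Secure2019", "-Idpa.Secure19", "Admin.Pass2019x", "NoSpecial2019!"):
        print(candidate, "->", check_common_password(candidate) or "OK")
```

Run the check on the workstation that will enter the password, not on the appliance, so the candidate never lands in a shell history on the ACM.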
Authentication to external systems

The following topics discuss how to configure authentication of components outside the IDPA, including components providing services to the IDPA and remote clients.

Configuring remote connections

Refer to the following publications for information on configuring connections from the IDPA to external components.

Table 15 Configuring remote connections

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Managing DD Boost client access and encryption; System access management
Remote component authentication

Refer to the following publications for information on how to provide credentials for remote components to use when connecting to the IDPA.

Table 16 Remote component authentication

Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Setting the system passphrase; Managing certificates for DD Boost; Importing CA certificates; Key manager setup; Configuring SMB signing
Data Domain | Data Domain Product Security Guide | Certificates for cloud providers
Secure Remote Services | Secure Remote Services Technical Description | Digital Certificate Management; Communication to EMC
Authorization

This section describes default settings and configuration options for how users or processes are authorized to act on the IDPA components.

General authorization settings

The following topics discuss basic information about user privileges within the IDPA.

Configuring authorization rules

Refer to the following publications for information on the basic process of configuring authorization for users with permission to access the IDPA.
Table 17 Configuring authorization rules

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | User Authentication and Authorization
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User Authentication
Search | Search Installation and Administration Guide | Managing Roles and Users
Search | Search Security Configuration Guide | Authentication Configuration
DP Advisor | Data Protection Advisor Installation and Administration Guide | Users and security
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere
Default authorizations

Refer to the following publications for lists of default authorizations supplied with the IDPA.

Table 18 Default authorizations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles; Default authorizations and user accounts
Avamar and AVE | Avamar Administration Guide | Overview of Avamar user accounts; Roles
Data Domain | Data Domain Product Security Guide | User authorization
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role
Search | Search Security Configuration Guide | System Administrator role; Full Access Search (Global) role; Index specific search roles; Default accounts
Integrated Data Protection Appliance System Manager | IDPA System Manager Getting Started Guide | Pre-loaded accounts
DP Advisor | Data Protection Advisor Security Configuration Guide | Users and Security; User roles and privileges
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Cloud DR Add-on System and User Management
ESXi | VMware vSphere Security | Understanding Authorization in vSphere
External authorization associations

Refer to the following publications for information about mapping LDAP and AD authentication to levels of authorization for components of the IDPA.

Table 19 External authorization associations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Directory user and group management
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
Search | Search Security Configuration Guide | Configure LDAP and AD users
DP Advisor | Data Protection Advisor Security Configuration Guide | External authentication, LDAP integration, and binding
ESXi | VMware vSphere Security | Using Active Directory to Manage ESXi Users
Role-based access control (RBAC)

The IDPA uses the default roles available for individual components.

Refer to the following publications for information about authorization through assigned roles:

Table 20 Role-based access control

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Managing access control
Search | Search Installation and Administration Guide | About roles; Managing roles
DP Advisor | Data Protection Advisor Installation and Administration Guide | User roles and privileges
Remote server management | iDRAC Version 9 User's Guide | Configuring user accounts and privileges
Default roles

Refer to the following publications for information about pre-configured roles and privileges for components of the IDPA.

Table 21 Default roles

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Roles
Data Domain | Data Domain Operating System Administration Guide | Role-based access control; Local user account management
Search | Search Installation and Administration Guide | System Administrator role; Application Administrator role; Full Access Search (Global) role; Index specific search roles
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vCenter Server System Roles
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
Configuring roles

Refer to the following publications for information about how to select or configure the capabilities of roles that can be assigned to users of the IDPA:

Table 22 Configuring roles

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | Role-based access control
Search | Search Installation and Administration Guide | Managing Roles and Users
Data Protection Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
Role mapping

Refer to the following publications for mapping users and groups to specific roles for components of the IDPA.

Table 23 Role mapping

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | User Management and Authentication
Data Domain | Data Domain Operating System Administration Guide | System access management
Search | Search Installation and Administration Guide | Managing Roles and Users
DP Advisor | Data Protection Advisor Security Configuration Guide | User roles and privileges
ESXi | VMware vSphere Security | vSphere Permissions and User Management Tasks
IDPA System Manager | IDPA System Manager Getting Started Guide | Default accounts
External role associations

Refer to the following publications for information on mapping LDAP and AD authentication to specific access roles for components of the IDPA.

Table 24 External role associations

Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | LDAP directory service authentication
Data Domain | Data Domain Operating System Administration Guide | Configuring Active Directory and Kerberos authentication
Search | Search Installation and Administration Guide | Configure external OpenLDAP and Active Directory servers
DP Advisor | Data Protection Advisor Installation and Administration Guide | Creating a new user account with LDAP authentication
ESXi | VMware vSphere Security | Managing ESXi Roles in the VMware Host Client
IDPA System Manager | IDPA System Manager Getting Started Guide | Configuring LDAP
Network security

This section describes the exposed network interfaces in use by the IDPA.

The DP4400 directly connects to the customer-provided network switch.

Network exposure

The following sections indicate where to obtain information on exposed network interfaces and ports for each component of the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.

For maximum security, customers should disable all network ports and interfaces that are not required for their environment.

Network ports

The following references provide information about the network ports that are opened by each component of the IDPA.

For more information about the network ports for the corresponding components, see Network ports on page 51.
Table 25 Network ports

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Port Requirements appendix (a); Session security features
Data Domain | Data Domain Product Security Guide | Communication security settings
Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring the system with the configuration wizard
Search | Search Security Configuration Guide | Port usage; Firewall rules
Search | Search Installation and Administration Guide | Add an Avamar source server to Search
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Network Security
Appliance Configuration Manager | | 8543 and 8009: application server; 5672: RabbitMQ; 9443: upgrade operation; 22: SSH; 636: LDAP over SSL (internal LDAP)
DP Advisor | Data Protection Advisor Security Configuration Guide | Communication settings
DP Advisor | Data Protection Advisor Installation and Administration Guide | DPA port settings
Secure Remote Services | Secure Remote Services Port Requirements | Not applicable
VMware ESXi and vCenter | VMware vSphere Security | Additional vCenter Server TCP and UDP Ports
Remote server management | iDRAC Version 9 User's Guide | iDRAC port information
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Required Data Domain Cloud Disaster Recovery ports

a. This reference includes information on network ports that are used by all possible Avamar configurations.
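The ACM port list in Table 25 is the allow-list a practitioner would check a deployed appliance against when following the advice to disable ports that are not required. The following checker is an added example, not Dell EMC code: it parses `ss -ltn` output (the sample below is constructed, including a BIND listener on port 53 and an unrelated listener on 8080) and reports any listening TCP port that Table 25 does not document for the ACM, as well as any documented port that is not listening. The sample addresses and the assumption that the ACM is an IPv4 host are this example's own.

```python
"""Compare the ACM's listening TCP ports with the ports documented in Table 25.

Added example (not Dell EMC code). Feed it the output of `ss -ltn` captured on
the ACM; the output below is constructed for illustration.
"""
import re
from typing import Dict, List

# Ports Table 25 documents for the Appliance Configuration Manager.
ACM_DOCUMENTED_PORTS: Dict[int, str] = {
    8543: "Application server",
    8009: "Application server",
    5672: "RabbitMQ",
    9443: "Upgrade operation",
    22: "SSH",
    636: "LDAP over SSL (internal LDAP)",
}

# Constructed sample of `ss -ltn` output. Port 53 stands for the BIND server
# that the Hardening section says can optionally be stopped after configuration;
# port 8080 stands for an undocumented listener that should be investigated.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:53         0.0.0.0:*
LISTEN  0       100     0.0.0.0:636          0.0.0.0:*
LISTEN  0       128     0.0.0.0:5672         0.0.0.0:*
LISTEN  0       100     *:8009               *:*
LISTEN  0       100     *:8543               *:*
LISTEN  0       128     0.0.0.0:9443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then "address:port"; the address may be 0.0.0.0, *, or [::].
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def listening_ports(ss_output: str) -> Dict[int, str]:
    """Map each listening TCP port to the local address it is bound to."""
    ports: Dict[int, str] = {}
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def undocumented_ports(ss_output: str) -> List[int]:
    """Listening ports that Table 25 does not document for the ACM."""
    return sorted(p for p in listening_ports(ss_output) if p not in ACM_DOCUMENTED_PORTS)


def missing_ports(ss_output: str) -> List[int]:
    """Documented ports that are not listening (a required service may be down)."""
    return sorted(set(ACM_DOCUMENTED_PORTS) - set(listening_ports(ss_output)))


def report(ss_output: str) -> str:
    """Human-readable summary of the two comparisons above."""
    bound = listening_ports(ss_output)
    lines = [f"UNEXPECTED    {p:>5}  bound to {bound[p]}" for p in undocumented_ports(ss_output)]
    lines += [f"NOT LISTENING {p:>5}  ({ACM_DOCUMENTED_PORTS[p]})" for p in missing_ports(ss_output)]
    return "\n".join(lines) if lines else "all listening ports are documented"


if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT))
```

A listener bound to 127.0.0.1 (as port 53 is in the sample) is not reachable from the customer network, so rank it below anything bound to 0.0.0.0 or * when deciding what to disable first.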
Network interfaces

The following tables provide information about the default IP addresses for the network interfaces on the IDPA appliance. The default IP addresses are configured in the factory and are only for internal use of the IDPA appliance.

Note: The IP addresses listed below are not exposed outside of the appliance and are only for internal communication. For these interfaces, the subnet mask is 255.255.255.0.
Table 26 Default IP addresses

Component | IP address | Subnet mask
Appliance Configuration Manager | 192.168.100.100 | 255.255.255.0
ESXi | 192.168.100.101 | 255.255.255.0

The IP addresses for interfaces that are exposed to the customer network are configured at the time of the IDPA appliance configuration.
Communication security settings

The following references provide information about options for securing communications between each component of the IDPA and remote systems.

Table 27 Communication security settings

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication
Data Domain | Data Domain Product Security Guide | Communication security settings
Firewall settings

The following references provide information on configuring the firewall functionality of each component of the IDPA.

Table 28 Firewall settings

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Additional firewall hardening (avfirewall)
Data Domain | Data Domain Operating System Initial Configuration Guide | Configuring security and firewalls (NFS and CIFS access)
Search | Search Security Configuration Guide | Firewall rules
DP Advisor | Data Protection Advisor Installation and Administration Guide | Communications settings in DPA
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking

No additional customer firewall configuration is required.
Data security

This section describes how the IDPA protects customer data stored on its components.
Hardening

After the IDPA configuration is completed, customers can optionally stop the BIND server (named) on the ACM using the following commands:

service named stop
chkconfig named off
Data-at-rest encryption

Refer to the following publications for information about the encryption capabilities for data at rest on components of the IDPA.

Table 29 Data-at-rest encryption

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data-at-rest encryption
Data Domain | Data Domain Operating System Administration Guide | DD Encryption
Data Domain | Data Domain Product Security Guide | Data encryption
The ACM uses Java keystores to secure the encryption keys.
Data erasure

Refer to the following publications for information about securely erasing data from components of the IDPA.

Table 30 Data erasure

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data erasure (a)
Data Domain | Data Domain Operating System Administration Guide | Destroying the file system
Data Domain | Data Domain Product Security Guide | Data erasure; System sanitization
Remote server management | iDRAC Version 9 User's Guide | Erasing PCIe SSD device data
ESXi | VMware vSphere Security | Use vmkfstools to Erase Sensitive Data

a. Avamar servers can also be restored to factory default conditions by a process called re-kickstarting. This process is performed by Dell EMC service personnel.
Cryptography

The following sections indicate where to obtain information on the uses of cryptography in the IDPA. Refer to the listed topics in each publication for a more detailed description and for further instructions.

Cryptographic configuration options

The following references provide information about ciphers, encryption, and other data integrity mechanisms for each component of the IDPA.

Table 31 Cryptographic configuration options

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Data-in-flight encryption; Data-at-rest encryption; Disabling SSLv2 and weak ciphers; Disabling privileges for Cipher Suite 0
Data Domain | Data Domain Product Security Guide | Data encryption
Data Domain | Data Domain Operating System Administration Guide | DD Encryption chapter
Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication
ESXi | VMware vSphere Security | ESXi SSH Keys
The ACM communicates with the other IDPA components using TLS 1.2.
Disable TLS 1.1 and earlier versions

To reduce exposure to known protocol and cipher weaknesses, disable the weak protocols and ciphers on the ACM, vCenter, and ESX. The TLS Reconfiguration Utility is used to manage the TLS protocols on vCenter and ESX. To download and install the utility, see VMware KB article 2147469.

To disable weak protocols on the ACM, and on vCenter and ESX using the TLS Reconfiguration Utility:

• ACM (internal LDAP):
  1. SSH to the ACM.
  2. Edit the file /etc/openldap/slapd.d/cn=config.ldif.
  3. Update the parameter olcTLSProtocolMin from 0.0 to 3.3 (OpenLDAP's encoding for TLS 1.2 as the minimum accepted version).
  4. Update the parameter olcTLSCipherSuite with the following value:
     olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
     Note: If the parameter does not exist, add it and its value at the end of the file.
  5. Restart the slapd service using the following commands:
     service slapd stop
     service slapd start
• ACM (SSH service):
  1. Log in to the ACM using an SSH client such as PuTTY.
  2. Edit the file /etc/ssh/sshd_config using a file editor such as vi, and add the following lines at the end of the file:
     ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected]
     MACs hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected]
     Note: sshd honours the first occurrence of a keyword, so these appended lines take effect only if no earlier Ciphers or MACs line exists in the file. The lists above still permit CBC-mode ciphers and the hmac-sha1 and hmac-ripemd160 MACs; where a stricter baseline applies, restrict the lists to the CTR/GCM ciphers and hmac-sha2 MACs.
  3. Save the file.
  4. Restart the sshd service using the command # service sshd restart.
• vCenter:
  1. SSH to vCenter.
  2. Change directory using the command: cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  3. Run ./reconfigureVc update -p TLSv1.2.
• ESX:
  1. SSH to vCenter.
  2. Change directory using the command: cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator
  3. Run ./reconfigureEsx vCenterCluster -c <cluster-name> -u root -p TLSv1.2.
  4. Reboot the IDPA appliance.
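The two ACM edits above (olcTLSProtocolMin and olcTLSCipherSuite in cn=config.ldif, and the Ciphers and MACs lines in sshd_config) are easy to get subtly wrong: a folded LDIF line, a typo in a cipher token, or a Ciphers line that already exists earlier in sshd_config. The checker below is an added example, not Dell EMC code. It audits both files for the intended state, using constructed before-and-after fragments. The "weak" SSH algorithm sets are this example's own judgement (CBC-mode and legacy ciphers, SHA-1 and RIPEMD MACs); the guide's own sshd list still allows several of them, so treat those findings as optional further tightening rather than as a deviation from the guide.

```python
"""Audit the ACM's OpenLDAP cn=config.ldif and sshd_config for the TLS/SSH hardening
described above (added example, not Dell EMC code; config fragments are constructed).
"""
import re
from typing import List

# olcTLSProtocolMin uses OpenLDAP's major.minor encoding: 3.1 = TLS 1.0,
# 3.2 = TLS 1.1, 3.3 = TLS 1.2. The procedure sets it to 3.3.
REQUIRED_TLS_MIN = (3, 3)
# Exclusion tokens contained in the procedure's olcTLSCipherSuite value.
REQUIRED_EXCLUSIONS = {"!RC4", "!MD5", "!EXP", "!SSLV2", "!eNULL"}

# This example's own lists of SSH algorithms worth removing, not the guide's.
WEAK_SSH_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                    "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_SSH_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160"}

UNHARDENED_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcTLSProtocolMin: 0.0
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
"""

# LDIF folds long values onto continuation lines that start with one space.
HARDENED_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcTLSProtocolMin: 3.3
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2
 :!eNULL
"""

UNHARDENED_SSHD = "Port 22\nPermitRootLogin yes\n"  # sshd defaults apply

# Lists in the style of the guide's step 2, reduced to the plainly named algorithms.
GUIDE_STYLE_SSHD = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
"""

# Tightened to CTR/GCM ciphers and SHA-2 MACs only.
TIGHTENED_SSHD = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
MACs hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
"""


def _ldif_value(ldif: str, attr: str) -> str:
    """Value of an LDIF attribute, with folded continuation lines joined."""
    unfolded = re.sub(r"\n ", "", ldif)
    m = re.search(rf"^{re.escape(attr)}:\s*(.*)$", unfolded, re.MULTILINE)
    return m.group(1).strip() if m else ""


def audit_slapd(ldif: str) -> List[str]:
    """Findings for the two slapd settings the procedure changes."""
    findings = []
    proto = _ldif_value(ldif, "olcTLSProtocolMin")
    if not proto:
        findings.append("olcTLSProtocolMin is not set")
    elif tuple(int(x) for x in proto.split(".")) < REQUIRED_TLS_MIN:
        findings.append(f"olcTLSProtocolMin is {proto}; expected 3.3 (TLS 1.2)")
    tokens = set(_ldif_value(ldif, "olcTLSCipherSuite").split(":"))
    missing = sorted(REQUIRED_EXCLUSIONS - tokens)
    if missing:
        findings.append("olcTLSCipherSuite does not exclude " + ", ".join(missing))
    return findings


def _sshd_list(config: str, keyword: str) -> List[str]:
    """Algorithm list for a keyword. sshd honours the FIRST occurrence of a keyword,
    so lines appended at the end of sshd_config only count if no earlier line sets
    the same keyword; this parser mirrors that rule."""
    for line in config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [a.strip() for a in parts[1].split(",")]
    return []


def audit_sshd(config: str) -> List[str]:
    """Findings for the Ciphers and MACs lines."""
    findings = []
    ciphers, macs = _sshd_list(config, "Ciphers"), _sshd_list(config, "MACs")
    if not ciphers:
        findings.append("Ciphers not set; sshd default list applies")
    if not macs:
        findings.append("MACs not set; sshd default list applies")
    findings += [f"weak cipher enabled: {c}" for c in ciphers if c in WEAK_SSH_CIPHERS]
    findings += [f"weak MAC enabled: {m}" for m in macs if m in WEAK_SSH_MACS]
    return findings


if __name__ == "__main__":
    for name, result in [("slapd before", audit_slapd(UNHARDENED_LDIF)),
                         ("slapd after", audit_slapd(HARDENED_LDIF)),
                         ("sshd guide list", audit_sshd(GUIDE_STYLE_SSHD)),
                         ("sshd tightened", audit_sshd(TIGHTENED_SSHD))]:
        print(name, "->", result or "OK")
```

After editing the real files, run the audit on their contents and then confirm the live services agree with the files (slapd must be restarted for cn=config.ldif edits made directly on disk to take effect, and sshd must be restarted for the new algorithm lists).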
Certified cryptographic modules

The following references provide information about the cryptographic modules available for each component of the IDPA.

Table 32 Certified cryptographic modules

Component | Reference Publication | Topic
Search | Search Security Configuration Guide | Cryptographic modules
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management
Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Security and Networking
Certificate management

The following references provide information on the use and management of certificates for each component of the IDPA.

Table 33 Certificate management

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Client/Server Access and Authentication; Data Security and Integrity
Avamar and AVE | Avamar Administration Guide | ConnectEMC
Data Domain | Data Domain Product Security Guide | Data Domain system security; Data security settings
Data Domain | Data Domain Operating System Administration Guide | DD Encryption
Search | Search Security Configuration Guide | Access Control
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Certificate Management
DP Advisor | Data Protection Advisor Installation and Administration Guide | Encryption of the DPA Application server
Remote server management | iDRAC Version 9 User's Guide | Configuring iDRAC
ESXi | VMware vSphere Security | vSphere Security Certificates
Appliance Configuration Manager | IDPA Product Guide | Adding a CA-signed certificate

The ACM ships with a default self-signed RSA SHA-256 certificate. The Integrated Data Protection Appliance Product Guide provides details for replacing the default certificate with a CA-signed certificate.
Auditing and logging

This section describes how the IDPA components log events and protect against tampering.
Logs

Refer to the following publications for information about log locations and usage for IDPA components.

Table 34 Logs

Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring; Replication
Data Domain | Data Domain Operating System Administration Guide | Log file management
Data Domain | Data Domain Product Security Guide | Log settings
Search | Search Installation and Administration Guide | Log files
Integrated Data Protection Appliance System Manager | IDPA System Manager Security Configuration Guide | Auditing and Logging
Secure Remote Services | Secure Remote Services Technical Description | Logging
Remote server management | iDRAC Version 9 User's Guide | Setting up iDRAC communication
ESXi | VMware vSphere Security | ESXi Log Files
Cloud Disaster Recovery | Data Domain Cloud Disaster Recovery Installation and Administration Guide | Troubleshooting > Collect Logs
ACM server execution logs are stored on the ACM in /usr/local/dataprotection/var/configmgr/server_data/logs/server.log.
Log management options
Refer to the following publications for information about managing logs for IDPA components.
Table 35 Log management options
Component | Reference Publication | Topic
Avamar and AVE | Avamar Administration Guide | Server Monitoring
Remote server management | iDRAC Version 9 User's Guide | Managing logs
ESXi | VMware vSphere Security | ESXi Log Files
Data Domain | Data Domain Operating System Administration Guide | Log file management
Log protection
Refer to the following publications for information about securing log contents for IDPA components.
Table 36 Log protection
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | Log message transmission to remote systems
ESXi | VMware vSphere Security | ESXi Log Files
Log format
Refer to the following publications for information about understanding the formatting of logs for IDPA components.
Table 37 Log format
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring
Avamar and AVE | Avamar Administration Guide | Replication
Data Domain | Data Domain Operating System Administration Guide | Log file management
Data Domain | Data Domain Operating System Administration Guide | Learning more about log messages
Search | Search Installation and Administration Guide | Managing Logs
ESXi | VMware vSphere Security | ESXi Log Files
The ACM log file appends the most recent entries, up to a maximum file size of 5120 KB and a maximum backup index[1] of 19. ACM log entries use the following format:
%d %-5p [%t]-%C{2}: %m%n
where:
- %d %-5p is the date
- %t is the thread name
- %C{2} is the Java class name
- %m%n is the logged message
[1] Backup index is the number of most recent files saved on ACM.
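The pattern above is log4j conversion-pattern syntax, in which %d is the timestamp and %-5p is the log level left-justified to five characters. The following parser is an added example written for this guide, not code shipped with the ACM: it splits server.log entries into their fields and then applies a simple detection over them (repeated failed logins from one account inside a short window). The sample lines, the thread and class names, and the "Login failed for user" message text are constructed for the example and are not taken from an appliance.

```python
import re
from datetime import datetime

# Regex for the documented ACM pattern "%d %-5p [%t]-%C{2}: %m%n".
# %d is assumed to render as log4j's default "yyyy-MM-dd HH:mm:ss,SSS".
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "  # %d
    r"(?P<level>[A-Z]+)\s+"                                   # %-5p (padded)
    r"\[(?P<thread>[^\]]*)\]-(?P<cls>[^:\s]+): "              # [%t]-%C{2}:
    r"(?P<message>.*)$"                                       # %m
)

# Constructed sample log (not captured from a real ACM). The last line is
# deliberately malformed to show how unparseable input is counted, not dropped silently.
SAMPLE_LOG = """\
2019-11-04 10:15:32,118 INFO  [http-exec-3]-auth.LoginService: Login succeeded for user svc-backup
2019-11-04 10:15:40,004 WARN  [http-exec-5]-auth.LoginService: Login failed for user svc-backup
2019-11-04 10:15:41,250 WARN  [http-exec-5]-auth.LoginService: Login failed for user svc-backup
2019-11-04 10:15:42,771 WARN  [http-exec-2]-auth.LoginService: Login failed for user svc-backup
2019-11-04 10:16:03,009 ERROR [scheduler-1]-health.DataDomainProbe: Unable to reach Data Domain
this line is not in the documented format
"""

# Message shape assumed for the detection; adjust to the real message text.
FAILED_LOGIN = re.compile(r"Login failed for user (\S+)")


def parse_acm_log(text):
    """Parse ACM-style log text. Returns (events, unparsed_count)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["timestamp"] = datetime.strptime(ev["date"], "%Y-%m-%d %H:%M:%S,%f")
        events.append(ev)
    return events, unparsed


def repeated_login_failures(events, threshold=3, window_seconds=60):
    """Return {user: failures} for accounts with >= threshold failed logins
    inside any sliding window of window_seconds."""
    per_user = {}
    for ev in events:
        m = FAILED_LOGIN.search(ev["message"])
        if m:
            per_user.setdefault(m.group(1), []).append(ev["timestamp"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evs, bad = parse_acm_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {bad} unparseable line(s)")
    print("repeated login failures:", repeated_login_failures(evs))
```

Because the log rotates at 5120 KB with 19 backups, run the parser over server.log and its numbered backups together if the window of interest may straddle a rotation.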
Alerting
Refer to the following publications for information about monitoring and managing security alerts for various IDPA components.
Table 38 Alerting
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | System Monitoring, Auditing, and Logging
Avamar and AVE | Avamar Administration Guide | Server Monitoring
Data Domain | Data Domain Product Security Guide | Security alert system settings
Data Domain | Data Domain Operating System Administration Guide | Alert notification management
Remote server management | iDRAC Version 9 User's Guide | Configuring iDRAC to send alerts
ESXi | vSphere Monitoring and Performance | Monitoring Events, Alarms, and Automated Actions
DP Advisor | DP Advisor Product Guide | Alerts in DPA
DP Advisor | DP Advisor Installation and Administration Guide | dpa application support
Physical security
The IDPA is composed of a single piece of hardware with unique interfaces and physical security requirements. The following topics detail where to find further information on securing the IDPA hardware.
Refer to Deployment models on page 16 for the locations of individual appliance components.
Physical interfaces
Refer to the following publications for information on the accessible physical interfaces of the IDPA components.
Table 39 Physical interfaces
Component | Reference Publication | Topic
Compute nodes | Dell PowerEdge R740 Owner's Manual | Ports and connectors specifications
Physical security options
Refer to the following publications for information about physical security controls that can be applied to the IDPA components.
Table 40 Physical security options
Component | Reference Publication | Topic
Data Domain | Data Domain Product Security Guide | Physical Security Controls
Dell EMC reminds customers to review and frequently audit all operational policies, and verify that personnel, site, and perimeter security are secure.
Customer service access
Refer to the following publications for information about physical interfaces and devices that are restricted for use by Customer Support.
Table 41 Customer service access
Component | Reference Publication | Topic
Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security
Tamper evidence and resistance
Refer to the following publications for information about tamper-evident and tamper-resistant features that are found in the IDPA components.
Table 42 Tamper evidence and resistance
Component | Reference Publication | Topic
Avamar | Avamar Product Security Guide | Advanced Intrusion Detection Environment (AIDE)
Avamar | Avamar Product Security Guide | The auditd service
Data Domain | Data Domain Operating System Administration Guide | System clock
Data Domain | Data Domain Operating System Administration Guide | RPM signature verification
Compute nodes | Dell PowerEdge R740 Owner's Manual | Pre-operating system management applications > System Security
Statements of volatility
Refer to the following publications for information on information-storing components of the IDPA.
Table 43 Statements of volatility
Component | Reference Publication
Compute nodes | Statement of Volatility – Dell PowerEdge R740
NDMP | If an NDMP node is used with any IDPA model, refer to the corresponding NDMP appliance documentation.
Serviceability
The IDPA deployment process includes Secure Remote Services registration for the Appliance Configuration Manager, Data Domain, Avamar, and DP Advisor.
The Appliance Configuration Manager virtual machine can be used as a bridge by Customer Support to access appliance components that are not directly registered with Secure Remote Services. By default, ConnectEMC is not configured on any appliance component. For more information about ConnectEMC, see the Secure Remote Services Operations Guide.
Customer Support and authorized service partners complete all service on the IDPA.
Maintenance aids
Refer to the following publications for information about accounts, tools, and other functions intended for maintenance use.
Table 44 Maintenance aids
Component | Reference Publication | Topic
Avamar and AVE | Avamar Product Security Guide | Security patches
Avamar and AVE | Avamar Product Security Guide | Email home notification using ConnectEMC
Avamar and AVE | Avamar Product Security Guide | Intelligent Platform Management Interface
Avamar and AVE | Avamar Operational Best Practices Guide | Using EMC Secure Remote Support solution
Avamar and AVE | Avamar Administration Guide | Automatic notifications to Avamar Support
Data Domain | Data Domain Product Security Guide | Other security considerations
Data Domain | Data Domain Operating System Administration Guide | Network connection management
Data Domain | Data Domain Operating System Administration Guide | Autosupport report management
Data Domain | Data Domain Operating System Administration Guide | Support bundle management
Data Domain | Data Domain Operating System Administration Guide | EMC Support delivery management
Data Domain | Data Domain Operating System Administration Guide | Remote system power management with IPMI
Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control
Secure Remote Services | Secure Remote Services Technical Description | Communication to EMC
Avamar and AVE make use of a Customer Support-only password to run some workflow packages in the Avamar Installation Manager.
Responsible service use
Refer to the following publication for information on responsible service use by Dell EMC.
Table 45 Responsible service use
Component | Reference Publication | Topic
Secure Remote Services | Secure Remote Services Technical Description | EMC Enterprise access control
Security updates and patching
The following references provide information about how to apply security patches for each component of the IDPA.
Table 46 Security updates and patching
Component | Reference Publication | Topic
Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance
Customers should apply security updates and patches from Dell EMC regularly to prevent zero-day vulnerability attacks.
Note: vCenter displays a warning about a potential vulnerability. CVE-2018-3646 is one of the L1 Terminal Fault (L1TF) speculative execution vulnerabilities and is assessed as having a medium vulnerability score. IDPA uses an ESXi version that includes the following fixes for this vulnerability; however, one of them is not enabled by default because it has a severe performance impact:
- Mitigation of the Sequential-Context attack vector: this fix is included in IDPA 2.3 and later releases.
- Mitigation of the Concurrent-Context attack vector: this fix is not enabled by default. It can be enabled on ESXi with simple steps, but it carries severe performance penalties if enabled.
IDPA is a restricted environment in which unverified virtual machines are not deployed on the ESXi host. Because of the severe performance penalties, enabling the fix on the IDPA appliance is not recommended; customers can enable it at their own risk. For more information, see VMware KB article 55806.
Customer requirements for updates
Refer to the following publications for information on periodic security updates that apply to the IDPA components.
Table 47 Customer requirements for updates
Component | Reference Publication | Topic
Integrated Data Protection Appliance | Integrated Data Protection Appliance Product Guide | Upgrading the appliance
CHAPTER 3
Miscellaneous configuration and management elements
This chapter contains the following topics:
- Protecting authenticity and integrity ... 50
- Installing client software ... 50
Protecting authenticity and integrity
Refer to the following publications for information about the use of signing and cryptography to ensure the integrity of the IDPA.
Table 48 Protecting authenticity and integrity
Component | Reference Publication | Topic
Data Domain | Data Domain Operating System Administration Guide | RPM signature verification
Dell EMC recommends that customers verify the authenticity of downloads against published MD5 and SHA-256 checksums, where provided.
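The following script is an added example of that verification step, not a tool shipped with the IDPA. It streams a downloaded file through MD5 and SHA-256 in one pass, compares the digests against the published values with a constant-time comparison, and treats SHA-256 as the authoritative check (MD5 is collision-prone and only serves as an extra cross-check where a vendor still publishes it). The "download" content, the file names, and the checksum-file lines are constructed for the example; in practice the published digests come from the vendor's download page, which must be read over HTTPS rather than from the same location as the file.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images do not need to fit in memory


def file_digests(path):
    """Compute (md5_hex, sha256_hex) of a file in a single streaming pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def parse_checksum_file(text):
    """Parse 'digest  filename' lines in the md5sum/sha256sum layout.
    Returns {filename: digest}; a leading '*' (binary-mode marker) is stripped."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank lines and comments
        digest, name = parts
        out[name.lstrip("*")] = digest.lower()
    return out


def verify_download(path, published_sha256, published_md5=None):
    """Return (ok, details). ok is True only if SHA-256 matches and,
    when an MD5 was published, MD5 matches too."""
    md5, sha256 = file_digests(path)
    sha_ok = hmac.compare_digest(sha256, published_sha256.lower())
    md5_ok = True if published_md5 is None else hmac.compare_digest(md5, published_md5.lower())
    details = {"sha256": sha256, "md5": md5, "sha256_match": sha_ok, "md5_match": md5_ok}
    return sha_ok and md5_ok, details


def verify_download_demo():
    """Write a constructed package and a tampered copy; return (good_ok, tampered_ok)."""
    # Published values assumed for the demo: these are the well-known digests of b"abc".
    published_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    published_md5 = "900150983cd24fb0d6963f7d28e17f72"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "idpa-package.bin")       # constructed file name
        tampered = os.path.join(tmp, "idpa-package-bad.bin")
        with open(good, "wb") as fh:
            fh.write(b"abc")
        with open(tampered, "wb") as fh:
            fh.write(b"abd")  # one byte changed
        good_ok, _ = verify_download(good, published_sha256, published_md5)
        bad_ok, _ = verify_download(tampered, published_sha256, published_md5)
    return good_ok, bad_ok


if __name__ == "__main__":
    print("verification (genuine, tampered):", verify_download_demo())
```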
Installing client software
Refer to the following publications for information about requirements for installing components of the IDPA on client computers.
Table 49 Installing client software
Component | Reference Publication | Topic
Secure Remote Services | Secure Remote Services Technical Description | Customer site components
Secure Remote Services | Secure Remote Services Technical Description | Specifications
APPENDIX
Network ports
This appendix contains information about the network ports for the following components:
- Backup Server (Avamar and Avamar Virtual Edition) ... 52
- Protection Storage (Data Domain) ... 52
- IDPA System Manager (Data Protection Central) ... 59
- Search ... 61
- Reporting and Analytics (Data Protection Advisor) ... 63
- Secure Remote Services ... 66
- Remote server management (iDRAC) ... 67
- Data Domain Cloud Disaster Recovery ... 68
Backup Server (Avamar and Avamar Virtual Edition)
The following table lists the port requirements for Avamar and Avamar Virtual Edition:
Table 50 Port requirements
Port/Protocol | Source | Destination | Description
29000/TCP | Utility node | Storage node | Avamar subsystem using SSL
29000/TCP | Storage node | Utility node | Avamar subsystem using SSL
30001/TCP | Utility node | Storage node | MCS using SSL
30001/TCP | Storage node | Utility node | MCS using SSL
30002/TCP | Avamar server | Avamar client | Avamar client using SSL
30002/TCP | Avamar client | Avamar server | Avamar client using SSL
30003/TCP | Utility node | Storage node | MCS using SSL
30003/TCP | Storage node | Utility node | MCS using SSL
For detailed information about ports, see the Port Requirements appendix in the Avamar Product Security Guide.
Protection Storage (Data Domain)
This section lists information about Data Domain network ports.
Communication security settings
Communication security settings enable the establishment of secure communication channels between the product components, and between product components and external systems or components.
The following tables list the inbound and outbound ports for TCP and UDP:
Table 51 Data Domain system inbound communication ports
Service | Protocol | Port | Port Configurable | Default | Description
FTP | TCP | 21 | No | Disabled | Port is used only if FTP is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled.
SSH and SCP | TCP | 22 | Yes | Enabled | Port is used only if SSH is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled. SCP is enabled by default.
Telnet | TCP | 23 | No | Disabled | Port is used only if Telnet is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled.
HTTP | TCP | 80 | Yes | Enabled (a) | Port is used only if HTTP is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled.
DD Boost/NFS (portmapper) | TCP | 111 | No | Enabled | Used to assign a random port for the mountd service that DD Boost and NFS use. The mountd service port can be statically assigned with the nfs option set mountd-port command.
NTP | UDP | 123 | No | Disabled | 1. Port is used only if NTP is enabled on the Data Domain system. Run ntp status to determine if it is enabled. 2. The Data Domain system uses this port to synchronize to a time server.
SNMP | TCP/UDP | 161 | No | Disabled | Port is used only if SNMP is enabled. Run snmp status to determine if it is enabled.
HTTPS | TCP | 443 | Yes | Enabled | Port is used only if HTTPS is enabled. Run adminaccess show on the Data Domain system to determine if it is enabled.
CIFS (Microsoft-DS) | TCP | 445 | No | Enabled | Main port that CIFS uses for data transfer.
DD Boost/NFS | TCP | 2049 | Yes | Enabled | Main port that NFS uses. Run the nfs option show command on the Data Domain system to determine the current NFS server port.
NFS v3/NFS v4 | TCP | 2049 | Yes | Enabled | Main port that the NFS service uses. Run nfs status to determine if the NFS v3 or NFS v4 service is enabled. Run nfs option show nfs3-port or nfs option show nfs4-port on the Data Domain system to determine the current port that is listening.
Replication | TCP | 2051 | Yes | Enabled | Port is used only if replication is configured on the Data Domain system. Run replication show config to determine if it is configured. This port can be modified using the replication modify command.
NFS (mountd) | TCP/UDP | 2052 | Yes | Enabled | Can be hardcoded using the nfs option set mountd-port command. (This command is SE mode, which means that only a Service Engineer can issue this command.) Run nfs option show mountd-port on the Data Domain system to determine the current port that mountd is listening on.
Data Domain Management Center Port | TCP | 3009 | No | Enabled | This port is used only if the Data Domain Management Center manages the Data Domain system. It is not configurable.
a. HTTP is enabled by default, but automatically redirects to HTTPS.
Table 52 Data Domain system outbound communication ports
Service | Protocol | Port | Port Configurable | Default | Description
SMTP | TCP | 25 | No | Disabled | The Data Domain system uses this port to send email autosupports and alerts.
SNMP | UDP | 162 | Yes | Disabled | The Data Domain system uses this port to send SNMP traps to the SNMP host. Use snmp show trap-hosts to see destination hosts and snmp status to display service status.
Syslog | UDP | 514 | No | Disabled | If enabled, the Data Domain system uses this port to send syslog messages. Use log host show to display destination hosts and service status.
RMCP | UDP | 623 | Open | Enabled | Remotely access the BMC through IPMI.
To reach a Data Domain system behind a firewall, you may need to enable the ports defined in the preceding tables.
Use the net filter functionality to disable all ports that are not used.
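Before disabling ports with the net filter, it helps to reconcile what the system actually listens on against Table 51. The following audit is an added example written for this guide, not Data Domain or IDPA code: it encodes the documented inbound ports and their defaults, takes an inventory of listening sockets (here a constructed list; in practice the output of an authorized port inventory of your own system) and the set of services your deployment really uses (an assumption for the example), and reports three things worth acting on: ports that are open but not documented at all, ports whose service is disabled by default yet found open (FTP, Telnet, SNMP, NTP), and documented ports that are open but unused and therefore candidates for the net filter.

```python
# Inbound ports documented in Table 51: port -> (protocols, service, enabled by default).
# Port 2049 appears twice in the table (DD Boost/NFS and NFS v3/v4); merged here.
DD_INBOUND = {
    21:   ({"tcp"}, "FTP", False),
    22:   ({"tcp"}, "SSH and SCP", True),
    23:   ({"tcp"}, "Telnet", False),
    80:   ({"tcp"}, "HTTP (redirects to HTTPS)", True),
    111:  ({"tcp"}, "DD Boost/NFS portmapper", True),
    123:  ({"udp"}, "NTP", False),
    161:  ({"tcp", "udp"}, "SNMP", False),
    443:  ({"tcp"}, "HTTPS", True),
    445:  ({"tcp"}, "CIFS (Microsoft-DS)", True),
    2049: ({"tcp"}, "DD Boost/NFS", True),
    2051: ({"tcp"}, "Replication", True),
    2052: ({"tcp", "udp"}, "NFS mountd", True),
    3009: ({"tcp"}, "Data Domain Management Center", True),
}

# Assumption for the example: this deployment uses SSH, HTTPS (with HTTP redirect),
# DD Boost/NFS, replication and DDMC, but not CIFS. Adjust to your own environment.
IN_USE = {22, 80, 111, 443, 2049, 2051, 2052, 3009}

# Constructed inventory of listening (protocol, port) pairs; not captured from a real system.
SAMPLE_LISTENING = [
    ("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 111), ("tcp", 443), ("tcp", 445),
    ("tcp", 2049), ("tcp", 2051), ("tcp", 2052), ("tcp", 3009), ("tcp", 8888),
]


def audit_listening_ports(listening, documented=DD_INBOUND, in_use=IN_USE):
    """Compare listening sockets with the documented inbound table.
    Returns a dict of findings, each a sorted list of tuples."""
    findings = {
        "undocumented": [],                 # (proto, port): not in Table 51 at all
        "disabled_by_default_but_open": [], # (proto, port, service): check who enabled it
        "unused_but_open": [],              # (proto, port, service): net filter candidates
    }
    for proto, port in sorted(set(listening)):
        entry = documented.get(port)
        if entry is None or proto not in entry[0]:
            findings["undocumented"].append((proto, port))
            continue
        _, service, default_on = entry
        if not default_on:
            findings["disabled_by_default_but_open"].append((proto, port, service))
        if port not in in_use:
            findings["unused_but_open"].append((proto, port, service))
    return findings


def documented_but_closed(listening, documented=DD_INBOUND, in_use=IN_USE):
    """Ports the deployment relies on that are not listening (a connectivity, not security, issue)."""
    open_ports = {port for _, port in listening}
    return sorted(p for p in in_use if p in documented and p not in open_ports)


if __name__ == "__main__":
    for name, items in audit_listening_ports(SAMPLE_LISTENING).items():
        print(f"{name}: {items}")
    print("in use but closed:", documented_but_closed(SAMPLE_LISTENING))
```

Confirm each "disabled by default" finding with the command Table 51 names for that service (adminaccess show, snmp status, ntp status) before changing anything, since the inventory only shows that something is listening, not which configuration enabled it.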
Firewall Configuration
Table 53 Ports that Data Domain uses for inbound traffic
Port | Service | Note
TCP 21 | FTP | Used only if FTP is enabled (run adminaccess show on the Data Domain system to determine).
TCP 22 | SSH | Used only if SSH is enabled (run adminaccess show on the Data Domain system to determine).
TCP 23 | Telnet | Used only if Telnet is enabled (run adminaccess show on the Data Domain system to determine).
TCP 80 | HTTP | Used only if HTTP is enabled (run adminaccess show on the Data Domain system to determine).
TCP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned.
UDP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned.
UDP 123 | NTP | Used only if NTP is enabled (run ntp status on the Data Domain system to determine).
UDP 137 | CIFS (NetBIOS name service) | CIFS uses this port for NetBIOS name resolution.
UDP 138 | CIFS (NetBIOS datagram service) | CIFS uses this port for the NetBIOS datagram service.
TCP 139 | CIFS (NetBIOS session service) | CIFS uses this port for session information.
UDP 161 | SNMP (query) | Used only if SNMP is enabled (run snmp status on the Data Domain system to determine).
TCP 389 | LDAP | The LDAP server monitors this port for LDAP client requests; by default it uses TCP.
TCP 443 | HTTPS | Used only if HTTPS is enabled (run adminaccess show on the Data Domain system to determine).
TCP 445 | CIFS (Microsoft-DS) | Main port that CIFS uses for data transfer.
TCP 464 | Active Directory | Kerberos change/set password; this is required to join an Active Directory domain.
TCP 2049 | DD Boost/NFS | Main port that NFS uses; it can be modified using the nfs set server-port command, which requires SE mode.
TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Data Domain system to determine). This port can be modified using replication modify.
TCP 2052 | NFS Mountd/DD Boost/Optimized Duplication | Main port that NFS Mountd uses.
TCP 3008 | RSS | Required when the Data Domain system has an Archive Tier.
TCP 3009 | SMS (system management) | Used for managing a system remotely with Data Domain System Manager. This port cannot be modified. This port is used only on Data Domain systems running DD OS 4.7.x or later. This port needs to be open if you plan to configure replication within Data Domain System Manager, because the replication partner must be added to Data Domain System Manager.
TCP 5001 | iPerf | iPerf uses this port by default. Changing the port requires the -p option from se iperf or the port option from the net iperf command. The remote side must listen on the new port.
TCP 10000 | NDMP | NDMP uses this port.
Table 54 Ports that Data Domain systems use for outbound traffic
Port | Service | Note
TCP 20 | FTP | Used only if FTP is enabled (run adminaccess show on the Data Domain system to determine).
TCP 25 | SMTP | Used only if FTP is enabled (run adminaccess show on the Data Domain system to determine).
UDP/TCP 53 | DNS | Used to perform DNS lookups when DNS is configured (run net show dns on the Data Domain system to review the DNS configuration).
TCP 80 | HTTP | Used to upload log files to EMC Data Domain support using support upload.
TCP 443 | HTTPS | Used to upload the Support Bundle (SUB).
UDP 123 | NTP | Used to synchronize to a time server.
UDP 162 | SNMP (trap) | Used to send SNMP traps to an SNMP host. Use the snmp show trap-hosts command to see destination hosts and snmp status to display service status.
UDP 514 | Syslog | If enabled, used to send syslog messages. Use log host show to display destination hosts and service status.
TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Data Domain system to determine).
TCP 3009 | SMS (system management) | Used for managing a system remotely using Data Domain System Manager. This port cannot be modified. This port is used only on Data Domain systems running DD OS 4.7.x or later. If you plan to configure replication from within Data Domain System Manager, this port needs to be opened; the replication partner has to be added to Data Domain System Manager.
TCP 5001 | iPerf | iPerf uses this port by default. Changing the port requires entering the -p option from se iperf or the port option from net iperf. The remote side must listen on the new port.
TCP 27000 | Avamar client communications with Avamar server | Avamar client network hosts.
TCP 27000 | Avamar server communications with Replicator target server (Avamar proprietary communication) | Required if the server is used as a replication source.
TCP 28001 | Avamar client communications with administrator server | Avamar clients required.
TCP 28002 | Administrator server communications with Avamar client | Optional for browsing clients and canceling backups from the Avamar Administrator management console.
TCP 29000 | Avamar client Secure Sockets Layer (SSL) communications with Avamar server | Avamar clients required.
TCP 29000 | Avamar server SSL communications with Replicator target server | Required if the server is a replication source.
IDPA System Manager (Data Protection Central)
IDPA System Manager uses inbound and outbound ports when communicating with remote systems.
Table 55 Outbound ports
Port number | Layer 4 protocol | Service
7 | TCP, UDP | ECHO
22 | TCP | SSO
25 | TCP | SMTP
53 | UDP, TCP | DNS
67, 68 | TCP | DHCP
80 | TCP | HTTP
88 | TCP, UDP | Kerberos
111 | TCP, UDP | ONC RPC
123 | TCP, UDP | NTP
161-163 | TCP, UDP | SNMP
389 | TCP, UDP | LDAP
443 | TCP | HTTPS
448 | TCP | Data Protection Search Admin REST API
464 | TCP, UDP | Kerberos
514 | TCP, UDP | rsh
587 | TCP | SMTP
636 | TCP, UDP | LDAPS
902 | TCP | VMware ESXi
2049 | TCP, UDP | NFS
2052 | TCP, UDP | mountd, clearvisn
3009 | TCP | Data Domain REST API
5672 | TCP | RabbitMQ over amqp
8443 | TCP | MCSDK (8443 is an alternative for 443)
9000 | TCP | NetWorker Management Console
9002 | TCP | Data Protection Advisor REST API
9090 | TCP | NetWorker Authentication Service and REST API
9443 | TCP | Avamar Management Console web service
Table 56 Inbound ports
Port number | Layer 4 protocol | Service
22 | TCP | SSH
80 | TCP | HTTP
443 | TCP | HTTPS
5671 | TCP | RabbitMQ over amqp
Search
This section lists information about Search network ports.
Port usage
Table 57 Default ports
Component | Service | Protocol | Port | Description
Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch.
Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API.
Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch.
Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access.
Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to enable communication during an automatic upgrade.
Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for the Avamar client communicating with the Avamar server. Each client requires two ports from each port range.
NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for the NetWorker client communicating with the NetWorker server.
OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP instances, are only opened internally.
SSH | sshd | TCP | 22 | Client connects to the server through ssh.
NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally.
Firewall rules
Search requires access to the following external (worldwide) ports:
- 442:445 (Web/REST API)
- 28000-29000, 30000-31000 (Avamar client)
- 7937-8100 (NetWorker client)
- 22 (SSH)
Search requires access to the following internal ports:
- 389 (OpenLDAP)
- 8140 (Puppet Master and Master node only)
- 61613 (Puppet)
- 9300:9400 (Elasticsearch)
- 111, 2049 (NFS)
To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.
Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.
Add an Avamar source server to Search
In the Search UI, identify one or more Avamar servers to be indexed. Indexing begins automatically after a source has been added.
About this task
You can add an Avamar server only if you have the Application Administrator role.
Procedure
1. In the Manage drop-down list, select Avamar.
2. Click Administration > Sources.
3. To add a source, click .
The Add Source window displays.
4. In the Name field, enter a display name that identifies the Avamar server. The name must meet the following requirements:
- One to 50 characters in length
- No spaces
- Combination of lower and uppercase letters, numbers, dashes, and underscores
5. In the Hostname field, enter the fully qualified hostname of the Avamar server by using one of the following formats:
- IP address
- FQDN
6. In the Port field, leave the default entry unless the Avamar server has been configured with a different port.
7. In the User ID field, enter the account name of the user with the administrator role on the Avamar server that is being added.
For example, MCUser.
8. In the Password field, enter the password for the user who is identified in the User ID field.
9. Select an analyzer.
The default standard analyzers are recommended for most use cases.
10. To enable a connection limitation, in the Connection Limitation field, select Enable.
Note: By default, the Connection Limitation option is disabled.
a. In the Indexing field, specify the number of concurrent indexing tasks across the cluster.
b. In the Action field, specify the number of search actions across the cluster, which include download, full content indexing, and restore.
11. To enable a blackout window, in the Blackout Window field, select Enable.
Enabling this option prevents Search from interacting with the source during specific hours each day. By default, the blackout window applies to all activities including indexing, monitoring, and search actions.
a. Specify the time zone.
b. Specify the time range.
12. Click Connect.
If the source server connection is successful, a summary of the configuration is displayed. If necessary, you can edit the configuration:
- To edit the Avamar domain, click the Domains link.
Note: By default, Search selects all existing Avamar domains for indexing, apart from any replica domains (/REPLICATE). To index replica domains, select the checkbox next to the replica domain. You cannot index both a replica domain and the original domain that is being replicated in the same Search instance. If there is a requirement to index both, you must use different Search instances.
- To edit the range of backups to index, click the Backups all will be indexed link.
- To edit the schedule for indexing, click the Indexing will occur... link.
13. On the source summary page, click Done.
The Next Steps page is displayed and lists the administration tasks.
Reporting and Analytics (Data Protection Advisor)
The following tables list information about Data Protection Advisor (DPA) network ports. Additional ports can be required for the DPA agents depending on the systems being monitored.
Table 58 DPA application port settings
Port | Description | Traffic direction
25 | TCP port used for the SMTP service | Outbound connection to SMTP server.
80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server.
161 | UDP port used for the SNMP service | Outbound connection to SNMP devices.
389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server.
3741 | TCP port used for DPA agent communications. | Outbound connection to DPA agents.
4447 | TCP port used for intra-service communication | Inbound connection.
4712 | TCP port used for intra-service communication | Localhost connection.
4713 | TCP port used for intra-service communication | Localhost connection.
5445 | TCP port used for intra-service communication | Localhost connection.
5455 | TCP port used for intra-service communication | Localhost connection.
8090 | TCP port used for intra-service communication | Localhost connection.
9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients.
9003 | TCP port used for DPA Datastore communications. | Outbound connection to DPA Datastore.
9005 | TCP port used for JBoss Management | Localhost connection.
9999 | TCP port used for JBoss Management | Localhost connection.
Table 59 DPA datastore port settings
Port | Description | Traffic direction
3741 | TCP port used for DPA agent communications. | Inbound connection from DPA application server.
9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to DPA application server.
9003 | TCP port used for DPA datastore communications. | Inbound connection from DPA application server.
Table 60 DPA agent port settings
Port | Description | Traffic direction
3741 | TCP port used for DPA agent communications. | Inbound connection from DPA application server.
9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to DPA application server.
Table 61 DPA cluster port settings
Port | Description | Traffic direction
25 | TCP port used for the SMTP service | Outbound connection to SMTP server.
80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server.
161 | UDP port used for the SNMP service | Outbound connection to SNMP devices.
389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server.
3741 | TCP port used for DPA agent communications. | Outbound connection to DPA agents.
4447 | TCP port used for intra-service communication | Inbound connection.
4712 | TCP port used for intra-service communication | Localhost connection.
4713 | TCP port used for intra-service communication | Localhost connection.
5445 | TCP port used for intra-service communication | Bidirectional connection for Cluster.
5455 | TCP port used for intra-service communication | Bidirectional connection for Cluster.
7500 | Multicast over UDP | Bidirectional connection for Cluster.
7600 | Multicast over TCP | Inbound connection for Cluster.
8090 | TCP port used for intra-service communication | Localhost connection.
9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients.
9003 | TCP port used for DPA datastore communications. | Outbound connection to DPA datastore.
9005 | TCP port used for JBoss Management | Localhost connection.
9876 | Multicast over TCP | Bidirectional connection for Cluster.
9999 | TCP port used for JBoss Management | Localhost connection.
23364 | Multicast over TCP | Bidirectional connection for Cluster.
45688 | Multicast over TCP | Bidirectional connection for Cluster.
45689 | Multicast over TCP | Bidirectional connection for Cluster.
45700 | Multicast over UDP | Bidirectional connection for Cluster.
54200 | Multicast over UDP | Bidirectional connection for Cluster.
54201 | Multicast over UDP | Bidirectional connection for Cluster.
55200 | Multicast over UDP | Bidirectional connection for Cluster.
55201 | Multicast over UDP | Bidirectional connection for Cluster.
57600 | Multicast over TCP | Bidirectional connection for Cluster.
Secure Remote Services
Secure Remote Services runs its services on the following ports:
The following ports should be opened on the Secure Remote Services (SRS) gateway server VM. The appliance components (AVE, DD, ACM, and DPA) communicate with SRS using these ports.
Table 62 Port requirements
Services | Ports
Connect Home support (legacy) - FTP | 21
Connect Home support (legacy) - HTTPS | 443
Connect Home support (legacy) - SMTP | 25
Provision, WebUI, RESTful services (such as device management, RESTful Connect Home, MFT, keepalive, and so on) | 9443
Remote server management (iDRAC)
The following table lists the ports that are required to remotely access iDRAC through a firewall. These are the default ports iDRAC listens to for connections.
Table 63 Ports iDRAC listens for connections
Port number | Type | Function | Configurable port | Maximum encryption level
22 | TCP | SSH | Yes | 256-bit SSL
23 | TCP | TELNET | Yes | None
80 | TCP | HTTP | Yes | None
161 | UDP | SNMP Agent | Yes | None
443 | TCP | HTTPS | Yes | 256-bit SSL
623 | UDP | RMCP/RMCP+ | No | 128-bit SSL
5900 | TCP | Virtual console keyboard and mouse redirection, Virtual Media, Virtual folders, and Remote File Share | Yes | 128-bit SSL
5901 | TCP | VNC | Yes | 128-bit SSL
Note: Port 5901 opens when the VNC feature is enabled.
The following table lists the ports that iDRAC uses as a client:
Table 64 Ports iDRAC uses as client
Port number | Type | Function | Configurable port | Maximum encryption level
25 | TCP | SMTP | Yes | None
53 | UDP | DNS | No | None
68 | UDP | DHCP-assigned IP address | No | None
69 | TFTP | TFTP | No | None
123 | UDP | Network Time Protocol (NTP) | No | None
162 | UDP | SNMP trap | Yes | None
445 | TCP | Common Internet File System (CIFS) | No | None
636 | TCP | LDAP Over SSL (LDAPS) | No | 256-bit SSL
2049 | TCP | Network File System (NFS) | No | None
3269 | TCP | LDAPS for global catalog (GC) | No | 256-bit SSL
5353 | UDP | mDNS | No | None
514 | UDP | Remote syslog | Yes | None
Note: When Group Manager is enabled, iDRAC uses mDNS to communicate through port 5353. However, when it is disabled, port 5353 is blocked by iDRAC's internal firewall and appears as an open|filtered port in port scans.
Data Domain Cloud Disaster Recovery
The following ports should be opened for communication between the specified components:
Table 65 Required Data Domain Cloud Disaster Recovery ports
Port | Description
111 | Communication between Data Domain and CDRA
443 | Communication between CDRA and AWS
443 | Communication between CDRA and CDRS
443 | Communication between CDRA and vCenter
443 | Communication between a local restore VM and AWS
2049 | Communication between Data Domain and CDRA
9443 | Communication between Avamar and CDRA
INDEX
A
Active Directory 24
alerting 43
auditing 40
authentication 22, 24, 25, 29
authentication, certificates 24
authentication, keys 24
authentication, local sources 23
authentication, remote component 29
authentication, role-based 32
authentication, setup 23
authenticity 50
authorization 30
authorization, default 30
authorization, external 31
authorization, rules 30
C
certificate management 40
certificates 24
clients 50
communications, security 36
credential management 25
credentials, default 26
credentials, managing 28
cryptographic modules 39
cryptography 38
cryptography, certificate management 40
cryptography, certified modules 39
cryptography, configuration 38
customer service access 44
D
data erasure 37
data security 36
default accounts 25
deployment models 16
E
encryption, data at rest 37
F
firewall 36
I
integrity 50
interfaces 43
K
keys 24
L
LDAP 24
legal disclaimers 9
local accounts, deleting 28
local accounts, disabling 28
lockout, user 23
logging 40
login banner 22
login behavior 22
login security 22
logs, alerting 43
logs, format 42
logs, locations 41
logs, management 41
logs, protection 42
logs, usage 41
M
maintenance aids 45
map, security controls 20
N
network exposure 34
network interfaces 35
network ports 34
network security 34
networking 34
P
passwords, complexity 28
passwords, managing 28
physical interfaces 43
physical security 43, 44
preface 9
R
remote connections 29
requirements, customer 47
roles 32
roles, configuring 33
roles, default 32
roles, external association 34
roles, mapping 33
S
security controls map 20
security updates 46
security, communications 36
service use, responsible 46
serviceability 45
statement of volatility 45
T
tampering, evidence 44
tampering, resistance 44
U
unauthenticated interfaces 25
updates 46, 47
V
volatility 45