Security mechanism 3 - Login security

When the network connection and session are established, the IBM Service personnel will be able to log into the S-HMC, without a secure password, for the purpose of collecting problem determination and sending the problem determination to the IBM data collection site.

If problem analysis shows that additional actions are needed to further refine the problem definition, the next level of IBM Service may have a requirement for a higher level of access to the storage facility. If this is the case, all of the previous security measures will also apply, but to obtain a higher level of authorization, the service organization will be required to log in to secure userids on the S-HMC. These userids are protected by S-HMC user management.

S-HMC user management

The S-HMC’s user management is governed by the following rules:

￿The allowed number of users is pre-defined.

￿No additional users can be defined to the S-HMC.

￿The password to these predefined users can be changed by IBM support personnel.

￿Users with higher privileges are protected by a challenge/authentication scheme.

￿The root user ID is locked.

￿User login is only allowed from the private network, or from an IBM remote support service connection.

￿User activity is logged.

￿The S-HMC has auditing capabilities.

The functionality of standard software components is restricted to provide added security advantages when integrating the S-HMC into your private network. These restrictions are as follows:

￿The S-HMC acts as a firewall or proxy for incoming traffic.

￿The S-HMC does not have any IP forwarding or gateway capabilities.

￿Many standard services such FTP and TELNET do not exist on the S-HMC.

￿Only Secure Shell (SSH) is permitted over the remote connection.

￿No TCP/IP connection from the outside is allowed into the S-HMC, except the VPN connection.

￿In an Internet configuration, the following firewall ports need to be open: 500 udp, 500 esp (VPN), and 4500 udp.

￿The allowed destination IP addresses will only be the IBM services support centers: 207.25.252.196, 129.42.160.16, and 207.25.252.198.

9.2.4FTP Offload option

As an alternative to a VPN connection via the Internet, the S-HMC can be set up to use the file transfer protocol (ftp) for sending error data to IBM. It is the customer's responsibility to provide a secure path from the S-HMC to the destination server (testcase.software.ibm.com) on the Internet. Usually this involves some kind of ftp proxy or relay firewall. The S-HMC supports seven different types of ftp firewalls.

Connectivity via ftp is also required for downloading DS8000 code packages from an IBM remote code repository on the Internet.

166DS8000 Series: Concepts and Architecture

Page 188
Image 188
IBM DS8000 manual FTP Offload option, Security mechanism 3 Login security, HMC user management