Highlighted
Michael_Roney
1 Copper

Prosphere - Security Concerns related to Discovery by UNIX Team

We've been using EMC Control Center for years and are now deploying ProSphere.

The Unix administrators are very concerned about the way ProSphere discovers and collects information from the unix/linux hosts.

  1. ProSphere pushes out a file that then needs to be run as root (via sudo).  The Unix admins state they have no way of controlling what EMC is putting in the file.  It is possible to have a file with trojan commands be pushed out and run as root on every host.
  2. The permissions/ownership of the file pushed out needs to be controlled better.
  3. Using /tmp for the location of the file pushed out by ProSphere and run via sudo is not best practice.

Is anyone else running into these issues when deploying ProSphere?

Are security audits reviewing this discovery/management design and not finding any issues?

I tried to open a product enhancement request to correct these issues, but was told that development already knows about this and there are no plans to change the discovery/management process.

I did try to alleviate the Unix team concerns by:

  • Reviewing the contents of the file pushed out by EMC with them.
  • Attempting to put the reviewed file on the host and lock it down so that ProSphere did not push out a new version - but ProSphere complained that is could not push out the file.
  • Link the location of the file in /tmp to a non-temp directory that is easier to secure on the host.

If there are other ways to address the Unix team concerns, please share the information.

Tags (2)
0 Kudos
6 Replies
schanis
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

Hi Michael

Thanks for your post on ProSphere host discovery.

The concerns you mention have been raised by some customers I have talked to.  There are several things we are looking at to address the issues

  1. Give the customer the ability to specify the location where the script is pushed to and not hard code it to /tmp.  NOTE: SCA does have this capability today
  2. Implement a code signing mechanism that ensures the contents of the script pushed to the host have not been altered
  3. Use an existing script that already exists on the host instead of automatically pushing the script out

I can't give you a time frame yet when they will be implemented. Do you think one or all of these changes will address the security concerns?

Steve Chanis

ASD SRM Product Management

Michael_Roney
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

Steve,

Thanks for the information.

I believe that all of the items you listed would very useful in alleviating the security concerns.  Items 1 and 3 were something that I had tried to implement myself using unix permissions and links.

Hopefully the changes you described can be implemented in a relatively short time.  We purchased replacement VNX and VMAX arrays and with the arrays purchased ProSphere licensing.  Our ECC support is now expired and until the security concerns are addressed, I will not be able to use ProSphere for Unix/Linux host discovery.

I beleive I can discover the hosts through the SAN Switch discovery process (using zone name standards), but I don't believe we will get as much functionality/reporting as with the full discovery process.

Michael Roney

Storage Architect Lead

California ISO Corporation

0 Kudos
schanis
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

What version of ECC are you currently using?  We are releasing UB14 in the next few weeks, it is focused on supporting some of the latest VMAX array features along with moving to Oracle 11g.  When UB14 is GA we will extend the support of the latest versions of ECC (UB12 and later) to June 2015.  The end of support date for the earlier UB's will not change however.

To your other point about host discovery through the SAN - ProSphere does support 'passive discovery'.  It can pull the host name out of your zone names (if it is included there) and determine some basic information

  • ip address by doing a DNS looklup
  • which arrays that host can access

Some of the things you don't get with this method

  • tying a specific host device to an array LUN
  • ability to collect performance information from the host
  • Detailed attribute informaton (OS, software installed on the host)
0 Kudos
Michael_Roney
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

We currently are running ECC version 6.1 UB12.  But, apparently when we purchased ProSphere with the 3 VNX and 2 VMAX arrays and did not purchase ECC licensing we lost the ability to get ECC updates (the DMX-4 arrays we were using are being retired and the ECC licensing was associated with them).

I was under the impression that we would be able to run both environments for some time as we transition to ProSphere, but it looks like Sales and Support are not in agreement on this issue.

We are had a professional services engagement with EMC a few years ago where they setup the Business Intelligence - Storage Infrastructure Dashboard which extracts information from StorageScope into Microsoft Reporting Services to create custom dashboards that management uses to get an overview of the storage environment.  We're looking at updating the tool/utility to work with ProSphere as well.

Thanks for the information on the 'passive discovery'.

0 Kudos
schanis
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

When you purchased ProSphere for the VNX and VMAX arrays it included ECC also, they are 'bundled' together and you can't separate them from an ordering perspective.  You can chose to not use one or the other but from a licensing perspective you are entitled to both.  ProSphere and ECC can run in the same environment, they don't depend or conflict with each other.

So you can continue to use ECC on those VNX and VMAX arrays during the transition to ProSphere, and you are entitled to any current and future ECC updates (same for ProSphere updates).  I'd be happy to clarify / help if you are getting a different message from EMC.

0 Kudos
Michael_Roney
1 Copper

Re: Prosphere - Security Concerns related to Discovery by UNIX Team

Thanks for the information.

I'm working with our EMC Sales Team, our EMC Professional Services team (working on the migration to the new arrays) and EMC Support now to resolve the ECC download access issue.  Hopefully the issue can be resolved quickly.

0 Kudos