January 11th, 2013 10:00

Gatekeeper Security - Service Provider

EMC Community,

I've been doing EMC Symmetrix storage in some shape or fashion for the last 7 years, but I was asked a question today about gatekeepers about which I wasn't entirely sure of the answer so I thought I'd post it here and see what I get back. If you're aware of a document that discusses this aspect, please feel free to point me in the right direction.

My understanding is that a gatekeeper is generally a dedicated device of about 3-10 cylinders that can be used for SYMAPI/SYMCLI commands to a Symm. Although, really, any device (even a normal data lun) can be used as a gatekeeper to send commands to a Symm. If VMAX luns are being presented to a customer's server in a service provider environment, and that customer happens to know how all of this stuff works, what's to prevent them from installing SYMCLI on their "customer server" and sending commands to the VMAX, perhaps to provision their own storage without the knowledge of the storage administration team (AKA, free storage)?

If I remember correctly, there's not really any type of security on the host side of a gatekeeper device, and I'm not sure if there is on the array side or not either.

Can someone please provide a definitive answer on this?

Thanks!

-Jason

76 Posts

January 11th, 2013 10:00

The service provider could use SYMACL or SYMAUTH settings on the array to restrict certain hosts/users. SYMACL allows only certain hosts to access specified devices. SYMAUTH restricts storage-related operations to specific users.

Both of these technologies are detailed in the Symmetrix Solutions Enabler CLI Array Controls Guide. You can download it from https://support.emc.com or Powerlink.

January 11th, 2013 10:00

Thanks guys. This is exactly what I was looking for.

278 Posts

January 11th, 2013 10:00

Hi Jason, first of all, you don't install SYMCLI without any control on any server and without any reason. If you have many management servers, then you can have SYMAPI Server on one server, and all the other management servers have to communicate with the SYMAPI Server, so you can have a little control on the management server and over the others. You can set security on the server regarding users if you have Active Directory or LDAP. The one thing you can be sure of is that when you set SYMAUTH and Symmetrix Access Control, you are pretty much sure that you are protecting your storage. There is an e-learning about Symmetrix Security. More or less you are right if you are saying that you cannot prevent 100% an "intrusion" from a user using the management server.

286 Posts

January 11th, 2013 10:00

By default this is true, but in an environment like this the storage team or storage provider should enable Symmetrix Access Controls (security by host) and/or Symmetrix Authorizations (security by user) to block or allow provisioning/management access from a given host and/or user.

20.4K Posts

January 11th, 2013 12:00

It depends what you are doing. When we looked at symacl a few years ago, it was not granular enough to restrict certain operations on certain devices. We use enterprise schedulers to run specific symcli commands on certain hosts because there needs to be integration with LVM/ASM, so we have to install symcli. Different strokes for different folks.

Look at ECC deployment in an environment where symacl is used, PITA

278 Posts

January 14th, 2013 23:00

Thanks Dynamox
