This article has several security reminders and a brief summary of newer items for the DS8000 Storage family.
Code Updates and Security Bulletins.
One of the most important items in security and stability, is maintaining code up to date and patched. Notifications of updates are provided via the “My notification” service. Customers who have not subscribed to this service are encouraged to do so at My notification.
In general, security updates will only support the current code levels and the prior two levels. Supported levels are published at DS8000 Code Recommendation. When high severity vulnerabilities are detected, we will attempt (when possible) to provide fixes for a larger range of levels, and this will be noted in the applicable bulletins.
Customers need to plan for code updates approximately once a year to ensure that security patches can always be applied.
NIST-800-131a strict mode
More standards and recommendations are now requiring that only the TLS1.2 protocol be used on encrypted links.
in November 2013 release R7.2 of the DS8870 enabled support for NIST-800-sp131a mode. This mode enforces TLS1.2 on all applicable connections, provides at least 112 bit security, and disables DSCLI legacy port 1750. This legacy port is documented as having a weak RSA key ( 1024 bits) and signature, and should be disabled as soon as possible.
Future levels, will enable strict NIST-800-sp131a mode by default. Customers which have not updated clients, will be required to revert this setting.
Once again, supporting and enabling strict mode is strongly recommended.
NOTE that enabling this mode does require planning. For pre-requisites, please see: NIST SP 800-131A security conformance.
NOTE that the DS8700/DS8800 families do not presently support the NIST-800-131a conformance settings. The ability to disable the legacy DSCLI port is provided as of code levels 188.8.131.52/184.108.40.206. Consult the DSCLI the manageaccess and showaccess commands for the applicable settings.
Modems for Remote Support Access
Over the past years, the use of modems as an access method has declined considerably. This decline has caused modems and infrastructure devices to be progressively withdrawn by suppliers, requiring us to follow.
As a consequence of this trend, modem support was removed from the DS888x family. Present modem users are strongly encouraged to consider the alternatives of Assist on Site (AOS) or remote support center (rsc) for remote connections.
AOS users are strongly encouraged to update to the latest code levels, which support AOS V4. This will ensure access to the improved features and long term support.
In DS888x release R8.2, support is enabled for rsc, which is compatible with IBM XIV XRSC and is an alternative to AOS. Since rsc is compatible, it can reuse existing XIV XRSC proxy servers. rsc support will also be provided in future levels of DS8870.
Other DS888x Enhancements
Below is a summary of other relevant/interesting enhancements available in R8.2 and later. Please consult the applicable documentation for more details.
- Customer supplied key server certificates.
- Support for the KMIP key server protocol as well as the existing IPP protocol.
- Real time audit file offload via the rsyslog protocol.
- Native LDAP support for user authentication.
Customers can now supply their own certificates for key servers, allowing customization of expiration dates, root certificates and owner information.
DS8000 now supports KMIP as an alternative protocol. For more detail see IBM DS8880 Data-at-rest Encryption.
DS8000 log and audit files are exportable using rsyslog. Customers can set retention periods and incorporate this information in an external IDS or IPS.
Native LDAP user authentication is available, no longer requiring the use of an external gateway.