2 Secure Installation

This section outlines the planning and implementation process for a secure installation and configuration, describes several recommended deployment topologies for the systems, and explains how to secure a tape library.

Understand Your Environment

To better understand security needs, the following questions must be asked:

Which resources need to be protected?

Many resources in the production environment can be protected. Consider the resources needing protection when deciding the level of security that you must provide.

From whom are the resources being protected?

The library must be protected from everyone on the Internet. But should the library be protected from the employees on the intranet in your enterprise?

What will happen if the protections on strategic resources fail?

In some cases, a fault in a security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the tape drive. Understanding the security ramifications of each resource will help protect it properly.

Securing the Library

By default, the library uses the ports listed in the following table. Configure the firewall to allow traffic on these ports and to block any unused ports. The SL8500 and SL3000 libraries support IPv4.

Table 2-1 Network ports used

| Port | SL500 | SL3000 | SL8500 |
|---|---|---|---|
| 22 tcp - SSH CLI and SLC access - inbound stateful | X | X | X |
| 115 tcp - SFTP code download from SLC - inbound stateful | X | X | X |
| 161 udp - SNMP library agent requests - inbound stateful | X | X | X |
| 162 udp - SNMP library traps and inform notifications - outbound stateless for traps, outbound stateful for inform | X | X | X |
| 68 udp - DHCP client - inbound and outbound | X | | |
| 50001-50016 tcp - HLI host access - inbound stateful | | X | X |
| 33200-33500 udp - traceroute (CLI debugging of route tables) - outbound stateful | | X | X |


When configuring SNMP, using SNMPv3 is strongly recommended over SNMPv2c for its confidentiality, integrity and authentication capabilities.
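The port table above can be turned into a per-model allowlist and used to audit firewall flow records. The following is an added example, not part of the original guide or of any Oracle tool. The record format ("direction proto port", with direction relative to the library), the function names and the sample records are assumptions made for illustration, and the model columns are read from Table 2-1 as it appears on this page.

```python
# Added example: per-model allowlist built from Table 2-1, used to audit flow records.
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str
    lo: int
    hi: int
    dirs: frozenset      # directions permitted: "in", "out"
    models: frozenset    # library models the table row applies to
    use: str

ALL = frozenset({"SL500", "SL3000", "SL8500"})
BIG = frozenset({"SL3000", "SL8500"})
IN, OUT = frozenset({"in"}), frozenset({"out"})

TABLE_2_1 = [
    Rule("tcp", 22, 22, IN, ALL, "SSH CLI and SLC access"),
    Rule("tcp", 115, 115, IN, ALL, "SFTP code download from SLC"),
    Rule("udp", 161, 161, IN, ALL, "SNMP agent requests"),
    Rule("udp", 162, 162, OUT, ALL, "SNMP traps and informs"),
    Rule("udp", 68, 68, IN | OUT, frozenset({"SL500"}), "DHCP client"),
    Rule("tcp", 50001, 50016, IN, BIG, "HLI host access"),
    Rule("udp", 33200, 33500, OUT, BIG, "traceroute"),
]

def match(model, direction, proto, port):
    """Return the Table 2-1 row permitting this flow, or None if it should be blocked."""
    for r in TABLE_2_1:
        if (model in r.models and direction in r.dirs
                and proto == r.proto and r.lo <= port <= r.hi):
            return r
    return None

def audit(model, flows):
    """Split 'direction proto port' records into (allowed, violations)."""
    allowed, violations = [], []
    for line in flows:
        direction, proto, port = line.split()
        rule = match(model, direction, proto.lower(), int(port))
        (allowed if rule else violations).append(line)
    return allowed, violations

# Constructed sample records (direction is relative to the library).
SAMPLE = ["in tcp 22", "in tcp 23", "out udp 162", "in udp 162",
          "in tcp 50010", "in udp 68", "out udp 33250", "in tcp 50017"]

if __name__ == "__main__":
    for m in sorted(ALL):
        print(m, "violations:", audit(m, SAMPLE)[1])
```

Any record reported as a violation corresponds to traffic the firewall should block for that model, such as HLI ports on an SL500 or inbound traffic to the trap port.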

Installing the Streamline Library Console (SLC) Application and the Web Application Archive (WAR) File

SLC should only be installed on systems that are within the same protected network infrastructure as the library. Customer access controls should be enforced on the systems where SLC is installed to ensure restricted access to the library. See Table 2-1 for the ports used by SLC.

Refer to the following library user guides for web launch SLC install instructions.

  • SL500 User Guide

  • SL3000 User Guide

  • SL8500 User Guide

Post Installation Configuration

This section documents security configuration changes that must be made after installation.

Assign the user (admin) password.

The customer admin account password is managed by a One Time Password (OTP) infrastructure. There are 280 passwords available for use over the life of the library if the admin password is forgotten and has to be reset. The first OTP is on a label affixed to the frame. Your service representative will use this OTP when installing your library. You can then enter a password of your choice.

Enforce password management

Basic password management rules, such as password length and complexity, must be applied to the administrator password.