This section outlines the planning and implementation process for a secure installation and configuration, describes several recommended deployment topologies for the systems, and explains how to secure a tape library.
To better understand security needs, the following questions must be asked:
Many resources in the production environment can be protected. Consider the resources needing protection when deciding the level of security that you must provide.
The tape drive must be protected from everyone on the Internet. But should the tape drive be protected from the employees on the intranet in your enterprise?
In some cases, a fault in a security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the tape drive. Understanding the security ramifications of each resource will help protect it properly.
By default, the tape drive uses ports listed in the following table. The firewall should be configured to allow traffic to use these ports and that any unused ports are blocked. The tape drives support IPv6 and IPv4.
| Port | T10000C |
|---|---|
|
22 tcp - SSH VOP |
X |
|
22 tcp - SFTP |
X |
|
161 udp - SNMPV1 Tape Drive agent requests - inbound stateful |
X |
|
162 udp - SNMPV1 Tape Drive traps and inform notifications - outbound stateless for traps, outbound stateful for inform |
X |
|
23 tcp - TELNET |
|
|
21 tcp - FTP |
|
|
9842 tcp - EPT |
|
|
3331 OKM - challenge and root CA service |
X |
|
3332 OKM – Enrollment. Cyber strength is AES256 |
X |
|
3334 OKM – Encryption key exchange. Cyber strength is AES256 |
X |
|
3335 OKM – Cluster discovery. Cyber strength is AES256 |
X |
Ports 21 and 23 will be disabled for our customers for T10000C. If a customer requires access to a non-secure TELNET or non-secure FTP or both, then a VOP configuration option is available.
VOP should only be installed on systems that are within the same protected network infrastructure as the tape drive. Customer access controls should be enforced on the systems where VOP is installed to assure restricted access to the tape drive. See Table 2-1 for ports used by VOP.
Refer to the following VOP user guide for web launch VOP install instructions.
http://www.oracle.com/technetwork/documentation/tape-storage-curr-187744.html#vop
This section documents security configuration changes that must be made after installation.
The customer admin account password should be changed by the customer at the site and is owned by the customer. The password security meets Oracle standards. An infinite number of passwords is available for use over the life of the tape drive. If the admin password is forgotten, it can be reset. The first password is the default password sent with the tape drive.
Basic password management rules, such as password length, and complexity must be applied to the administrator password.
The password management rules require at least one of each of the following rules.
Must be between 8 and 16 characters long
Lower case (a-z)
Upper case (A-Z)
Decimal digit (0-9)
Special characters (.?;:"{}[]()!@#$%&, ...)