HPE EVA Storage
gstonian
Trusted Contributor

EVA 5000 with DMZ Hosts


I have a project that wants to start using our SAN but the Security team is questioning this because the hosts in question are in the DMZ.

We use Cisco switches, so we could set up a separate VSAN for those DMZ hosts, and our management server is within our network.

I've been unable to find any HP Docs which cover HP EVA Security using hosts in the DMZ.

Points awarded for any useful links/information

Thanks
7 REPLIES
Uwe Zessin
Honored Contributor

Re: EVA 5000 with DMZ Hosts

An FC port can only be in one VSAN at a time. Maybe I'm not understanding your requirement correctly, but if you intend to do VSANs, I'd say that the EVA5000 can either be in the DMZ, or not.
.
gstonian
Trusted Contributor

Re: EVA 5000 with DMZ Hosts

Sorry - maybe I confused things a little there talking about our Cisco switches etc.

I'm mainly after any documentation about security concerns/issues using hosts in the DMZ connecting to the EVA.

I've seen other posts about this but nothing was really supplied.
TTr
Honored Contributor

Re: EVA 5000 with DMZ Hosts

I don't have an EVA, but based on other arrays that I have worked with I can comment as follows.

A VSAN for DMZ hosts would be the way to go. You would connect the VSAN ports to 2 host ports on the EVA. This is where it becomes important. How are the built-in host ports on an EVA? Are they in an internal hub or a switch? If they are on a hub, i.e. all LUNs are visible to all host ports, you will have exposure of your internal-protected LUNs to the DMZ host. Of course you have LUN masking, but if the DMZ host is compromised, the hacker can start altering the WWN of the DMZ host HBAs and try to match the WWN of internal host HBAs and do an FC-login to internal LUNs.
If the EVA is using an FC switch for the host ports then it is much safer. The DMZ host can only see the LUNs on that port only.
Maybe a call to HP is warranted.
Uwe Zessin
Honored Contributor

Re: EVA 5000 with DMZ Hosts

> The DMZ host can only see the LUNs on that port only.

A virtual disk is always presented on all 4 controller ports - if you can spoof a WWPN, you can bypass the EVA's LUN masking.
.
TTr
Honored Contributor

Re: EVA 5000 with DMZ Hosts

> A virtual disk is always presented on all 4 controller ports

That would mean that the host ports on the EVA are on a mini HUB.
Uwe Zessin
Honored Contributor

Re: EVA 5000 with DMZ Hosts

No, of course not. But unlike some other arrays you cannot control to which port a virtual disk is presented. If one of the host's WWPNs matches, access is possible.
.
gstonian
Trusted Contributor

Re: EVA 5000 with DMZ Hosts

We didn't use the EVA5000 in the end. We could have enabled port security on the Cisco switches, but it was a costed option.

Thanks for responses
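The point made above is that the EVA's LUN masking keys on the WWPN alone and every virtual disk sits on all four controller ports, so the fabric is the place to pin a DMZ host to its physical switch port (the port security option mentioned in the last reply). The following is an added example, not code from this thread or from HP or Cisco: a small Python audit that parses a constructed fabric-login listing in the style of a Cisco MDS `show flogi database` and reports a pWWN logged in on a port other than the one bound to it, or the same pWWN logged in on two ports at once. The sample rows, the binding table and the port roles are all hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a Cisco MDS "show flogi database" listing
# (not real switch output). fc1/4 is the hypothetical DMZ host port; it has
# logged in with the same pWWN as the internal host on fc1/3 (the spoof case).
FLOGI_SAMPLE = """\
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x0a0100  50:00:1f:e1:50:0a:aa:01  50:00:1f:e1:50:0a:aa:00
fc1/2      10    0x0a0200  50:00:1f:e1:50:0a:aa:02  50:00:1f:e1:50:0a:aa:00
fc1/3      10    0x0a0300  21:00:00:e0:8b:12:34:56  20:00:00:e0:8b:12:34:56
fc1/4      20    0x140100  21:00:00:e0:8b:12:34:56  20:00:00:e0:8b:ab:cd:ef
fc1/5      20    0x140200  21:00:00:e0:8b:99:99:99  20:00:00:e0:8b:99:99:99
"""

# Hypothetical binding table: the one pWWN expected to log in on each switch
# port (the relationship a port-security database enforces on the switch).
EXPECTED_BINDINGS = {
    "fc1/1": "50:00:1f:e1:50:0a:aa:01",  # array controller port
    "fc1/2": "50:00:1f:e1:50:0a:aa:02",  # array controller port
    "fc1/3": "21:00:00:e0:8b:12:34:56",  # internal host HBA
    "fc1/4": "21:00:00:e0:8b:aa:bb:cc",  # DMZ host HBA
    "fc1/5": "21:00:00:e0:8b:99:99:99",  # DMZ host HBA
}
WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
ROW = re.compile(rf"^(?P<intf>fc\d+/\d+)\s+(?P<vsan>\d+)\s+(?P<fcid>0x[0-9a-f]+)"
                 rf"\s+(?P<pwwn>{WWN})\s+(?P<nwwn>{WWN})\s*$", re.IGNORECASE)

def parse_flogi(text: str) -> List[Dict[str, str]]:
    """Return one dict per fabric-login row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({k: v.lower() for k, v in m.groupdict().items()})
    return rows

def audit(rows: List[Dict[str, str]], bindings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag a pWWN on a port it is not bound to, and a pWWN logged in on two ports."""
    findings, seen = [], {}
    for r in rows:
        expected = bindings.get(r["intf"], "").lower()
        if expected != r["pwwn"]:
            findings.append(("binding-mismatch",
                             f"{r['intf']}: {r['pwwn']} logged in, expected {expected or 'nothing'}"))
        seen.setdefault(r["pwwn"], []).append(r["intf"])
    for pwwn, ports in seen.items():
        if len(ports) > 1:
            findings.append(("duplicate-pwwn", f"{pwwn} logged in on {', '.join(ports)}"))
    return findings
```

On the constructed sample the audit reports fc1/4 as a binding mismatch and the internal host's pWWN as logged in on both fc1/3 and fc1/4; on a fabric where port security is active the switch would have refused that second login instead.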