Document fins/I0911-1
FIN #: I0911-1
SYNOPSIS: Current Sun StorEdge 3900/6900 documentation incorrectly describes
implementation of secure access for Sun StorEdge Remote Response
configurations
DATE: Dec/16/02
KEYWORDS: Current Sun StorEdge 3900/6900 documentation incorrectly describes
implementation of secure access for Sun StorEdge Remote Response
configurations
---------------------------------------------------------------------
- Sun Proprietary/Confidential: Internal Use Only -
---------------------------------------------------------------------
FIELD INFORMATION NOTICE
(For Authorized Distribution by SunService)
SYNOPSIS: Current Sun StorEdge 3900/6900 documentation incorrectly describes
implementation of secure access for Sun StorEdge Remote Response
configurations.
Sun Alert: No
TOP FIN/FCO REPORT: No
PRODUCT_REFERENCE: Sun StorEdge 3900/6900
PRODUCT CATEGORY: Storage / Documentation
PRODUCTS AFFECTED:
Systems Affected
----------------
Mkt_ID   Platform   Model   Description                   Serial Number
------   --------   -----   -----------                   -------------
  -      Anysys       -     System Platform Independent         -

X-Options Affected
------------------
Mkt_ID   Platform   Model   Description                   Serial Number
------   --------   -----   -----------                   -------------
  -      3900        ALL    3900 StorEdge Array                 -
  -      6900        ALL    6900 StorEdge Array                 -

PART NUMBERS AFFECTED:
Part Number   Description   Model
-----------   -----------   -----
     -             -          -
REFERENCES:
BugId: 4735401 - SSRR and Customer access to SSP - Incorrect documentation
in 816-5253-10.
Manual: 816-5253-10: Sun StorEdge 3900/6900 Series 1.1 Reference and Service
Manual
PROBLEM DESCRIPTION:
Current Sun StorEdge 3900/6900 documentation incorrectly states how to
implement secure access from a customer's LAN to a Sun StorEdge Remote
Response configuration. The existing documentation is misleading and
results in confusion for the customer as well as field personnel.

This issue affects any Sun StorEdge 3900/6900 platform configured with
Sun StorEdge Remote Response (SSRR) hardware and software.

As part of this configuration, customers are requested to attach a
modem for remote monitoring purposes. This modem connection creates
certain security issues which are addressed in several ways by the SSRR
software. Some customers desire access from their LAN to the 3900/6900
Storage Service Processor (SSP) in order to monitor the platform via
the installed StorADE software. This access is permitted, provided
that it is done in a secure manner.

The current documentation incorrectly specifies that the only solution
for accessing the SSP via a LAN is by installing an Ethernet hub. It
has been determined by Product Engineering that this policy is too
restrictive. It may cause problems for field personnel during
discussions with customers regarding implementation of a security
screen for the SSRR configuration.

This issue has been addressed by a change to the documentation. The
new documentation will provide a more generic solution. Instead of a
specific reference to hubs and firewalls, the new documentation will
provide a general statement directing the customer to implement a
private network consistent with their own security procedures.

Page 6-4 of the Sun StorEdge 3900 and 6900 Series 1.1 Reference and
Service Manual (816-5253-10) will be changed as follows:

PREVIOUS WORDING: "For customers who activate the Sun StorEdge Remote
                  Response service and want to access the Storage Service
                  Processor through their local LAN, Sun suggests using
                  an additional Ethernet hub for this use. The optional
                  Ethernet hub provides additional firewall functionality
                  to protect the customer LAN from unauthorized access."

NEW WORDING:      "For customers who activate the Sun StorEdge Remote Response
                  service and want to access the Storage Service Processor
                  through their local LAN, Sun suggests that the customer
                  implement their standard security procedures as they see
                  fit for creating a private network with access from their
                  Local Area Network."
IMPLEMENTATION:
     ---
    |   |   MANDATORY (Fully Pro-Active)
     ---
     ---
    |   |   CONTROLLED PRO-ACTIVE (per Sun Geo Plan)
     ---
     ---
    | X |   REACTIVE (As Required)
     ---
CORRECTIVE ACTION:
The following recommendation is provided as a guideline for authorized
Sun Services Field Representatives who may encounter the above
mentioned problem.

When installing SSRR on a 3900/6900 platform, please advise the
customer of the following security information. This information will
be found on page 6-4 of the updated Sun StorEdge 3900/6900 Series 1.1
Reference and Service Manual.

"For customers who activate the Sun StorEdge Remote Response service
and want to access the Storage Service Processor through their local
LAN, Sun suggests that the customer implement their standard security
procedures as they see fit for creating a private network with access
from their Local Area Network."
COMMENTS:
There have been requests by customers who have implemented SSRR to have
local email notification capabilities included as part of their
requirements. This has been worked around (due to security violations
with sendmail) by manually sending email from the SSRR servers directly
to the customer.

StorADE is working on implementing other forms of sending email that
will not be in violation of most, if not all, security requirements.
--------------------------------------------------------------------------
Implementation Footnote:
i) In case of MANDATORY FINs, Sun Services will attempt to contact
all affected customers to recommend implementation of the FIN.
ii) For CONTROLLED PROACTIVE FINs, Sun Services mission critical
support teams will recommend implementation of the FIN (to their
respective accounts), at the convenience of the customer.
iii) For REACTIVE FINs, Sun Services will implement the FIN as the
need arises.
----------------------------------------------------------------------------
Copyright (c) 1997-2003 Sun Microsystems, Inc.