Hardening Dell Storage Center (SC) – Compellent
Over the last year or so, I’ve helped multiple companies recover from ransomware events utilizing snapshots on their storage arrays. In several of these instances, the customer’s backups were compromised along with their production environment. A storage array can be a nice part of a recovery strategy, as they seem to be targeted less frequently than other parts of your data-center.
If you want to help make sure that your storage array is there for you when you need it, however, you need to make sure it is as secure as possible. Most of these steps are applicable to any storage array, but I’ve made this guide specific to the Dell Storage Center array with a few particular recommendations.
Here are some best practices for hardening your Dell Storage Center / Compellent:
Change your default Admin password. Many Dell SC systems were deployed using the same Admin user. Note that the username is case sensitive, some are “admin” and some are “Admin”. In many cases, they were deployed with a 3 digit password. Change it!
If you are using Fibre Channel, use individual zones for each initiator. Do not just create one giant zone with all your hosts in it. From here: “Each HBA port requires its own Fibre Channel zone that contains itself and the SC Series front–end ports. Independent zones should be created for each HBA installed in the host.“
If you are using iSCSI, make sure you utilize authentication.
Separate / firewall your management and data networks. Physical isolation is best, because it also protects against attacks that may target shared hardware.
Secure your DNS and NTP services. The storage array relies on these being secure and accurate. Compromised DNS will break down many of the other protections.
Whether you are using local or directory authentication, make sure you implement strong password policies. The Storage Center does not support MFA, so this is the best thing we can do.
If you are using directory authentication, consider requiring a separate admin account for access to the storage arrays. Apply higher levels of rigor regarding password complexity and expiration to these accounts.
Apply the principle of least privilege to your storage center accounts. If an account only requires access to reporting, do not give it administrative rights.
Make sure the iDRAC is cabled, ideally on a segregated and firewalled network, and has a strong non-default password applied. I have seen the iDRAC be critical in resumption of services after an attack.
If possible, replicate your data to a remote storage array. Tunnel your replication traffic via VPN.
Physically control access to your SAN. The easiest way to compromise one of these arrays is to simply take the whole thing.
Make sure that the web browsers you are using for administrative access are supported and up to date. An attack could start with an incorrectly validated cert, or even an admin clicking through an invalid certificate. Like DNS, proper certificate hygiene is important.
If you want your data to be secure at rest, utilize self-encrypting drives with external key management services.
Run your Dell Storage Manager (DSM) appliance on an external server. We frequently find an isolated external physical server is a good spot to run DSM. This way, if your virtualization cluster is affected, you may still be able to manage your storage to begin recovery.
Make sure you are taking snapshots on a reasonable schedule. If you expire your snapshots every 4 hours, they probably won’t be of any use to you in a ransomware situation. How often you take snapshots, and how long you keep them is an important consideration.
For more ideas, check out the official Dell guide to securing the Dell SC Storage Array, located Here
Do you have any ideas for how to secure a Dell SC storage array? Any questions on the steps above? Would you like to see a guide for hardening other storage arrays? Let me know in the comments below.