DS8000 Service Documentation Version 6.3.3

Overview

The HMC manages all network connectivity and remote support as shown in Figure 1. Each storage facility is connected through a redundant private Ethernet fabric to one or two HMCs. The HMC is also connected to the customer's network and it functions as a firewall and application proxy between the networks.
Figure 1. Overview of the DS8000 network and remote support
The redundant Ethernet fabric consists of two separate Ethernet networks. Each network node is assigned nonroutable, private IP addresses (see Table 1). Communication on the private network uses proprietary socket communication and is secured by message authentication and by SSL-based encryption.
Table 1. Address ranges of the storage facility private network

Setting    Address range
           DS8000® Black network (eth0)                          DS8000 Gray network (eth3)
Default    172.16.0.0 to 172.16.255.255                          172.17.0.0 to 172.17.255.255
Option 1   10.235.158.0 to 10.235.159.255 (10.235.158.0/23)      10.236.158.0 to 10.236.159.255 (10.236.158.0/23)
Option 2   192.168.162.0 to 192.168.163.255 (192.168.162.0/23)   192.168.164.0 to 192.168.165.255 (192.168.164.0/23)
Option 3   9.15.132.0 to 9.15.133.255 (9.15.132.0/23)            9.16.132.0 to 9.16.133.255 (9.16.132.0/23)
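As an added example that is not IBM's code and not part of this documentation, the following Python uses the standard ipaddress module to verify that each Table 1 range collapses to one prefix, to classify an address onto the Black or Gray fabric, and to report which option's ranges overlap a customer's own subnets. The customer subnets are constructed sample values, and the use of the table to avoid such overlaps is an assumption of the example, not a statement from the page.

```python
"""Audit the DS8000 private-network options from Table 1 (added example)."""
import ipaddress

# Table 1 transcribed: option -> (Black network eth0, Gray network eth3),
# each as the "first to last" address range printed in the table.
PRIVATE_NETWORK_OPTIONS = {
    "Default":  (("172.16.0.0", "172.16.255.255"),
                 ("172.17.0.0", "172.17.255.255")),
    "Option 1": (("10.235.158.0", "10.235.159.255"),
                 ("10.236.158.0", "10.236.159.255")),
    "Option 2": (("192.168.162.0", "192.168.163.255"),
                 ("192.168.164.0", "192.168.165.255")),
    "Option 3": (("9.15.132.0", "9.15.133.255"),
                 ("9.16.132.0", "9.16.133.255")),
}


def range_to_network(first, last):
    """Collapse a first..last range into exactly one CIDR prefix; raise if
    the range does not align to a prefix (catches transcription errors)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single prefix: {nets}")
    return nets[0]


def fabric_networks(option):
    """Return (black, gray) networks for one Table 1 option."""
    black, gray = PRIVATE_NETWORK_OPTIONS[option]
    return range_to_network(*black), range_to_network(*gray)


def fabric_of(address, option):
    """Classify an address as 'black', 'gray' or None under the chosen option."""
    ip = ipaddress.ip_address(address)
    black, gray = fabric_networks(option)
    if ip in black:
        return "black"
    if ip in gray:
        return "gray"
    return None


def conflicting_options(customer_subnets):
    """Map each option to the customer subnets (constructed input) that
    overlap its Black or Gray fabric; an empty list means no conflict."""
    subnets = [ipaddress.ip_network(s) for s in customer_subnets]
    result = {}
    for option in PRIVATE_NETWORK_OPTIONS:
        black, gray = fabric_networks(option)
        result[option] = [str(s) for s in subnets
                          if s.overlaps(black) or s.overlaps(gray)]
    return result
```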

The HMC does not route traffic between the networks; no IP forwarding is configured on the HMC. On the HMC, a firewall is configured to enable only the ports and traffic that are needed for DS8000 connectivity. All security-sensitive configuration changes (network, firewall, remote support) can be performed only on the local HMC. For audit purposes, each network node keeps log files of user activity and authentication.

The VPN is a point-to-point connection, initiated by a proprietary VPN client on the HMC and connected to the VPN server within the IBM Demilitarized Zone (DMZ). The connectivity entry point into the IBM infrastructure is likewise secured by a DMZ. The VPN employs the IPSec protocol with the Triple DES encryption algorithm (168-bit). Triple DES (3DES) is a strong form of encryption that allows sensitive information to be transmitted over untrusted networks.