IBM System Storage Ideas Portal

Status Delivered
Created by Guest
Created on Mar 17, 2014

V7000 Security Vulnerabilities related to DISA STIG findings

SPAWAR engineering component for the Dept of the Navy is considering the IBM V7000 for several Navy programs' storage requirements. All systems/devices that are to be considered for procurement need to go through Security Technical Implementation Guides (STIGs) and the NSA Guides security audits; these are the configuration standards for DoD IA and IA-enabled devices/systems.
SPAWAR engineering recently completed an initial security audit of the V7000 system (some more automated scans are to be done later, but these are all the manual checks, with a focus on CAT 2). Each finding is listed below, along with its CAT severity:

1. (CAT 3 finding) The cryptographic module used by the V7000 is not on the FIPS 140-2 approved list. We were wondering if it is using one of the other listed IBM modules (since IBM has a lot of them on there).
2. (CAT 3 finding) The system does not seem to log access attempts (failed or successful) at all. It logs, in the Audit Log, the actions taken, but nothing regarding access attempts. Am I just missing this log, or is this accurate?
3. (Two CAT 2 findings) The system does not appear to allow for the creation of a DoD Login Banner for the GUI, nor for the CLI.
4. (Three CAT 2 findings) Timeouts (to the GUI, CLI and for TCP connections in general) are not configurable, and do not seem to be set at all. We need this set to 10 minutes for the GUI, 60 seconds for SSH, and to be able to drop TCP half-open connections (via a TCP timeout or other mechanism).
5. (CAT 2) NTP does not support authentication.
6. (CAT 2) The system allows for 6 failed connection attempts before dropping the connection. This needs to be configurable to 3.
7. (CAT 3) The system does not allow for multiple NTP servers.
8. (CAT 2) The management interface does not have an ACL to restrict allowed IPs (GUI or SSH).

Please note that SPAWAR cannot field any systems with unmitigated CAT 2 findings at all, so we would really need to have these addressed or at least find some form of mitigation (preferably the former).

Idea priority High
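Findings 2 and 6 above ask for two things the appliance did not do at the time: log every access attempt, and drop a session after 3 failed attempts rather than 6. The following is an added example, not code from the original post or from IBM, showing what a detection or lockout engine consuming such access-attempt records would look like. The log line format and the sample records are constructed for illustration and are not the Storwize/Spectrum Virtualize audit-log format; the 15-minute window and 30-minute lock duration are assumed values, while threshold=3 is the value the post requests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed generic format. This is NOT the
# product's audit-log format (the post says access attempts were not logged).
SAMPLE_LOG = """\
2014-03-17T10:00:01Z v7000-a auth: FAILED login user=superuser from=10.1.2.3 via=ssh
2014-03-17T10:00:05Z v7000-a auth: FAILED login user=superuser from=10.1.2.3 via=ssh
2014-03-17T10:00:09Z v7000-a auth: FAILED login user=superuser from=10.1.2.3 via=ssh
2014-03-17T10:00:12Z v7000-a auth: FAILED login user=superuser from=10.1.2.3 via=ssh
2014-03-17T10:00:20Z v7000-a auth: OK login user=admin from=10.1.2.50 via=gui
2014-03-17T10:30:00Z v7000-a auth: FAILED login user=admin from=10.1.2.50 via=gui
2014-03-17T11:45:00Z v7000-a auth: FAILED login user=admin from=10.1.2.50 via=gui
2014-03-17T11:45:30Z v7000-a auth: FAILED login user=admin from=10.1.2.50 via=gui
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+) via=(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one access-attempt record; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_lockouts(lines, threshold=3, window=timedelta(minutes=15),
                    lock_duration=timedelta(minutes=30)):
    """Replay access attempts and report where a lockout policy would fire.

    Failures are counted per (user, source IP) inside a sliding window, so a
    slow trickle of failures spread over hours does not accumulate.
    Finding kinds:
      lockout                - threshold failures within window for the pair
      attempt_during_lockout - further failure while the pair is locked
      success_during_lockout - login accepted while locked (policy not enforced)
    """
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    locked_until = {}             # (user, src) -> time the lock expires
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparseable line: skip, never count it
        key = (rec["user"], rec["src"])
        ts = rec["ts"]
        locked = key in locked_until and ts < locked_until[key]
        base = {"ts": ts, "user": rec["user"], "src": rec["src"]}
        if rec["result"] == "OK":
            if locked:
                findings.append(dict(base, kind="success_during_lockout", count=0))
            recent[key].clear()     # a successful login resets the failure count
            continue
        if locked:
            findings.append(dict(base, kind="attempt_during_lockout", count=0))
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold:
            findings.append(dict(base, kind="lockout", count=len(q)))
            locked_until[key] = ts + lock_duration
            q.clear()
    return findings


if __name__ == "__main__":
    for f in detect_lockouts(SAMPLE_LOG.splitlines()):
        print(f["ts"].isoformat(), f["kind"], f["user"], f["src"], f["count"])
```

With the sample records and threshold=3, the superuser/10.1.2.3 pair locks on its third failure and the fourth is reported as an attempt during lockout, while the admin/10.1.2.50 failures never reach the threshold because the first one ages out of the 15-minute window. Running the same records with threshold=6, the value the post says the appliance used, produces no findings at all, which is the gap finding 6 is about.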
  • Guest, Nov 24, 2020

    Delivered in 8.4.0 (4Q 2020)

    Customisable Login Message - 7.6.0
    Enhanced Audit Log - 19Q4
    Password and Login Rules - 20Q4

    Thank you for your support of Spectrum Virtualize. Please let me know if you have any questions or comments.

    philipclark@ibm.com

  • Guest, Sep 4, 2015

    North American Electric Reliability Corporation (NERC) standards also require audit logging of access attempts, and logging of same to syslog.

    All North American utilities will be required to conform.
    This function required by 2Q 2016.

  • Guest, Jun 12, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Storage
    Product - IBM Storwize V7000, V5000 and V3000

    For record keeping, the previous attributes were:
    Brand - Tivoli
    Product family - Storage
    Product - IBM Storwize V7000, V5000 and V3000