  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5147

Disk Sanitization on EMC CLARiiON

I know this is a fairly generalized question, without having the exact EMC model number(s), etc.
I need to securely erase several EMC fibre-channel drive arrays.  (3 pass+verify)

The EMC is a platform that I am not familiar enough with to be confident with any standard tools, but I had read about the "symerase" tool that applies to EMC Symmetrix.   Hoping there was a similar reasonably priced tool for the Clariion.

If not, I wonder if anyone has any experience erasing these drives using any alternative methods?   For example, using an x86 server connected directly to the Fibre...

Any thoughts or suggestions are appreciated!
Thanks in advance!
0
1 Solution
 
ChopperCentury Commented:
From navisphere, destroy LUNs and storage groups
0
 
ChopperCentury Commented:
FYI, the destroy option from navisphere or navicli from command line makes the destruction irreversible.
0
 
joshky (Author) Commented:
Thanks for the quick responses, ChopperCentury.   Does this process overwrite all addressable sectors, remapped sectors, and protected areas of the disk?   The 3-pass / verify I referred to would require this.   Correct me if I'm wrong (without the unit nearby to test) - but the steps you suggest sound like the equivalent of breaking a RAID group, leaving the members orphaned with the potential for reconstruction.

Does this process take quite a bit of time to perform?   Can you provide any command line help provided by the tool on the console?  (i.e. navicli /?)

Thanks again for your quick reply!
0
 
ChopperCentury Commented:
Most EMC documentation is inside the Powerlink website. However, the following link includes the CLI commands. http://www.datadisk.co.uk/html_docs/emc/emc_navisphere_cs.html
As for Navisphere, you launch this Java app by going to the SP IP address of the Clariion. You then navigate to the LUNs and unbind each, then destroy the storage groups....that will eradicate everything. Navisphere is very easy to navigate once you have it launched.
0
 
David Commented:
That utility will NOT perform the 3-pass write + verify, nor even will it get to the protected areas of the disk.  I take it you are going for compliance, meaning the DoD-compliant write 1, write 0, write random, followed by a verify.   Since your question is generic, then I will tell you a few gotchas, and what you need to consider.

1) You need to attach the host computer in such a way (using a JBOD, or expansion enclosure) that is directly attached to the individual disks.  You can't run anything that talks to the disks behind the controller, i.e, you can't run any software that connects so that the host computer can see the LUNs.  This prevents pass-through to individual disks.  Even if the disk is configured as a non-RAID, it is still virtualized.

2) The other problem is that some EMCs use 520-byte HDD sectoring, which is going to throw off most software (and operating systems).  

Google "smartmon-ux"; it WILL do a DoD erase of 512, 520 and 528-byte sectored disks ...  It will work with SAS, FC, SATA, SCSI, etc ... and it will handle EMC disks, but just remember, you have to connect to the disks without the EMC controller getting in the middle of things.

0
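The write 1, write 0, write random, then verify sequence described in the answer above, as an added example (not code from the thread and not how smartmon-ux works). It runs against a constructed image file laid out in 520-byte sectors and assumes "write 1" means all-one bits; reaching remapped sectors or protected areas needs direct-attached, drive-level tooling as the answer says.

```python
import hashlib
import os
import tempfile

SECTOR_SIZES = (512, 520, 528)  # sector sizes mentioned in the thread


def run_pass(f, sectors, sector, make_block):
    """Write one pass sector by sector, then read it back and compare digests."""
    written, readback = hashlib.sha256(), hashlib.sha256()
    f.seek(0)
    for _ in range(sectors):
        block = make_block(sector)
        f.write(block)
        written.update(block)
    os.fsync(f.fileno())  # flush the pass; a real tool also bypasses caches on read-back
    f.seek(0)
    for _ in range(sectors):
        readback.update(f.read(sector))
    return written.digest() == readback.digest()


def three_pass_erase(path, sector=520):
    """Ones, zeros, random; returns {pass_name: verified} for an image file."""
    size = os.path.getsize(path)
    if sector not in SECTOR_SIZES or size == 0 or size % sector:
        raise ValueError("size must be a non-zero multiple of a supported sector size")
    passes = [  # assumption: "write 1" means all-one bits (0xFF)
        ("ones", lambda n: b"\xff" * n),
        ("zeros", lambda n: b"\x00" * n),
        ("random", os.urandom),
    ]
    with open(path, "r+b", buffering=0) as f:
        return {name: run_pass(f, size // sector, sector, make) for name, make in passes}


def demo(sector=520):
    """Build a constructed 8-sector image, erase it, report (results, marker_left)."""
    marker = b"CONSTRUCTED-SAMPLE-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker.ljust(sector, b".") * 8)
        path = tmp.name
    try:
        results = three_pass_erase(path, sector)
        with open(path, "rb") as f:
            return results, marker in f.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A failed verify on any pass, or a size that is not a whole number of sectors, should stop the job and be recorded rather than retried silently.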
 
ChopperCentury Commented:
Sorry for the delayed response. To answer your question, the method I gave does not perform a 3-pass. However, it does make the data non-recoverable due to the proprietary RAID system of the EMC.

If you are looking to decommission the storage system and provide proof of non-recover...simply drill the drives, this will save time and give peace of mind to stakeholders and make auditors smile.
Most large corporations simply drill the drives (i.e. Wells Fargo, etc..)
Other than that you need a prescribed destruction procedure from the vendor but EMC will generally tell you to unbind LUN and destroy SG.
0
 
David Commented:
"Drilling" the drives is not satisfactory.  It does not meet any compliance standards such as HIPAA.  I can not believe that any stakeholders/share holders will smile if you do not meet compliance.  Anybody can go dumpster diving and grab gigabytes of data from a "drilled" disk with the proper equipment.

Degaussing with proper equipment and grinding the platters so that no piece of the media is large enough to handle a block of data are the 2 methods that work assuming the NIST CLEAR or NIST PURGE or DOD 5220-M methods of secure are not viable options.  
0
 
ChopperCentury Commented:
Yes, you can recover some data from a single hole, possibly.
Disagreed, this will and has satisfied HIPAA, PCI and federal regulators. The platter shatters with impact from a standard hammer after a few holes. Standard validated with sending drives to firms to attempt recovery.
Given shred is preferred but the equipment is expensive.

I'm out until the author is back in the conversation.
0
 
joshky (Author) Commented:
Thanks to both of you, and apologies for my absence.   ChopperCentury, physical destruction of the drives isn't an option.   And the data must not be recoverable.

dlethe, I appreciate your thorough responses!  Sounds like you've gotten your hands dirty a bit with drive erasure.  So, it sounds like I can keep all of the drives in the enclosure but it would work best with a separate server/HBA.  Would you recommend any particular Fibre Channel HBA to use in conjunction with the smartmon-ux utility?

I may have a follow-up question or two for you, if you don't mind!  Aside from that, I consider this question very well answered...
0
 
David Commented:
Chopper - not to put you on the spot, but I have seen standards on HIPAA, NIST, and others, and have done things with my day job actually working with developers to test products.  Changes were made to HIPAA in 2009 and "punching" is no longer compliant.

You have to read up on the HITECH act which was passed in 2009. Here is something on NIST (there are several variations, but NIST PURGE, NIST CLEAR and DoD-522M are variations on secure erase, and the only government standards that are, well, standards).

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Now I'm not perfect, so if you have an official government document that says drilling is acceptable that is dated after the passing of the HITECH act, then I would be interested in knowing about it.

==============
Anyway, whatever Fibre Channel HBA you have today will be fine.  There aren't any HBAs that have embedded RAID, and that is what will mess you up.
0
 
ChopperCentury Commented:
Good info, thanks. The standard I was referring to is an internal company standard for data destruction, not external.
My experience comes from the financial sector and HIPAA is not as paramount as PCI and federal examiner guidelines. Given there are FI's involved in medical banking that may fall under the crazy HIPAA rules.
As long as examiners were satisfied with drilling then I was as well.
I never feel on the spot, this is a learning tool even for those giving answers.

 However, I openly offer you a challenge to come reconstruct data from one of my drilled drives. The casing sounds like a sack of rocks :)

  Have a good night fellas.
0
 
joshky (Author) Commented:
Awesome!
0
 
David Commented:
Chopper -  I assure you that data can be reconstructed from a tiny piece. I won't take you up on the challenge, because I don't have the equipment.  But consider that with areal density of 1Gbit per square mm on latest technology, then you can do the math and see how many GBytes worth of data can be recovered from just bits and pieces.  I have done some time with certain national security sites, and they don't use any of the techniques even mentioned here.  They have to basically turn the HDD into dust .. using equipment onsite.  
0
