Solved

Disk Sanitization on EMC CLARiiON

Posted on 2011-02-20
Last Modified: 2012-05-11
I know this is a fairly generalized question, without having the exact EMC model number(s), etc.
I need to securely erase several EMC fibre-channel drive arrays.  (3 pass+verify)

The EMC is a platform that I am not familiar enough with to be confident with any standard tools, but I had read about the "symerase" tool that applies to EMC Symmetrix. Hoping there was a similar reasonably priced tool for the CLARiiON.

If not, I wonder if anyone has any experience erasing these drives using any alternative methods?   For example, using an x86 server connected directly to the Fibre...

Any thoughts or suggestions are appreciated!
Thanks in advance!
0
Comment
Question by:joshky
13 Comments
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34939702
From Navisphere, destroy LUNs and storage groups.
0
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34939728
FYI, the destroy option from navisphere or navicli from command line makes the destruction irreversible.
0
 

Author Comment

by:joshky
ID: 34939740
Thanks for the quick responses, ChopperCentury.   Does this process overwrite all addressable sectors, remapped sectors, and protected areas of the disk?   The 3-pass / verify I referred to would require this.   Correct me if I'm wrong (without the unit nearby to test) - but the steps you suggest sound like the equivalent of breaking a RAID group, leaving the members orphaned with the potential for reconstruction.

Does this process take quite a bit of time to perform?   Can you provide any command line help provided by the tool on the console?  (i.e. navicli /?)

Thanks again for your quick reply!
0
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34939859
Most EMC documentation is inside the Powerlink website. However, the following link includes the CLI commands. http://www.datadisk.co.uk/html_docs/emc/emc_navisphere_cs.html
As for Navisphere, you launch this Java app by going to the SP IP address of the CLARiiON. You then navigate to the LUNs and unbind each, then destroy the storage groups... that will eradicate everything. Navisphere is very easy to navigate once you have it launched.
0
 
LVL 47

Accepted Solution

by:
dlethe earned 500 total points
ID: 34940127
That utility will NOT perform the 3-pass write + verify, nor even will it get to the protected areas of the disk.  I take it you are going for compliance, meaning the DoD-compliant write 1, write 0, write random, followed by a verify.   Since your question is generic, then I will tell you a few gotchas, and what you need to consider.

1) You need to attach the host computer in such a way (using a JBOD, or expansion enclosure) that is directly attached to the individual disks.  You can't run anything that talks to the disks behind the controller, i.e., you can't run any software that connects so that the host computer can see the LUNs.  This prevents pass-through to individual disks.  Even if the disk is configured as a non-RAID, it is still virtualized.

2) The other problem is that some EMCs use 520-byte HDD sectoring, which is going to throw off most software (and operating systems).  

Google "smartmon-ux"; it WILL do a DoD erase of 512, 520 and 528-byte sectored disks. It will work with SAS, FC, SATA, SCSI, etc., and it will handle EMC disks, but just remember, you have to connect to the disks without the EMC controller getting in the middle of things.

0
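The pass sequence named in the accepted answer (write ones, write zeros, write random, verify), as an added Python example that is not from the post and is not how smartmon-ux is implemented. The names `sanitize` and `demo` and the image file are hypothetical, and the code runs against a constructed 520-byte-sectored image file rather than a real disk.

```python
import hashlib
import os

PASSES = ("ones", "zeros", "random")  # order given in the answer above
FILL = {"ones": b"\xff", "zeros": b"\x00"}


def sanitize(path, sector_size=512, chunk_sectors=2048):
    """Overwrite every addressable sector three times, verifying each pass.

    Returns [(pass_name, verified), ...]. Only the addressable range is
    covered: remapped sectors and protected areas are not reached by host writes.
    """
    chunk = sector_size * chunk_sectors
    results = []
    with open(path, "r+b") as dev:
        total = dev.seek(0, os.SEEK_END)  # works for files and block devices
        if total == 0 or total % sector_size:
            # e.g. a 520-byte-sectored disk being treated as 512
            raise ValueError(f"{total} bytes is not a whole number of "
                             f"{sector_size}-byte sectors")
        for kind in PASSES:
            written, readback = hashlib.sha256(), hashlib.sha256()
            dev.seek(0)
            remaining = total
            while remaining:
                n = min(chunk, remaining)
                block = os.urandom(n) if kind == "random" else FILL[kind] * n
                dev.write(block)
                written.update(block)
                remaining -= n
            dev.flush()
            os.fsync(dev.fileno())
            # Verify: read the whole range back and compare digests. On real
            # media the read must bypass the OS cache to mean anything.
            dev.seek(0)
            while data := dev.read(chunk):
                readback.update(data)
            results.append((kind, written.digest() == readback.digest()))
    return results


def demo(path="clariion_test.img"):
    """Constructed sample: 16 sectors of 520 bytes holding a marker string."""
    with open(path, "wb") as f:
        f.write(b"SECRET!!" * 1040)  # 8320 bytes = 16 * 520
    report = sanitize(path, sector_size=520, chunk_sectors=5)
    with open(path, "rb") as f:
        leftover = b"SECRET!!" in f.read()
    os.remove(path)
    return report, leftover
```

Calling `sanitize` on the same image with the default 512-byte sector size raises `ValueError` before anything is written, which is the 520-byte sectoring problem from point 2 showing up as a length mismatch.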
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34943479
Sorry for the delayed response. To answer your question, the method I gave does not perform a 3-pass. However, it does make the data non-recoverable due to the proprietary RAID system of the EMC.

If you are looking to decommission the storage system and provide proof of non-recover...simply drill the drives, this will save time and give peace of mind to stakeholders and make auditors smile.
Most large corporations simply drill the drives (i.e. Wells Fargo, etc.).
Other than that you need a prescribed destruction procedure from the vendor but EMC will generally tell you to unbind LUN and destroy SG.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 34943617
"Drilling" the drives is not satisfactory.  It does not meet any compliance standards such as HIPAA.  I cannot believe that any stakeholders/shareholders will smile if you do not meet compliance.  Anybody can go dumpster diving and grab gigabytes of data from a "drilled" disk with the proper equipment.

Degaussing with proper equipment and grinding the platters so that no piece of the media is large enough to handle a block of data are the 2 methods that work assuming the NIST CLEAR or NIST PURGE or DOD 5220-M methods of secure are not viable options.  
0
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34943990
Yes, you can recover some data from a single hole, possibly.
Disagreed, this will and has satisfied HIPAA, PCI and federal regulators. The platter shatters with impact from a standard hammer after a few holes. Standard validated with sending drives to firms to attempt recovery.
Given shred is preferred but the equipment is expensive.

I'm out until the author is back in the conversation.
0
 

Author Comment

by:joshky
ID: 34946021
Thanks to both of you, and apologies for my absence.   ChopperCentury, physical destruction of the drives isn't an option.   And the data must not be recoverable.

dlethe, I appreciate your thorough responses!  Sounds like you've gotten your hands dirty a bit with drive erasure.  So, it sounds like I can keep all of the drives in the enclosure but it would work best with a separate server/HBA.  Would you recommend any particular Fibre Channel HBA to use in conjunction with the smartmon-ux utility?

I may have a follow-up question or two for you, if you don't mind!  Aside from that, I consider this question very well answered...
0
 
LVL 47

Expert Comment

by:dlethe
ID: 34946708
Chopper - not to put you on the spot, but I have seen standards on HIPAA, NIST, and others, and have done things with my day job actually working with developers to test products.  Changes were made to HIPAA in 2009 and "punching" is no longer compliant.

You have to read up on the HITECH Act, which was passed in 2009. Here is something on NIST. (There are several variations, but NIST PURGE, NIST CLEAR and DoD-522M are variations on secure erase, and the only government standards that are, well, standards.)

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Now I'm not perfect, so if you have an official government document that says drilling is acceptable that is dated after the passing of the HITECH Act, then I would be interested in knowing about it.

==============
Anyway, whatever Fibre Channel HBA you have today will be fine.  There aren't any HBAs that have embedded RAID, and that is what will mess you up.
0
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34947794
Good info, thanks. The standard I was referring to is an internal company standard for data destruction, not external.
My experience comes from the financial sector and HIPAA is not as paramount as PCI and federal examiner guidelines. Given there are FIs involved in medical banking that may fall under the crazy HIPAA rules.
As long as examiners were satisfied with drilling then I was as well.
I never feel on the spot, this is a learning tool even for those giving answers.

 However, I openly offer you a challenge to come reconstruct data from one of my drilled drives. The casing sounds like a sack of rocks :)

  Have a good night fellas.
0
 

Author Closing Comment

by:joshky
ID: 34948041
Awesome!
0
 
LVL 47

Expert Comment

by:dlethe
ID: 34948181
Chopper -  I assure you that data can be reconstructed from a tiny piece. I won't take you up on the challenge, because I don't have the equipment.  But consider that with areal density of 1Gbit per square mm on latest technology, then you can do the math and see how many GBytes worth of data can be recovered from just bits and pieces.  I have done some time with certain national security sites, and they don't use any of the techniques even mentioned here.  They have to basically turn the HDD into dust .. using equipment onsite.  
0
