Solved

Sanitizing Brocade encrypted FC switch before returning to vendor

Posted on 2014-01-23
Last Modified: 2014-01-25
We have a faulty encrypted Brocade fibre switch:
after the vendor has replaced it, we need to sanitize it
before returning it to the supplier.

However, when we tried to reset its settings to factory
settings, it wouldn't allow us.  Thus, we deleted the
FabricOS.


Q1:
What are the ways / measures people usually take
before returning such a switch?

Q2:
Is deleting the FabricOS good enough to sanitize it?

Q3:
Is there an NVRAM or HDD inside the switch that
could be easily removed from the machine for
degaussing?

Q4:
By deleting the FabricOS, does it delete the config?
Question by:sunhux
Author Comment

by:sunhux
Attached is a screen of the console messages after we've deleted
the FabricOS
BrocadeScr.zip

Assisted Solution

by:dlethe
dlethe earned 230 total points
Frankly, I do not know if there is a HDD inside it, but if you degauss the drive then you effectively destroy any warranty so they probably wouldn't even take it back.

I do work for DoD and government and in such situations the procedure is to contact the manufacturer directly.  If this was a HDD, for example, and you had top-secret data on it, then the RMA policy would be that you physically destroy the device and send proof (which is site-dependent, but can be nothing more than providing a serial number via an audited process).

Dead/dying hardware can't be properly initialized, so the only safe way to do this is via the manufacturer directly and ask what they will allow.  Believe me, there is a process. There may even be a vendor specific command for just such a thing,  that is only known by field support or OEMs.  In any event they absolutely have a way to deal with this.

Besides, deleting the O/S or initializing it doesn't mean that proprietary information gets destroyed.  Deleting is not the same as sanitizing.

Author Comment

by:sunhux
> degauss the drive then you effectively destroy any warranty so they probably
> wouldn't even take it back.

We had a word with the reseller and he's OK with it.

I just need to know if the Brocade encryption switch
a) stores its configuration (zoning info) in NVRAM or on a HDD?
b) is this NVRAM or HDD easily removed?

Assisted Solution

by:dlethe
dlethe earned 230 total points
You don't degauss NVRAM, and there is absolutely NVRAM.  You can't remove it without damaging the motherboard.

I do not know if there is also a HDD, but I expect there is not.  If you destroy either, then it will turn the switch into a paperweight.

I expect if the reseller was aware that you will brick the switch if you go down this path then they wouldn't give you permission.   Call Brocade support directly and ask about the sanitization process.

Accepted Solution

by:btan
btan earned 270 total points
Just to add on: if it is a real encryption switch, probably one means is to consider wiping the crypto key used to encrypt the static storage (if any) in the switch.

As for the dynamic volatile memory, it should have a limited lifetime as it doesn't persist, unlike the non-volatile type. In this case, the safer option is not even to return it to them, and to have some sort of RMA scheme that lets you retain it and still get a replacement. It will be higher cost, but that depends on your org's risk appetite; some companies just destroy them or retain them for a certain lifetime after which the data is no longer of value or impact...

The switch doesn't seem to have "storage" as such; its purpose is to perform encryption for the SAN connected to it, etc. Better to have support clarify... it does come with a smart card, and the crypto is supposed to be unlocked on successful card authentication. We do need to be wary about recovery: assuming the card is spoilt, where is the backup crypto key or password keyfile stored (they should be securely wiped)?

More info on brocade SAN protection
http://www.brocade.com/downloads/documents/books/securing-fibre-channel-fabrics-bk.pdf

The Brocade encryption device features the following:
• Up to 96 Gbps processing bandwidth for disk encryption
• Up to 48 Gbps processing bandwidth for tape encryption with
compression
• Encryption using the industry standard AES-256 algorithm
• Compression using a variant of gzip
• 8 Gbps FC port speeds
• Disk encryption latency of 15–20 microseconds
• Tape encryption and compression latency of 30–40 sec
• Brocade-developed encryption ASIC technology
• FC switching connectivity based on the Brocade Condor 2 ASIC
• Dual Ethernet ports for HA synchronization and heartbeats
• Smart Card reader used as a System Card (ignition key optional)

Below is an FAQ that may be useful...
http://www.brocade.com/downloads/documents/faqs/brocade-encryption-faq.pdf

Q Can encryption be used to protect confidential information on decommissioned storage?
A Brocade provides support for Device Decommissioning, a license-free feature that
enables managed destruction of LUN data prior to decommissioning a disk array. Device
decommissioning deletes the key ID metadata on designated LUNs and within the
encryption device itself, providing a one-step, low-cost means of retiring arrays as an
alternative to expensive degaussing, physical destruction, or overwrite techniques. The
operation also creates an audit log of action to provide a verifiable means of the data
destruction. Once the data on the disk is destroyed, the key used to decrypt it is also
destroyed.
 
Device Decommissioning is supported in Brocade FOS 6.4 for EMC’s RSA RKM (DPM)
and NetApp LKM key managers. Brocade FOS 7.1 expands Device Decommissioning
support to HP ESKM, IBM TKLM, SafeNet KeySecure, and Thales TEKA.
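The "Device Decommissioning" step quoted from the FAQ above is cryptographic erasure: the key ID metadata is dropped on the LUN and in the device, and the key itself is destroyed at the key manager, so the ciphertext left on the array becomes unrecoverable without any overwrite or degaussing. The following is an added illustration of that mechanism, not Brocade's code and not part of the original thread. It assumes an in-memory dict standing in for the external key manager (the RKM/LKM/TKLM role), an HMAC-SHA256 counter-mode keystream standing in for the switch's AES-256, and the class names KeyManager, EncryptionDevice and Lun, which are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode, XORed over the data.

    Stand-in for the AES-256 the real switch uses (assumption for this
    example). It is symmetric, so the same call encrypts and decrypts, and
    without `key` the ciphertext is indistinguishable from noise.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    """Simulated external key manager (hypothetical; models the RKM/LKM/TKLM role).

    Holds data-encryption keys by key ID. The encryption device never keeps
    the key bytes, only the key ID that references them.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)  # 256-bit key
        return key_id

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]  # KeyError once the key has been destroyed

    def destroy_key(self, key_id: str) -> None:
        self._keys.pop(key_id)

    def has_key(self, key_id: str) -> bool:
        return key_id in self._keys


@dataclass
class Lun:
    name: str
    key_id: Optional[str]   # key ID metadata stored with the LUN
    nonce: bytes
    ciphertext: bytes       # what physically remains on the array


class EncryptionDevice:
    """Minimal model of the in-fabric encryption device and its decommission step."""

    def __init__(self, km: KeyManager) -> None:
        self.km = km
        self.luns: Dict[str, Lun] = {}
        self.key_metadata: Dict[str, str] = {}   # device-side copy of LUN -> key ID
        self.audit_log: List[dict] = []

    def write_lun(self, name: str, plaintext: bytes) -> str:
        key_id = self.km.create_key()
        nonce = secrets.token_bytes(16)
        ciphertext = keystream_xor(self.km.get_key(key_id), nonce, plaintext)
        self.luns[name] = Lun(name, key_id, nonce, ciphertext)
        self.key_metadata[name] = key_id
        return key_id

    def read_lun(self, name: str) -> bytes:
        key_id = self.key_metadata[name]                 # KeyError if decommissioned
        lun = self.luns[name]
        return keystream_xor(self.km.get_key(key_id), lun.nonce, lun.ciphertext)

    def can_decrypt(self, name: str) -> bool:
        try:
            self.read_lun(name)
            return True
        except KeyError:
            return False

    def decommission(self, name: str) -> str:
        """Cryptographic erase: drop the key ID metadata on the LUN and in the
        device, destroy the key at the key manager, and write an audit record.
        The ciphertext is deliberately left on the array: with the key gone it
        cannot be recovered, so no overwrite or degaussing is needed."""
        key_id = self.key_metadata.pop(name)
        self.luns[name].key_id = None
        self.km.destroy_key(key_id)
        self.audit_log.append({"action": "decommission", "lun": name,
                               "key_id": key_id,
                               "key_destroyed": not self.km.has_key(key_id)})
        return key_id


if __name__ == "__main__":
    km = KeyManager()
    dev = EncryptionDevice(km)
    dev.write_lun("lun0", b"constructed sample LUN contents")   # constructed input
    print("before:", dev.read_lun("lun0"))
    dev.decommission("lun0")
    print("after :", dev.can_decrypt("lun0"), dev.audit_log[-1])
```

The point the model makes for the RMA question is that the sensitive material lives in two places, the key manager and the device's key ID metadata; both must be cleared, and the audit record should capture that the key is actually gone, not just that the command ran. Zoning configuration is a separate matter and is not covered by this erase.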

Assisted Solution

by:btan
btan earned 270 total points
Here is another interesting one for performing destruction, and they sell used switches too. They can be a good channel to consult on destruction services since they deal with re-selling.

http://www.liquidtechnology.net/used-brocade-switches.php

Data destruction

http://www.liquidtechnology.net/data-destruction-services.php

Author Comment

by:sunhux
There's only zoning info in the switches so I guess it's not
that sensitive to the extent that we need to degauss the
NVRAM but I'll see what our corporate security guys say

Thanks