Solved

Sanitizing Brocade encrypted FC switch before returning to vendor

Posted on 2014-01-23
795 Views
Last Modified: 2014-01-25
We have a faulty encrypted Brocade fibre switch:
after the vendor has replaced it, we need to sanitize it
before returning it to the supplier.

However, when we tried to reset its settings to factory
settings, it wouldn't allow us. Thus, we deleted the
FabricOS.


Q1:
What are the ways / measures people usually take
before returning such a switch?

Q2:
Is deleting the FabricOS good enough to sanitize it?

Q3:
Is there an NVRAM or HDD inside the switch that
could be easily removed from the machine for
degaussing?

Q4:
By deleting the FabricOS, does it delete the config?
Question by: sunhux

7 Comments
Author Comment

by: sunhux
ID: 39805469
Attached is a screen of the console messages after we've deleted
the FabricOS
BrocadeScr.zip
LVL 47

Assisted Solution

by: dlethe
dlethe earned 230 total points
ID: 39806707
Frankly, I do not know if there is a HDD inside it, but if you degauss the drive then you effectively destroy any warranty so they probably wouldn't even take it back.

I do work for DoD and government, and in such situations the procedure is to contact the manufacturer directly.  If this was a HDD, for example, and you had top-secret data on it, then the RMA policy would be that you physically destroy the device and send proof (which is site-dependent, but can be nothing more than providing a serial number via an audited process).

Dead/dying hardware can't be properly initialized, so the only safe way to do this is via the manufacturer directly and ask what they will allow.  Believe me, there is a process. There may even be a vendor specific command for just such a thing,  that is only known by field support or OEMs.  In any event they absolutely have a way to deal with this.

Besides, deleting the O/S or initializing it doesn't mean that proprietary information gets destroyed.  Deleting is not the same as sanitizing.
Author Comment

by: sunhux
ID: 39808218
> degauss the drive then you effectively destroy any warranty so they probably
> wouldn't even take it back.

We had a word with the reseller and he's OK with it.

I just need to know if the Brocade encryption switch
a) stores its configurations (zoning info) in an NVRAM or a HDD?
b) is this NVRAM or HDD easily removed?
LVL 47

Assisted Solution

by: dlethe
dlethe earned 230 total points
ID: 39808241
You don't degauss NVRAM, and there is absolutely NVRAM.  You can't remove it without damaging the motherboard.  

I do not know if there is also a HDD, but I expect there is not.  If you destroy either, then it will turn the switch into a paperweight.

I expect if the reseller was aware that you will brick the switch if you go down this path then they wouldn't give you permission.   Call Brocade support directly and ask about the sanitization process.
LVL 63

Accepted Solution

by: btan
btan earned 270 total points
ID: 39808291
Just to add on: if it is a real encrypted switch, one means would be to consider wiping the crypto key used to encrypt the static storage (if any) in the switch.

As for the dynamic volatile memory, it should have a limited lifetime, as it doesn't persist, unlike the non-volatile type. In this case, the safer option is not even to return it to them, and to have some sort of RMA scheme that lets you retain it and still get a replacement. It will be higher cost, but that depends on your org's risk appetite; some companies just destroy them, or retain them for a certain lifetime after which the data is no longer of value or impact...

The switch doesn't seem to have "storage", as its purpose is to perform encryption for the SAN connected to it, etc. Better to have support clarify... It does come with a smart card, and the crypto is supposed to be unlocked on successful card auth. We do need to be wary about recovery, assuming the card is spoilt: where is the backup crypto key or password keyfile stored (they should be securely wiped)?

More info on brocade SAN protection
http://www.brocade.com/downloads/documents/books/securing-fibre-channel-fabrics-bk.pdf

The Brocade encryption device features the following:
• Up to 96 Gbps processing bandwidth for disk encryption
• Up to 48 Gbps processing bandwidth for tape encryption with
compression
• Encryption using the industry standard AES-256 algorithm
• Compression using a variant of gzip
• 8 Gbps FC port speeds
• Disk encryption latency of 15–20 microseconds
• Tape encryption and compression latency of 30–40 sec
• Brocade-developed encryption ASIC technology
• FC switching connectivity based on the Brocade Condor 2 ASIC
• Dual Ethernet ports for HA synchronization and heartbeats
• Smart Card reader used as a System Card (ignition key optional)

Below is an FAQ that may be useful...
http://www.brocade.com/downloads/documents/faqs/brocade-encryption-faq.pdf

Q Can encryption be used to protect confidential information on decommissioned storage?
A Brocade provides support for Device Decommissioning, a license-free feature that
enables managed destruction of LUN data prior to decommissioning a disk array. Device
decommissioning deletes the key ID metadata on designated LUNs and within the
encryption device itself, providing a one-step, low-cost means of retiring arrays as an
alternative to expensive degaussing, physical destruction, or overwrite techniques. The
operation also creates an audit log of action to provide a verifiable means of the data
destruction. Once the data on the disk is destroyed, the key used to decrypt it is also
destroyed.
 
Device Decommissioning is supported in Brocade FOS 6.4 for EMC’s RSA RKM (DPM)
and NetApp LKM key managers. Brocade FOS 7.1 expands Device Decommissioning
support to HP ESKM, IBM TKLM, SafeNet KeySecure, and Thales TEKA.
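The accepted answer above rests on crypto-erase: the array keeps only ciphertext and a key ID, the data-encryption key (DEK) lives in the key manager, and "device decommissioning" destroys the DEK and the key-ID metadata and writes an audit record. The following is an added example modelling that mechanism; it is not code from the thread or from Brocade. Assumptions: the key manager, LUN and audit-record layout are invented for illustration, and because Python's standard library has no AES, a SHA-256 counter-mode keystream stands in for the AES-256 engine (the erase logic does not depend on the cipher).

```python
# Added example: crypto-erase ("device decommissioning") model. Not Brocade code.
# ASSUMPTION: SHA-256 counter-mode keystream stands in for AES-256; stdlib has no AES.
import hashlib
import secrets
import time


class KeyManager:
    """Holds DEKs by key ID (assumed design) and keeps an append-only audit log."""

    def __init__(self):
        self._keys = {}   # key_id -> bytearray(32); mutable so it can be zeroized
        self.audit = []   # list of dict records

    def log(self, action, actor, **fields):
        self.audit.append({"ts": time.time(), "action": action,
                           "actor": actor, **fields})

    def create_key(self, actor="admin"):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = bytearray(secrets.token_bytes(32))
        self.log("create_key", actor, key_id=key_id)
        return key_id

    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError(f"key {key_id!r} unavailable (destroyed or unknown)")
        return bytes(self._keys[key_id])

    def destroy_key(self, key_id, actor="admin"):
        """Zeroize the key material in place, then forget the key ID."""
        buf = self._keys.pop(key_id)   # KeyError if already gone: never silently repeated
        for i in range(len(buf)):
            buf[i] = 0
        self.log("destroy_key", actor, key_id=key_id)


def _keystream(key, nonce, length):
    """Stand-in for the AES engine: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """Symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class Lun:
    """Encrypted LUN: stores ciphertext plus the key ID, never the DEK itself."""

    def __init__(self, km, name):
        self.name = name
        self.key_id = km.create_key()
        self.nonce = secrets.token_bytes(16)
        self.ciphertext = b""

    def write(self, km, plaintext):
        self.ciphertext = xor_crypt(km.get_key(self.key_id), self.nonce, plaintext)

    def read(self, km):
        if self.key_id is None:
            raise KeyError(f"LUN {self.name} decommissioned: no key ID")
        return xor_crypt(km.get_key(self.key_id), self.nonce, self.ciphertext)


def decommission(km, lun, actor="admin"):
    """Destroy the DEK and the LUN's key-ID metadata; ciphertext stays but is useless."""
    km.destroy_key(lun.key_id, actor)
    lun.key_id = None
    km.log("decommission_lun", actor, lun=lun.name)


def demo():
    """Walk through write -> read -> decommission -> read fails; returns a summary."""
    km = KeyManager()
    lun = Lun(km, "lun0")
    secret = b"constructed sample: zoning config and customer data"
    lun.write(km, secret)
    before = lun.read(km)
    decommission(km, lun, actor="storage-admin")
    try:
        lun.read(km)
        after = "readable"
    except KeyError:
        after = "unreadable"
    # Ciphertext is still on the "array", but a fresh key cannot recover it.
    wrong = xor_crypt(secrets.token_bytes(32), lun.nonce, lun.ciphertext)
    return {"before_ok": before == secret, "after": after,
            "ciphertext_retained": len(lun.ciphertext) == len(secret),
            "wrong_key_recovers": wrong == secret,
            "audit_actions": [r["action"] for r in km.audit]}


if __name__ == "__main__":
    print(demo())
```

The point for the thread: the sanitization guarantee comes from the key manager zeroizing the DEK and the audit record proving it, not from deleting anything on the switch or the array. That is also why the switch itself holds little of value once the DEK is gone, and why the backup copy of the key or keyfile btan mentions must be wiped as carefully as the primary.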
LVL 63

Assisted Solution

by: btan
btan earned 270 total points
ID: 39808295
Here is another interesting option for performing destruction; they sell used switches too. They can be a good channel to consult on destruction services, since they deal with re-selling.

http://www.liquidtechnology.net/used-brocade-switches.php

Data destruction

http://www.liquidtechnology.net/data-destruction-services.php
Author Comment

by: sunhux
ID: 39808511
There's only zoning info in the switches so I guess it's not
that sensitive to the extent that we need to degauss the
NVRAM but I'll see what our corporate security guys say

Thanks