Sanitizing Brocade encrypted FC switch before returning to vendor

Posted on 2014-01-23
Last Modified: 2014-01-25
We have a faulty encrypted Brocade fibre switch:
after the vendor has replaced it, we need to sanitize it
before returning it to the supplier.

However, when we tried to reset it to factory
settings, it wouldn't allow us.  Thus, we deleted the
FabricOS.


Q1:
What are the ways / measures people usually take
before returning such a switch?

Q2:
Is deleting the FabricOS good enough to sanitize it?

Q3:
Is there an NVRAM or HDD inside the switch that
could be easily removed from the machine for
degaussing?

Q4:
By deleting the FabricOS, does it delete the config?
Question by:sunhux
7 Comments
 

Author Comment

by:sunhux
ID: 39805469
Attached is a screen of the console messages after we've deleted
the FabricOS
BrocadeScr.zip
 
LVL 47

Assisted Solution

by:David
David earned 920 total points
ID: 39806707
Frankly, I do not know if there is a HDD inside it, but if you degauss the drive then you effectively destroy any warranty so they probably wouldn't even take it back.

I do work for DoD and government and in such situations the procedure is to contact the manufacturer directly.  If this was a HDD, for example, and you had top-secret data on it, then the RMA policy would be that you physically destroy the device and send proof (which is site-dependent, but can be nothing more than providing a serial number via an audited process).

Dead/dying hardware can't be properly initialized, so the only safe way to do this is via the manufacturer directly and ask what they will allow.  Believe me, there is a process. There may even be a vendor specific command for just such a thing,  that is only known by field support or OEMs.  In any event they absolutely have a way to deal with this.

Besides, deleting the O/S or initializing it doesn't mean that proprietary information gets destroyed.  Deleting is not the same as sanitizing.
 

Author Comment

by:sunhux
ID: 39808218
> degauss the drive then you effectively destroy any warranty so they probably
> wouldn't even take it back.

We had a word with the reseller & he's OK with it.

I just need to know if the Brocade encryption switch
a) stores its configurations (zoning info) in an NVRAM or a HDD?
b) is this NVRAM or HDD easily removed?
 
LVL 47

Assisted Solution

by:David
David earned 920 total points
ID: 39808241
You don't degauss NVRAM, and there is absolutely NVRAM.  You can't remove it without damaging the motherboard.  

I do not know if there is also a HDD, but I expect there is not.  If you destroy either, then it will turn the switch into a paperweight.

I expect if the reseller was aware that you will brick the switch if you go down this path then they wouldn't give you permission.   Call Brocade support directly and ask about the sanitization process.
 
LVL 64

Accepted Solution

by:
btan earned 1080 total points
ID: 39808291
Just to add on: if it is a real encrypted switch, probably a means is to consider wiping the crypto key used to encrypt the static storage (if any) in the switch.

As for the dynamic volatile memory, it should have a limited lifetime as it doesn't persist, unlike the non-volatile type. In this case, the safer option is not even to return it to them and have some sort of RMA scheme to retain it and still get a replacement. It will be higher cost, but that depends on your org's risk appetite; some companies just destroy them, or retain them for a certain lifetime after which the data is no longer of good value or impact...

The switch doesn't seem to have "storage", as its purpose is to perform encryption for the SAN connected to it, etc. Better to have support clarify... it does come with a smart card, and the crypto is supposed to be opened via successful card auth. We do need to be wary about recovery, assuming the card is spoilt, and where this backup crypto key or password keyfile is stored (they should be securely wiped).

More info on brocade SAN protection
http://www.brocade.com/downloads/documents/books/securing-fibre-channel-fabrics-bk.pdf

The Brocade encryption device features the following:
• Up to 96 Gbps processing bandwidth for disk encryption
• Up to 48 Gbps processing bandwidth for tape encryption with
compression
• Encryption using the industry standard AES-256 algorithm
• Compression using a variant of gzip
• 8 Gbps FC port speeds
• Disk encryption latency of 15–20 microseconds
• Tape encryption and compression latency of 30–40 sec
• Brocade-developed encryption ASIC technology
• FC switching connectivity based on the Brocade Condor 2 ASIC
• Dual Ethernet ports for HA synchronization and heartbeats
• Smart Card reader used as a System Card (ignition key optional)

Below is an FAQ that may be useful...
http://www.brocade.com/downloads/documents/faqs/brocade-encryption-faq.pdf

Q Can encryption be used to protect confidential information on decommissioned storage?
A Brocade provides support for Device Decommissioning, a license-free feature that
enables managed destruction of LUN data prior to decommissioning a disk array. Device
decommissioning deletes the key ID metadata on designated LUNs and within the
encryption device itself, providing a one-step, low-cost means of retiring arrays as an
alternative to expensive degaussing, physical destruction, or overwrite techniques. The
operation also creates an audit log of action to provide a verifiable means of the data
destruction. Once the data on the disk is destroyed, the key used to decrypt it is also
destroyed.
 
Device Decommissioning is supported in Brocade FOS 6.4 for EMC’s RSA RKM (DPM)
and NetApp LKM key managers. Brocade FOS 7.1 expands Device Decommissioning
support to HP ESKM, IBM TKLM, SafeNet KeySecure, and Thales TEKA.
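Added worked example, not part of this thread and not Brocade's own code: a small simulation on a byte array standing in for the switch's NVRAM/flash, contrasting the three outcomes the answers above argue about. Deleting a file (which is all that deleting FabricOS or a config file does) only drops the directory entry, so a raw read of the chip still finds the bytes; overwriting destroys them; and for data written under a per-LUN key, destroying that key in the key manager is the sanitizing step, which is the idea behind the Device Decommissioning FAQ quoted above. The HMAC-SHA256 counter-mode keystream, the KeyVault class and the sample zoning string are stand-ins and constructed data, not the switch's AES-256 implementation or any real key-manager API.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample of the kind of data the asker says is on the switch.
SAMPLE_CONFIG = b"zone: host01_hba0 -> array01_port3 LUN 7"


class Media:
    """Byte array standing in for the switch's NVRAM/flash. 'directory' maps a
    name to (offset, length); deleting a name drops only the entry, which is all
    that deleting an OS image or config file does to the underlying bytes."""

    def __init__(self, size=4096):
        self.raw = bytearray(size)
        self.directory = {}
        self._next = 0

    def write(self, name, data):
        off = self._next
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next += len(data)

    def read(self, name):
        off, ln = self.directory[name]
        return bytes(self.raw[off:off + ln])

    def delete(self, name):
        del self.directory[name]            # logical delete: bytes untouched

    def overwrite(self, name):
        off, ln = self.directory.pop(name)   # sanitize: destroy the bytes
        self.raw[off:off + ln] = os.urandom(ln)

    def raw_contains(self, needle):
        """What a forensic read of the bare chip would turn up."""
        return bytes(self.raw).find(needle) != -1


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stand-in for the switch's AES-256."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def xor_crypt(key, nonce, data):
    """Encrypt and decrypt are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class KeyVault:
    """Stand-in for the external key manager; one data-encryption key per LUN."""

    def __init__(self):
        self.keys, self.audit = {}, []

    def create(self, key_id):
        self.keys[key_id] = bytearray(os.urandom(32))
        self.audit.append("create " + key_id)

    def get(self, key_id):
        return bytes(self.keys[key_id])      # KeyError once decommissioned

    def decommission(self, key_id):
        """Crypto-erase: zeroize the key in place, drop it, log the action."""
        k = self.keys.pop(key_id)
        k[:] = bytes(len(k))
        self.audit.append("decommission " + key_id)


def demo():
    """Three ways of 'removing' the same data; returns what each leaves behind."""
    r = {}
    m = Media()
    m.write("config", SAMPLE_CONFIG)
    m.delete("config")
    r["deleted_still_on_media"] = m.raw_contains(SAMPLE_CONFIG)

    m = Media()
    m.write("config", SAMPLE_CONFIG)
    m.overwrite("config")
    r["overwritten_still_on_media"] = m.raw_contains(SAMPLE_CONFIG)

    vault, nonce, m = KeyVault(), os.urandom(16), Media()
    vault.create("lun7-dek")
    m.write("lun7", xor_crypt(vault.get("lun7-dek"), nonce, SAMPLE_CONFIG))
    r["encrypted_still_on_media"] = m.raw_contains(SAMPLE_CONFIG)
    r["decrypts_with_key"] = xor_crypt(vault.get("lun7-dek"), nonce, m.read("lun7")) == SAMPLE_CONFIG
    vault.decommission("lun7-dek")
    try:
        vault.get("lun7-dek")
        r["decrypts_after_decommission"] = True
    except KeyError:
        r["decrypts_after_decommission"] = False
    r["audit"] = vault.audit
    return r
```

Calling `demo()` shows the deleted config still present on the media, the overwritten one gone, and the encrypted LUN unreadable after the key is decommissioned while the audit list records both key events. The caveat for the real switch is the one the answers make: the zoning config is stored by FabricOS in its own flash, not under a LUN key, so key destruction covers the SAN data path and not the switch's own configuration.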
 
LVL 64

Assisted Solution

by:btan
btan earned 1080 total points
ID: 39808295
Here is another interesting one for performing destruction, and they sell used switches too. They can be a good channel to consult on destruction services too, since they deal with re-selling.

http://www.liquidtechnology.net/used-brocade-switches.php

Data destruction

http://www.liquidtechnology.net/data-destruction-services.php
 

Author Comment

by:sunhux
ID: 39808511
There's only zoning info in the switches so I guess it's not
that sensitive to the extent that we need to degauss the
NVRAM but I'll see what our corporate security guys say

Thanks
