1.3 Security and Privacy

1.3.1 Security Best Practices

As a security best practice, you should apply patches that address security vulnerabilities to your PlateSpin Server host, as you would for other Windows servers in your enterprise.

Micro Focus is aware of the side-channel analysis vulnerabilities described in CVEs 2017-5715, 2017-5753 and 2017-5754, known as Meltdown and Spectre. We strongly recommend that you apply security updates that address such threats as recommended by Microsoft for the Windows Server you use as the PlateSpin Server host. See Protect Your Windows Devices Against Spectre and Meltdown on the Microsoft Support website.

1.3.2 Encryption of Data in Transmission

Transfer encryption makes the transmission of your workload data more secure during workload replication. When encryption is enabled, over-the-network data transfer from the source to the target is encrypted by using AES (Advanced Encryption Standard).

NOTE: Data encryption has a performance impact and might significantly slow down the data transfer rate by up to 30%.

You can enable or disable encryption individually for each workload by selecting the Encrypt Data Transfer option. See Workload Protection Details.

1.3.3 Security of Client/Server Communications

The PlateSpin Server enables SSL on the PlateSpin Server host, providing secure data transmission between your web browser and the PlateSpin Server with HTTPS (Hypertext Transfer Protocol Secure). The installation also adds a self-signed certificate if no valid certificates are found.

1.3.4 Security of Credentials

PlateSpin Protect protects credentials by using an SSL connection for communications and the Windows cryptographic library to encrypt passwords.

Credentials that you use to access various systems (such as workloads and failback targets) are stored in the PlateSpin Protect database and are therefore covered by the same security safeguards that you have in place for your PlateSpin Server host.

In addition, credentials are included within diagnostics, which are accessible to accredited users. You should ensure that workload protection projects are handled by authorized staff.

1.3.5 User Authorization and Authentication

PlateSpin Protect provides a comprehensive and secure user authorization and authentication mechanism based on user roles, and controls application access and operations that users can perform. See Configuring User Authorization and Authentication.

1.3.6 SQL Server System Administrator User Password

PlateSpin Protect includes Microsoft SQL Server Express Edition that you can optionally use with PlateSpin Server. Initially, the database engine uses a generated password for the SQL system administrator user (sa). You can use your Windows Administrator credentials and SQL management tools to modify the password without needing to know the generated password.

For improved security, we strongly recommend that you modify the password for the SQL Server sa credentials after you set up PlateSpin Server in your environment. See Modifying the Password for the SQL Server Express System Administrator User in the PlateSpin Protect Installation and Upgrade Guide.

1.3.7 Windows Authentication for Microsoft SQL Server Database

PlateSpin Protect provides the ability to use Windows Authentication for access to the Microsoft SQL Server database. See Requirements for Windows Authentication to the Microsoft SQL Server Database.

1.3.8 Port Settings and Firewalls

Table 1-4 lists the default ports used by PlateSpin Protect. If you configure custom ports, you must open those ports instead. For communications between the PlateSpin Server and the source and target machines it manages, ensure that you also open the appropriate ports on any firewalls between them. Traffic for communications is bidirectional (incoming and outgoing). See also Access and Communication Requirements across Your Protection Network.

Table 1-4 Default Ports Used by PlateSpin Protect

| Port Number | Protocol | Function | Details |
|---|---|---|---|
| 80 | TCP | HTTP | (Not secure) Used for HTTP communications between the PlateSpin Server host and the source and target machines it manages. Open this port on your PlateSpin Server host, the source and target workloads, and the VMware ESXi hosts. |
| 443 | TCP | HTTPS | (Secure) Used for HTTPS communications, if SSL is enabled, between the PlateSpin Server host and the source and target machines. Open this port on your PlateSpin Server host, the source and target workloads, the VMware ESXi hosts, and the vCenter host server. |
| 3725 | TCP | Data transfer | Used for data transfer between the source and target machines, including file-based transfer and block-based transfer. Open this port on the source and target machines for all workloads. Any firewall between a source and its target must also allow TCP port 3725. See Supported Configurations. |
| 135, 445 | TCP | RPC/DCOM | Used for RPC/DCOM communications on Windows machines during the discovery process, and when taking control and rebooting the source machine. Open these ports for communications between the source and target machines for all Windows workloads. See Supported Windows Workloads. |
| 137, 138, 139 | TCP | NetBIOS | Used for NetBIOS communications (name service, datagram service, and session service). Open these ports for communications between the source and target machines for all Windows workloads. See Supported Windows Workloads. |
| 137, 138 | UDP | SMB | Used for SMB communications for the file transfer of the Take Control folder and files from the PlateSpin Server to the source machine. Open these ports on your PlateSpin Server host and the source workloads. |
| 139, 445 | TCP | SMB | |
| 22 | TCP | | Used for SSH and SCP communications on Linux machines during the discovery process. Open this port on the source and target machines for all Linux workloads. See Supported Linux Workloads. |
| 25 | TCP | SMTP | Used for SMTP traffic if email notification is enabled. Open this port on the PlateSpin Server host and the mail relay host. |
| 25 | UDP | SMTP | |
| 1433 | TCP | SQL | Used for Microsoft SQL Server communications for authentication and data exchange to a remote SQL Server. Open the SQL ports on your PlateSpin Server host and the remote SQL Server host, as well as on any firewalls between them. For more information about the SQL Server port requirements, see Configure the Firewall to Allow Server Access in the Microsoft Developers Network. |
| 1434 | TCP | SQL | Used for the Microsoft SQL Server dedicated administrator connection. |
| 1434 | UDP | SQL | Used for the Microsoft SQL Server named instances. This port might be required when you use named instances on a remote SQL Server. |
| 49152 to 65535 | TCP | SQL | Used for the Microsoft SQL Server or RPC for LSA, SAM, and Netlogon. If you have configured Microsoft SQL Server to use a specific TCP port, you must open that port on the firewall. See Requirements for Windows Authentication to the Microsoft SQL Server Database. |
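
After you open the ports, you can confirm from one machine that the TCP ports in Table 1-4 are actually reachable on a peer. The script below is an added example, not part of the PlateSpin documentation or product; the role names, function names, and script name are assumptions made for illustration.

```python
import socket
import sys

# TCP ports taken from Table 1-4. The role names are labels invented for this
# example. UDP entries and the NetBIOS name/datagram ports (137, 138) are not
# probed, because a TCP connect cannot confirm them.
REQUIRED_TCP = {
    "platespin_server": [80, 443],
    "windows_workload": [80, 443, 3725, 135, 139, 445],
    "linux_workload": [80, 443, 3725, 22],
    "remote_sql_server": [1433],
    "mail_relay": [25],
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, name failure
        return False


def audit(host, role, ports=None, timeout=2.0):
    """Map each TCP port required for `role` to True (reachable) or False."""
    wanted = REQUIRED_TCP[role] if ports is None else ports
    return {port: tcp_open(host, port, timeout) for port in sorted(wanted)}


def blocked(results):
    """List the ports that did not accept a connection."""
    return [port for port, ok in results.items() if not ok]


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in REQUIRED_TCP:
        sys.exit("usage: check_ports.py HOST ROLE   roles: " + ", ".join(REQUIRED_TCP))
    failed = blocked(audit(sys.argv[1], sys.argv[2]))
    print("all required TCP ports reachable" if not failed else f"blocked: {failed}")
    sys.exit(1 if failed else 0)
```

A port reported as blocked failed to connect for any reason, including no service listening on it, so confirm the service is running before you change firewall rules. If you configured custom ports, pass them through the `ports` argument instead of the defaults.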