Airgap for ECS
Introduction
The add-on solution for Data Security for ECS offers maximum data protection with an automated cyber vault. This solution provides Enterprise Airgap capabilities, ensuring secure data isolation and automated synchronization for your ECS environment. It fully integrates with existing ECS infrastructure, simplifying compliance with the NIST cybersecurity framework.
The Enterprise Airgap for ECS automates data synchronization using a containerized ECS Sync, providing high throughput and scalability. The Vault agent manages job scheduling directly, eliminating the need for complex out-of-band setups.
Data Security Compliance with NIST Key Framework Attributes
Framework Attribute | How Data Security Complies | Compliance Status |
---|---|---|
Identify | Threat identified by user name and IP address | Compliant |
Protect | Stops the threat with user lockout in real time | Compliant |
Detect | User behavior-based, tripwire, and well-known extension detection | Compliant |
Respond | Alerting email, syslog, and automated snapshot creation | Compliant |
Recover | Object level tracking and recovery from bucket versions | Compliant |
Key Features
- S3 to S3 Airgap Support: Supports secure replication between S3 buckets.
- CAS to CAS Airgap Support: Support for Content Addressable Storage (CAS) replication.
- Inside-the-Vault Automation: Provides seamless automation capabilities within the vault environment.
- Enterprise Airgap: Hardened solution with in-band management, offering complete automation from a VM inside the vault.
- Smart Airgap Technology: Synchronizes data only when safe, reducing risks. Scheduling is managed by the Vault agent for reliable control.
- Per S3 Bucket Level Replication: Supports granular replication at the individual bucket level.
- Data Immutability: Uses ECS object lock and bucket versioning to protect data from unauthorized modifications.
- Rapid Recovery: The ECS cluster in the vault provides an immutable data copy at petabyte scale, ensuring integrity during recovery.
- Many-to-One Protection: Allows you to consolidate multiple source ECS clusters into a single ECS Vault cluster.
- IAM User Lockout: Locks out IAM users to prevent unauthorized actions.
- Job History and Reports: Access detailed job history and airgap reports through the user interface. Reports can also be emailed on a schedule.
- In-Band Management and Alerts: Monitor Vault storage capacity, hardware, and space availability with managed alerts.
Pre-Requisites
Performance Considerations
- Get Up-to-Date Performance Estimates: For the latest performance metrics, refer to ECSSync's performance page: General Performance Metrics.
- Recommendations and Best Practices:
  - Use five job definitions per Airgap ECSSync instance for optimal performance.
  - Throughput rates per ECSSync instance are detailed in the link above. Enterprise Airgap can scale from 3 to 99 instances as needed.
Load Balancer Support
If you have a load balancer in front of your ECS, configure its IP during the "Add Managed Device" step. To access this option, navigate to Eyeglass Menu -> Add Managed Device -> ECS. This links the load balancer's IP to your ECS and ensures that airgap jobs managed by the vault agent connect to the correct ECS cluster.
Deployment Diagram
Configuration
- Follow the Installation Guide for Ransomware Defender for ECS: Ransomware Defender for ECS.
- Deploy Dell Vault Hardware: Deploy the Dell Vault hardware with VMware pre-installed.
- Deploy Enterprise Vault Agent ECA Cluster: Deploy the Enterprise Vault Agent ECA cluster to the vault hardware. Refer to the guide for details.
- Configure Firewall Settings: Configure the firewall as specified in the port table in the "Firewall Requirements" section.
- Install Enterprise Airgap License Key: Install the Enterprise Airgap license key in Eyeglass using the License Manager.
  - Access License Manager:
    - Go to Eyeglass Main Menu -> License Management.
    - Navigate to: License Management > Manage Licenses > Browse.
    - Upload the zipped file downloaded in the previous step.
  - Tip: For more information, see Register Superna License.
- Set Up Eyeglass IP Address and API Token on Vault Agent
  - Set Up Eyeglass:
    - Open the main menu in Eyeglass and select "Eyeglass REST API."
    - Create a new token, name it "vault," and copy the token. Use this value where "yyyyyy" is required.
    - Tip: For more information regarding "Eyeglass REST API", see "Token Generation and Authentication".
  - Configure Vault Agent:
    - Log in to the vault agent as ecaadmin.
    - Open Configuration File: Run the following command to open the configuration file:
      nano /opt/superna/eca/eca-env-common.conf
    - Add Eyeglass Location: Add the Eyeglass location:
      export EYEGLASS_LOCATION=x.x.x.x
    - Add Eyeglass API Token: Add the Eyeglass API token:
      export EYEGLASS_API_TOKEN=yyyyyy
    - Enable Object Services for Enterprise Airgap:
      export ECS_SYNC_CFG=true
    - Save and Exit Configuration: Save and exit the configuration file using control + x.
    - Restart ECA Cluster: Restart the ECA cluster:
      ecactl cluster down
      ecactl cluster up
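The vault-agent step above is a three-line edit to eca-env-common.conf followed by a cluster restart. The script below is an added example, not Superna's own tooling: it applies those three exports idempotently and refuses to write the file while the IP is malformed or the token is still the "yyyyyy" placeholder from the guide, so a copy-pasted template cannot be restarted into a cluster that can no longer reach Eyeglass. The conf path is the one the page names; the ECA_CONF override and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Superna's tooling: apply the three Enterprise Airgap
# exports to the vault agent's eca-env-common.conf idempotently and validate them
# first. The conf path is the one the page names; override with ECA_CONF for testing.
CONF="${ECA_CONF:-/opt/superna/eca/eca-env-common.conf}"

# set_export FILE KEY VALUE: rewrite an existing "export KEY=..." line or append one,
# so re-running never leaves two conflicting definitions of the same variable.
set_export() {
  file="$1"; key="$2"; value="$3"
  if [ -f "$file" ] && grep -q "^export ${key}=" "$file"; then
    # temp file instead of sed -i: portable across GNU and BSD sed
    sed "s|^export ${key}=.*|export ${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'export %s=%s\n' "$key" "$value" >> "$file"
  fi
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255 (rejects the x.x.x.x placeholder)
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for oct in $(echo "$1" | tr '.' ' '); do
    [ "$oct" -le 255 ] || return 1
  done
}

# configure_vault_agent FILE EYEGLASS_IP TOKEN: validate, then set all three variables.
# Returns non-zero without touching the file if the IP is malformed or the token is
# empty or still the documentation placeholder "yyyyyy".
configure_vault_agent() {
  file="$1"; ip="$2"; token="$3"
  valid_ipv4 "$ip" || { echo "invalid Eyeglass IP address: $ip" >&2; return 1; }
  case "$token" in
    ""|yyyyyy) echo "Eyeglass API token missing or still the placeholder" >&2; return 1 ;;
  esac
  set_export "$file" EYEGLASS_LOCATION "$ip"
  set_export "$file" EYEGLASS_API_TOKEN "$token"
  set_export "$file" ECS_SYNC_CFG true
}

# show_airgap_config FILE: print just the Airgap-relevant lines for a post-edit check
show_airgap_config() {
  grep -E '^export (EYEGLASS_LOCATION|EYEGLASS_API_TOKEN|ECS_SYNC_CFG)=' "$1"
}

# On the vault agent, run as ecaadmin, then restart so the new settings take effect:
#   configure_vault_agent "$CONF" 10.0.0.5 "<token copied from Eyeglass REST API>" \
#     && show_airgap_config "$CONF" && ecactl cluster down && ecactl cluster up
```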
Follow These Steps to Configure the Vault Agent
- Add ECS Clusters to the Vault Agent: Run the following command to add ECS clusters to the vault agent:
  ecactl ecs add --host x.x.x.x --user <user>
  - Enter the IP address of the management interface and the service account user. Refer to the Eyeglass Service Account Minimum Privileges for details.
  - Repeat the process for each managed production and vault ECS cluster.
- Verify Configuration: To verify the added clusters, run:
  ecactl ecs list
One-Time ECS Sync Instance Configuration
- Access the ECS Sync UI:
  https://x.x.x.x/ecssyncui
- Login Credentials: Log in with ecaadmin and the default password 3y3gl4ss.
- Configure Path and Email Address: Click the Config tab, enter the config path /opt/emc/ecs-sync/config, and provide an email address.
  - Note: This email will not be used for any alerting but is required as an input.
- Update Sync Settings: Uncheck the option labeled "Auto Archive: automatically archive completed syncs."
Configure ECS Sync Jobs
- Access ECS Sync UI:
  https://x.x.x.x/ecssyncui
  - Info: Each vault agent has an ecssync container; enter the IP address of each instance to add jobs to the copy engine.
- Login Credentials: Log in using ecaadmin and the default password 3y3gl4ss.
  - Note: Always change the default password. Follow the steps provided here for details.
- Add Jobs: See detailed steps below for adding jobs in the "How to Create ECSSync Jobs" section.
- Save Jobs: Save the job configurations after making changes.
Add ECSSync Jobs to Vault Agent
Add ECSSync jobs to the vault agent for management and integration with Eyeglass.
- List Configured Jobs: This command lists all configured jobs:
  ecactl ecssync listjobs
- Add Job to Managed List:
  ecactl ecssync addjob --job xxxx
  - Info: Replace xxxx with the job name from the list. This adds the job to the managed job list.
Push ECS Job Definitions to Eyeglass
- Register Jobs: Push all defined and added jobs to the vault agent for management, monitoring, and scheduling in Eyeglass:
  ecactl ecssync updatejobs
Log in to Eyeglass
- Open Airgap Icon.
- Access ECS Sync Config Tab: The newly added jobs should appear automatically and show a status of "Not Scheduled."
- Enable Ransomware Defender Airgap Control: Click the checkbox to enable Ransomware Defender Smart Airgap control and set the schedule for each ECS Sync job listed.
- Save Changes: Click "Save" after making any changes to a policy. Set the schedule and save, then repeat for each policy that displays "Not Scheduled."
- Open Jobs Icon to Enable the Job: Click the jobs icon to enable the job. The default state is disabled, and no sync jobs will run until enabled.
Verify Vault Agent Schedule Change
- Log in to the vault agent.
- Run the command to list schedules:
  ecactl ecssync schedules
- The schedule should be displayed for each policy configuration.
Test a Sync Job
- Start a Job from Vault Agent CLI: Run the following command to force start a job:
  ecactl ecssync startjob --job xxxx
  Replace xxxx with the name of the policy configured, which you can verify by running:
  ecactl ecssync checkjobs
- Verify Job Status in ECS Sync GUI:
  - Once the sync job has been started from the command line, you can verify the status directly in the ECS Sync GUI.
  - Navigate to the "Status" tab in the ECS Sync UI.
  - Look for the "Active Operations" section, where you will see the job listed along with its progress details.
  - The job should display a progress bar indicating the completion percentage. It will show "100% Complete" once the job finishes successfully.
  - Verify that there are no errors reported under the job entry. The "ETA" and "data transfer rate" will also be displayed for additional context.
  - Note: Do not archive jobs. They are managed by the Vault Agent, and archiving them manually can disrupt job management.
- List All Jobs: List all configured and active jobs in the Vault Agent for monitoring and review.
Done
How to Create ECSSync Jobs
Airgap Operations
Vault Agent CLI Commands for Airgap
Performance Table for CAS Files
File Count/Size | Time | Rate (Size per Second) | Rate (Objects per Second) | Threads Allocated | CPU Usage (%) During Copy | Memory Usage (%) During Copy | Number of CPUs Used |
---|---|---|---|---|---|---|---|
787,095 files (8B each) | 3h 23m 57s | 73.42 KB/s | 62 files/s | 1 | ecssync: 74.58%, mariadb: 34.35%, others as below | ecssync: 44.47%, mariadb: 17.97%, others as below | 1 |
CPU and Memory Graphs During Copy
CPU Usage Graph:
Memory Usage Graph:
See Also
For installation and operations for Airgap for PowerScale, see the Airgap Installation guide and Airgap Jobs guide.