Alex Osuna
Jesse Acosta
This IBM® Redpaper provides guidelines for the secure configuration of IBM
System Storage™ N series running Network Appliance Data ONTAP. It is
intended for storage and security administrators that wish to improve the overall
security posture of their storage networks. For each configuration area, we
provide only the most secure settings.
The second part of this IBM Redpaper provides a high-level discussion of Data
ONTAP security concepts in the context of a documentation map. Security
administrators should be able to use this map to develop a good working
knowledge of Data ONTAP security even if they have no previous storage
management experience.
Administrative access
This section describes Data ONTAP settings for administrative access.
Root password
The root password setting (Example 1) sets and changes the root password and
the passwords of other user accounts. We recommend enforcing strong password
options (minimum length and complexity) for root and for every user account.
Telnet access
Telnet access enables and disables telnet access to the N series storage system.
Telnet sends credentials and the whole session in cleartext, so we recommend
disabling telnet access (Example 3) and administering the system over SSH instead.
Note: Disabling both telnet and rsh access can provide tighter security.
HTTP access
HTTP access enables and disables HTTP (Web) access to the N series storage
system. We recommend that you disable plain HTTP access (Example 5) and use the
SSL-protected Secure FilerView interface where Web administration is required.
Secureadmin
SecureAdmin provides SSH for command-line administration and SSL for Secure
FilerView. We recommend installing and enabling it (Example 6), which is what
makes it possible to turn off telnet, rsh and plain HTTP without losing
administrative access.
Non-root users
Non-root users (Example 8 on page 4) creates additional accounts for the N
series storage system. We recommend creating non-root user accounts for each
administrator.
Automatic logout
Automatic logout enables (Example 9) and sets an automatic logout from the N
series storage system for console and network sessions. We recommend
enabling it. The specific number of minutes you configure should be based on
your local security policy.
Note: The default parameters for these are on with 60 minute timeouts.
HOSTS.EQUIV access
The /etc/hosts.equiv file lists remote hosts (and optionally users) that are
trusted to run commands over rsh without a password. We recommend disabling this
access (Example 11) by leaving the file empty and disabling rsh.
NFS settings
This section describes Data ONTAP configuration settings for NFS.
Kerberos authentication
Kerberos authentication enables Kerberos authentication for NFS and requires
NFS clients to support Kerberos. We recommend enabling it with this command:
isotuc1> nfs setup
Then, edit /etc/exports for the N series storage system to set sec=krb5,
sec=krb5i, or sec=krb5p in the options field of the exported file systems.
krb5 authenticates each request, krb5i adds integrity protection of the RPC
payload, and krb5p adds encryption of the payload; choose krb5p where the data
itself must be protected on the wire.
LDAP authorization
LDAP authorization enables the LDAP directory lookup service for user
authorization. SSL is also supported for a secure connection. We recommend
enabling it together with either LDAP over SSL (Example 13) or SASL, so that
bind credentials and directory query results are not sent in cleartext.
IPSec
IPSec enables IPSec between NFS clients and the N series storage system. We
recommend enabling AH authentication and ESP payload encryption.
You should also examine the /etc/exports file. See “The /etc/exports file” on
page 6 for more information.
The following examples show how these security services are used in /etc/exports:
To specify one security type:
/vol/volx -sec=sys,rw=host1
To specify multiple security types:
/vol/volx -sec=krb5:krb5i:krb5p,rw=host1
The first form (sec=sys, AUTH_SYS) trusts the user and group IDs that the
client presents; the second accepts only clients that authenticate with one of
the listed Kerberos flavors.
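Because /etc/exports is where the Kerberos, host-list and root-mapping decisions actually take effect, the following added example (it is not from this paper or from Data ONTAP) parses a small constructed exports file in the 7-mode syntax shown above and flags exports that still accept sec=sys, grant rw to every host, set anon=0, grant root=, or omit nosuid; it also renders a hardened replacement line. The sample file, host names and severity labels are constructed for the example, and multiple -sec= segments on one line are merged, which is a simplification of the real syntax.

```python
# Constructed /etc/exports content for this example; not from a real system.
SAMPLE_EXPORTS = """\
# path            options
/vol/vol0/home    -sec=sys,rw=host1:host2,root=host1
/vol/engr         -sec=krb5:krb5i:krb5p,rw=eng-nfs1:eng-nfs2,nosuid
/vol/scratch      -rw,anon=0
/vol/finance      -sec=krb5p,rw=fin1,ro=fin-ro,nosuid
"""

STRONG_SEC = ("krb5", "krb5i", "krb5p")


def parse_exports(text):
    """Parse Data ONTAP /etc/exports lines into (path, flags, lists).

    flags: options given without a value (rw, ro, nosuid);
    lists: options with a value, split on ':' (sec, rw, ro, root, anon).
    Assumption: several -sec= segments on one line are merged rather than
    tracked per host list.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, flags, lists = parts[0], set(), {}
        if len(parts) > 1:
            for opt in parts[1].lstrip("-").split(","):
                opt = opt.strip()
                if not opt:
                    continue
                if "=" in opt:
                    key, val = opt.split("=", 1)
                    lists.setdefault(key, []).extend(val.split(":"))
                else:
                    flags.add(opt)
        exports.append((path, flags, lists))
    return exports


def audit_exports(exports):
    """Return (path, severity, message) for every export that deviates from
    the paper's recommendations (Kerberos only, explicit hosts, no root mapping)."""
    findings = []
    for path, flags, lists in exports:
        sec = lists.get("sec", ["sys"])          # no sec= means sec=sys
        weak = [s for s in sec if s not in STRONG_SEC]
        if weak:
            findings.append((path, "high", f"accepts sec={':'.join(weak)}; the client's "
                             f"claimed uid/gid is trusted (use {','.join(STRONG_SEC)})"))
        if "rw" in flags:
            findings.append((path, "high", "rw without a host list: writable by any "
                             "host that can reach the system"))
        if lists.get("anon") == ["0"]:
            findings.append((path, "high", "anon=0 maps unknown and root requests to uid 0"))
        if "root" in lists:
            findings.append((path, "medium", f"root access granted to "
                             f"{','.join(lists['root'])}; keep this list minimal"))
        if "nosuid" not in flags:
            findings.append((path, "low", "nosuid not set: setuid/setgid executables "
                             "on this export are honoured by clients"))
    return findings


def hardened_line(path, flags, lists):
    """Rewrite one export with the recommended options.  Explicit rw/ro/root host
    lists are kept; anon=0 is dropped (default anon maps to nobody); an rw
    without hosts becomes a placeholder that the administrator must fill in."""
    opts = ["sec=" + ":".join(STRONG_SEC)]
    for key in ("rw", "ro", "root"):
        if key in lists:
            opts.append(f"{key}={':'.join(lists[key])}")
    if "rw" in flags:
        opts.append("rw=HOST1:HOST2")            # placeholder: name the hosts explicitly
    opts.append("nosuid")
    return f"{path} -{','.join(opts)}"


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for finding in audit_exports(parsed):
        print(*finding, sep="\t")
    for path, flags, lists in parsed:
        print("suggested:", hardened_line(path, flags, lists))
```

Run it against a copy of the system's /etc/exports (for example fetched over the root CIFS share or with rdfile on the console) and review every high finding before the change window; the hardened lines are a starting point, not a drop-in replacement, because each rw list still has to be confirmed against the clients that genuinely need write access.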
CIFS settings
This section describes Data ONTAP configuration settings for CIFS.
Kerberos authentication
Kerberos authentication for CIFS enables Microsoft® Active Directory
authentication, which uses Kerberos by default. To do this, select an Active
Directory domain during CIFS setup. We recommend using this authentication.
LDAP authorization
LDAP authorization for CIFS enables Active Directory LDAP for user
authorization. We recommend that you enable LDAP signing and sealing with
SASL and enable LDAP over SSL.
SMB signing
SMB signing attaches a cryptographic signature to each CIFS packet so that
tampering or replay by an attacker on the network path is detected. Signing is
only used when both ends agree to it, so we recommend enabling it on both the
N series (Example 17) and the Windows® clients.
Guest access
This setting (Example 21) enables and disables CIFS guest access, which maps
unknown users to a shared guest account. We recommend disabling it, so that
unauthenticated or unknown users are refused rather than mapped to a guest.
Multiprotocol settings
This section describes multiprotocol configuration settings for Data ONTAP.
Ignore ACLs
When ignore ACLs is on, NTFS ACLs are not applied to requests from root on NFS
clients, so root on any NFS client bypasses file-level ACLs. The option
defaults to off. We recommend leaving it disabled (Example 22 on page 10).
Default NT user
Default NT user specifies the NT user account to use when a UNIX user
accesses a file with NT security (has an ACL) and that UNIX user would not
otherwise be mapped. We recommend setting the option to a null string, which
denies such access rather than granting it under a shared account (Example 25
on page 11).
Note: Perform this step only in multiprotocol systems that have NFS/CIFS
user mapping configured correctly; setting the option to a null string on a
single-protocol (NFS-only or CIFS-only) N series storage system results in
access problems for legitimate users.
Change permissions
When change permissions is enabled, only the root user can change the owner of
a file; ordinary users can no longer give files away with chown. We recommend
enabling it (Example 28). This is the wafl.root_only_chown option referred to
under "User guidance".
Cache credentials
Cache credentials specifies the number of minutes a WAFL credential cache
entry (a user's resolved identity and group membership) remains valid, and so
how long a revoked or changed group membership keeps taking effect. The value
can range from 1 through 20160; we recommend 10 (Example 29 on page 12).
Network settings
This section describes network settings for Data ONTAP.
Incoming packets
This setting (Example 30) enables and disables the checking of incoming
packets for correct addressing, that is, whether a packet arriving on an
interface is actually addressed to that interface. We recommend enabling packet
checking, so that packets addressed to one of the system's other interfaces are
dropped rather than accepted.
MAC Fastpath
With MAC address and interface caching ("Fastpath"), the N series storage
system sends responses back out of the interface on which the request arrived,
directly to the source MAC address of the incoming packet, instead of
consulting its routing table and ARP cache. We recommend disabling this option
(Example 31). Because the reply path is taken from whatever the sender put in
the packet, an attacker who spoofs frames can steer responses to a host of
their choosing, which increases the possibility of ARP spoofing and session
hijacking attacks.
SnapMirror access
SnapMirror access (Example 33 on page 13) specifies, by IP address or host
name, which systems are permitted to request SnapMirror and SnapVault transfers
from this system. We recommend listing only the authorized backup destination
hosts rather than allowing all.
NDMP
NDMP (Example 35) restricts NDMP control and data connections to authorized
hosts. We recommend limiting NDMP backup to authorized hosts only, rather than
accepting control connections from any client.
NDMP authentication
This configuration sets the NDMP authentication type (Example 36). Prefer
challenge (MD5 challenge/response) authentication over plaintext, so that the
NDMP password does not cross the network in the clear.
System services
This section describes Data ONTAP configuration settings for system services.
FTP
This enables and disables FTP. We recommend disabling it (Example 37).
SNMP
This enables and disables SNMP. We recommend disabling it (Example 39).
RSH
This enables and disables RSH. We recommend disabling it (Example 40).
Telnet
This enables and disables telnet. We recommend disabling it (Example 41).
TFTP
This enables and disables TFTP. We recommend disabling it (Example 42).
The options access settings restrict individual services by client host and
network interface. Examples:
options ndmpd.access legacy                   Allow an NDMP server to accept a control connection request from any client.
options rsh.access "host = gnesha.zo"         Allow remote shell access for only one host, named gnesha.zo.
options ssh.access "host=abc,xyz AND if=e0"   Allow SSH access for hosts abc and xyz only when they arrive on network interface e0.
options snmp.access "if=e0,e1,e2"             Allow access to SNMP on network interfaces e0, e1, and e2.
options httpd.access "if != e3"               Do not allow access to HTTPD on network interface e3.
options snapmirror.access legacy              Check access to sources from other N series storage systems using the legacy /etc/snapmirror.allow file.
options snapvault.access all                  Allow a SnapVault server to accept requests from any client.
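The access examples above use a small expression language: the keywords all, none and legacy, and host= and if= clauses with = or != joined by AND or OR. The following added example (not from the paper or from Data ONTAP) is an evaluator for that syntax, so an administrator can test a proposed *.access value against a given client host and interface before applying it, and can list the options that still say all or legacy. Assumptions: clauses are evaluated left to right with no precedence or parentheses, host names are compared as strings without DNS resolution, and the sample option values are constructed from the examples above.

```python
import re

# Constructed from the access examples above; hosts and interfaces are illustrative.
SAMPLE_ACCESS = {
    "ndmpd.access": "legacy",
    "rsh.access": '"host = gnesha.zo"',
    "ssh.access": '"host=abc,xyz AND if=e0"',
    "snmp.access": '"if=e0,e1,e2"',
    "httpd.access": '"if != e3"',
    "snapmirror.access": "legacy",
    "snapvault.access": "all",
}

CLAUSE_RE = re.compile(r"^(host|if)\s*(!=|=)\s*(\S+)$", re.IGNORECASE)


def parse_access(spec):
    """Parse an options *.access value.

    Returns ('all' | 'none' | 'legacy', None) for the keywords, or
    ('expr', [(connector, key, negate, values), ...]) for host=/if= clauses
    joined by AND/OR.  Assumption: no operator precedence or parentheses.
    """
    spec = spec.strip().strip('"').strip()
    if spec.lower() in ("all", "none", "legacy"):
        return (spec.lower(), None)
    tokens = re.split(r"\s+(AND|OR)\s+", spec, flags=re.IGNORECASE)
    clauses, connector = [], None
    for i, tok in enumerate(tokens):
        if i % 2:                                 # odd positions hold the connectors
            connector = tok.upper()
            continue
        m = CLAUSE_RE.match(tok.strip())
        if not m:
            raise ValueError(f"cannot parse clause {tok!r} in {spec!r}")
        key, op, values = m.group(1).lower(), m.group(2), m.group(3)
        clauses.append((connector, key, op == "!=",
                        {v.strip().lower() for v in values.split(",") if v.strip()}))
    return ("expr", clauses)


def is_allowed(spec, host, iface):
    """True/False for an explicit decision; None when 'legacy' hands the decision
    to the service's own mechanism (for example /etc/hosts.equiv for rsh or
    /etc/snapmirror.allow for SnapMirror), which must be reviewed separately."""
    kind, clauses = parse_access(spec)
    if kind != "expr":
        return {"all": True, "none": False, "legacy": None}[kind]
    facts = {"host": host.lower(), "if": iface.lower()}
    result = None
    for connector, key, negate, values in clauses:
        hit = (facts[key] in values) != negate     # != acts as XOR with the negation
        if result is None:
            result = hit
        elif connector == "AND":
            result = result and hit
        else:
            result = result or hit
    return result


def review_access(options):
    """Return the *.access options that do not name explicit hosts or interfaces."""
    return {name: parse_access(spec)[0] for name, spec in options.items()
            if parse_access(spec)[0] in ("all", "legacy")}


if __name__ == "__main__":
    print("ssh from abc on e1:", is_allowed(SAMPLE_ACCESS["ssh.access"], "abc", "e1"))
    print("needs review:", review_access(SAMPLE_ACCESS))
```

A None result is a prompt to open the legacy file the service consults, not a pass; the paper's recommendation for rsh is to leave that file empty and turn the service off.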
iSCSI settings
This section describes iSCSI settings for Data ONTAP.
Per-interface configuration
This enables and disables iSCSI drivers (Example 43) for each network interface.
We recommend enabling iSCSI only where you intend to use it.
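To check a system against the settings recommended throughout the first part of this paper (administrative access, CIFS, multiprotocol, network and system services), the following added example (not from the paper) parses captured output of the 7-Mode options command and lists every deviation together with the options command that corrects it. The option names are taken from Data ONTAP 7-Mode rather than from this paper and are an assumption to confirm with options on your own system; the sample output is constructed; the challenge value for ndmpd.authtype is this example's own recommendation.

```python
import re

# Option names are a Data ONTAP 7-Mode assumption, not from the paper; confirm
# each with `options <name>`.  Values are the paper's recommendations.
BASELINE = {
    "telnet.enable": "off",            # administrative access: telnet
    "rsh.enable": "off",               # system services: RSH
    "httpd.enable": "off",             # administrative access: HTTP
    "ftpd.enable": "off",              # system services: FTP
    "tftpd.enable": "off",             # system services: TFTP
    "snmp.enable": "off",              # system services: SNMP
    "ssh.enable": "on",                # SecureAdmin: SSH
    "ssl.enable": "on",                # SecureAdmin: SSL (Secure FilerView)
    "autologout.console.enable": "on", # automatic logout
    "autologout.telnet.enable": "on",
    "ip.fastpath.enable": "off",       # network: MAC Fastpath
    "cifs.signing.enable": "on",       # CIFS: SMB signing
    "cifs.guest_account": "",          # CIFS: guest access (empty string disables it)
    "cifs.nfs_root_ignore_acl": "off", # multiprotocol: ignore ACLs
    "wafl.default_nt_user": "",        # multiprotocol: default NT user (null string)
    "wafl.root_only_chown": "on",      # multiprotocol: change permissions
    "ndmpd.authtype": "challenge",     # NDMP authentication (this example's choice)
}
MAXIMUMS = {"wafl.wcc_minutes_valid": 10}   # multiprotocol: cache credentials

# Constructed sample of `options` output, including one takeover annotation.
SAMPLE_OPTIONS = """\
autologout.console.enable    on
autologout.console.timeout   60
autologout.telnet.enable     on
autologout.telnet.timeout    60
cifs.guest_account           guest
cifs.nfs_root_ignore_acl     off
cifs.signing.enable          off
ftpd.enable                  off
httpd.enable                 on         (value might be overwritten in takeover)
ip.fastpath.enable           on
ndmpd.authtype               plaintext,challenge
rsh.enable                   on
snmp.enable                  off
ssh.enable                   on
ssl.enable                   on
telnet.enable                on
tftpd.enable                 off
wafl.default_nt_user
wafl.root_only_chown         off
wafl.wcc_minutes_valid       20
"""

ANNOTATION_RE = re.compile(r"\s*\([^)]*\)\s*$")   # trailing "(value might be ...)" notes


def parse_options(text):
    """Map option name -> value from the output of the 7-Mode `options` command."""
    settings = {}
    for line in text.splitlines():
        line = ANNOTATION_RE.sub("", line).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(settings):
    """Return (option, current, recommended) for every deviation from the baseline."""
    findings = []
    for name, want in BASELINE.items():
        have = settings.get(name)
        if have is None:
            findings.append((name, "<not reported>", want))
        elif have != want:
            findings.append((name, have, want))
    for name, limit in MAXIMUMS.items():
        have = settings.get(name, "")
        if not have.isdigit() or int(have) > limit:
            findings.append((name, have or "<not reported>", f"<= {limit}"))
    return findings


def remediation(findings):
    """Render the `options` commands that bring the system back to the baseline."""
    cmds = []
    for name, _have, want in findings:
        value = want if name in BASELINE else str(MAXIMUMS[name])
        shown = value if value else '""'             # null string is set as ""
        cmds.append(f"options {name} {shown}")
    return cmds


if __name__ == "__main__":
    found = audit(parse_options(SAMPLE_OPTIONS))
    for name, have, want in found:
        print(f"{name:30} is {have!r:24} should be {want!r}")
    print("\n".join(remediation(found)))
```

Capture the input with something like ssh root@filer options > filer-options.txt from the administrative host and feed the file to parse_options; keep the captured file with the change record, since it is the evidence of the state before and after remediation.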
The first section describes the administrative functions and interfaces that are
available to administrators and how to administer Data ONTAP securely. The
second section describes the limited set of security interfaces and functions that
are available to the users, describes their use, and includes warnings about
user-accessible functions and privileges that should be controlled.
Administrative guidance
The first step to understanding the security-relevant administrative functions and
interfaces of Data ONTAP is to learn about the basic steps required to access
and manage an N series storage system. The most important documentation on
It is important to note that the users described in chapter 6 are local and should
only be created and used for system administrators and not for normal users.
Basically, when the Data ONTAP documentation refers to users, local users, or
local user accounts, they should be interpreted as local administrator user
accounts. It is possible, in some small workgroup environments, to use these
local accounts for normal user access to files; however, there are many security
problems with this approach and those who wish to use Data ONTAP in a secure
manner should not consider it.
The N series storage system may also be managed using the SSH remote login
protocol or with an SSL-protected version of FilerView called Secure FilerView.
These two methods are only available if the SecureAdmin product is installed
After administrative access has been configured, the next step for managing a
secure N series storage system is to organize your data. The most important
documentation for this process is in chapters 6 and 8 of the IBM System Storage
N series Storage Management Guide:
http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001227&aid=1
Although the choices for volume and qtree security styles may seem confusing at
first, the selection process is actually very simple for most customers:
If a volume or qtree is to be accessed predominantly or exclusively by NFS
clients, select unix.
If a volume or qtree is to be accessed predominantly or exclusively by CIFS
clients, select ntfs.
If a volume or qtree is to be accessed equally by both NFS and CIFS clients
and both types of clients require full control over file access security, select
mixed.
If a volume or qtree is to be used exclusively as a storage location for FCP or
iSCSI LUNs, the security style has no effect.
When you are creating volumes and qtrees for data management, we strongly
recommend organizing data by security requirements. For example, if the plan for
the N series storage system is to store data for two groups (maybe the Finance
and Engineering departments of company) with different access controls, placing
each data set in a separate qtree or in separate volumes makes security
configuration simpler.
After creating and configuring volumes and qtrees to store user data, you must
configure Data ONTAP to identify users so that it can control access to data.
Documentation about this subject is available in the File Access and Protocols
Management Guide:
http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001596&aid=1
For security information, the most important sections of this document are:
Chapter 2: File Access Using NFS
Read the entire chapter, especially the section on providing secure NFS
access.
Chapter 3: File Access Using CIFS
– How CIFS users obtain UNIX credentials
– Sharing directories
– Displaying and changing share properties
– Understanding authentication issues
– Understanding local user accounts
– How share-level access control lists work
– Specifying how group IDs work with share-level ACLs
– Changing and displaying a share-level ACL
– Changing and displaying file-level ACLs
Chapter 7: File Sharing Between NFS and CIFS
– Using LDAP services
– Installing SecureShare Access
– Changing UNIX permissions and DOS attributes from Windows
An important concept to remember is that there are really two different realms of
security to manage when you use Data ONTAP for file access; one realm is the
security of the N series storage system running Data ONTAP, including security
controls on exported file systems (for NFS) and shared directories (for CIFS).
The other is security of individual files and directories. This control is exercised
from NFS clients using the chown and chmod UNIX commands or from CIFS
clients using the procedures in the “Changing and displaying file-level ACLs” and
“Changing UNIX permissions and DOS attributes from Windows” sections.
Because NFS, CIFS, iSCSI, and administrative clients use TCP/IP networking to
access Data ONTAP, the networking for the N series storage system should be
configured for maximum security. The most important documentation for this
purpose is the IBM System Storage N series Network Management Guide:
http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001334&aid=1
We strongly recommend that you configure and enable IPSec (see chapter 8 of
the IBM System Storage N series Network Management Guide).
For systems configured to provide LUN access through iSCSI, read the Block
Access Management Guide for iSCSI and FCP. In particular, pay attention to the
following security-relevant sections:
Chapter 6: Managing iSCSI igroups
Chapter 12: Managing the iSCSI Network
– Managing security for iSCSI initiators
– Managing the iSCSI service on storage system interfaces
Important: Enable CHAP authentication for all iSCSI initiators and select
strong, randomly generated CHAP secrets; where the initiators support it, also
configure bidirectional (mutual) CHAP so that the initiator verifies the target.
CHAP authenticates the login only and does not protect the iSCSI data stream,
so IPSec remains the control for confidentiality and integrity on the wire.
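Why the strength of the CHAP secret matters: CHAP (RFC 1994, as carried by iSCSI) proves knowledge of the secret with a single MD5 over identifier, secret and challenge, so anyone who captures one login exchange can guess the secret offline at MD5 speed. The following added example (not from the paper or from Data ONTAP) computes and verifies a CHAP response and then runs a small wordlist against a captured triple; the weak secret is recovered and the random 16-character one is not. The identifier, challenge, wordlist and both secrets are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed values: a CHAP identifier and 16-byte challenge as a target would
# send them, a small candidate list an attacker might try, and two secrets.
IDENT = 0x2A
CHALLENGE = bytes.fromhex("0123456789abcdeffedcba9876543210")
WORDLIST = ["password", "iscsi", "netapp", "password1234", "Summer2008!", "chapsecret01"]
STRONG_SECRET = b"qT4#vR9kLp2wXz7s"   # 16 characters, assumed to come from a random generator


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1 (MD5 CHAP, algorithm 5, as used by iSCSI):
    Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify_response(ident, secret, challenge, response):
    """Authenticator side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def crack_chap(ident, challenge, response, candidates):
    """Attacker side: offline guessing against a captured (ident, challenge, response).
    Returns the recovered secret, or None when no candidate matches."""
    for cand in candidates:
        if chap_response(ident, cand.encode(), challenge) == response:
            return cand
    return None


def new_challenge():
    """Target side: a fresh random identifier and challenge for every login, so a
    captured response cannot simply be replayed."""
    return os.urandom(1)[0], os.urandom(16)


if __name__ == "__main__":
    for secret in (b"password1234", STRONG_SECRET):
        captured = chap_response(IDENT, secret, CHALLENGE)
        print(secret.decode(), "->", crack_chap(IDENT, CHALLENGE, captured, WORDLIST))
```

The point of the exercise is that nothing in the protocol slows the attacker down: there is no salt, no key stretching, and one MD5 per guess, so the secret has to be long and random enough that a wordlist or brute force is hopeless, and it must not be shared across initiators.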
You can also enhance FCP security by implementing zoning restrictions on the
Fibre Channel switch that might be deployed as part of the configuration; check
the documentation for your switch for details. Many switch vendors provide two
forms of zoning, known as hard and soft. Hard zoning is based on the physical
port that a cable is connected to and provides a better level of security than soft
zoning in environments where the switch is in a physically secure location.
Regardless of the types of data stored in the system or which methods you use
to access that data, you must perform backups to protect the data if there is a
system failure or other disaster. Data ONTAP gives you the option of backing up
data to local tape devices, in which case there are no security considerations
other than ensuring that only authorized administrators gain possession of the
backup tapes.
Data ONTAP also provides several methods (SnapMirror, SnapVault, and NDMP)
you can use to perform backups over a TCP/IP network. This kind of network
backup has security considerations that must be addressed. You can find
information about how to configure security for these kinds of backups, in The
IBM System Storage N series Data Protection Online Backup and Recovery
Guide:
http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001226&aid=1
Note: Open Systems SnapVault is a software product that protects data from
a Windows, UNIX, or Linux® system by backing it up to an N series storage
system running Data ONTAP. Security procedures for the Windows, Unix or
Linux backup client systems (other than SnapVault settings and NDMP) are
outside the scope of this document.
User guidance
For individual users that access data stored in an N series storage system
running Data ONTAP, the security configuration options are quite limited because
most of the security features and options are controlled by system
administrators. In fact, a user that accesses data in an iSCSI or FCP LUN cannot
modify or configure any security controls on the N series storage system.
When accessing files by NFS, most users become owners of one or more files or
directories. Users can only manage security with chmod and chown for files or
directories that they own, and only if the NFS file system they are accessing is
located in a volume or qtree with the unix or mixed security style. Users and
administrators should consult the documentation for their Unix operating system
for details on how to use these commands or their equivalents, as the specific
syntax and operation can vary between platforms. Users may find that chown
does not function (unless they are logged in as the "root" user) if the Data
ONTAP administrator has set the "wafl.root_only_chown" option; we strongly
recommend that this be set.
When accessing files by CIFS, most users become owners of one or more files
or directories. Users may only manage security on files or directories that they
own, and only if the CIFS filesystem they are accessing is located in a volume or
qtree with the "ntfs" or "mixed" security style.
Regardless of the methods individual users use to access and manage files
stored in the N series storage system, an external server in the environment,
such as a Kerberos, LDAP, or Microsoft Active Directory server, often performs
the user authentication or authorization. Administrators keep these servers
secure, but users must manage their passwords in accordance with local
password policies to prevent security incidents.
Thanks to Roger Sanders of the Network Appliance Corporation for his review.
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.
© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM Corp.