IBM System Storage N Series Best Storage Self Exam


8/8/2019 IBM System Storage N Series Best Storage Self Exam

Redpaper

Copyright IBM Corp. 2008. All rights reserved. ibm.com/redbooks

IBM System Storage N series Best Practices for Secure Configuration

This IBM Redpaper provides guidelines for the secure configuration of IBM System Storage N series running Network Appliance Data ONTAP. It is intended for storage and security administrators who wish to improve the overall security posture of their storage networks. For each configuration area, we provide only the most secure settings.

The second part of this IBM Redpaper provides a high-level discussion of Data ONTAP security concepts in the context of a documentation map. Security administrators should be able to use this map to develop a good working knowledge of Data ONTAP security even if they have no previous storage management experience.

Note: As with any other information technology, an improvement in the overall level of security can result in a reduction in functionality or usability, and administrators should be cautious when applying these configurations to avoid an interruption of required services.

Alex Osuna

Jesse Acosta

http://www.redbooks.ibm.com/

Security configuration best practices

This section provides specific settings and option values that you can use to configure an N series storage system so that it is as secure as possible. Many of these settings do not need to be modified in a new system because they are already set to the most secure value by default; however, this complete list can assist with the audit of already-deployed systems.

Administrative access

This section describes Data ONTAP settings for administrative access.

Root password

Root password (Example 1) is used to set and modify user passwords. We recommend implementing strong password options for root and user accounts.

Example 1 Root password

isotuc1> passwd
Login: root
New password: *******
Retype new password: *******

Trusted host access

Trusted host access (Example 2) enables or disables access to N series storage systems by certain hosts without authentication. We recommend disabling this option.

Example 2 Trusted host access

isotuc1> options trusted.hosts -    (Disables telnet for all hosts)
isotuc1> options trusted.hosts +    (Enables telnet for up to 5 hosts)
isotuc1> options trusted.hosts *    (Allows telnet access for all hosts)

Telnet access

Telnet access enables and disables telnet access to the N series storage system. We recommend disabling telnet access (Example 3).

Example 3 Telnet access off

isotuc1> options telnet.enable off


RSH access

RSH access enables and disables RSH access to the N series storage system. We recommend disabling RSH access (Example 4).

Example 4 RSH off

isotuc1> options rsh.enable off

Note: Disabling both telnet and rsh access can provide tighter security.

HTTP access

HTTP access enables and disables HTTP (Web) access to the N series storage system. We recommend that you disable HTTP access (Example 5).

Example 5 Disabling HTTP access

isotuc1> options httpd.admin.access host=none

Note: Setting this access to host=none denies access to FilerView.

Secureadmin

Secureadmin enables SecureAdmin for SSH and SSL security features. We recommend installing SecureAdmin (Example 6).

Example 6 Installing SecureAdmin

isotuc1> secureadmin setup -f ssh
isotuc1> secureadmin enable ssh
isotuc1> secureadmin setup ssl
isotuc1> secureadmin enable ssl

Restrict SSH logins

Restrict SSH logins filters access to SSH to only authorized SSH clients. We recommend limiting access to authorized SSH clients only (Example 7).

Example 7 Restricting SSH logins

isotuc1> options ssh.access host=[ipaddress],[ipaddress],[hostname]

Non-root users

Non-root users (Example 8) creates additional accounts for the N series storage system. We recommend creating non-root user accounts for each administrator.


Example 8 Creating non-root user accounts

isotuc1> useradmin useradd [username]

Automatic logout

Automatic logout (Example 9) enables and sets an automatic logout from the N series storage system for console and network sessions. We recommend enabling it. The specific number of minutes you configure should be based on your local security policy.

Example 9 Enabling automatic logout and setting timeouts

isotuc1> options autologout.console.enable on
isotuc1> options autologout.telnet.enable on
isotuc1> options autologout.console.timeout 30
isotuc1> options autologout.telnet.timeout 15

Note: The default parameters for these are on with 60 minute timeouts.

Logging administrative access

Logging administrative access enables and configures logging for administrative sessions. We recommend enabling this logging (Example 10). The log file size you specify depends on your local security policy, but it should be large enough to record at least several days of administrative usage. You may set this to a large value (several megabytes) and then adjust it after you see how quickly it fills up in your environment.

Example 10 Enabling logging for administrative sessions

isotuc1> options auditlog.enable on
isotuc1> options auditlog.max_file_size [logfilesize]

Note: The data is logged into /etc/log/auditlog.

HOSTS.EQUIV access

This file contains trusted remote hosts for access without authentication. We recommend disabling this access (Example 11).

Example 11 Disabling hosts.equiv access

isotuc1> options httpd.admin.hostsequiv.enable off


Password checks

Password checks controls whether a check for minimum length and password composition is performed when you specify new passwords. We recommend enabling them (Example 12). The default for this is on. It does not apply to root or administrator.

Example 12 Enabling password checks

isotuc1> options security.passwd.rules.enable on

Role-based access control

Role-based access control is a method for managing the set of actions that a user or administrator can perform in an N series storage system. Using role-based access controls, you can define sets of capabilities (roles) that are not assigned to any particular user. Users are assigned to groups based on their job functions, and each group is granted the set of roles for performing them.
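The settings above are the baseline an administrator audits an already-deployed system against. The following script is an added example and is not part of the Redpaper: it parses the output of the options command (the sample output is constructed for illustration; the two-column "name value" layout with an optional trailing note is an assumption about the command's output) and reports every administrative-access option whose value differs from the recommendations in Examples 3 to 12. The recommended values come from those examples; treating the timeouts of Example 9 as ceilings is an assumption made here, since the page leaves the number of minutes to local policy.

```python
"""Audit Data ONTAP 'options' output against the administrative-access
baseline in this section (Examples 3 to 12). Added example, not from the
IBM Redpaper; the sample output below is constructed."""

# Recommended values, as given in the examples of this section.
BASELINE = {
    "telnet.enable": "off",
    "rsh.enable": "off",
    "httpd.admin.access": "host=none",
    "autologout.console.enable": "on",
    "autologout.telnet.enable": "on",
    "auditlog.enable": "on",
    "httpd.admin.hostsequiv.enable": "off",
    "security.passwd.rules.enable": "on",
}

# Assumption: the timeouts used in Example 9 are treated as ceilings.
MAX_TIMEOUT_MINUTES = {
    "autologout.console.timeout": 30,
    "autologout.telnet.timeout": 15,
}

# Constructed sample of 'options' output: name, value, optional trailing note.
SAMPLE_OPTIONS_OUTPUT = """\
auditlog.enable               off
auditlog.max_file_size        10000000
autologout.console.enable     on
autologout.console.timeout    60
autologout.telnet.enable      on
autologout.telnet.timeout     15
httpd.admin.access            legacy
httpd.admin.hostsequiv.enable on
rsh.enable                    on        (value might be overwritten in takeover)
security.passwd.rules.enable  on
telnet.enable                 on
"""


def parse_options(text):
    """Map option name to value; the value is the second field and any
    trailing note on the line is ignored."""
    options = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            options[fields[0]] = fields[1]
    return options


def audit(options):
    """Return (option, current, recommended) for every deviation. Options
    missing from the output are reported with current=None so they are
    not silently treated as compliant."""
    findings = []
    for name, want in BASELINE.items():
        have = options.get(name)
        if have != want:
            findings.append((name, have, want))
    for name, ceiling in MAX_TIMEOUT_MINUTES.items():
        have = options.get(name)
        if have is None or not have.isdigit() or int(have) > ceiling:
            findings.append((name, have, f"<= {ceiling}"))
    return findings


def audit_text(text):
    return audit(parse_options(text))


if __name__ == "__main__":
    for name, have, want in audit_text(SAMPLE_OPTIONS_OUTPUT):
        print(f"{name}: current {have!r}, recommended {want}")
```

Against the constructed output the audit reports telnet, rsh, the HTTP admin filter, audit logging, hosts.equiv and the console timeout; a real run would feed it the captured output of options from each system being reviewed.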

NFS settings

This section describes Data ONTAP configuration settings for NFS.

Kerberos authentication

Kerberos authentication enables Kerberos authentication for NFS and requires NFS clients to support Kerberos. We recommend enabling it with this command:

isotuc1> nfs setup

Then, edit /etc/exports for the N series storage system to set sec=krb5, sec=krb5i, or sec=krb5p in the options field of the exported file systems.

LDAP authorization

LDAP authorization enables LDAP directory lookup service for user authorization. SSL is also supported for secure connection. We recommend enabling it and either LDAP over SSL (Example 13) or SASL.

Example 13 Enabling LDAP over SSL

isotuc1> options ldap.ssl.enable on
isotuc1> options ldap.enable on

IPSec

IPSec enables IPSec between NFS clients and the N series storage system. We recommend enabling AH authentication and ESP payload encryption.


Exports file

The exports file provides lists of file systems in the N series storage system that are exported (Example 14). We recommend ensuring that only data file systems are exported and not administrative file systems, such as /etc. Additionally, ensure that all world readable exports are read-only.

Example 14 Exports file list

/etc/exports
/vol/vol0 -sec=sys,ro,rw=192.168.3.182,root=192.168.3.182,nosuid
#/vol/vol1 -sec=sys,rw,root=192.168.3.182,nosuid
/vol/vol0/home -sec=sys,rw,root=192.168.3.182,nosuid
/vol/test -sec=sys,rw,root=192.168.3.182,nosuid
/vol/test2 -sec=sys,rw
/vol/test1 -sec=sys,rw,root=192.168.3.182,nosuid
/vol/test3 -sec=sys,rw,root=192.168.3.182,nosuid

You should also examine the /etc/exports file. See "The /etc/exports file" for more information.

NFS over TCP

NFS over TCP (Example 15) enables NFS sessions using TCP packets instead of UDP. We recommend enabling it. TCP is generally more secure than UDP and can facilitate the use of NFS over firewall boundaries. However, it also opens up so many ports in both directions that usually it is better to deploy the NFS clients and servers in the same security zone rather than pass the traffic over a firewall.

Example 15 Enabling NFS over TCP

isotuc1> options nfs.tcp.enable on
isotuc1> options nfs.udp.enable off

NFS mount request

NFS mount request (Example 16) enables and disables the NFS mount request over ports with high numbers. We recommend using ports with low numbers only.

Example 16 Enabling mount request

isotuc1> options nfs.mount_rootonly on

The /etc/exports file

The man na_exports command provides a description of all the available options for NFS export. This section describes the options related to security.


Access rules

You must make sure that the appropriate security options are used in the NFS export files to prevent unsolicited clients from mounting or gaining elevated access rights to the desired volumes in the N series storage system. For example, suppose that you want to grant read-write permission on volume /vol/volx to host1, read-only permission to host2, and no other hosts can mount the volume. To do this with Data ONTAP 7.x and higher, enter:

/vol/volx -rw=host1,ro=host2

Security-related export options

The following NFS export options are related to security; you must use these options appropriately to secure the data in an NFS environment:

anon

This option specifies the effective user ID (or name) of all anonymous or root NFS client users that access the file system path. An anonymous NFS client user does not provide valid NFS credentials; a root NFS client user has a user ID of 0. Data ONTAP determines a user's file access permissions by checking the effective user ID against the /etc/passwd file of the NFS server. By default, the effective user ID of all anonymous and root NFS client users is 65534. To disable root access by anonymous and root NFS client users, set the anon option to 65535. To grant root user access to all anonymous and root NFS client users, set the anon option to 0. This is equivalent to the no_root_squash option in some other NFS servers.

nosuid

This option disables setuid and setgid executables and mknod commands in the file system path. Unless the file system is a root partition of a diskless NFS client, set nosuid to prevent NFS client users from creating setuid executables and device nodes that careless or cooperating NFS server users could use to gain root access.

sec

Data ONTAP supports the specification of multiple security (sec) options for each exported resource. The administrator can determine how secure NFS access is to the N series storage system. Basically, the following two security service types are supported:

UNIX (AUTH_SYS) authentication (sys): This is the default security service used by Data ONTAP. It does not use strong cryptography and is the least secure of the security services. Basically, AUTH_SYS credentials are a user ID and up to 17 group IDs. A user that logs in as a superuser on a UNIX system could use su to become a user with authorization for full access to a volume. One way to prevent this is to implement strong authentication mechanisms such as Kerberos.


Kerberos version 5: This service provides the following three security methods:

Authentication (krb5): This method uses strong cryptography to prove a user's identity to a filer and to prove a filer's identity to a user.

Integrity (krb5i): This method provides a cryptographic checksum of the data portion of each request and the response message to each request. This defends against tampering with filer NFS traffic.

Privacy (krb5p): This method encrypts the contents of packets bidirectionally, including procedure arguments and user data, using a shared session key established by the client from the filer.

The following examples show how these security services are used:

To specify one security type:

/vol/volx sec=sys,rw=host1

To specify multiple security types:

/vol/volx sec=krb5:krb5i:krb5p,rw=host1
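The "Exports file" section and the security-related export options above (anon, nosuid, sec, and the rw/ro host lists) together describe what a reviewer looks for in /etc/exports. The following checker is an added example and is not part of the Redpaper: it parses export lines in the two forms shown on this page (with and without the leading dash, sec= as a colon-separated list) and flags the conditions the text warns about. The sample exports are constructed; treating /vol/vol0 as the administrative root volume that holds /etc is an assumption based on Example 14.

```python
"""Check an /etc/exports file against the security-related export options
described in this section (rw/ro host lists, anon, nosuid, sec).
Added example, not from the IBM Redpaper; the export lines are constructed."""

# Constructed sample; host names and addresses are placeholders.
SAMPLE_EXPORTS = """\
# comment lines and blanks are ignored
/vol/vol0 -sec=sys,ro,rw=192.168.3.182,root=192.168.3.182,nosuid
/vol/test2 -sec=sys,rw
/vol/finance -sec=krb5i:krb5p,rw=host1,ro=host2,nosuid
/vol/scratch -sec=sys,rw=host1,anon=0
"""

# Assumption: /vol/vol0 is the root volume holding /etc, as in Example 14.
ADMIN_PATHS = ("/vol/vol0",)


def parse_export(line):
    """Return (path, {option: value}) for one export line.

    Bare flags (rw, ro, nosuid) get the value True. The options field may or
    may not carry the leading '-', and sec= may hold a ':'-separated list."""
    path, _, opts = line.strip().partition(" ")
    options = {}
    for item in opts.strip().lstrip("-").split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if key == "sec":
            options[key] = value.split(":")
        else:
            options[key] = value if sep else True
    return path, options


def check_export(path, opts):
    """Return the list of findings for one export, following the text above."""
    findings = []
    if path.rstrip("/") in ADMIN_PATHS or any(path.startswith(p + "/") for p in ADMIN_PATHS):
        findings.append("administrative file system exported (root volume)")
    # A bare 'rw' (no host list) lets every client write; the page asks that
    # world-readable exports be read-only.
    if opts.get("rw") is True:
        findings.append("world-writable: rw without host list")
    # No rw/ro option at all means no host-based restriction is expressed.
    if "rw" not in opts and "ro" not in opts:
        findings.append("no rw/ro host restriction")
    # anon=0 maps anonymous and root clients to UID 0 (no_root_squash).
    if opts.get("anon") == "0":
        findings.append("anon=0 grants root to anonymous/root clients")
    if "nosuid" not in opts:
        findings.append("nosuid missing: setuid executables and device nodes allowed")
    sec = opts.get("sec", ["sys"])  # sys is the Data ONTAP default service
    if all(s == "sys" for s in sec):
        findings.append("sec=sys only: AUTH_SYS has no strong authentication")
    return findings


def audit_exports(text):
    """Return {path: [findings]} for every non-comment export line."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, opts = parse_export(line)
        report[path] = check_export(path, opts)
    return report


if __name__ == "__main__":
    for path, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(path, "->", "; ".join(findings) or "ok")
```

In the constructed sample only /vol/finance passes cleanly (Kerberos integrity or privacy, explicit host lists, nosuid); the others illustrate the root-volume export, the bare rw, the missing nosuid and the anon=0 cases in turn.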

CIFS settings

This section describes Data ONTAP configuration settings for CIFS.

Kerberos authentication

Kerberos authentication for CIFS enables Microsoft Active Directory authentication, which uses Kerberos by default. To do this, select an Active Directory domain during CIFS setup. We recommend using this authentication.

LDAP authorization

LDAP authorization for CIFS enables Active Directory LDAP for user authorization. We recommend that you enable LDAP signing and sealing with SASL and enable LDAP over SSL.

SMB signing

SMB signing ensures the integrity of CIFS communications. We recommend enabling it for both the N series (Example 17) and Windows clients.

Example 17 SMB signing for the N series storage system

isotuc1> options cifs.disable_server_smbsign off

For the Windows clients, set EnableSecuritySignature and RequireSecuritySignature in the registry.


Share level permissions

This sets the share level permission for CIFS shares. We recommend changing the share level ACL to authorized users only (Example 18) and removing Everyone/Full Control.

Example 18 Share level permissions

isotuc1> cifs access [-g]

Audit CIFS access

Audit CIFS access enables and disables CIFS access audits. We recommend enabling it (Example 19).

Example 19 Enabling CIFS access audits

isotuc1> options cifs.audit.enable on

Anonymous connections (restrict anonymous)

You can use anonymous connections to give anonymous users access to a list of CIFS shares in the N series storage system or to prevent this access. We recommend preventing this access (Example 20).

Example 20 Disabling access to CIFS shares

isotuc1> options cifs.restrict_anonymous.enable on

Guest access

This setting (Example 21) enables and disables CIFS guest access. We recommend disabling it.

Example 21 Guest access

isotuc1> options cifs.guest_account

Multiprotocol settings

This section describes multiprotocol configuration settings for Data ONTAP.

Ignore ACLs

When ignore ACLs is on, ACLs do not affect root access from NFS. The option defaults to off. We recommend that you disable it (Example 22).


Example 22 Disabling ignore ACLs

isotuc1> options cifs.nfs_root_ignore_acl off

CIFS bypass traverse checking

When CIFS bypass traverse checking is on (the default), directories in the path to a file do not require the X (traverse) permission. This option does not apply to UNIX qtrees. We recommend that you enable traverse checking by turning this option off (Example 23).

Example 23 Turning off CIFS bypass traverse checking

isotuc1> options cifs.bypass_traverse_checking off

CIFS GID checks

This option affects security checking for Windows clients of files with UNIX security, where the requestor is not the file owner. In all cases, Windows client requests are checked against the share-level ACL. If the requestor is the owner, the user permissions are used to determine the access permissions.

If the requester is not the owner and cifs.perm_check_use_gid is on, files with UNIX security are checked using normal UNIX rules (that is, if the requester is a member of the file's owning group, then the group permissions are used; otherwise, the other permissions are used). If the requester is not the owner and cifs.perm_check_use_gid is off, files with UNIX security style are checked in a way that works better for controlling access with share-level ACLs. In that case, the requester's desired access is checked against the file's group permissions, and the other permissions are ignored. In effect, the group permissions are used as though the Windows client were always a member of the file's owning group, and the other permissions are not used.

We recommend enabling CIFS GID checks to require UNIX style security (Example 24).

Example 24 Enabling CIFS GID checks

isotuc1> options cifs.perm_check_use_gid on
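The two evaluation orders described for cifs.perm_check_use_gid are easy to misread, so the following model is added here as an example (it is not Data ONTAP code and not part of the Redpaper). It implements exactly the decision the text describes: share-level ACL first in all cases, then the owner's bits for the owner, normal UNIX group-or-other rules when the option is on, and group bits only, with the other bits ignored, when it is off. The files and requesters are constructed.

```python
"""Model the CIFS permission check for files with UNIX security style as the
text above describes it, with cifs.perm_check_use_gid on versus off.
Added example, not from the IBM Redpaper; files and users are constructed."""

from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # UNIX permission bits


@dataclass(frozen=True)
class UnixFile:
    owner: str
    group: str
    user_bits: int
    group_bits: int
    other_bits: int


@dataclass(frozen=True)
class Requester:
    name: str
    groups: frozenset


def applicable_bits(f, who, use_gid):
    """Return the permission triplet that applies to `who`.

    Owner: user bits in all cases.
    Non-owner, use_gid on: normal UNIX rules (group bits if a member of the
        owning group, otherwise other bits).
    Non-owner, use_gid off: group bits always; other bits are ignored, as if
        the Windows client were always a member of the owning group."""
    if who.name == f.owner:
        return f.user_bits
    if use_gid:
        return f.group_bits if f.group in who.groups else f.other_bits
    return f.group_bits


def access_allowed(f, who, wanted, use_gid, share_acl_allows=True):
    """Share-level ACL is checked first in all cases, then the file bits."""
    if not share_acl_allows:
        return False
    return (applicable_bits(f, who, use_gid) & wanted) == wanted


# Constructed sample: owner rwx, group rw-, other r--
REPORT = UnixFile("alice", "eng", 7, 6, 4)
ALICE = Requester("alice", frozenset({"eng"}))
BOB = Requester("bob", frozenset({"eng"}))        # member of the owning group
CAROL = Requester("carol", frozenset({"sales"}))  # not a member

if __name__ == "__main__":
    for use_gid in (True, False):
        state = "on" if use_gid else "off"
        print(f"perm_check_use_gid={state}: carol may write ->",
              access_allowed(REPORT, CAROL, WRITE, use_gid))
```

The constructed case shows the trade-off the text alludes to: with the option off, a non-member such as carol inherits the group's write bit and the share-level ACL becomes the only thing keeping her out, which is why the page recommends turning the option on.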

Default NT user

Default NT user specifies the NT user account to use when a UNIX user accesses a file with NT security (has an ACL) and that UNIX user would not otherwise be mapped. We recommend setting the option to a null string, denying access (Example 25).


Example 25 Setting default NT user to deny access

isotuc1> options wafl.default_nt_user

Note: Perform this step only in multiprotocol systems that have NFS/CIFS user mapping configured correctly; disabling it in an NFS-only N series storage system results in access problems for legitimate users.

Default UNIX user

Default UNIX user specifies the UNIX user account to use when an NT user attempts to log in and that NT user would not otherwise be mapped. We recommend setting the option to a null string, denying access (Example 26).

Example 26 Setting default UNIX user to deny access

isotuc1> options wafl.default_unix_user

Note: Perform this step only in multiprotocol systems that have NFS/CIFS user mapping configured correctly; disabling this access in a CIFS-only N series storage system results in access problems for legitimate users.

Root to administrator mapping

When root to administrator mapping is on (the default), an NT administrator is mapped to the UNIX root. We recommend disabling it by default (Example 27).

Example 27 Disabling root to administrator mapping

isotuc1> options wafl.nt_admin_priv_map_to_root off

Change permissions

When change permissions is enabled, only the root user can change the owner of a file. We recommend enabling it (Example 28).

Example 28 Allowing only root access to change permissions to files

isotuc1> options wafl.root_only_chown on

Cache credentials

Cache credentials specifies the number of minutes a WAFL credential cache entry is valid. The value can range from 1 through 20160; we recommend 10 (Example 29).

Example 29 Setting cache credential minutes to 10

isotuc1> options wafl.wcc_minutes_valid 10

Network settings

This section describes network settings for Data ONTAP.

Incoming packets

This setting (Example 30) enables and disables the checking of incoming packets for correct addressing. We recommend enabling packet checking.

Example 30 Incoming packets configuration

isotuc1> options ip.match_any_ifaddr off

MAC Fastpath

The N series storage system uses MAC address and interface caching (Fastpath) to return responses to incoming network traffic using the same interface as the incoming traffic. In some cases, the destination MAC address is equal to the source MAC address of the incoming data. We recommend disabling this option (Example 31). When it is enabled, it increases the possibility of ARP spoofing and session hijacking attacks.

Example 31 Disabling MAC Fastpath

isotuc1> options ip.fastpath.enable off

Logging ping flood

Logging ping flood enables and disables ping flood attack logging. We recommend enabling it (Example 32).

Example 32 Enabling ping flood attack logging

isotuc1> options ip.ping_throttle.alarm_interval 5

SnapMirror access

SnapMirror access sets the IP address and host name for nodes that can receive SnapMirror/SnapVault backups. We recommend setting IP address and host names to authorized users for backup (Example 33).


Example 33 Setting IP address and host names to authorized users for backup

isotuc1> options snapmirror.access host=[ipaddress],[hostname]

SnapMirror source access

SnapMirror source access enables and disables the IP address-based verification of SnapMirror destination N series storage systems by source N series storage systems. We recommend that you enable source address verification (Example 34).

Example 34 Enable SnapMirror source address verification

isotuc1> options snapmirror.checkip.enable on

NDMP

NDMP restricts control and data connections to authorized hosts. We recommend limiting backup using NDMP to authorized hosts only (Example 35).

Example 35 Limiting backup using NDMP

isotuc1> options ndmpd.access host=[ipaddress],[hostname]

NDMP authentication

This configuration sets the NDMP authentication type (Example 36).

Example 36 Enabling NDMP authentication type

isotuc1> options ndmpd.authtype md5

DataFabric Manager (now Operations Manager)

This configuration displays the version of DataFabric Manager (now Operations Manager). We recommend ensuring that version 3.0 or higher is used.

System services

This section describes Data ONTAP configuration settings for system services.

FTP

This enables and disables FTP. We recommend disabling it (Example 37).

Example 37 Disabling FTP

isotuc1> options ftpd.enable off


PCNFS

This enables and disables PCNFS. We recommend disabling it (Example 38).

Example 38 Disabling PCNFS

isotuc1> options pcnfs.enable off

SNMP

This enables and disables SNMP. We recommend disabling it (Example 39).

Example 39 Disabling SNMP

isotuc1> options snmp.enable off

RSH

This enables and disables RSH. We recommend disabling it (Example 40).

Example 40 Disabling RSH

isotuc1> options rsh.enable off

Telnet

This enables and disables telnet. We recommend disabling it (Example 41).

Example 41 Disabling telnet

isotuc1> options telnet.enable off

TFTP

This enables and disables TFTP. We recommend disabling it (Example 42).

Example 42 Disabling TFTP

isotuc1> options tftpd.enable off

Protocol access filter

Data ONTAP permits the installation of filters for rsh, telnet, ssh, httpd, httpd.admin, snmp, ndmpd, SnapMirror, and SnapVault. (For a detailed description of the usage, refer to the man page of the na_protocolaccess option.) The filters can specify host names, IP addresses, IP subnets, or interface names, which are either allowed or disallowed for each protocol. Each application attaches the filter to the listening socket. Table 1 shows some examples.


Table 1 Protocol access control examples

Command                                             Description
options ndmpd.access legacy                         Allow an NDMP server to accept a control connection request from any client.
options rsh.access host=gnesha.zo                   Allow remote shell access for only one host, named gnesha.zo.
options telnet.access host=10.42.69.1/24            Allow access for Telnet subnet 10.42.69.
options ssh.access host=abc,xyz AND if=e0           Allow ssh access for hosts abc and xyz when on network interface e0.
options snmp.access if=e0,e1,e2                     Allow access to SNMP for network interfaces e0, e1, and e2.
options httpd.access if != e3                       Do not allow access to HTTPD for network interface e3.
options httpd.admin.access host=champagne,tequila   Allow access to administrative HTTPD for two hosts.
options telnet.access host=-                        Disallow all access to Telnet.
options snapmirror.access legacy                    Check access to sources from other N series storage systems.
options snapvault.access all                        Allow a SnapVault server to accept any client requests.

iSCSI settings

This section describes iSCSI settings for Data ONTAP.

Per-interface configuration

This enables and disables iSCSI drivers (Example 43) for each network interface. We recommend enabling iSCSI only where you intend to use it.

Example 43 Disabling iSCSI interface

isotuc1> iscsi interface disable [-f] {-a | }

Default security method

This selects the security method to use for initiators that do not have a security method specified. We recommend setting the default iSCSI security method to deny (Example 44), disabling access.

Example 44 Disabling access for initiators with no defined security method

isotuc1> iscsi default -s deny
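Table 1 gives the filter syntax by example only (host lists, a CIDR subnet, interface lists, the negated form if != and the conjunction AND, plus host=- to deny everyone; Examples 5 and 7 earlier use host=none and a host list). The following evaluator is an added example and is not part of Data ONTAP or the Redpaper: it models those filter forms and decides whether a given incoming connection would be accepted, so an administrator can test a filter string against the peers it is meant to admit before applying it. The connections are constructed, and the semantics are modelled from the table's descriptions; legacy is protocol-specific and is reported as such rather than evaluated.

```python
"""Evaluate Data ONTAP protocol access filters of the kind shown in Table 1
(and in Examples 5 and 7) against an incoming connection. Added example,
not from the IBM Redpaper; connections below are constructed and the filter
semantics are modelled from the table's descriptions."""

import ipaddress
import re
from dataclasses import dataclass

# One clause: host=... / if=... / if != ... (spaces around the operator optional)
CLAUSE = re.compile(r"^(host|if)\s*(!=|=)\s*(\S+)$")


@dataclass(frozen=True)
class Connection:
    hostname: str   # name the storage system resolved for the peer
    ip: str         # peer address
    interface: str  # interface the request arrived on, e.g. "e0"


def _host_value_matches(value, conn):
    """'-' and 'none' match nothing; a CIDR value matches by subnet;
    anything else must equal the peer's host name or address."""
    if value in ("-", "none"):
        return False
    if "/" in value:
        # strict=False so 10.42.69.1/24 is read as the 10.42.69.0/24 subnet
        return ipaddress.ip_address(conn.ip) in ipaddress.ip_network(value, strict=False)
    return value in (conn.hostname, conn.ip)


def clause_allows(clause, conn):
    """Evaluate a single host= / if= clause, honouring the != negation."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    key, op, values = m.groups()
    items = values.split(",")
    if key == "host":
        matched = any(_host_value_matches(v, conn) for v in items)
    else:
        matched = conn.interface in items
    return matched if op == "=" else not matched


def filter_allows(filter_text, conn):
    """True/False for a host/if filter; None for 'legacy', whose meaning is
    protocol-specific (see Table 1) and is not a host/interface filter."""
    text = filter_text.strip()
    if text == "all":
        return True
    if text == "legacy":
        return None
    clauses = re.split(r"\s+AND\s+", text, flags=re.IGNORECASE)
    return all(clause_allows(c, conn) for c in clauses)


if __name__ == "__main__":
    peer = Connection("abc", "10.42.69.200", "e0")  # constructed
    for f in ("host=abc,xyz AND if=e0", "host=10.42.69.1/24", "if != e3", "host=-"):
        print(f"{f!r:32} -> {filter_allows(f, peer)}")
```

Run against the constructed peer, the first three filters admit the connection and host=- rejects it; swapping the interface to e1 makes the AND filter reject it as well, which is the behaviour the table describes for the ssh example.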


Initiator security method

Initiator security method specifies the security method to be used for each specific iSCSI initiator. We recommend using CHAP authentication (Example 45) for all iSCSI initiators. The next section shows you how to generate a random 128-bit CHAP password.

Example 45 Specifying CHAP authentication for iSCSI initiators

isotuc1> iscsi security add -i initiator -s CHAP -p password -n name

Random CHAP passwords

This method (Example 46) generates a 128-bit random password that can be used with iSCSI CHAP authentication. We recommend using this or another method of your choice to generate completely random passwords for use with iSCSI CHAP authentication.

Example 46 Generating a random CHAP password

isotuc1> iscsi security generate

Security documentation map

This section is an overview of the security-relevant documentation that is available for Data ONTAP. It is intended to help security administrators who are not storage experts learn enough about Data ONTAP security quickly to make good deployment and configuration decisions. This is not an exhaustive list of all possible security resources, but it is a very good starting point. This documentation map refers to the current Data ONTAP documentation; however, documentation for other versions of Data ONTAP is organized in a similar manner. Always refer to the documentation for the version of Data ONTAP that you are actually using.

The first section describes the administrative functions and interfaces that are available to administrators and how to administer Data ONTAP securely. The second section describes the limited set of security interfaces and functions that are available to the users, describes their use, and includes warnings about user-accessible functions and privileges that should be controlled.

Administrative guidance

The first step to understanding the security-relevant administrative functions and interfaces of Data ONTAP is to learn about the basic steps required to access and manage an N series storage system. The most important documentation on this subject is chapters 2, 4, 6 and 7 of the IBM System Storage N series System Administration Guide (GC26-7974-00). In particular, pay close attention to the following sections:

Chapter 2: Interfacing with Data ONTAP
    How you administer a storage system

Chapter 4: Accessing the Storage System
    Managing access from administration hosts
    Controlling system access

Chapter 6: Managing Administrator Access
    Managing users
    Managing roles

Chapter 7: Performing General System Maintenance
    Synchronizing system time
    Configuring message logging
    Configuring audit logging
    Maintaining filer security through options

It is important to note that the users described in chapter 6 are local and should only be created and used for system administrators and not for normal users. Basically, when the Data ONTAP documentation refers to users, local users, or local user accounts, they should be interpreted as local administrator user accounts. It is possible, in some small workgroup environments, to use these local accounts for normal user access to files; however, there are many security problems with this approach and those who wish to use Data ONTAP in a secure manner should not consider it.

Because the security of the administrative interfaces of the N series storage system depends on limiting access to authorized administrators, it is extremely important that administrator passwords be selected and managed very carefully. Great caution should be exercised to ensure that administrator passwords are difficult to guess; words found in any dictionary or wordlist (including names, dates, place-names, social security, or other identifying numbers) should be avoided. Passwords should contain a mix of upper and lower case letters, punctuation marks, symbols, and numbers. Data ONTAP provides an option to check for a minimum length and password composition when a new password is chosen; this option (security.passwd.rules.enable) is enabled by default but is not a substitute for a clear password selection policy and administrator training on correct password selection.

The N series storage system may also be managed using the SSH remote login protocol or with an SSL-protected version of FilerView called Secure FilerView. These two methods are only available if the SecureAdmin product is installed and configured in the N series storage system. SecureAdmin provides many security advantages over administrative access by telnet, rsh, and http and should be strongly considered by anyone who wants to maximize security. For more information, see chapter 9 of the System Administration Guide:

http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001339&aid=1

After administrative access has been configured, the next step for managing a secure N series storage system is to organize your data. The most important documentation for this process is in chapters 6 and 8 of the IBM System Storage N series Storage Management Guide:

http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001227&aid=1

In particular, pay attention to the following sections of chapter 8:

  - Understanding qtrees
  - Creating qtrees
  - Understanding security styles
  - Changing security styles

Although the choices for volume and qtree security styles may seem confusing at first, the selection process is actually very simple for most customers:

  - If a volume or qtree is to be accessed predominantly or exclusively by NFS clients, select unix.
  - If a volume or qtree is to be accessed predominantly or exclusively by CIFS clients, select ntfs.
  - If a volume or qtree is to be accessed equally by both NFS and CIFS clients and both types of clients require full control over file access security, select mixed.
  - If a volume or qtree is to be used exclusively as a storage location for FCP or iSCSI LUNs, the security style has no effect.

When you are creating volumes and qtrees for data management, we strongly recommend organizing data by security requirements. For example, if the plan for the N series storage system is to store data for two groups (perhaps the Finance and Engineering departments of a company) with different access controls, placing each data set in a separate qtree or in separate volumes makes security configuration simpler, because export rules, share ACLs, and security styles are applied per volume or qtree.

After creating and configuring volumes and qtrees to store user data, you must configure Data ONTAP to identify users so that it can control access to data. Documentation about this subject is available in the File Access and Protocols Management Guide:

    http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001596&aid=1


The users that are discussed in this chapter are not local administrative users. Instead, these are the non-administrator users who access data stored by the system using NFS or CIFS.

For security information, the most important sections of this document are:

Chapter 2: File Access Using NFS
  - Read the entire chapter, especially the section on providing secure NFS access.

Chapter 3: File Access Using CIFS
  - How CIFS users obtain UNIX credentials
  - Sharing directories
  - Displaying and changing share properties
  - Understanding authentication issues
  - Understanding local user accounts
  - How share-level access control lists work
  - Specifying how group IDs work with share-level ACLs
  - Changing and displaying a share-level ACL
  - Changing and displaying file-level ACLs

Chapter 7: File Sharing Between NFS and CIFS
  - Using LDAP services
  - Installing SecureShare Access
  - Changing UNIX permissions and DOS attributes from Windows

An important concept to remember is that there are really two different realms of security to manage when you use Data ONTAP for file access. One realm is the security of the N series storage system running Data ONTAP, including the security controls on exported file systems (for NFS) and shared directories (for CIFS). The other is the security of individual files and directories. This control is exercised from NFS clients using the chown and chmod UNIX commands, or from CIFS clients using the procedures in the Changing and displaying file-level ACLs and Changing UNIX permissions and DOS attributes from Windows sections.

The first kind of security is entirely controlled by authorized system administrators, but the second kind is under the control of each individual non-administrative user. Both must permit an operation for it to succeed, and an export or share restriction is never relaxed by a permissive file mode or ACL; the reverse is also true, so a restrictive export cannot repair a file that its owner has made world-writable. Therefore, users must receive training and guidance about what policies and procedures should be followed for setting access controls and permissions on files and directories. Even if the N series storage system and the Data ONTAP operating system are managed securely, a user that sets incorrect ACLs or permissions on a sensitive file may inadvertently compromise the security of the data within that file. Therefore, programs that ensure constant awareness and education of individual, non-administrative users on local security policy are very important.
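To make the two realms concrete, here is a small Python model, added as an illustration for this paper and not taken from the paper itself or from Data ONTAP's actual implementation, of how an NFS request is decided. The administrator's export rule (which hosts may read or write, and whether root is squashed) is checked first, and only then the owner's UNIX mode bits on the file; the request succeeds only if both allow it. The host names, uids, gids and the anonymous uid 65534 are constructed for the example, and real exports carry more attributes than the three modelled here.

```python
from dataclasses import dataclass, field
import stat

# Typical anonymous uid that root is mapped to when squashed (assumed value).
NOBODY_UID = 65534


@dataclass
class Export:
    """Realm 1: administrator-controlled export rule for one path (simplified)."""
    rw_hosts: set = field(default_factory=set)
    ro_hosts: set = field(default_factory=set)
    root_hosts: set = field(default_factory=set)   # hosts whose uid 0 is not squashed


@dataclass
class FileSecurity:
    """Realm 2: owner-controlled UNIX permissions on a single file."""
    mode: int      # permission bits, for example 0o640
    uid: int
    gid: int


def map_identity(export: Export, host: str, uid: int) -> int:
    """Root squashing: uid 0 from a host not in root_hosts becomes the anonymous user."""
    if uid == 0 and host not in export.root_hosts:
        return NOBODY_UID
    return uid


def export_allows(export: Export, host: str, want_write: bool) -> bool:
    """Export-level decision: is this host allowed the requested kind of access at all?"""
    if host in export.rw_hosts:
        return True
    if host in export.ro_hosts:
        return not want_write
    return False                      # host is not in the export list


def file_allows(f: FileSecurity, uid: int, gids: set, want_write: bool) -> bool:
    """File-level decision using the owner/group/other mode bits."""
    if uid == 0:
        return True                   # unsquashed root bypasses mode bits
    if uid == f.uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif f.gid in gids:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(f.mode & bit)


def effective_access(export: Export, f: FileSecurity, host: str,
                     uid: int, gids: set, want_write: bool) -> bool:
    """Access is granted only when both realms allow it."""
    if not export_allows(export, host, want_write):
        return False
    return file_allows(f, map_identity(export, host, uid), gids, want_write)


# Constructed scenario: a Finance qtree exported read-write to the application
# host and read-only to a reporting host, with root squashed everywhere.
FINANCE_EXPORT = Export(rw_hosts={"fin-app"}, ro_hosts={"fin-report"})
LEDGER = FileSecurity(mode=0o640, uid=1001, gid=200)          # owner rw, group r
LEDGER_LEAKED = FileSecurity(mode=0o666, uid=1001, gid=200)   # owner ran chmod 666

if __name__ == "__main__":
    print("owner writes from fin-app:   ", effective_access(FINANCE_EXPORT, LEDGER, "fin-app", 1001, {200}, True))
    print("owner writes from fin-report:", effective_access(FINANCE_EXPORT, LEDGER, "fin-report", 1001, {200}, True))
    print("root reads from fin-app:     ", effective_access(FINANCE_EXPORT, LEDGER, "fin-app", 0, {0}, False))
    print("stranger writes leaked file: ", effective_access(FINANCE_EXPORT, LEDGER_LEAKED, "fin-app", 3003, {300}, True))
```

The last case is the one the paragraph above warns about: the export is still correct, but a single chmod by the owner has opened the file to every user on every read-write host.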


Although Data ONTAP provides support for the PC-NFS protocol, it is an inherently insecure protocol and should be avoided.

Because NFS, CIFS, iSCSI, and administrative clients use TCP/IP networking to access Data ONTAP, the networking for the N series storage system should be configured for maximum security. The most important documentation for this purpose is the IBM System Storage N series Network Management Guide:

    http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001334&aid=1

The following sections are particularly important:

Chapter 3: Network Routing Configuration
  - About routing in Data ONTAP
  - About fast path

Chapter 4: Host Name Resolution

Chapter 8: Internet Protocol Security Configuration

In addition to the information supplied in chapter 3, one important configuration for secure deployments of N series storage systems with multiple network interfaces is the ip.match_any_ifaddr option. By default this option is turned on, which increases performance of the system but also increases exposure to certain types of IP forgery attacks: with the option on, the system accepts a packet addressed to any of its interface addresses even if the packet arrived on a different interface, so the interface a packet came in on cannot be used to reject a spoofed source. Turn this option off using options ip.match_any_ifaddr off (Example 47) on the command line interface. After changing it, confirm that clients on each network still reach the system through the interface that owns their address; traffic that depended on the relaxed matching is dropped once the option is off.

Example 47 Turning off ip.match_any_ifaddr

isotuc1> options ip.match_any_ifaddr off

We strongly recommend that you configure and enable IPsec (see chapter 8 of the IBM System Storage N series Network Management Guide).

For systems configured to provide LUN access through iSCSI, read the Block Access Management Guide for iSCSI and FCP. In particular, pay attention to the following security-relevant sections:

Chapter 6: Managing iSCSI igroups

Chapter 12: Managing the iSCSI Network
  - Managing security for iSCSI initiators
  - Managing the iSCSI service on storage system interfaces

Important: Enable CHAP authentication for every iSCSI initiator that is granted access to a LUN, and select strong CHAP secrets. CHAP authenticates the initiator at login but does not protect the SCSI traffic that follows; that is what the IPsec recommendation above addresses.
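The CHAP exchange that this recommendation relies on, as an added Python example that is not from the paper and not Data ONTAP's implementation: the target issues a fresh identifier and challenge, the initiator answers with MD5(identifier || secret || challenge) as RFC 1994 specifies for the MD5 algorithm (CHAP_A=5), and the target compares the answer in constant time. The second half shows why the secret must be strong: anyone who captures one CHAP_I, CHAP_C, CHAP_R triple from the login can test candidate secrets offline at MD5 speed. The initiator names, secrets and wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, iSCSI CHAP_A=5): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """Storage-side state: known initiator secrets and outstanding challenges."""

    def __init__(self, initiator_secrets: dict):
        self._secrets = initiator_secrets      # CHAP_N (initiator name) -> secret
        self._pending = {}                     # session -> (CHAP_I, challenge)

    def challenge(self, session: str) -> dict:
        # A new random identifier and challenge per login attempt defeats replay.
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)
        self._pending[session] = (ident, chal)
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + chal.hex()}

    def verify(self, session: str, reply: dict) -> bool:
        if session not in self._pending:
            return False                       # no challenge outstanding
        ident, chal = self._pending.pop(session)
        secret = self._secrets.get(reply.get("CHAP_N"))
        if secret is None:
            return False                       # unknown initiator name
        try:
            got = bytes.fromhex(reply["CHAP_R"][2:])
        except (KeyError, ValueError):
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, got)


def initiator_reply(name: str, secret: bytes, msg: dict) -> dict:
    """Initiator side: answer the target's challenge with its name and response."""
    ident = int(msg["CHAP_I"])
    chal = bytes.fromhex(msg["CHAP_C"][2:])
    return {"CHAP_N": name, "CHAP_R": "0x" + chap_response(ident, secret, chal).hex()}


def login(target: Target, session: str, name: str, secret: bytes) -> bool:
    """One complete exchange: challenge, response, verification."""
    return target.verify(session, initiator_reply(name, secret, target.challenge(session)))


def recover_secret(ident: int, challenge: bytes, response: bytes, candidates):
    """Offline attack on a captured exchange: return the candidate that reproduces CHAP_R."""
    for cand in candidates:
        if chap_response(ident, cand, challenge) == response:
            return cand
    return None


# Constructed names, secrets and wordlist for the example.
INITIATOR = "iqn.2008-01.com.example:host1"
WEAK = b"password1"
STRONG = b"x9Qv!2mZ#pL4wT7e"
WORDLIST = [b"123456", b"password", b"password1", b"letmein"]

if __name__ == "__main__":
    target = Target({INITIATOR: WEAK})
    print("login with correct secret:", login(target, "s1", INITIATOR, WEAK))
    captured_chal = bytes(range(16))
    captured_resp = chap_response(7, WEAK, captured_chal)
    print("secret recovered from capture:", recover_secret(7, captured_chal, captured_resp, WORDLIST))
```

The attack needs nothing from the storage system after the capture, so the only defence on the target side is a secret that is not in any wordlist and is long enough to be infeasible to enumerate.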


This manual also provides information about LUN access using FCP; chapter 7 is particularly useful:

http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001526&aid=1

You can also enhance FCP security by implementing zoning restrictions on the Fibre Channel switch that may be deployed as part of the configuration; check the documentation for your switch for details. Many switch vendors provide two forms of zoning, known as hard and soft. Hard zoning is based on the physical port that a cable is connected to, whereas soft zoning is based on the World Wide Name that each device reports and can be bypassed by a device that presents a forged name. Hard zoning therefore provides a better level of security than soft zoning in environments where the switch is in a physically secure location.

Regardless of the types of data stored in the system or which methods you use to access that data, you must perform backups to protect the data if there is a system failure or other disaster. Data ONTAP gives you the option of backing up data to local tape devices, in which case there are no security considerations other than ensuring that only authorized administrators gain possession of the backup tapes, since a tape is a complete and portable copy of the data.

Data ONTAP also provides several methods (SnapMirror, SnapVault, and NDMP) you can use to perform backups over a TCP/IP network. This kind of network backup has security considerations that must be addressed. You can find information about how to configure security for these kinds of backups in the IBM System Storage N series Data Protection Online Backup and Recovery Guide:

http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001226&aid=1

These sections are of particular importance:

Chapter 4: Data Protection Using SnapMirror
  - Specifying destination filers on the source filer

Chapter 5: Data Protection Using SnapVault
  - Setting up SnapVault backup on Open Systems platforms
  - Managing SnapVault backup of Open Systems platforms
  - Enabling SnapVault

Chapter 10 of this documentation also contains information about how to provide virus scanning services for files accessed via CIFS. This functionality requires a third party antivirus scanner system from McAfee, Computer Associates, Symantec, or Trend. We strongly recommend deploying an antivirus server if you use CIFS.

Note: Open Systems SnapVault is a software product that protects data from a Windows, UNIX, or Linux system by backing it up to an N series storage system running Data ONTAP. Security procedures for the Windows, UNIX or Linux backup client systems (other than SnapVault settings and NDMP) are outside the scope of this document.

For more information about network-based NDMP tape backups, see:

http://www-1.ibm.com/support/docview.wss?uid=ssg1S7001593&aid=1

The following sections in Chapter 5 of this document focus on security-relevant features:
  - Managing NDMP security features
  - Specifying the NDMP versions

    User guidance

For individual users that access data stored in an N series storage system running Data ONTAP, the security configuration options are quite limited because most of the security features and options are controlled by system administrators. In fact, a user that accesses data in an iSCSI or FCP LUN cannot modify or configure any security controls on the N series storage system; access control for the contents of a LUN is entirely the responsibility of the host that mounts it.

When accessing files by NFS, most users become owners of one or more files or directories. Users can only manage security with chmod and chown for files or directories that they own, and only if the NFS file system they are accessing is located in a volume or qtree with the unix or mixed security style. Users and administrators should consult the documentation for their UNIX operating system for details on how to use these commands or their equivalents, as the specific syntax and operation can vary between platforms. Users may find that chown does not function (unless they are logged in as the root user) if the Data ONTAP administrator has set the wafl.root_only_chown option; we strongly recommend that this be set, because allowing ordinary users to give files away lets them evade quotas and disclaim ownership of data they wrote.

When accessing files by CIFS, most users become owners of one or more files or directories. Users may only manage security on files or directories that they own, and only if the CIFS file system they are accessing is located in a volume or qtree with the ntfs or mixed security style.

Regardless of the methods individual users use to access and manage files stored in the N series storage system, an external server in the environment, such as a Kerberos, LDAP, or Microsoft Active Directory server, often performs the user authentication or authorization. Administrators keep these servers secure, but users must manage their passwords in accordance with local password policies to prevent security incidents.
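As an added example that is not part of the paper, the following Python script audits a captured listing from the options command against the three option values this paper calls for: ip.match_any_ifaddr off (network section), security.passwd.rules.enable on (administrator passwords), and wafl.root_only_chown on (user guidance above). It reports each deviation with its reason and prints the options commands, in the form used in Example 47, that would correct it. The line format (name, value, optional trailing comment) is assumed from Example 47, and the sample output is constructed.

```python
import re

# Baseline derived from this paper: option name -> (required value, reason).
BASELINE = {
    "ip.match_any_ifaddr": ("off", "on accepts packets addressed to any interface, aiding IP forgery"),
    "security.passwd.rules.enable": ("on", "enforces password length and composition"),
    "wafl.root_only_chown": ("on", "only root may chown files over NFS"),
}

# 'name value [comment]' as assumed from Example 47; anything after the value is ignored.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s+(\S+)")


def parse_options(output: str) -> dict:
    """Parse the text printed by 'options' into {name: value}."""
    result = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def audit(output: str, baseline=BASELINE) -> list:
    """Return (option, expected, actual, reason) for every deviation.

    actual is None when the option does not appear in the listing at all, which
    is reported as a finding rather than silently treated as compliant.
    """
    current = parse_options(output)
    findings = []
    for name, (expected, reason) in sorted(baseline.items()):
        actual = current.get(name)
        if actual != expected:
            findings.append((name, expected, actual, reason))
    return findings


def remediation(findings) -> list:
    """CLI commands that bring the system to baseline, one per finding."""
    return ["options %s %s" % (name, expected) for name, expected, _, _ in findings]


# Constructed sample of 'options' output from a system that still needs hardening.
SAMPLE_OUTPUT = """\
autosupport.enable           on
ip.match_any_ifaddr          on
security.passwd.rules.enable on
wafl.root_only_chown         off        (comment text constructed for the example)
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_OUTPUT)
    for name, expected, actual, reason in findings:
        print("%-30s expected %-3s actual %-5s %s" % (name, expected, actual, reason))
    print("\n".join(remediation(findings)))
```

Run the audit against the saved output of options from each system rather than typing the commands blindly: the listing also shows whether an option is missing on an older release, and the remediation commands can then be reviewed before they are applied on a production system.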


    The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Poughkeepsie Center.

Alex Osuna is a Project Leader at the International Technical Support Organization (ITSO), Tucson Center. He writes extensively and teaches IBM classes worldwide on all areas of storage. Before joining the ITSO two years ago, Alex worked as an IBM Tivoli Systems Engineer. Alex has over 29 years in the IT industry, 20 of them specifically related to storage. He has more than 10 certifications from IBM, Microsoft, and Red Hat.

Jesse Acosta is a Technical Support Engineer from AVNET Partner Solutions.

    Thanks to Roger Sanders of the Network Appliance Corporation for his review.


    Copyright International Business Machines Corporation 2008. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Notices

    This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
