Security on NetApp Filer

Storage systems usually hold data that is critical for the organization, such as databases, mailboxes and employee files. Typically you don't expose a NAS to the Internet. If the Filer has a public IP address so that it can provide CIFS or NFS access inside the organization, you can simply block all incoming connections from the outside world on the perimeter firewall. But what if a network engineer messes up the firewall configuration? If you don't take even simple security measures, all of your organization's data is at risk.

Here I'd like to describe the basic means of securing a NetApp Filer:

  • Disable rsh:

options rsh.enable off

  • Disable telnet:

options telnet.enable off

  • Restrict SSH access to particular IP addresses. Keep in mind that if you have enabled AD authentication, the Administrator user and the Administrators group will implicitly have SSH access regardless of this list.

options ssh.access host=ip_address_1,ip_address_2

  • You can configure the Filer to allow file access over HTTP. If you don't have an HTTP license or you don't use HTTP, disable it:

options httpd.enable off

  • Even if you don't have an HTTP license, you can access the NetApp FilerView web interface to manage the Filer. You can reach it over SSL or over a plain connection; SSL is obviously more secure, so disable plain HTTP access to FilerView and allow only SSL:

options httpd.admin.enable off

options httpd.admin.ssl.enable on

  • Restrict access to FilerView:

options httpd.admin.access host=ip_address_1,ip_address_2

  • If you don't use SNMP, disable it:

options snmp.enable off

  • I use NDMP to back up the Filer's data, and it runs over a dedicated virtual network. I restrict NDMP to work only between the Filers (we have two of them) and the backup server, and only through a particular virtual interface:

On Filer1:

options ndmpd.access "host=backup_server_ip,filer2_ip_address AND if=interface_name"

options ndmpd.preferred_interface interface_name

On Filer2:

options ndmpd.access "host=backup_server_ip,filer1_ip_address AND if=interface_name"

options ndmpd.preferred_interface interface_name

  • Disable other services you don't use, for example SnapMirror and SnapVault:

options snapmirror.enable off

options snapvault.enable off

  • The module responsible for SSH and FilerView SSL connections is called SecureAdmin. You probably won't need to configure it, since it is enabled by default. You can verify that SSH2 and SSL connections are enabled with:

secureadmin status

  • Make sure all built-in users have strong passwords. You can list the built-in users with:

useradmin user list

  • By default the Filer has home directory CIFS shares for all users. If you don't use them, disable them by deleting:

/etc/cifs_homedir.cfg

  • The Filer also has the default shares ETC$ and C$. I'd highly recommend restricting access to these shares to the local Filer Administrator user only. Note that if you have enabled AD authentication, the domain Administrator user and the Administrators group will also implicitly have access to these shares, even if you don't list them in the ACL. Delete all existing permissions and add:

cifs access etc$ filer_system_name\Administrator Full Control
cifs access c$ filer_system_name\Administrator Full Control
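The steps above are all `options` settings, so they can be checked in one pass instead of one at a time. The script below is an added example, not code from the original post or from NetApp: it parses the text that the `options` command prints on a 7-Mode console (run it over a saved copy of that output) and reports every setting that deviates from the hardening baseline described in this post, including whether the address lists in `ssh.access`, `httpd.admin.access` and `ndmpd.access` are actually restricted and whether `ndmpd.preferred_interface` matches the interface pinned in `ndmpd.access`. The option names are the ones used in the post (with the `httpd.` spelling); the sample dump embedded in the script is constructed, not captured from a real system.

```python
"""Audit a Data ONTAP 7-Mode `options` dump against the hardening steps above.

Added example, not code from the original post. Option names are the ones the
post uses; the sample below is constructed, not a real capture.
"""
import re

# Constructed sample of `options` output (not captured from a real system).
SAMPLE_OPTIONS = """\
rsh.enable                   on
telnet.enable                off
ssh.access                   legacy
httpd.enable                 on
httpd.admin.enable           on
httpd.admin.ssl.enable       off
httpd.admin.access           *
snmp.enable                  off
ndmpd.access                 host=10.0.0.5,10.0.0.6 AND if=e0b
ndmpd.preferred_interface    disable
snapmirror.enable            off
snapvault.enable             on
"""

MUST_BE_OFF = ["rsh.enable", "telnet.enable", "httpd.enable",
               "httpd.admin.enable", "snmp.enable"]
MUST_BE_ON = ["httpd.admin.ssl.enable"]
MUST_BE_RESTRICTED = ["ssh.access", "httpd.admin.access", "ndmpd.access"]
OFF_UNLESS_USED = ["snapmirror.enable", "snapvault.enable"]


def parse_options(text):
    """Turn `options` output into {name: value}. Drops blank lines and any
    trailing '(value might be overwritten in takeover)' annotation."""
    opts = {}
    for line in text.splitlines():
        line = line.split("(", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_access(value):
    """Parse an access-list value such as 'host=10.0.0.1,10.0.0.2 AND if=e0a'.
    Returns (hosts, interface). Open values (*, all, legacy) yield no hosts;
    a wildcard host list yields ['*'] so the caller can reject it."""
    value = value.strip().strip('"')
    hosts, iface = [], None
    for term in re.split(r"\s+AND\s+", value, flags=re.IGNORECASE):
        m = re.match(r"(host|if)=(.+)", term.strip(), re.IGNORECASE)
        if not m:
            continue
        if m.group(1).lower() == "host":
            hosts = [h.strip() for h in m.group(2).split(",") if h.strip()]
        else:
            iface = m.group(2).strip()
    return hosts, iface


def audit(options_text):
    """Return (option, current_value, expected_value) for each deviation."""
    opts = parse_options(options_text)
    cur = lambda name: opts.get(name, "<not set>")
    findings = []
    for name in MUST_BE_OFF:
        if cur(name) != "off":
            findings.append((name, cur(name), "off"))
    for name in MUST_BE_ON:
        if cur(name) != "on":
            findings.append((name, cur(name), "on"))
    for name in MUST_BE_RESTRICTED:
        hosts, _ = parse_access(cur(name))
        if not hosts or "*" in hosts:
            findings.append((name, cur(name), "host=<explicit address list>"))
    for name in OFF_UNLESS_USED:
        if cur(name) != "off":
            findings.append((name, cur(name), "off (unless the service is in use)"))
    # The interface pinned with 'if=' in ndmpd.access should also be the
    # preferred NDMP interface, as in the two-Filer setup above.
    _, iface = parse_access(cur("ndmpd.access"))
    if iface and cur("ndmpd.preferred_interface") != iface:
        findings.append(("ndmpd.preferred_interface",
                         cur("ndmpd.preferred_interface"), iface))
    return findings


if __name__ == "__main__":
    for name, current, expected in audit(SAMPLE_OPTIONS):
        print(f"{name:28} is {current!r}, expected {expected}")
```

Run against the constructed sample it reports eight deviations (rsh and HTTP still on, FilerView reachable without SSL from any host, SSH open, SnapVault enabled, and an NDMP preferred interface that does not match the pinned one); against a dump where every setting matches the post it reports nothing, which is the state you want to see after finishing the list.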

Basically, that's it. Now you can say that you know how to configure basic NetApp security.


11 Responses to “Security on NetApp Filer”

  1. Rafael Guedes Says:

    Great post! Bookmarked! I would like to add some possible methods to restrict access to the filer by blocking protocols using the Data ONTAP "port firewall". It is possible to block iSCSI, NFS, CIFS, FTP and SnapMirror per interface:

    filer> options interface.blocked.iscsi
    filer> options interface.blocked.cifs
    filer> options interface.blocked.ftpd
    filer> options interface.blocked.snapmirror
    filer> options interface.blocked.nfs

  2. niktips Says:

    Good comment. Very useful thing as an additional level of security.


  4. w1ll1ng Says:

    Nice.
    How do you connect to etc and c$ using local Filer Administrator credentials over CIFS? (It just says I don't have permission.) Taking into consideration that you are using AD for authentication. As you mentioned, it's useless when using AD with the host.equiv file.

    Looking for more secure access to root vol using cifs than just AD

    • niktips Says:

      I can't check right now, since I quit working with NetApp and am primarily focused on IBM mid-range at the moment. Firstly, I must say I know nothing about how host.equiv affects CIFS access, so check whether a host.equiv misconfiguration could be the reason. As for login credentials: the Filer has local users. You can SSH to the console and, using the appropriate commands, find out what users you have. If I remember correctly, Administrator was there by default. Maybe you need to change its password. Anyway, you can always add another user and give it access to a particular share right from the filer console. Good luck.

  5. Sabin Mohan Says:

    Hi,

    I have to configure an NDMP backup for a virtual filer which is running on a NetApp 2240. I need to know whether I can get a direct SSH connection to the virtual filer by authenticating with a username/password.

    • niktips Says:

      You can't directly SSH to a vfiler, but you can use a non-interactive shell, like: "ssh vfiler command".

      • Sabin Mohan Says:

        OK... can you just share with me what MD5 and plain text authentication are on NetApp filers... How can we verify and change these authentication methods on a NetApp 2240 system...

  6. They Call me Pete Says:

    Does anyone know how to block filerview access from ISCSI ports?

    • niktips Says:

      First of all you are not supposed to use FilerView anymore. There is Systems Manager for this purpose. Now what’s iSCSI ports? If you mean IPs you use to access iSCSI LUNs from, then they are no different from any other IPs. Use the same `httpd.admin.access` option.

  7. Kent Says:

    Thank you very much for this security cheat sheet!
