Security Hardening Guide for Netapp ONTAP 9

Security Hardening Guide for Netapp ONTAP 9

Security Hardening Guide for Lenovo® ONTAP 9® Guidelines for Secure Deployment of ONTAP 9 Abstract This technical report provides guidance and configuration settings for Lenovo® ONTAP® 9 to help organizations meet prescribed security objectives for information system confidentiality, integrity, and availability. Second Edition (April 2020) © Copyright Lenovo 2020. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration (GSA) contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F- 05925. 2 Security Hardening Guide for Lenovo ONTAP 9 © 2020 Lenovo. All rights reserved. TABLE OF CONTENTS 1 Introduction ........................................................................................................................................... 5 2 ONTAP Image Validation ...................................................................................................................... 5 2.1 Upgrade Image Validation .............................................................................................................................. 5 2.2 Boot-Time Image Validation ............................................................................................................................ 5 3 Local Storage Administrator Accounts .............................................................................................. 5 3.1 Roles, Applications, and Authentication .......................................................................................................... 5 3.2 Default Administrative Accounts ..................................................................................................................... 8 3.3 Certificate-Based API Access ....................................................................................................................... 10 3.4 Login and Password Parameters .................................................................................................................. 11 4 System Administration Methods ....................................................................................................... 13 4.1 Command-Line Access ................................................................................................................................. 13 4.2 Web Access .................................................................................................................................................. 15 5 Storage Administrative System Auditing ......................................................................................... 16 5.1 Sending Out Syslog ...................................................................................................................................... 16 5.2 Event Notification .......................................................................................................................................... 17 6 Storage Encryption ............................................................................................................................. 17 7 Data Replication Encryption .............................................................................................................. 18 8 Managing TLS and SSL ...................................................................................................................... 19 9 Creating a CA-Signed Digital Certificate .......................................................................................... 20 10 Online Certificate Status Protocol .................................................................................................... 20 11 Managing SSHv2 ................................................................................................................................. 20 12 Lenovo AutoSupport .......................................................................................................................... 21 13 Network Time Protocol ....................................................................................................................... 22 14 NAS File System Local Accounts (CIFS Workgroup) ..................................................................... 22 15 NAS File System Auditing .................................................................................................................. 23 16 CIFS SMB Signing and Sealing ......................................................................................................... 24 17 Securing NFS ...................................................................................................................................... 24 18 Kerberos 5 and Krb5p ........................................................................................................................ 26 3 Security Hardening Guide for Lenovo ONTAP 9 © 2020 Lenovo. All rights reserved. 19 Lightweight Directory Access Protocol Signing and Sealing ........................................................ 26 20 FPolicy ................................................................................................................................................. 26 20.1 Filtering Controls ........................................................................................................................................... 27 20.2 Async Resiliency ........................................................................................................................................... 27 21 Securing Logical Interfaces ............................................................................................................... 27 22 Securing Protocols and Ports ........................................................................................................... 28 Security Resources................................................................................................................................... 31 Where to Find Additional Information ..................................................................................................... 31 Contacting Support................................................................................................................................... 32 Notices ....................................................................................................................................................... 32 Trademarks ........................................................................................................................................................... 33 LIST OF TABLES Table 1) Predefined roles for cluster administrators. ...................................................................................................... 5 Table 2) Predefined roles for storage virtual machine administrators. ............................................................................ 6 Table 3) Authentication methods. ................................................................................................................................... 7 Table 4) Restrictions for management utility user accounts. ........................................................................................ 11 Table 5) Login banner parameters. .............................................................................................................................. 14 Table 6) MOTD parameters. ........................................................................................................................................ 14 Table 7) Supported ciphers and key exchanges. ......................................................................................................... 20 Table 8) Rules for access-level parameters in export rules. ......................................................................................... 25 Table 9) Rules for access parameter outcomes. .......................................................................................................... 25 Table 10) LIF security. .................................................................................................................................................. 27 Table 11) Commonly used protocols and ports. ........................................................................................................... 28 Table 12) Lenovo internal ports. ................................................................................................................................... 29 4 Security Hardening Guide for Lenovo ONTAP 9 © 2020 Lenovo. All rights reserved. 1 Introduction The evolution of the current threat landscape presents an organization with unique challenges for protecting its most valuable assets: data and information. The advanced and dynamic threats and vulnerabilities we face are ever increasing in sophistication. Coupled with an increase in the effectiveness of obfuscation and reconnaissance techniques on the part of potential intruders, storage managers must address the security of data and information in a proactive manner. This guide seeks to help operators and administrators in that task with the confidentiality, integrity, and availability integral to the Lenovo solution. 2 ONTAP Image Validation 2.1 Upgrade Image Validation Code signing helps verify that ONTAP images installed through nondisruptive image updates or automated nondisruptive image updates, CLIs, or ZAPIs are authentically produced by Lenovo and have not been tampered with. This feature is a no-touch security

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    33 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us