Isilon OneFS Version 7.1 Security Configuration Guide


Copyright © 2013-2014 EMC Corporation. All rights reserved. Published in USA.

Published March, 2014

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com). For documentation on EMC Data Domain products, go to the EMC Data Domain Support Portal (https://my.datadomain.com).

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com

2 OneFS 7.1 Security Configuration Guide

CONTENTS

Chapter 1  Introduction to this guide  5
    About this guide  6
    Isilon scale-out NAS overview  6
    Where to go for support  6

Chapter 2  OneFS security configuration  7
    Security configuration overview  8
    System requirements  8
    System security features  8
    User interfaces  9
    Cautions and warnings  10
    Terminology  10
    Related documents  12

Chapter 3  Authentication and access  13
    Authentication and access control overview  14
        Authentication and access control features  14
    Authentication  15
        Kerberos authentication protocol  15
        Authentication provider security features  15
        Default authentication providers  16
    Access zones  17
        Access zone features  17
    Identity management  17
        Access tokens  18
    Roles  19
        Built-in roles  19
        OneFS privileges  22
        Command-line interface privileges  24
    Data access control  28
        Data access security features  29
        ACLs  29
        UNIX permissions  30
        Mixed-permission environments  30

Chapter 4  Protocols  33
    Client-side protocols  34
    SMB  34
        SMB protocol security features  34
        SMB share default permissions  35
    NFS  35
        NFS protocol security features  35
        NFS export default permissions  36
    Hadoop overview  36
    HTTP and HTTPS  37
        Certificates  37
    FTP  37
    NDMP  37

Chapter 5  Communication security settings  39
    Port usage  40
    Default OneFS services  45

Chapter 6  Auditing  47
    File auditing  48
    Supported event types  48
    Supported audit tools  49

Chapter 7  Data security settings  51
    Data-at-rest encryption overview  52
        Data-at-rest encryption features  52
    SmartLock overview  52
        SmartLock features  52

Chapter 8  System security alerts  55
    Events and notifications  56
        Event notification methods  56
    SNMP monitoring  56

Chapter 9  Other security  59
    Antivirus overview  60
        Antivirus threat responses  60
    Remote support using ESRS Gateway  61

CHAPTER 1

Introduction to this guide

This section contains the following topics:

• About this guide
• Isilon scale-out NAS overview
• Where to go for support

About this guide

This guide explains why and how to use the security features that are available for your Isilon OneFS cluster. This guide is intended for administrators who are responsible for the overall configuration and operation of the Isilon OneFS cluster.

Isilon scale-out NAS overview

The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the distributed OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace.

The platform's unified software provides centralized web-based and command-line administration to manage the following features:

• A symmetrical cluster that runs a distributed file system
• Scale-out nodes that add capacity and performance
• Storage options that manage files, block data, and tiering
• Flexible data protection and high availability
• Software modules that control costs and optimize resources

Where to go for support

You can contact EMC Isilon Technical Support for any questions about EMC Isilon products.

Online Support        Live Chat
                      Create a Service Request

Telephone Support     United States: 800-782-4362 (1-800-SVC-4EMC)
                      Canada: 800-543-4782
                      Worldwide: +1-508-497-7901
                      For local phone numbers in your country, see EMC Customer Support Centers.

Help with online      For questions specific to EMC Online Support registration or access,
support               email [email protected].

CHAPTER 2

OneFS security configuration

This publication includes the following topics:

• Security configuration overview
• System requirements
• System security features
• User interfaces
• Cautions and warnings
• Terminology
• Related documents

Security configuration overview

Isilon OneFS implements a variety of security features to control user and network access and monitor system access and use.

Strong system security features are increasingly necessary to comply with new regulations and ensure greater protection against system attacks. A basic understanding of these features is important to implementing Isilon OneFS security features.

Note

To perform most configuration tasks, you must log on as a user who is a member of the SystemAdmin or SecurityAdmin role. To update some cluster settings, you must log on as the root user. For more information about roles, privileges, and root-only commands, see Roles and privileges.

For configuration-task procedures and additional information, see the OneFS Web Administration Guide or the OneFS CLI Reference Guide. The Related documents section lists other OneFS-related publications that are part of the OneFS documentation suite.

System requirements

The following table describes the EMC Isilon software, hardware, network, and storage-configuration requirements.

Table 1 System requirements

Component   Requirement
Software    Isilon OneFS 7.1
Hardware    Compatible Isilon nodes
Network     1GigE or 10GigE front end
Storage     No specific storage requirements

System security features

The EMC Isilon OneFS system implements a variety of features to control access and protect data.

Security support      Description
Data                  To secure data access, EMC Isilon provides data-at-rest encryption on clusters of self-encrypting nodes.
Data access           To protect system resources against unauthorized access, OneFS supports strict user identification and authentication, role-based access, and administrator-defined complex password policies.
Data transmission     To support the transmission of encrypted data, OneFS supports the SSL security protocol.
Ports and services    To ensure that unnecessary services and dynamic ports are not used by OneFS, services can be enabled or disabled as needed from the command-line interface.
Cluster monitoring    To monitor the health and status of the cluster, OneFS provides configurable settings to automate EMC Isilon cluster event notifications.

Although many of these features require explicit configuration and management, others are included as basic components of software operation and are therefore the default.

Note

EMC Isilon OneFS system features are described more fully elsewhere in the documentation library. See Related documents for a list of other publications.

User interfaces

Depending on your preference, location, or task, OneFS provides several interfaces for managing the EMC Isilon cluster.

Interface: OneFS web administration interface
Description: The browser-based OneFS web administration interface provides secure access with OneFS-supported browsers. You can use this interface to view robust graphical monitoring displays and to perform cluster-management tasks.
Comment: The OneFS web administration interface uses port 8080 as its default port.

Interface: OneFS command-line interface
Description: You can run OneFS isi commands in the command-line interface to configure, monitor, and manage the cluster. Access to the command-line interface is through a secure shell (SSH) connection to any node in the cluster.
Comment: The OneFS command-line interface provides an extended standard UNIX command set for managing the cluster.

Interface: OneFS Platform API
Description: The OneFS Platform API provides access to cluster configuration, management, and monitoring functionality through an HTTP-based interface.
Comment: You should have a solid understanding of HTTP/1.1 and experience writing HTTP-based client software before you implement client-based software through the Platform API.

Interface: OneFS RESTful Access to the Namespace API
Description: You can create, delete, and modify data on the OneFS file system through the RESTful Access to the Namespace (RAN) application programming interface (API).
Comment: You should have a solid understanding of HTTP/1.1 and experience writing HTTP-based client software before you implement client-based software through the RAN API.

Interface: Node front panel
Description: The front panel of each node contains an LCD screen with five buttons, which you can use to monitor node and cluster details.
Comment: Node status, events, cluster details, capacity, IP and MAC addresses, throughput, and drive status are available through the node front panel.

Note

Accelerator nodes do not have front panels.

Cautions and warnings

You should not proceed with security configuration if you have questions about any of the information in this document.

If any of the information in this document is unclear, contact your EMC Isilon Customer Support Representative for assistance.

Terminology

The following terms and abbreviations describe some of the features and technology of the EMC Isilon OneFS system and Isilon cluster.

Access-based enumeration (ABE)
    In a Microsoft Windows environment, ABE filters the list of available files and folders to allow users to see only those that they have permissions to access on a file server.

Access control entry (ACE)
    In a Microsoft Windows environment, an access control entry is an element of an access control list (ACL). This element defines access rights to a file for a user or group.

Access control list (ACL)
    A list of access control entries (ACEs) that provide information about the users and groups allowed access to an object.

ACL policy
    The policy that defines which access control methods (NFS permissions and/or Windows ACLs) are enforced when a user accesses a file on the system in an environment that is configured to provide multiprotocol access to file systems. The ACL policy is set through the web administration interface.

Authentication
    The process for verifying the identity of a user trying to access a resource or object, such as a file or a directory.

Certificate Authority (CA)
    A trusted third party that digitally signs public key certificates.

Certificate Authority Certificate
    A digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on public key certificates.

Command-line interface (CLI)
    An interface for entering commands through a shell window to perform cluster administration tasks.

Digital certificate
    An electronic ID issued by a certificate authority that establishes user credentials. It contains the user identity (a hostname), a serial number, expiration dates, a copy of the public key of the certificate holder (used for encrypting messages and digital signatures), and a digital signature from the certificate-issuing authority so that recipients can verify that the certificate is valid.

Directory server
    A server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage user access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft Active Directory.

EMC Support Remote Services Gateway
    EMC Secure Remote Support (ESRS) enables 24x7 proactive, secure, high-speed remote monitoring and repair for many EMC products.

Hypertext Transfer Protocol (HTTP)
    The communications protocol used to connect to servers on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS)
    HTTP over SSL. All network traffic between the client and server system is encrypted. In addition, HTTPS provides the option to verify server and client identities. Typically, server identities are verified and client identities are not.

Kerberos
    An authentication, data integrity, and data-privacy encryption mechanism that is used to encode authentication information. Kerberos coexists with NTLM (Netlogon services) and provides authentication for client/server applications using secret-key cryptography.

LDAP-based directory
    A directory server that provides access through LDAP. Examples of LDAP-based directory servers include OpenLDAP and SUN Directory Server.

Lightweight Directory Access Protocol (LDAP)
    An information-access protocol that runs directly over TCP/IP. LDAP is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP Version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251.

Network File System (NFS)
    A distributed file system that provides transparent access to remote file systems. NFS allows all network systems to share a single copy of a directory.

Network Information Service (NIS)
    A service that provides authentication and identity uniformity across local area networks and allows you to integrate the cluster with your NIS infrastructure. Designed by Sun Microsystems, NIS can be used to authenticate users and groups when they access the cluster.

OpenLDAP
    The open source implementation of an LDAP-based directory service.

Platform API
    A RESTful HTTP-based interface, through which the cluster can be managed and monitored automatically.

Public Key Infrastructure (PKI)
    A means of managing private keys and associated public key certificates for use in Public Key Cryptography.

RESTful access to namespace (RAN) API
    A OneFS protocol for accessing files and directories, including their OneFS-specific metadata. The RAN API allows clients to set and get access control lists (ACLs) through HTTP.

Simple Network Management Protocol (SNMP)
    A protocol that can be used to communicate management information between the network management stations and the agents in the network elements.

Secure Socket Layer (SSL)
    A security protocol that provides encryption and authentication. SSL encrypts data and provides message and server authentication. SSL also supports client authentication if required by the server.

Transport Layer Security (TLS)
    The successor protocol to SSL for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical with SSL version 3.

X.509
    A widely used standard for defining digital certificates.

Related documents

The complete documentation set for EMC Isilon OneFS is available online.

You can find information that is related to the features and functionality described in this document in the following documents. These documents are available from EMC Online Support (https://support.emc.com).

• OneFS Web Administration Guide
• OneFS CLI Administration Guide
• OneFS Event Reference
• OneFS Site Preparation and Planning Guide
• OneFS Upgrade Planning and Process Guide
• OneFS Backup and Recovery Guide
• OneFS Platform API Reference
• OneFS RESTful Access to the Namespace API Reference
• OneFS Release Notes
• Isilon Third-Party Software and Hardware Compatibility Guide
• EMC Isilon Multiprotocol Data Access with a Unified Security Model (white paper)
• Managing identities with the Isilon OneFS user mapping service (white paper)

CHAPTER 3

Authentication and access

This section contains the following topics:

• Authentication and access control overview
• Authentication
• Access zones
• Identity management
• Roles
• Data access control

Authentication and access control overview

OneFS supports several methods for ensuring that your cluster remains secure, including UNIX- and Windows-style permissions for data-level access control. Access zones and role-based administration control access to system configuration settings.

OneFS is designed for a mixed environment that allows you to configure both Windows Access Control Lists (ACLs) and standard UNIX permissions on the cluster file system. Windows and UNIX permissions cannot coexist on a single file or directory. However, OneFS uses identity mapping between Windows and UNIX permissions.

Note

In most situations, the default settings are sufficient. You can configure additional access zones, custom roles, and permissions policies as necessary for your particular environment.

Authentication and access control features

You can configure settings for the following features for authentication and access control.

Feature: Access zones
Description: OneFS includes a built-in access zone named System.
Comment: By default, new authentication providers, SMB shares, and NFS exports are added to the System zone. When you create a new IP address pool, you must assign it to an access zone.

Feature: Authentication
Description: Unique user accounts can be a local user account or user accounts from an Active Directory, LDAP, or NIS.
Comment: You can configure access to each user account type.

Feature: Roles
Description: With roles, you can assign privileges to users and groups. By default, only the "root" and "admin" users can log in to the command-line interface (CLI) through SSH or the web administration interface through HTTP. The root or admin user can add other users to built-in or custom roles that contain the privileges that are required to log in and perform administrative functions.
Comment: It is good practice to assign users to roles that contain the minimum set of privileges that are necessary. To create or assign roles, you must be logged on as a member of the Security Administrator role.

Feature: Identity management
Description: Identity management enables user-identity integration to provide identical permissions to system resources for Unix and Windows users.
Comment: All directory services identities for a user can be combined and managed to control access through the supported protocols to directories and files across the cluster.

Feature: Mixed-environment support
Description: OneFS is designed for a mixed environment, so you can configure both Windows Access Control Lists (ACLs) and standard UNIX permissions on the cluster file system.
Comment: Although Windows and UNIX permissions cannot coexist on a single file or directory, OneFS uses identity mapping to translate between Windows and UNIX permissions as needed.

Authentication

OneFS supports local and remote authentication providers to verify that users attempting to access the cluster are who they claim to be. Anonymous access, which does not require authentication, is supported for protocols that allow it.

OneFS supports the concurrent use of multiple authentication provider types, which are analogous to directory services. For example, OneFS is often configured to authenticate Windows clients with Active Directory and to authenticate UNIX clients with LDAP. It is important that you understand their interactions before enabling multiple providers on the cluster.

Note

OneFS is RFC 2307-compliant.

NIS, designed by Sun Microsystems, can also be used to authenticate users and groups when they access the EMC Isilon cluster.

Kerberos authentication protocol

You can enable Kerberos for stronger authentication.

If you configure an Active Directory provider, Kerberos authentication is provided automatically. Both Active Directory and MIT Kerberos are supported on the EMC Isilon cluster.

Authentication provider security features

You can configure one or multiple concurrent authentication provider types for your security purposes.

Note

To use an authentication provider, it must be added to an access zone.

OneFS is RFC 2307-compliant.

Provider: LDAP
Security features: Simple bind authentication (with and without SSL); Kerberos support; encrypted passwords.
Comment: OneFS supports SSL encryption and authentication on the LDAP connection between the EMC Isilon cluster and an LDAP-based directory server. You can create multiple LDAP instances for accessing servers with different user data.

Provider: Active Directory
Security features: User and group authentication.
Comment: Whenever possible, a single Active Directory instance should be used when all domains have a trust relationship. Multiple instances should be used only to grant access to multiple sets of mutually untrusted domains.

Provider: NIS
Security features: Authentication and identity uniformity across local area networks.
Comment: Multiple servers can be specified for redundancy and load balancing. Note: NIS is different from NIS+, which OneFS does not support.

Provider: File provider
Security features: Authoritative third-party source of user and group information to the cluster. A third-party source is useful in UNIX and Linux environments that synchronize /etc/passwd, /etc/group, and /etc/netgroup files across multiple servers.
Comment: The built-in System file provider includes services to list, manage, and authenticate against system accounts such as root, admin, and nobody. Note: It is recommended that you do not modify the System file provider.

Provider: Local provider
Security features: Authentication and lookup facilities for user accounts that were added by an administrator. Local groups can include built-in groups and Active Directory groups as members. Local users contain attributes of both Windows and Unix users. You configure a local password policy for each node in the cluster to enforce password complexity.
Comment: You must be logged on as a member of the Security Administrator role to define the password quality policy.

Default authentication providers

When you first install OneFS, two default providers are created on the EMC Isilon cluster.

By default, OneFS creates one file provider and one local provider when you install the OneFS system. The default file provider is also known as the System provider and is created with two default accounts: root and admin. The default local provider includes various Windows built-in groups.

Note

You can configure multiple instances of each provider type, but it is good practice to include only a single instance of a provider type in an access zone. When you configure an authentication provider, it is added to the built-in System zone, which already includes the default local and file provider.

Access zones

Access zones provide a way to partition cluster configuration into self-contained units, which enable administrators to configure a subset of parameters as a virtual cluster. Access zones contain all of the necessary configuration settings to support authentication and identity management services in OneFS.

OneFS includes a built-in access zone named System that contains all configured authentication providers, all available SMB shares, and all available NFS exports.

Note

By default, all cluster IP addresses connect to the System zone.

Access zone features

You can configure access zones to leverage the following features for your environment.

Feature: Overlapping share-name support
Description: If multiple SMB shares have the same display name, OneFS supports the overlapping display names if the name appears only once per access zone.
Comment: For example, you can assign the name "home" as the display name for a share in zone A and a different share in zone B.

Feature: Multiple access zone support
Description: You can create additional access zones and configure each zone differently. Each access zone can be configured with its own set of authentication providers, user mapping rules, and SMB shares.
Comment: Multiple access zones are particularly useful for server consolidation, for example when merging multiple Windows file servers that are potentially joined to different untrusted forests. Note: NFS users can be authenticated against only the System zone.

Feature: SMB-protocol access auditing on individual access zones
Description: You can audit SMB-protocol access on individual access zones.
Comment: For audited zones, you can modify the default list of successful and failed protocol events that are audited.

Identity management

In environments with several different types of directory services, OneFS maps the users and groups from the separate services to provide a single unified identity on the EMC Isilon cluster and uniform access control to files and directories, regardless of the incoming protocol. This process is called identity mapping.

Isilon clusters are frequently deployed in multiprotocol environments with multiple types of directory services, such as Active Directory and LDAP. When a user with accounts in multiple directory services logs in to an Isilon cluster, OneFS combines the user's identities and privileges from all the directory services into a native access token. You can configure OneFS settings to include a list of rules for token manipulation to control user identity and privileges. For example, you can set a user mapping rule to merge an Active Directory identity and an LDAP identity into a single token that works for access to files stored over both SMB and NFS. The token can include groups from Active Directory and LDAP. The mapping rules that you create can solve identity problems by manipulating access tokens in many ways, including the following examples:

• Authenticate a user with Active Directory but give the user a UNIX identity.
• Select a primary group from competing choices in Active Directory or LDAP.
• Disallow login of users that do not exist in both Active Directory and LDAP.

For more information about identity management, see the white paper Managing identities with the Isilon OneFS user mapping service at EMC Online Support (https://support.emc.com).

Access tokensAn access token is created when the user first makes a request for access.

Access tokens represent who a user is when performing actions on the cluster and supplythe primary owner and group identities to use during file creation. Access tokens are alsocompared against the ACL or mode bits during authorization checks.

During user authorization, OneFS compares the access token, which is generated duringthe initial connection, with the authorization data on the file. All user and identitymapping occurs during token generation; no mapping takes place during permissionsevaluation.

An access token includes all UIDs, GIDs, and SIDs for an identity, in addition to all OneFSprivileges. OneFS exclusively uses the information in the token to determine whether auser has access to a resource. It is important that the token contains the correct list ofUIDs, GIDs, and SIDs.
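The three mapping rules listed above and the "map once, at token generation" property, as an added Python model. This is not OneFS code and not the OneFS user-mapper rule syntax: the directory records, the rule functions, the token layout and the trustee comparison are all constructed for the example. The point it makes is that every directory lookup happens inside build_token(); the authorization helper at the end reads only the finished token.

```python
"""Access-token generation with user-mapping rules, as a model (added example)."""
from dataclasses import dataclass, field

# Constructed Active Directory records (SIDs) and LDAP records (UIDs/GIDs).
AD = {
    "EXAMPLE\\jsmith": {"sid": "S-1-5-21-10-20-30-1104",
                        "primary_group_sid": "S-1-5-21-10-20-30-513",
                        "group_sids": ["S-1-5-21-10-20-30-513", "S-1-5-21-10-20-30-2001"]},
    "EXAMPLE\\contractor": {"sid": "S-1-5-21-10-20-30-1205",
                            "primary_group_sid": "S-1-5-21-10-20-30-513",
                            "group_sids": ["S-1-5-21-10-20-30-513"]},
}
LDAP = {
    "jsmith": {"uid": 10001, "gid": 5000, "group_gids": [5000, 5010]},
}


class LoginDenied(Exception):
    pass


@dataclass
class Token:
    user: str
    uids: list = field(default_factory=list)
    gids: list = field(default_factory=list)
    sids: list = field(default_factory=list)
    primary_group: object = None  # GID or SID stamped on files the user creates


def ldap_entry(tok):
    """Look up the LDAP account that matches the AD short name (assumed convention)."""
    return LDAP.get(tok.user.split("\\", 1)[-1])


def rule_join_ldap(tok):
    """Authenticate with AD but give the user a UNIX identity: add the LDAP
    UID and GIDs to the token next to the AD SIDs."""
    ent = ldap_entry(tok)
    if ent is not None:
        tok.uids.append(ent["uid"])
        tok.gids.extend(g for g in ent["group_gids"] if g not in tok.gids)


def rule_ldap_primary_group(tok):
    """Select the primary group from competing choices: prefer the LDAP GID,
    fall back to the AD primary group SID."""
    ent = ldap_entry(tok)
    tok.primary_group = ent["gid"] if ent is not None else AD[tok.user]["primary_group_sid"]


def rule_require_both(tok):
    """Disallow login for users that do not exist in both AD and LDAP."""
    if not tok.uids:
        raise LoginDenied(tok.user + ": no LDAP account; login refused by mapping rule")


DEFAULT_RULES = [rule_join_ldap, rule_ldap_primary_group, rule_require_both]


def build_token(ad_name, rules=DEFAULT_RULES):
    """Authenticate against AD, then apply the mapping rules in order. This is
    the only place identities are looked up or merged."""
    ad = AD.get(ad_name)
    if ad is None:
        raise LoginDenied(ad_name + ": unknown to Active Directory")
    tok = Token(user=ad_name, sids=[ad["sid"], *ad["group_sids"]])
    for rule in rules:
        rule(tok)
    return tok


def login_allowed(ad_name, rules=DEFAULT_RULES):
    try:
        build_token(ad_name, rules)
        return True
    except LoginDenied:
        return False


def identity_in_token(tok, identity):
    """Authorization step: compare a file's owner, group or ACE trustee with
    the token only. No directory lookup or mapping happens here."""
    return identity in tok.uids or identity in tok.gids or identity in tok.sids
```

With the default rule list, jsmith gets a token holding one UID, two GIDs and three SIDs with 5000 as primary group, while contractor, who has no LDAP entry, is refused by rule_require_both; drop that rule and contractor logs in with the AD primary group SID instead. A stale LDAP entry therefore shows up as a wrong token, not as a failed permission check, which is where the "correct list of UIDs, GIDs, and SIDs" warning above comes from.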

An access token is created from one of the following sources:

| Source | Authentication method |
| --- | --- |
| Username | SMB impersonate user; Kerberized NFSv3; Kerberized NFSv4; mountd root mapping; HTTP; FTP |
| Privilege Attribute Certificate (PAC) | SMB NTLM; Active Directory Kerberos |
| User identifier (UID) | NFS AUTH_SYS mapping |


Roles

You can permit and limit access to administrative areas of your EMC Isilon cluster on a per-user basis through the use of roles.

OneFS includes built-in administrator roles with predefined sets of privileges that cannot be modified. The following list describes what you can and cannot do through roles:

• You can assign privileges through role membership.

• You can add any user to a role as long as the user can authenticate to the cluster.

• You can create custom roles and assign privileges to those roles.

• You can add users singly or as groups, including well-known groups.

• You can assign a user as a member of more than one role.

• You can add a group to a role, which grants to all users who are members of that group all of the privileges associated with the role.

• You cannot assign privileges directly to users or groups.

Note

When OneFS is first installed, only users with root- or admin-level access can log in and assign users to roles.

Built-in roles

Built-in roles include privileges to perform a set of administrative functions.

The following tables describe each of the built-in roles from most powerful to least powerful. The tables include the privileges and read/write access levels (if applicable) that are assigned to each role. You can assign users and groups to built-in roles and to roles that you create.

Table 2 SecurityAdmin role

| Description | Privileges | Read/write access |
| --- | --- | --- |
| Administer security configuration on the cluster, including authentication providers, local users and groups, and role membership. | ISI_PRIV_LOGIN_CONSOLE | N/A |
| | ISI_PRIV_LOGIN_PAPI | N/A |
| | ISI_PRIV_LOGIN_SSH | N/A |
| | ISI_PRIV_AUTH | Read/write |
| | ISI_PRIV_ROLE | Read/write |

Table 3 SystemAdmin role

| Description | Privileges | Read/write access |
| --- | --- | --- |
| Administer all aspects of cluster configuration that are not specifically handled by the SecurityAdmin role. | ISI_PRIV_LOGIN_CONSOLE | N/A |
| | ISI_PRIV_LOGIN_PAPI | N/A |
| | ISI_PRIV_LOGIN_SSH | N/A |
| | ISI_PRIV_SYS_SHUTDOWN | N/A |
| | ISI_PRIV_SYS_SUPPORT | N/A |
| | ISI_PRIV_SYS_TIME | N/A |
| | ISI_PRIV_ANTIVIRUS | Read/write |
| | ISI_PRIV_AUDIT | Read/write |
| | ISI_PRIV_CLUSTER | Read/write |
| | ISI_PRIV_DEVICES | Read/write |
| | ISI_PRIV_EVENT | Read/write |
| | ISI_PRIV_FTP | Read/write |
| | ISI_PRIV_HTTP | Read/write |
| | ISI_PRIV_ISCSI | Read/write |
| | ISI_PRIV_JOB_ENGINE | Read/write |
| | ISI_PRIV_LICENSE | Read/write |
| | ISI_PRIV_NDMP | Read/write |
| | ISI_PRIV_NETWORK | Read/write |
| | ISI_PRIV_NFS | Read/write |
| | ISI_PRIV_NTP | Read/write |
| | ISI_PRIV_QUOTA | Read/write |
| | ISI_PRIV_REMOTE_SUPPORT | Read/write |
| | ISI_PRIV_SMARTPOOLS | Read/write |
| | ISI_PRIV_SMB | Read/write |
| | ISI_PRIV_SNAPSHOT | Read/write |
| | ISI_PRIV_STATISTICS | Read/write |
| | ISI_PRIV_SYNCIQ | Read/write |
| | ISI_PRIV_VCENTER | Read/write |
| | ISI_PRIV_NS_TRAVERSE | N/A |
| | ISI_PRIV_NS_IFS_ACCESS | N/A |

Table 4 AuditAdmin role

| Description | Privileges | Read/write access |
| --- | --- | --- |
| View all system configuration settings. | ISI_PRIV_LOGIN_CONSOLE | N/A |
| | ISI_PRIV_LOGIN_PAPI | N/A |
| | ISI_PRIV_LOGIN_SSH | N/A |
| | ISI_PRIV_ANTIVIRUS | Read-only |
| | ISI_PRIV_AUDIT | Read-only |
| | ISI_PRIV_CLUSTER | Read-only |
| | ISI_PRIV_DEVICES | Read-only |
| | ISI_PRIV_EVENT | Read-only |
| | ISI_PRIV_FTP | Read-only |
| | ISI_PRIV_HTTP | Read-only |
| | ISI_PRIV_ISCSI | Read-only |
| | ISI_PRIV_JOB_ENGINE | Read-only |
| | ISI_PRIV_LICENSE | Read-only |
| | ISI_PRIV_NDMP | Read-only |
| | ISI_PRIV_NETWORK | Read-only |
| | ISI_PRIV_NFS | Read-only |
| | ISI_PRIV_NTP | Read-only |
| | ISI_PRIV_QUOTA | Read-only |
| | ISI_PRIV_REMOTE_SUPPORT | Read-only |
| | ISI_PRIV_SMARTPOOLS | Read-only |
| | ISI_PRIV_SMB | Read-only |
| | ISI_PRIV_SNAPSHOT | Read-only |
| | ISI_PRIV_STATISTICS | Read-only |
| | ISI_PRIV_SYNCIQ | Read-only |
| | ISI_PRIV_VCENTER | Read-only |

Table 5 VMwareAdmin role

| Description | Privileges | Read/write access |
| --- | --- | --- |
| Administers remotely all aspects of storage needed by VMware vCenter. | ISI_PRIV_LOGIN_PAPI | N/A |
| | ISI_PRIV_ISCSI | Read/write |
| | ISI_PRIV_NETWORK | Read/write |
| | ISI_PRIV_SMARTPOOLS | Read/write |
| | ISI_PRIV_SNAPSHOT | Read/write |
| | ISI_PRIV_SYNCIQ | Read/write |
| | ISI_PRIV_VCENTER | Read/write |
| | ISI_PRIV_NS_TRAVERSE | N/A |
| | ISI_PRIV_NS_IFS_ACCESS | N/A |
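The role model described in this section (privileges reachable only through role membership, a user in several roles, a group added to a role), as an added Python example. It is not OneFS code: the role contents are an abridged transcription of the built-in roles in Tables 2 to 4, the users, the groups and the "rw outranks ro" precedence are assumptions made for the illustration. role_administrators() is the review question a security engineer asks first, because anyone who holds ISI_PRIV_ROLE read/write can add themselves to any other role.

```python
"""Resolve a user's effective OneFS privileges from role membership (added example)."""

# Access level a role grants for a privilege ("action" for login/system rights).
RANK = {"action": 0, "ro": 1, "rw": 2}

ROLES = {
    "SecurityAdmin": {
        "ISI_PRIV_LOGIN_CONSOLE": "action", "ISI_PRIV_LOGIN_PAPI": "action",
        "ISI_PRIV_LOGIN_SSH": "action", "ISI_PRIV_AUTH": "rw", "ISI_PRIV_ROLE": "rw",
    },
    "SystemAdmin": {  # abridged from Table 3
        "ISI_PRIV_LOGIN_CONSOLE": "action", "ISI_PRIV_LOGIN_PAPI": "action",
        "ISI_PRIV_LOGIN_SSH": "action", "ISI_PRIV_SYS_SHUTDOWN": "action",
        "ISI_PRIV_AUDIT": "rw", "ISI_PRIV_NFS": "rw", "ISI_PRIV_SMB": "rw",
        "ISI_PRIV_NETWORK": "rw", "ISI_PRIV_SNAPSHOT": "rw",
    },
    "AuditAdmin": {  # abridged from Table 4
        "ISI_PRIV_LOGIN_CONSOLE": "action", "ISI_PRIV_LOGIN_PAPI": "action",
        "ISI_PRIV_LOGIN_SSH": "action", "ISI_PRIV_AUDIT": "ro", "ISI_PRIV_NFS": "ro",
        "ISI_PRIV_SMB": "ro", "ISI_PRIV_NETWORK": "ro", "ISI_PRIV_SNAPSHOT": "ro",
    },
}

# Constructed role membership; members are "user:<name>" or "group:<name>".
MEMBERS = {
    "SecurityAdmin": {"user:admin"},
    "SystemAdmin": {"group:storage-ops"},
    "AuditAdmin": {"user:auditor", "group:storage-ops"},
}
# Constructed group membership as the authentication provider would report it.
GROUPS = {"jsmith": {"storage-ops"}, "auditor": set(), "admin": set()}


def roles_of(user):
    """Roles that contain the user directly or through one of the user's groups."""
    principals = {"user:" + user} | {"group:" + g for g in GROUPS.get(user, ())}
    return sorted(role for role, members in MEMBERS.items() if principals & members)


def effective_privileges(user):
    """Union over the user's roles; the highest access level wins per privilege.
    There is no per-user grant to consult: roles are the only source."""
    effective = {}
    for role in roles_of(user):
        for priv, level in ROLES[role].items():
            if priv not in effective or RANK[level] > RANK[effective[priv]]:
                effective[priv] = level
    return effective


def can(user, priv, need=None):
    """True if the user holds priv, at least at level `need` when one is given."""
    level = effective_privileges(user).get(priv)
    return level is not None and (need is None or RANK[level] >= RANK[need])


def role_administrators():
    """Users able to change role membership (ISI_PRIV_ROLE read/write), and so
    able to grant themselves every other role. Keep this list short."""
    direct = {m[5:] for members in MEMBERS.values() for m in members if m.startswith("user:")}
    return sorted(u for u in set(GROUPS) | direct if can(u, "ISI_PRIV_ROLE", "rw"))
```

jsmith is in no role directly but inherits SystemAdmin and AuditAdmin through storage-ops, and the read/write SMB grant from SystemAdmin wins over the read-only one from AuditAdmin; auditor can read SMB settings but not change them; only admin can rewrite role membership.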

OneFS privileges

Privileges in OneFS are assigned through role membership; privileges cannot be assigned directly to users and groups.

Table 6 Login privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_LOGIN_CONSOLE | Log in from the console | Action |
| ISI_PRIV_LOGIN_PAPI | Log in to the Platform API and the web administration interface | Action |
| ISI_PRIV_LOGIN_SSH | Log in through SSH | Action |

Table 7 System privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_SYS_SHUTDOWN | Shut down the system | Action |
| ISI_PRIV_SYS_SUPPORT | Run cluster diagnostic tools | Action |
| ISI_PRIV_SYS_TIME | Change the system time | Action |

Table 8 Security privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_AUTH | Configure external authentication providers | Read/write |
| ISI_PRIV_ROLE | Create new roles and assign privileges | Read/write |


Table 9 Configuration privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_ANTIVIRUS | Configure antivirus scanning | Read/write |
| ISI_PRIV_AUDIT | Configure audit capabilities | Read/write |
| ISI_PRIV_CLUSTER | Configure cluster identity and general settings | Read/write |
| ISI_PRIV_DEVICES | Manage cluster devices and the service light (isi devices, isi servicelight) | Read/write |
| ISI_PRIV_EVENT | View and modify system events | Read/write |
| ISI_PRIV_FTP | Configure FTP server | Read/write |
| ISI_PRIV_HTTP | Configure HTTP server | Read/write |
| ISI_PRIV_ISCSI | Configure iSCSI server | Read/write |
| ISI_PRIV_JOB_ENGINE | Schedule cluster-wide jobs | Read/write |
| ISI_PRIV_LICENSE | Activate OneFS software licenses | Read/write |
| ISI_PRIV_NDMP | Configure NDMP server | Read/write |
| ISI_PRIV_NETWORK | Configure network interfaces | Read/write |
| ISI_PRIV_NFS | Configure the NFS server | Read/write |
| ISI_PRIV_NTP | Configure NTP | Read/write |
| ISI_PRIV_QUOTA | Configure file system quotas | Read/write |
| ISI_PRIV_REMOTE_SUPPORT | Configure remote support | Read/write |
| ISI_PRIV_SMARTPOOLS | Configure storage pools | Read/write |
| ISI_PRIV_SMB | Configure the SMB server | Read/write |
| ISI_PRIV_SNAPSHOT | Schedule, take, and view snapshots | Read/write |
| ISI_PRIV_SNMP | Configure SNMP server | Read/write |
| ISI_PRIV_STATISTICS | View file system performance statistics | Read/write |
| ISI_PRIV_SYNCIQ | Configure SyncIQ | Read/write |
| ISI_PRIV_VCENTER | Configure VMware for vCenter | Read/write |


Table 10 Namespace privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_NS_TRAVERSE | Traverse and view directory metadata | Action |
| ISI_PRIV_NS_IFS_ACCESS | Access the /ifs directory tree through the namespace REST service | Action |

Table 11 Platform API-only privileges

| OneFS privilege | User right | Privilege type |
| --- | --- | --- |
| ISI_PRIV_EVENT | View and modify system events | Read/write |
| ISI_PRIV_LICENSE | Activate OneFS software licenses | Read/write |
| ISI_PRIV_STATISTICS | View file system performance statistics | Read/write |

Command-line interface privileges

You can perform most tasks granted by a privilege through the command-line interface.

Some OneFS commands require root access; however, if you do not have root access, most of the commands associated with a privilege can be performed through the sudo program. The system automatically generates a sudoers file of users based on existing roles.

Prefixing a command with sudo allows you to run commands that require root access. For example, if you do not have root access, the following command fails:

isi sync policy list

However, if you are on the sudoers list, the following command succeeds:

sudo isi sync policy list

The following tables list all OneFS commands available, the associated privilege or root-access requirement, and whether sudo is required to run the command.

Note

If you are running in compliance mode, additional sudo commands are available.

Table 12 Privileges sorted by CLI command

| isi command | Privilege | Requires sudo |
| --- | --- | --- |
| isi alert | ISI_PRIV_EVENT | x |
| isi audit | ISI_PRIV_AUDIT | |
| isi auth (excluding isi auth role) | ISI_PRIV_AUTH | |
| isi auth role | ISI_PRIV_ROLE | |
| isi avscan | ISI_PRIV_ANTIVIRUS | x |
| isi batterystatus | ISI_PRIV_STATISTICS | x |
| isi config | root | |
| isi dedupe (excluding isi dedupe stats) | ISI_PRIV_JOB_ENGINE | |
| isi dedupe stats | ISI_PRIV_STATISTICS | |
| isi devices | ISI_PRIV_DEVICES | x |
| isi domain | root | |
| isi email | ISI_PRIV_CLUSTER | x |
| isi events | ISI_PRIV_EVENT | x |
| isi exttools | root | |
| isi fc | root | |
| isi filepool | ISI_PRIV_SMARTPOOLS | |
| isi firmware | root | |
| isi ftp | ISI_PRIV_FTP | x |
| isi get | root | |
| isi hdfs | root | |
| isi iscsi | ISI_PRIV_ISCSI | x |
| isi job | ISI_PRIV_JOB_ENGINE | |
| isi license | ISI_PRIV_LICENSE | x |
| isi lun | ISI_PRIV_ISCSI | x |
| isi ndmp | ISI_PRIV_NDMP | x |
| isi networks | ISI_PRIV_NETWORK | x |
| isi nfs | ISI_PRIV_NFS | |
| isi perfstat | ISI_PRIV_STATISTICS | x |
| isi pkg | root | |
| isi quota | ISI_PRIV_QUOTA | |
| isi readonly | root | |
| isi remotesupport | ISI_PRIV_REMOTE_SUPPORT | |
| isi servicelight | ISI_PRIV_DEVICES | x |
| isi services | root | |
| isi set | root | |
| isi smartlock | root | |
| isi smb | ISI_PRIV_SMB | |
| isi snapshot | ISI_PRIV_SNAPSHOT | |
| isi snmp | ISI_PRIV_SNMP | x |
| isi stat | ISI_PRIV_STATISTICS | x |
| isi statistics | ISI_PRIV_STATISTICS | x |
| isi status | ISI_PRIV_STATISTICS | x |
| isi storagepool | ISI_PRIV_SMARTPOOLS | |
| isi sync | ISI_PRIV_SYNCIQ | |
| isi tape | ISI_PRIV_NDMP | x |
| isi target | ISI_PRIV_ISCSI | x |
| isi update | root | |
| isi version | ISI_PRIV_CLUSTER | x |
| isi worm | root | |
| isi zone | ISI_PRIV_AUTH | |

Table 13 CLI commands sorted by privilege

| Privilege | isi commands | Requires sudo |
| --- | --- | --- |
| ISI_PRIV_ANTIVIRUS | isi avscan | x |
| ISI_PRIV_AUDIT | isi audit | |
| ISI_PRIV_AUTH | isi auth (excluding isi auth role); isi zone | |
| ISI_PRIV_CLUSTER | isi email; isi version | x |
| ISI_PRIV_DEVICES | isi devices; isi servicelight | x |
| ISI_PRIV_EVENT | isi alert; isi events | x |
| ISI_PRIV_FTP | isi ftp | x |
| ISI_PRIV_ISCSI | isi iscsi; isi lun; isi target | x |
| ISI_PRIV_JOB_ENGINE | isi job; isi dedupe (excluding isi dedupe stats) | |
| ISI_PRIV_LICENSE | isi license | x |
| ISI_PRIV_NDMP | isi ndmp; isi tape | x |
| ISI_PRIV_NETWORK | isi networks | x |
| ISI_PRIV_NFS | isi nfs | |
| ISI_PRIV_QUOTA | isi quota | |
| ISI_PRIV_ROLE | isi auth role | |
| ISI_PRIV_REMOTE_SUPPORT | isi remotesupport | |
| ISI_PRIV_SMARTPOOLS | isi filepool; isi storagepool | |
| ISI_PRIV_SMB | isi smb | |
| ISI_PRIV_SNAPSHOT | isi snapshot | |
| ISI_PRIV_SNMP | isi snmp | x |
| ISI_PRIV_STATISTICS | isi batterystatus; isi dedupe stats; isi perfstat; isi stat; isi statistics; isi status | x |
| ISI_PRIV_SYNCIQ | isi sync | |
| root | isi config; isi domain; isi exttools; isi fc; isi firmware; isi get; isi hdfs; isi pkg; isi readonly; isi services; isi set; isi smartlock; isi update; isi worm | |

Data access control

OneFS supports two types of authorization data on a file: Windows-style access control lists (ACLs) and POSIX mode bits (UNIX permissions). The type of authorization that is used is based on the ACL policies that are set and on the file-creation method.

Access to a file or directory can be governed by either a Windows access control list (ACL) or UNIX mode bits. Regardless of the security model, OneFS enforces access rights consistently across access protocols. A user is granted or denied the same rights to a file when using SMB for Windows file sharing as when using NFS for UNIX file sharing.

An EMC Isilon cluster includes global policy settings that enable you to customize the default ACL and UNIX permissions to best support your environment. Generally, files that are created over SMB or in a directory that has an ACL receive an ACL; otherwise, OneFS relies on the POSIX mode bits that define UNIX permissions. In either case, the owner can be represented by a UNIX identifier (UID or GID) or by its Windows identifier (SID). The primary group can be represented by a GID or SID. Although mode bits are present when a file has an ACL, the mode bits are provided only for protocol compatibility and are not used for access checks.

Note

Although you can configure ACL policies to optimize a cluster for UNIX or Windows, you should do so only if you understand how ACL and UNIX permissions interact.

The OneFS file system installs with UNIX permissions as the default. By using Windows Explorer or OneFS administrative tools, you can give a file or directory an ACL. In addition to Windows domain users and groups, ACLs in OneFS can include local, NIS, and LDAP users and groups. After you give a file an ACL, OneFS stops enforcing the file's mode bits, which remain only as an estimate of the effective permissions.


Data access security features

You can configure policies to control permissions, although default OneFS settings are usually sufficient for most security purposes.

| Security feature | Description | Comments |
| --- | --- | --- |
| Access-control lists (ACLs) | You can configure ACL policies that control how permissions are processed and managed. | As an alternative, you can set the global EMC Isilon cluster permissions policy to balanced mode, which is designed to automate file sharing management for a network that mixes UNIX and Windows systems. |
| Windows-style (NT) credentials for UNIX users | OneFS creates a synthetic ACL that approximates the mode bits of a UNIX file. | Based on RFC 3530, the file's internal representation, which is an estimation of the mode bits, is used to generate a synthetic ACL. |
| SMB access of UNIX-created files; NFS access of Windows-created files | OneFS integrates user identities to provide identical permissions to system resources for UNIX users and Windows users. Users have seamless multiprotocol data access over SMB and NFS. | Although Windows and UNIX permissions cannot coexist on a single file or directory, OneFS uses identity mapping to translate between Windows and UNIX permissions as needed. |
| Home directory permissions | When a home directory is created during a login through SSH or FTP, it is set up with mode bits; if a home directory is created during an SMB connection, it receives either mode bits or an ACL. | You can configure settings so that home directories can be dynamically created at login time for users who authenticate against external sources. |

ACLs

In Windows environments, file and directory permissions, referred to as access rights, are defined in access control lists (ACLs). Although ACLs are more complex than mode bits, ACLs can express much more granular sets of access rules. OneFS uses the ACL processing rules commonly associated with Windows ACLs.

A Windows ACL contains zero or more access control entries (ACEs), each of which represents the security identifier (SID) of a user or a group as a trustee. In OneFS, an ACL can contain ACEs with a UID, GID, or SID as the trustee. Each ACE contains a set of rights that allow or deny access to a file or folder. An ACE can optionally contain an inheritance flag to specify whether the ACE should be inherited by child folders and files.

Note

Instead of the standard three permissions available for mode bits, ACLs have 32 bits of fine-grained access rights. Of these, the upper 16 bits are general and apply to all object types. The lower 16 bits vary between files and directories but are defined in a way that allows most applications to use the same bits for files and directories.

Rights can be used for granting or denying access for a given trustee. A user's access can be blocked explicitly through a deny ACE. Access can also be blocked implicitly by ensuring that the user does not directly (or indirectly through a group) appear in an ACE that grants the right in question.

UNIX permissions

In a UNIX environment, file and directory access is controlled by POSIX mode bits, which grant read, write, or execute permissions to the owning user, the owning group, and everyone else.

OneFS supports the standard UNIX tools for viewing and changing permissions: ls, chmod, and chown. For more information, run the man ls, man chmod, and man chown commands.

All files contain 16 permission bits, which provide information about the file or directory type and the permissions. The lower 9 bits are grouped as three 3-bit sets, called triples, which contain the read, write, and execute (rwx) permissions for each class of users: owner, group, and other. You can set permissions flags to grant permissions to each of these classes.

Unless the user is root, OneFS uses the class to determine whether to grant or deny access to the file. The classes are not cumulative; the first class matched is used. It is therefore common to grant permissions in decreasing order.

Mixed-permission environments

When a file operation requests an object's authorization data (for example, with the ls -l command over NFS or with the Security tab of the Properties dialog box in Windows Explorer over SMB), OneFS attempts to provide that data in the requested format. In an environment that mixes UNIX and Windows systems, some translation may be required when performing create file, set security, get security, or access operations.

NFS access of Windows-created files

If a file contains an owning user or group that is a SID, the system attempts to map it to a corresponding UID or GID before returning it to the caller.

In UNIX, authorization data is retrieved by calling stat(2) on a file and examining the owner, group, and mode bits. Over NFSv3, the GETATTR command functions similarly. The system approximates the mode bits and sets them on the file whenever its ACL changes. Mode bit approximations need to be retrieved only to service these calls.

Note

SID-to-UID and SID-to-GID mappings are cached in both the OneFS ID mapper and the stat cache. If a mapping has recently changed, the file might report inaccurate information until the file is updated or the cache is flushed.

SMB access of UNIX-created files

No UID-to-SID or GID-to-SID mappings are performed when creating an ACL for a file; all UIDs and GIDs are converted to SIDs or principals when the ACL is returned.

OneFS uses a two-step process for returning a security descriptor, which contains SIDs for the owner and primary group of an object:

1. The current security descriptor is retrieved from the file. If the file does not have a discretionary access control list (DACL), a synthetic ACL is constructed from the file's lower 9 mode bits, which are separated into three sets of permission triples, one each for owner, group, and everyone. For details about mode bits, see "UNIX permissions."

2. Two access control entries (ACEs) are created for each triple: the allow ACE contains the corresponding rights that are granted according to the permissions; the deny ACE contains the corresponding rights that are denied. In both cases, the trustee of the ACE corresponds to the file owner, group, or everyone. After all of the ACEs are generated, any that are not needed are removed before the synthetic ACL is returned.
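The mode-bit class matching from "UNIX permissions" and the two-step synthetic ACL just described, as one added Python example. This is not OneFS code: the right names READ/WRITE/EXECUTE, the trustee labels ("uid:1000", "gid:100", "everyone") and the in-order ACE evaluator are assumptions made for illustration, and the real OneFS ACE right masks are not reproduced. It shows that the first matching class decides (an owner with mode 0077 is refused even though "other" has rwx), and that the synthetic ACL built per the two steps, with a deny ACE next to each allow ACE and empty ACEs pruned, reaches the same decision as the bits it was derived from.

```python
"""POSIX mode-bit classes and the synthetic ACL derived from them (added example)."""

R, W, X = 4, 2, 1
RIGHT_NAME = {R: "READ", W: "WRITE", X: "EXECUTE"}
NAME_RIGHT = {name: bit for bit, name in RIGHT_NAME.items()}


def triples(mode):
    """Lower 9 bits as (owner, group, other) rwx triples."""
    return (mode >> 6) & 7, (mode >> 3) & 7, mode & 7


def posix_allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Mode-bit check. Root passes; otherwise the first class the caller
    matches is used, even when a later class would have granted more."""
    if uid == 0:
        return True
    own, grp, oth = triples(mode)
    if uid == owner_uid:
        bits = own
    elif owner_gid in gids:
        bits = grp
    else:
        bits = oth
    return bits & want == want


def synthetic_acl(mode, owner, group):
    """Steps 1 and 2 from the text: per triple, an allow ACE with the granted
    rights and a deny ACE with the withheld rights, trustee = owner, group or
    everyone, in that order; ACEs that carry no rights are dropped."""
    aces = []
    for trustee, bits in zip((owner, group, "everyone"), triples(mode)):
        granted = [RIGHT_NAME[b] for b in (R, W, X) if bits & b]
        withheld = [RIGHT_NAME[b] for b in (R, W, X) if not bits & b]
        aces.append(("allow", trustee, granted))
        aces.append(("deny", trustee, withheld))
    return [ace for ace in aces if ace[2]]


def acl_allowed(acl, identities, want_names):
    """Walk the ACEs in order for the caller's identities: a deny that covers
    a still-wanted right refuses access; allow ACEs satisfy rights."""
    remaining = set(want_names)
    for kind, trustee, rights in acl:
        if trustee not in identities:
            continue
        if kind == "deny" and remaining & set(rights):
            return False
        if kind == "allow":
            remaining -= set(rights)
            if not remaining:
                return True
    return not remaining


def agree(mode, owner_uid, owner_gid, uid, gids, want_names):
    """True when the mode-bit check and the synthetic ACL give the same answer
    for a non-root caller."""
    want_bits = 0
    for name in want_names:
        want_bits |= NAME_RIGHT[name]
    acl = synthetic_acl(mode, "uid:%d" % owner_uid, "gid:%d" % owner_gid)
    identities = {"uid:%d" % uid, "everyone"} | {"gid:%d" % g for g in gids}
    by_bits = posix_allowed(mode, owner_uid, owner_gid, uid, gids, want_bits)
    return by_bits == acl_allowed(acl, identities, want_names)
```

For mode 0640 the ACL comes out as allow owner READ,WRITE; deny owner EXECUTE; allow group READ; deny group WRITE,EXECUTE; deny everyone READ,WRITE,EXECUTE. The owner's deny ACE sits before the "everyone" ACEs, which is what keeps the owner of a 0077 file locked out over SMB exactly as over NFS.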


CHAPTER 4

Protocols

This section includes the following topics:

• Client-side protocols (34)

• SMB (34)

• NFS (35)

• Hadoop overview (36)

• HTTP and HTTPS (37)

• FTP (37)

• NDMP (37)

Client-side protocols

You can use some or all of the following client-side protocol features on your EMC Isilon cluster.

Note

All authentication providers can provide authentication and identification for all protocols. That is, when you configure a provider, users for that provider can access all protocols.

Columns: Protocol; Authentication type (Kerberos, NTLM, Plain text, Session token); Encryption type (Sign/Integrity, Seal/Security). An x marks a supported type.

SMB x x x

NFS x x x

HDFS x x

HTTP x x x x (SSL)

FTP x

SMB

You can configure SMB shares to provide Windows clients network access to file system resources on the cluster. You can grant permissions to users and groups to carry out operations such as reading, writing, and setting access permissions on SMB shares.

SMB protocol security features

You can configure SMB protocol security features to restrict access to the cluster.

You must be logged on as a member of the SystemAdmin role to configure SMB protocol settings.

| Feature | Description | Comment |
| --- | --- | --- |
| Share permissions | You can create special SMB shares that include expansion variables in the share path to enable users to access their home directories by connecting to the share. You can also enable dynamic creation of home directories that do not exist at SMB connection time. | Share permissions are checked when files are accessed, before the underlying file system permissions are checked. Either of these permissions can prevent access to that file or directory. |
| Host-based access-control lists (ACLs) | You can configure clients by machine IP address to permit or deny access to OneFS system resources. | Configuration of host-based ACLs can be by IP address or hostname. |
| Access-based enumeration (ABE) | You can enable or disable configuration settings on files to allow or prevent users from seeing shared files that they do not have permission to access. | Permissions are checked on every file. |
| Share-based ABE | You can enable or disable configuration settings on SMB shares to allow or prevent users from seeing share resources that they do not have permission to access. | |
| Session timeout | You can enforce a session timeout for the SMB protocol. | Session timeout is enabled by default. |
| File auditing | You can view file information about who accessed the file, the time of access, the IP address, and permissions. | File auditing is available for the SMB protocol only. |

SMB share default permissions

You should remove the default SMB share or configure explicit permissions for that share on a newly installed EMC Isilon cluster.

When OneFS is first installed on the cluster, a single SMB share is created. The root file-system path for this share is /ifs, and the default share permissions give Everyone full access to this directory. You should either remove this share or change the permissions to restrict access for Everyone.

NFS

You can configure NFS exports to provide UNIX clients network access to file system resources on the cluster. OneFS supports asynchronous and synchronous communication over NFS.

NFS protocol security features

You can configure NFS export security features to restrict access to the cluster.

You can make NFS more secure by configuring the following settings:

• Define read-only access for some (or all) files or directories.

• Limit root access.

• Hide export and mount information if a client does not have mount permissions for the file system corresponding to that entry.

If strong authentication is required, you can configure Secure NFS, which uses Kerberos. For more information about configuring NFS with Kerberos, see Access tokens in the OneFS Web Administration Guide.


Note

You must be logged on as a member of the SystemAdmin role to configure NFS settings.

| Feature | Description | Comment |
| --- | --- | --- |
| NFS exports | By default, when OneFS is installed, one NFS export is created. The file system path for this export is /ifs. | |
| User root-squashing | You can create a user root-squashing rule to limit permissions to the root /ifs directory, so that a remote root user is prevented from unauthorized alteration of files. | Note: When OneFS is first installed, the default NFS export maps the root user to Nobody and allows all hosts to connect to the root directory, /ifs. You should perform the following actions: remove the default export, or change its access permissions if you retain it; and create a root-squashing rule for Nobody. |
| File-based access | You can enable or disable file-based access to allow or prevent users from seeing shared resources that they do not have permission to access. | If no export permissions are granted for a user, files in that export are not displayed. |
| Kerberos authentication | You can configure Kerberos authentication. | OneFS supports both Active Directory and MIT Kerberos. |
| Kerberos integrity and security modes | You can configure Kerberos authentication to verify that data has not been tampered with and to enforce a stronger security mode. | |

NFS export default permissions

You should remove the default NFS export or configure explicit permissions for that export on a newly installed EMC Isilon cluster.

When OneFS is first installed on the cluster, a single NFS export is created. The root file-system path for this export is /ifs, the export is open to all hosts, and the default export permissions map the root user to Nobody. You should either remove this export or change its permissions: restrict the hosts that may mount it, and restrict what the Nobody identity can do by creating a user root-squashing rule for it.

Hadoop overview

Hadoop is a flexible, open-source framework for large-scale distributed computation.

The OneFS file system can be configured for native support of the Hadoop Distributed File System (HDFS) protocol, enabling your cluster to participate in a Hadoop system.

HDFS integration requires you to activate a separate license. To obtain additional information or to enable HDFS support for your EMC Isilon cluster, contact your EMC Isilon sales representative.

HTTP and HTTPS

OneFS includes a configurable HTTP service, which is used to request files that are stored on the cluster and to interact with the web administration interface.

OneFS supports both HTTP and its secure variant, HTTPS. Each node in the cluster runs an instance of the Apache HTTP Server to provide HTTP access. You can configure the HTTP service to run in different modes.

Both HTTP and HTTPS are supported for file transfer, but only HTTPS is supported for Platform API calls. The HTTPS-only requirement includes the web administration interface. In addition, OneFS supports a form of the web-based DAV (WebDAV) protocol that enables users to modify and manage files on remote web servers. OneFS performs distributed authoring, but does not support versioning and does not perform security checks. You can enable DAV in the web administration interface.

Certificates

You can renew the Secure Sockets Layer (SSL) certificate for the Isilon web administration interface or replace it with a third-party SSL certificate.

All Platform API communication, which includes communication through the web administration interface, is over SSL. You can replace or renew the self-signed certificate with a certificate that you generate. To replace or renew an SSL certificate, you must be logged on as root.

FTP

The FTP service is disabled by default. You can set the FTP service to allow any node in the cluster to respond to FTP requests through a standard user account.

When configuring FTP access, make sure that the specified FTP root is the home directory of the user who logs in. For example, the FTP root for local user jsmith should be /ifs/home/jsmith. You can enable the transfer of files between remote FTP servers and enable anonymous FTP service on the root by creating a local user named anonymous or ftp.

Note

OneFS includes a secure FTP service called vsftpd, which stands for Very Secure FTP Daemon, that you can configure for standard FTP file transfers.

NDMP

You can configure NDMP authentication on your EMC Isilon cluster.

NDMP maintains its own user and password database. These users cannot access the cluster through any other protocol.

CHAPTER 5

Communication security settings

This section includes the following topics:

• Port usage (40)

• Default OneFS services (45)

Port usage

Standardized protocols allow other computers to exchange data with the OneFS system.

The TCP/IP protocol suite uses numbered ports to describe the communication channel within the protocol. Generally, the OneFS system receives incoming data on a well-known port, and the client sends its data from an ephemeral port. Port numbers and IP addresses are included in each data packet, which allows other systems to make determinations about the data stream. The TCP and UDP protocols within the TCP/IP suite use ports that range from 1 to 65535.

Note

IPv6 with IPsec is not supported.

Port numbers are assigned and maintained by the Internet Assigned Numbers Authority (IANA) and are divided into three ranges:

1. Well-known ports, ranging from 0 to 1023.

2. Registered ports, ranging from 1024 to 49151.

3. Dynamic or private ports, ranging from 49152 to 65535.

The following table lists the ports that OneFS uses. Type/Connection gives the direction relative to the cluster. In the last column, x means the port is open on a newly installed cluster; a dash means the guide gives no value for that cell. Use the External/Inbound rows to build the firewall policy in front of the cluster: permit only the ports of the services you actually use, and treat the cleartext protocols (FTP, Telnet, HTTP, NetBIOS) as the first candidates for closure.

Port | Name | Protocol | Type/Connection | Usage and description | Effect if closed | Enabled on installation
---- | ---- | -------- | --------------- | --------------------- | ---------------- | -----------------------
20 | ftp-data | TCP/IPv4/IPv6 | External/Outbound | FTP access (disabled by default); data channel for the FTP service | FTP access is unavailable. | -
21 | ftp | TCP/IPv4/IPv6 | External/Inbound | FTP access; control channel for FTP access | FTP access is unavailable. | -
22 | ssh | TCP/IPv4/IPv6 | External/Inbound | Secure Shell logon service; ESRS console management (ESRS is not IPv6-compliant) | SSH secure shell access is unavailable. | x
23 | telnet | TCP | External/Inbound | Telnet: telnetd | Telnet access to OneFS is unavailable. | -
25 | smtp | TCP/IPv4 | External/Outbound | Email deliveries | Email alerts outbound from OneFS are unavailable. | -
53 | domain | TCP/UDP/IPv4 | External/Outbound | Domain Name Service requests | SmartConnect is unavailable. | -
53 | domain | UDP/IPv4 | External/Inbound | Domain Name Service caching resolver running on localhost only | SmartConnect is unavailable; all non-local identity services are affected or degraded. | -
80 | http | TCP/IPv4/IPv6 | External/Inbound | HTTP for file access | HTTP access to files is unavailable. | -
88 | kerberos | TCP/UDP/IPv4/IPv6 | External/Outbound | Kerberos authentication services used to authenticate users against Microsoft Active Directory domains | - | -
111 | sunrpc | TCP/UDP/IPv4/IPv6 | External/Inbound | ONC/RPC portmapper used to locate services such as NFS and mountd | Cannot be closed; disrupts core functionality. | x
123 | ntp | UDP/IPv4/IPv6 | External/Inbound | Network Time Protocol used to synchronize host clocks within the cluster | Time is not synchronized among nodes. | x
137 | netbios-ns | IPv4 | External/Inbound | NetBIOS Name Service used for Windows workgroup browsing | Disables services related to SMB. | -
138 | netbios-dgm | IPv4 | External/Inbound | NetBIOS Datagram Service used for Windows workgroup browsing | Disables services related to SMB. | -
139 | netbios-ssn | TCP/IPv4 | External/Inbound | NetBIOS Session Service used for legacy SMB client support | Disables services related to SMB. | -
161 | snmp | UDP/IPv4 | External/Inbound | Simple Network Management Protocol support | SNMP communications are not available. | x
300 | nfsmountd | TCP/UDP/IPv4/IPv6 | External/Inbound | NFSv3 mount services (nfsmountd, nfsstatd, and nfslockd are enabled by default) | - | x
302 | nfsstatd | TCP/UDP/IPv4/IPv6 | External/Inbound | NFSv3 notification services | - | x
304 | nfslockd | TCP/UDP/IPv4/IPv6 | External/Inbound | NFSv3 locking services | - | x
307 | isi-cbind_d | UDP/IPv4 | External/Inbound | Cluster DNS cache daemon | Disabling is not recommended. | -
389 | ldap | TCP/IPv4/IPv6 | External/Outbound | LDAP directory service queries used by OneFS identity services | Unsecured LDAP authentication queries are unavailable. Secure LDAP (port 636) is configurable as an alternative. | -
389 | ldap | UDP/IPv4 | External/Outbound | Microsoft Active Directory domain location requests | - | -
443 | https | TCP/IPv4/IPv6 | External/Inbound | HTTPS for the web administration interface, SupportIQ, the RAN (RESTful Access to Namespace) API, and the ESRS gateway (ESRS is not IPv6-compliant) | HTTPS access to the OneFS web administration interface and the RAN API is unavailable. SupportIQ is unavailable. Connection to ESRS cannot be established. | -
445 | microsoft-ds | TCP/IPv4 | External/Outbound | SMB/SMB2 client connections to MS AD domain controllers | Disables services related to SMB. | -
445 | microsoft-ds | TCP/IPv4/IPv6 | External/Inbound | SMB/SMB2 access to OneFS | - | x
514 | syslog | UDP/IPv4 | Internal/Inbound | Syslog services | Syslog alerts to external servers are not sent. | x
636 | ldaps | TCP/IPv4/IPv6 | External/Outbound | LDAP directory service queries used by OneFS identity services; default port for LDAPS | - | -
639 | msdp | UDP/IPv4 | Internal | - | - | -
640 | entrust-sps | UDP/IPv4 | Internal | - | - | -
989 | ftps-data (implicit) | TCP/IPv4/IPv6 | External/Outbound | Secure FTP access (disabled by default); secure data channel for the FTP service | Secure FTP access is unavailable. | -
990 | ftps (implicit) | TCP/IPv4/IPv6 | External/Inbound | Secure FTP access; control channel for FTP access | Secure FTP access is unavailable. | -
2049 | nfs | TCP/UDP/IPv4/IPv6 | External/Inbound | NFS: nfsd | NFS services are unavailable. NFS is an important component of OneFS operation even if no NFS exports are visible externally. | x
2098 | n/a | TCP/IPv4/IPv6 | External/Inbound | SyncIQ: isi_repl_pworker | SyncIQ is unavailable. | -
3148 | n/a | TCP/IPv4/IPv6 | External/Inbound | SyncIQ: isi_repl_bandwidth | SyncIQ is unavailable. | -
3149 | n/a | TCP/IPv4/IPv6 | External/Inbound | SyncIQ | SyncIQ is unavailable. | -
3260 | iscsi-target | TCP/IPv4/IPv6 | External/Inbound | - | Disables iSCSI access. To access the cluster with iSCSI, you must activate an iSCSI license. For more information, contact your EMC Isilon sales representative. | -
3268 | n/a | TCP/IPv4 | External/Outbound | MS AD global catalog search requests used when joined to an AD domain | - | -
5667 | n/a | TCP/IPv4/IPv6 | External/Inbound | SyncIQ: isi_migr_sworker | SyncIQ is unavailable. | x (when a SyncIQ license is activated)
6116 | isi_stats_d | - | External/Inbound | - | - | -
7117 | isi_stats_d | - | External/Inbound | - | - | -
8020 | hdfs | TCP | External/Inbound | HDFS (Hadoop Filesystem) | HDFS is unavailable. | -
8021 | hdfs | TCP/IPv4/IPv6 | External/Inbound | HDFS (Hadoop Filesystem) | HDFS is unavailable. | -
8080 | n/a | TCP/IPv4/IPv6 | External/Inbound | Isilon OneFS web administration interface; ESRS web management (web administration interface) | Web administration interface is unavailable. If RAN is enabled, the web administration interface is accessed via ports 8080 and 8081. | -
8081 | n/a | TCP | Internal | Isilon OneFS administration SSL-enabled WebUI | Web administration interface is unavailable. If RAN is enabled, the web administration interface is accessed via ports 8080 and 8081. | -


Default OneFS services

Several services are enabled by default when you first install an EMC Isilon cluster.

To improve OneFS security, restrict access to the cluster by disabling network services that are not used in your environment. You can enable or disable network services by running the isi services command. For information about the parameters and options available for this command, see the OneFS CLI Administration Guide. Before disabling a service, check the port table above for the ports it owns and for any note that closing them disrupts core functionality (for example, the RPC portmapper on port 111 cannot be closed).

The following services are enabled by default.

Name          Service                              Default state
------------  -----------------------------------  -------------
apache2       Apache2 web server                   Enabled
isi_hdfs_d    Hadoop FS daemon                     Enabled
isi_iscsi_d   iSCSI target daemon                  Enabled
isi_migrate   SyncIQ service                       Enabled
isi_object_d  Isilon object interface              Enabled
isi_webui     Isilon web administration interface  Enabled
nfs           NFS server                           Enabled
rpcbind       RPC bind service                     Enabled
smb           SMB service                          Enabled
snmpd         SNMP server                          Enabled
sshd          Secure shell server                  Enabled
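The following is an added example, not part of the OneFS guide and not EMC code. It turns the port table and the default-service list above into a check a practitioner can run against a node: which listeners the cluster should expose given the services left enabled, which observed listeners no enabled service owns, and which default services are candidates for disabling. The service-to-port mapping is an assumption read off the table's "Usage" column; vsftpd, telnetd and ntpd are assumed daemon names that the default-service table does not list; the sockstat lines are constructed sample input in the FreeBSD `sockstat -l` layout.

```python
# Added example (not EMC code): reconcile listening ports with enabled services.
from typing import Dict, Iterable, List, Set, Tuple

Listener = Tuple[str, int]  # (transport, port), e.g. ("tcp", 22)

# External/Inbound listeners from the port table, keyed by the owning service.
# Service names follow the "Default OneFS services" table where one exists;
# vsftpd, telnetd and ntpd are assumed names for daemons that table omits.
SERVICE_PORTS: Dict[str, Set[Listener]] = {
    "sshd":        {("tcp", 22)},
    "vsftpd":      {("tcp", 21), ("tcp", 990)},          # assumed name
    "telnetd":     {("tcp", 23)},                        # assumed name
    "apache2":     {("tcp", 80)},
    "isi_webui":   {("tcp", 443), ("tcp", 8080), ("tcp", 8081)},
    "smb":         {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)},
    "snmpd":       {("udp", 161)},
    "rpcbind":     {("tcp", 111), ("udp", 111)},
    "nfs":         {(t, p) for t in ("tcp", "udp") for p in (300, 302, 304, 2049)},
    "ntpd":        {("udp", 123)},                       # assumed name
    "isi_migrate": {("tcp", 2098), ("tcp", 3148), ("tcp", 3149), ("tcp", 5667)},
    "isi_iscsi_d": {("tcp", 3260)},
    "isi_hdfs_d":  {("tcp", 8020), ("tcp", 8021)},
}

# The table says closing 111 disrupts core functionality and that NFS matters
# to OneFS even with no exports, so these are never proposed for disabling.
CORE_SERVICES = {"rpcbind", "nfs"}

# Cleartext or legacy listeners to review first when hardening.
CLEARTEXT: Set[Listener] = {("tcp", 21), ("tcp", 23), ("tcp", 80),
                            ("udp", 137), ("udp", 138), ("tcp", 139)}

# Services listed as enabled by default in the guide.
DEFAULT_SERVICES = ["apache2", "isi_hdfs_d", "isi_iscsi_d", "isi_migrate",
                    "isi_object_d", "isi_webui", "nfs", "rpcbind", "smb",
                    "snmpd", "sshd"]

# Constructed sample: stray telnetd and vsftpd listeners, plus the listeners
# of the services an operator kept enabled.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1203   3 tcp4   *:22                  *:*
root     sshd       1203   4 tcp6   *:22                  *:*
root     telnetd    1377   3 tcp4   *:23                  *:*
root     vsftpd     1402   3 tcp4   *:21                  *:*
root     httpd      1510   4 tcp4   *:8080                *:*
root     httpd      1510   5 tcp4   *:443                 *:*
root     httpd      1510   6 tcp4   *:8081                *:*
root     rpcbind    1001   5 udp4   *:111                 *:*
root     rpcbind    1001   6 tcp4   *:111                 *:*
root     nfsd       1030   5 tcp4   *:2049                *:*
root     nfsd       1030   6 udp4   *:2049                *:*
root     smbd       1601   7 tcp4   *:445                 *:*
root     snmpd      1702   8 udp4   *:161                 *:*
root     sshd       1203   9 tcp4   10.0.0.5:22           10.0.0.77:50231
"""


def parse_sockstat(text: str) -> Set[Listener]:
    """Collect (transport, port) for listening sockets (foreign address *:*)."""
    listeners: Set[Listener] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue                      # header or malformed line
        proto, local, foreign = fields[4], fields[5], fields[6]
        if foreign != "*:*":
            continue                      # established connection, not a listener
        transport = proto.rstrip("46")    # tcp4/tcp6 -> tcp, udp4/udp6 -> udp
        listeners.add((transport, int(local.rsplit(":", 1)[1])))
    return listeners


def expected_listeners(enabled_services: Iterable[str]) -> Set[Listener]:
    """Listener set implied by the services that are enabled."""
    expected: Set[Listener] = set()
    for svc in enabled_services:
        expected |= SERVICE_PORTS.get(svc, set())
    return expected


def audit(observed: Set[Listener], enabled_services: Iterable[str]) -> Dict[str, Set[Listener]]:
    """Diff observed listeners against the set the enabled services explain."""
    expected = expected_listeners(enabled_services)
    return {
        "unexpected": observed - expected,   # listening, but no enabled service owns it
        "missing": expected - observed,      # enabled service not actually listening
        "cleartext": observed & CLEARTEXT,   # cleartext/legacy protocols still open
    }


def disable_candidates(enabled_services: Iterable[str], in_use: Set[str]) -> List[str]:
    """Enabled services that no protocol in use needs, excluding core ones."""
    return sorted(set(enabled_services) - in_use - CORE_SERVICES)


if __name__ == "__main__":
    in_use = {"sshd", "isi_webui", "smb", "nfs", "rpcbind", "snmpd"}
    for key, ports in audit(parse_sockstat(SAMPLE_SOCKSTAT), in_use).items():
        print(f"{key}: {sorted(ports)}")
    print("candidates to disable:", disable_candidates(DEFAULT_SERVICES, in_use))
```

On a real node, feed the output of the node's socket listing to parse_sockstat and the output of the isi services listing to audit; every port in "unexpected" is either a service you forgot was enabled or something that should not be there, and every entry in "missing" is a service the cluster believes is enabled but that is not reachable. The exact isi services syntax for disabling a service is in the OneFS CLI Administration Guide.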


CHAPTER 6

Auditing

This section includes the following topics:

- File auditing
- Supported event types
- Supported audit tools

File auditing

You can audit SMB-protocol activity on the EMC Isilon cluster. All audit data is stored and protected in the cluster file system and organized in files called audit topics.

By default, audited access zones track only the events that are used by Varonis DatAdvantage, including successful and failed attempts to access files or directories.

Feature: SMB protocol auditing
Description: Audit one or more access zones in the cluster.
Comment: If you enable protocol auditing for an access zone, file-access events through the SMB protocol are recorded in the protocol audit topic. The protocol audit topic is consumable by auditing applications that support the EMC Common Event Enabler (CEE), such as Varonis DatAdvantage for Windows.

Feature: Third-party tool support
Description: Export SMB audit data to Varonis DatAdvantage or other third-party vendors that support the EMC Common Event Enabler (CEE) framework. View system configuration activity on each node through a command-line tool.
Comment: Although recent versions of Varonis DatAdvantage do not directly audit read and write attempts, the intention to read or write is captured by the access bits for a create event.

Supported event types

You can view or modify the event types that are audited in an access zone. By default, OneFS audits only the event types that are supported by Varonis DatAdvantage.

The following event types are configured by default on each audited access zone:

Event name    Example protocol activity
------------  -------------------------------------------------------------------------
create        Create a file or directory; open a file, directory, or share; mount a share; delete a file
rename        Rename a file or directory
delete        Delete a file or directory
set_security  Attempt to modify file or directory permissions

The following event types are available for forwarding through CEE but are unsupported by Varonis DatAdvantage:

Event name    Example protocol activity
------------  -------------------------------------------------------------------------
read          The first read request on an open file handle
write         The first write request on an open file handle
close         The client is finished with an open file handle
get_security  The client reads security information for an open file handle

The following protocol audit events are not exported through CEE and are unsupported by Varonis DatAdvantage:

Event name    Example protocol activity
------------  -------------------------------------------------------------------------
logon         SMB session create request by a client
logoff        SMB session logoff
tree_connect  SMB first attempt to access a share

Supported audit tools

You can configure OneFS to send protocol auditing logs to servers that support the EMC Common Event Enabler (CEE).

CEE has been tested and verified to work with the following applications.

Note: Install and configure third-party auditing applications before you enable the OneFS auditing feature. Otherwise, the backlog the tool must consume may be so large that its results are stale for a prolonged time.

Application | Supported features | Audit events
----------- | ------------------ | ------------
Varonis DatAdvantage for Windows | Usable Access Auditing; Recommendations, Analytics, and Modeling; Data Owner Identification and Involvement | create, delete, rename, set_security


CHAPTER 7

Data security settings

This section includes the following topics:

- Data-at-rest encryption overview
- SmartLock overview

Data-at-rest encryption overview

You can enhance data security with an EMC Isilon cluster that contains only self-encrypting-drive nodes, providing data-at-rest protection.

The OneFS system is available as a cluster composed of Isilon OneFS nodes that contain only self-encrypting drives (SEDs). The system requirements and management of data at rest on self-encrypting nodes are identical to those of nodes that do not contain self-encrypting drives. Clusters of mixed node types are not supported.

Data-at-rest encryption features

When you store data on an EMC Isilon cluster of self-encrypting drives, additional security features are available.

Feature | Comment
------- | -------
Firmware implementation of the encryption algorithm | The encryption algorithm and key length are implemented within the self-encrypting drive and are not configurable.
256-bit AES data encryption key | All data written to the storage device is encrypted when it is stored, and all data read from the storage device is decrypted when it is read.
Authentication | Authentication is performed with encryption keys that never leave the drive. Successful authentication unlocks the drive for data access.
Data access | Data access is controlled by combining the drive authentication key with the on-disk data-encryption keys.

Because encryption and decryption happen transparently once a drive is unlocked, SEDs protect against a removed, failed, or retired drive being read outside the cluster; they do not restrict access through the cluster's own protocols, where the usual authentication and permission controls still apply.

For more information about Isilon OneFS data-at-rest encrypted clusters, contact your EMC Isilon representative.

SmartLock overview

You can prevent users from modifying and deleting files on an EMC Isilon cluster with the SmartLock software module. You must activate a SmartLock license on a cluster to protect data with SmartLock.

With the SmartLock software module, you can create SmartLock directories and commit files within those directories to a write once read many (WORM) state. You cannot erase or re-write a file committed to a WORM state. After a file is removed from a WORM state, you can delete the file. However, you can never modify a file that has been committed to a WORM state, even after it is removed from a WORM state.

SmartLock features

You can configure SmartLock settings to meet regulatory compliance requirements.

Feature: Compliance mode
Description: Enables data protection in compliance with the regulations defined by U.S. Securities and Exchange Commission rule 17a-4.
Comment: You can upgrade a cluster to SmartLock compliance mode during the initial cluster configuration process, before you activate the SmartLock license. To upgrade a cluster to SmartLock compliance mode after the initial cluster configuration process, contact Isilon Technical Support.

Feature: SmartLock directories
Description: Provides manual or automatic file commits to a WORM state, and the ability to create two types of SmartLock directories: enterprise and compliance.
Comment: You can create compliance directories only if the cluster has been upgraded to SmartLock compliance mode. Before you can create SmartLock directories, you must activate a SmartLock license on the cluster.

Feature: SmartLock commands
Description: Provides command-line file-retention control through WORM commands.
Comment: WORM commands apply specifically to the SmartLock tool and are available only if a SmartLock license is activated on the cluster.


CHAPTER 8

System security alerts

This section includes the following topics:

- Events and notifications
- SNMP monitoring

Events and notifications

You can monitor the health and performance of your EMC Isilon cluster through OneFS event notifications.

You can select the OneFS hardware, software, network, and system events that you want to monitor, and you can cancel, quiet, or unquiet events. In addition, you can configure event notification rules to send an email notification or SNMP trap when a threshold is exceeded.

Event notification methods

You can configure event notification rules to generate and deliver event notifications when an event occurs.

You can notify users by email, SupportIQ, or SNMP trap.

Email
You can designate recipients and specify SMTP, authorization, and security settings. You can specify batch email settings and the email notification template.

SupportIQ
You can specify the protocol that you prefer to use for notifications: HTTPS, SMTP, or both.

SNMP trap
You can send SNMP traps to one or more network monitoring stations or trap receivers. Each event can generate one or more SNMP traps. You can download management information base (MIB) files from the cluster. The ISILON-TRAP-MIB describes the traps that the cluster can generate, and the ISILON-MIB describes the associated varbinds that accompany the traps.

Note: You must configure an event notification rule to generate SNMP traps.

SNMP monitoring

You can enable SNMP monitoring on individual nodes on your EMC Isilon cluster, and you can also monitor cluster information from any node.

The default Linux SNMP tools or a GUI-based SNMP tool of your choice can be used to monitor the Isilon cluster, noting the following considerations:

- All SNMP access is read-only.
- SNMP v1 and v2c are the default, but you can configure settings for SNMP v3 alone or for SNMP v1, v2c, and v3.

Note: When SNMP v3 is used, OneFS requires the SNMP security level AuthNoPriv as the default when querying the cluster. The security level AuthPriv is not supported, so SNMP v3 queries to the cluster are authenticated but not encrypted. SNMP v1 and v2c authenticate only by a community string sent in the clear, so if you enable SNMP v3, consider configuring it alone rather than alongside v1 and v2c.


Two OneFS-specific MIBs are stored in /usr/local/share/snmp/mibs/ on a OneFS node. The OneFS ISILON-MIBs are OneFS-specific and augment the information that is available in standard MIBs.


CHAPTER 9

Other security

This section includes the following topics:

- Antivirus overview
- Remote support using ESRS Gateway

Antivirus overview

You can scan the files you store on an Isilon cluster for computer viruses and other security threats by integrating with third-party scanning services through the Internet Content Adaptation Protocol (ICAP). OneFS sends files through ICAP to a server running third-party antivirus scanning software. These servers are referred to as ICAP servers. ICAP servers scan files for viruses.

After an ICAP server scans a file, it informs OneFS whether the file is a threat. If a threat is detected, OneFS informs system administrators by creating an event, displaying near real-time summary information, and documenting the threat in an antivirus scan report. You can configure OneFS to request that ICAP servers attempt to repair infected files. You can also configure OneFS to protect users against potentially dangerous files by truncating or quarantining infected files.

Before OneFS sends a file to be scanned, it ensures that the scan is not redundant. If a file has already been scanned and has not been modified, OneFS will not send the file to be scanned unless the virus database on the ICAP server has been updated since the last scan.

Note: Antivirus scanning is available only if all nodes in the cluster are connected to the external network.

Antivirus threat responses

You can configure the system to repair, quarantine, or truncate any files in which the ICAP server detects viruses.

OneFS and ICAP servers react in one or more of the following ways when threats are detected:

Alert
All threats that are detected cause an event to be generated in OneFS at the warning level, regardless of the threat response configuration.

Repair
The ICAP server attempts to repair the infected file before returning the file to OneFS.

Quarantine
OneFS quarantines the infected file. A quarantined file cannot be accessed by any user. However, a quarantined file can be removed from quarantine by the root user if the root user is connected to the cluster through secure shell (SSH).

If you back up your cluster through NDMP backup, quarantined files remain quarantined when the files are restored. If you replicate quarantined files to another Isilon cluster, the quarantined files continue to be quarantined on the target cluster. Quarantines operate independently of access control lists (ACLs).

Truncate
OneFS truncates the infected file. When a file is truncated, OneFS reduces the size of the file to zero bytes to render the file harmless.

You can configure OneFS and ICAP servers to react in one of the following ways when threats are detected:


Repair or quarantine
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS quarantines the file. If the ICAP server repairs the file successfully, OneFS sends the file to the user. Repair or quarantine can be useful if you want to protect users from accessing infected files while retaining all data on a cluster.

Repair or truncate
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS truncates the file. If the ICAP server repairs the file successfully, OneFS sends the file to the user. Repair or truncate can be useful if you do not care about retaining all data on your cluster and you want to free storage space. However, data in infected files will be lost.

Alert only
Only generates an event for each infected file. It is recommended that you do not apply this setting, because users can still access the infected files.

Repair only
Attempts to repair infected files. Afterwards, OneFS sends the files to the user, whether or not the ICAP server repaired the files successfully. It is recommended that you do not apply this setting. If you only attempt to repair files, users will still be able to access infected files that cannot be repaired.

Quarantine
Quarantines all infected files. It is recommended that you do not apply this setting. If you quarantine files without attempting to repair them, you might deny access to infected files that could have been repaired.

Truncate
Truncates all infected files. It is recommended that you do not apply this setting. If you truncate files without attempting to repair them, you might delete data unnecessarily.
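The following is an added example, not part of the OneFS guide and not EMC code. It models the two decisions described in the antivirus sections above: whether a file must be sent to the ICAP server at all (the scan is skipped when the file is unchanged since its last scan and the server's virus database has not been updated), and what happens to an infected file under each threat-response setting, including the case where the ICAP server fails to repair it. The ScanRecord structure, its db_version field, and the Outcome fields are assumptions made for the model; OneFS does not expose its internal bookkeeping in this form.

```python
# Added example (not EMC code): model of the scan-skip rule and the six
# threat-response settings, including the failed-repair path.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


@dataclass(frozen=True)
class ScanRecord:
    """What the model remembers about a file's last scan (assumed fields)."""
    mtime: int        # file modification time when it was last scanned
    db_version: str   # ICAP virus-database version used for that scan


def needs_scan(file_mtime: int, current_db_version: str,
               last: Optional[ScanRecord]) -> bool:
    """Skip the scan only if the file and the virus database are both unchanged."""
    if last is None:
        return True                                   # never scanned
    return file_mtime != last.mtime or current_db_version != last.db_version


class Policy(Enum):
    REPAIR_OR_QUARANTINE = "repair or quarantine"
    REPAIR_OR_TRUNCATE = "repair or truncate"
    ALERT_ONLY = "alert only"
    REPAIR_ONLY = "repair only"
    QUARANTINE = "quarantine"
    TRUNCATE = "truncate"


@dataclass(frozen=True)
class Outcome:
    alert: bool                 # an event is always raised for a detected threat
    action: str                 # "repaired", "quarantined", "truncated" or "none"
    infected_copy_served: bool  # the client receives a file still known to be infected
    file_retained: bool         # the file's contents still exist on the cluster


def respond(policy: Policy, threat_detected: bool, repair_succeeded: bool) -> Outcome:
    """Outcome for one scanned file under the given threat-response setting."""
    if not threat_detected:
        return Outcome(alert=False, action="none", infected_copy_served=False,
                       file_retained=True)
    attempts_repair = policy in (Policy.REPAIR_OR_QUARANTINE,
                                 Policy.REPAIR_OR_TRUNCATE, Policy.REPAIR_ONLY)
    if attempts_repair and repair_succeeded:
        return Outcome(True, "repaired", False, True)
    if policy in (Policy.REPAIR_OR_QUARANTINE, Policy.QUARANTINE):
        return Outcome(True, "quarantined", False, True)
    if policy in (Policy.REPAIR_OR_TRUNCATE, Policy.TRUNCATE):
        return Outcome(True, "truncated", False, False)
    # ALERT_ONLY, or REPAIR_ONLY after a failed repair: the file is served as is.
    return Outcome(True, "none", True, True)


def policies_that_serve_infected_files() -> Set[Policy]:
    """Settings under which an unrepairable infected file still reaches users."""
    return {p for p in Policy if respond(p, True, False).infected_copy_served}


def policies_that_destroy_without_repair() -> Set[Policy]:
    """Settings that discard data a repair attempt might have saved."""
    return {p for p in Policy
            if respond(p, True, True).action != "repaired"
            and not respond(p, True, False).file_retained}


if __name__ == "__main__":
    last = ScanRecord(mtime=1394000000, db_version="2014-03-01")
    print("unchanged file, same database:", needs_scan(1394000000, "2014-03-01", last))
    print("unchanged file, new database: ", needs_scan(1394000000, "2014-03-15", last))
    for p in Policy:
        print(f"{p.value:22} repair failed -> {respond(p, True, False)}")
    print("serve infected files:", sorted(p.value for p in policies_that_serve_infected_files()))
    print("destroy without repair:", sorted(p.value for p in policies_that_destroy_without_repair()))
```

The two derived sets reproduce the guide's recommendations from the rules alone: "alert only" and "repair only" are the settings that let an unrepairable infected file reach a client, and "truncate" is the only setting that destroys data without first giving the ICAP server a chance to repair it.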

Remote support using ESRS Gateway

EMC Isilon clusters support enablement of the ESRS Gateway.

The EMC Secure Remote Support (ESRS) Gateway is a secure, IP-based customer service support system. ESRS Gateway features include 24x7 remote monitoring and secure authentication with AES 256-bit encryption and RSA digital certificates. You can select monitoring on a node-by-node basis, allow or deny remote support sessions, and review remote customer service activities.

The ESRS Gateway is similar to SupportIQ and performs many of the same functions:

- Sends alerts regarding the health of your devices.
- Enables support personnel to run the same scripts used by SupportIQ to gather data from your devices.
- Allows support personnel to establish remote access to troubleshoot your cluster.

An important difference between SupportIQ and the ESRS Gateway is that SupportIQ management is cluster-wide; SupportIQ manages all nodes. The ESRS Gateway manages nodes individually; you select which nodes should be managed.

You can enable only one remote support system on your Isilon cluster. The EMC products you use and your type of environment determine which system is most appropriate for your Isilon cluster:


- If your environment comprises one or more EMC products that can be monitored, use the ESRS Gateway.
- If ESRS is currently implemented in your environment, use the ESRS Gateway.
- If your use of ESRS requires the ESRS Client, use SupportIQ. Isilon nodes do not support ESRS Client connectivity.
- If you have a high-security environment, use the ESRS Gateway.
- If the only EMC products in your environment are Isilon nodes, use SupportIQ.

Whichever system you choose, remote support sessions give EMC support personnel access to the cluster, so use the allow/deny session control and review the recorded remote activities as part of your normal access reviews.

See the most recent version of the document titled EMC Secure Remote Support Technical Description for a complete description of EMC Secure Remote Support features and functionality.

Additional documentation on ESRS can be found on the EMC Online Support site.
