Isilon OneFS Version 7.1.1

Security Configuration Guide

Copyright © 2013-2014 EMC Corporation. All rights reserved. Published in USA.

Published July, 2014

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000
In North America 1-866-464-7381
www.EMC.com


CONTENTS

Chapter 1  Introduction to this guide
    About this guide
    Isilon scale-out NAS overview
    Where to go for support

Chapter 2  OneFS security configuration
    Security configuration overview
    System requirements
    System security features
    User interfaces
    Cautions and warnings
    Terminology
    Related documents

Chapter 3  Authentication and access
    Authentication and access control overview
        Authentication and access control features
    Authentication
        Kerberos authentication protocol
        Authentication provider security features
        Default authentication providers
    Access zones
        Access zone features
    Identity management overview
        Access tokens
    Roles
        Built-in roles
        OneFS privileges
        Command-line interface privileges
    Authorization
        Data access security features
        ACLs
        UNIX permissions
        Mixed-permission environments

Chapter 4  Protocols
    Client-side protocols
    SMB
        SMB protocol security features
        SMB share default permissions
    NFS
        NFS protocol security features
        NFS export default permissions
    Hadoop overview
    HTTP and HTTPS
        Certificates
    FTP
    NDMP

Chapter 5  Communication security settings
    Port usage
    Default OneFS services

Chapter 6  Auditing
    File and system auditing
    Supported audit tools
    Supported event types

Chapter 7  Data security settings
    Data-at-rest encryption overview
        Data-at-rest encryption features
    SmartLock overview
        SmartLock features

Chapter 8  System security alerts
    Events and notifications
        Event notification methods
    SNMP monitoring

Chapter 9  Other security
    Antivirus overview
        Antivirus threat responses
    Remote support using ESRS Gateway

CHAPTER 1

Introduction to this guide

This section contains the following topics:

• About this guide
• Isilon scale-out NAS overview
• Where to go for support

About this guide

This guide explains why and how to use the security features that are available for your Isilon OneFS cluster. This guide is intended for administrators who are responsible for the overall configuration and operation of the Isilon OneFS cluster.

Isilon scale-out NAS overview

The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the distributed OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace.

The platform's unified software provides centralized web-based and command-line administration to manage the following features:

• A symmetrical cluster that runs a distributed file system
• Scale-out nodes that add capacity and performance
• Storage options that manage files, block data, and tiering
• Flexible data protection and high availability
• Software modules that control costs and optimize resources

Where to go for support

You can contact EMC Isilon Technical Support for any questions about EMC Isilon products.

Online Support
    Live Chat
    Create a Service Request

Telephone Support
    United States: 800-782-4362 (1-800-SVC-4EMC)
    Canada: 800-543-4782
    Worldwide: +1-508-497-7901
    For local phone numbers in your country, see EMC Customer Support Centers.

Help with online support
    For questions specific to EMC Online Support registration or access, email [email protected].


CHAPTER 2

OneFS security configuration

This publication includes the following topics:

• Security configuration overview
• System requirements
• System security features
• User interfaces
• Cautions and warnings
• Terminology
• Related documents

Security configuration overview

Isilon OneFS implements a variety of security features to control user and network access and to monitor system access and use.

Strong system security features are increasingly necessary to comply with new regulations and to protect the cluster against attack. A basic understanding of these features is a prerequisite for implementing Isilon OneFS security features correctly.

Note

To perform most configuration tasks, you must log on as a user who is a member of the SystemAdmin or SecurityAdmin role. To update some cluster settings, you must log on as the root user. For more information about roles, privileges, and root-only commands, see Roles and privileges.

For configuration-task procedures and additional information, see the OneFS Web Administration Guide or the OneFS CLI Reference Guide. The Related documents section lists other OneFS-related publications that are part of the OneFS documentation suite.

System requirements

The following table describes the EMC Isilon software, hardware, network, and storage-configuration requirements.

Table 1 System requirements

Software: Isilon OneFS 7.1.1
Hardware: Compatible Isilon nodes
Network: 1GigE or 10GigE front end
Storage: No specific storage requirements

System security features

The EMC Isilon OneFS system implements a variety of features to control access and protect data.

Data
    To secure data access, EMC Isilon provides data-at-rest encryption on clusters of self-encrypting nodes.

Data access
    To protect system resources against unauthorized access, OneFS supports strict user identification and authentication, role-based access, and administrator-defined complex password policies.

Data transmission
    To support the transmission of encrypted data, OneFS supports the SSL/TLS security protocol.

Ports and services
    To ensure that unnecessary services and dynamic ports are not used by OneFS, services can be enabled or disabled as needed from the command-line interface.

Cluster monitoring
    To monitor the health and status of the cluster, OneFS provides configurable settings to automate EMC Isilon cluster event notifications.

Although many of these features require explicit configuration and management, others are built into normal software operation and are therefore on by default.

Note

EMC Isilon OneFS system features are described more fully elsewhere in the documentation library. See Related documents for a list of other publications.

User interfaces

Depending on your preference, location, or task, OneFS provides several interfaces for managing the EMC Isilon cluster.

OneFS web administration interface
    Description: The browser-based OneFS web administration interface provides secure access with OneFS-supported browsers. You can use this interface to view robust graphical monitoring displays and to perform cluster-management tasks.
    Comment: The OneFS web administration interface uses port 8080 as its default port.

OneFS command-line interface
    Description: You can run OneFS isi commands in the command-line interface to configure, monitor, and manage the cluster. Access to the command-line interface is through a secure shell (SSH) connection to any node in the cluster.
    Comment: The OneFS command-line interface provides an extended standard UNIX command set for managing the cluster.

OneFS Platform API
    Description: The OneFS Platform API provides access to cluster configuration, management, and monitoring functionality through an HTTP-based interface.
    Comment: You should have a solid understanding of HTTP/1.1 and experience writing HTTP-based client software before you implement client software that uses the Platform API.

OneFS RESTful Access to the Namespace API
    Description: You can create, delete, and modify data on the OneFS file system through the RESTful Access to the Namespace (RAN) application programming interface (API).
    Comment: You should have a solid understanding of HTTP/1.1 and experience writing HTTP-based client software before you implement client software that uses the RAN API.

Node front panel
    Description: The front panel of each node contains an LCD screen with five buttons, which you can use to monitor node and cluster details.
    Comment: Node status, events, cluster details, capacity, IP and MAC addresses, throughput, and drive status are available through the node front panel.
    Note: Accelerator nodes do not have front panels.

Cautions and warnings

You should not proceed with security configuration if you have questions about any of the information in this document.

If any of the information in this document is unclear, contact your EMC Isilon Customer Support Representative for assistance.

Terminology

The following terms and abbreviations describe some of the features and technology of the EMC Isilon OneFS system and Isilon cluster.

Access-based enumeration (ABE)
    In a Microsoft Windows environment, ABE filters the list of available files and folders so that users see only those that they have permission to access on a file server.

Access control entry (ACE)
    In a Microsoft Windows environment, an access control entry is an element of an access control list (ACL). This element defines access rights to a file for a user or group.

Access control list (ACL)
    A list of access control entries (ACEs) that records which users and groups are allowed (or denied) access to an object.

ACL policy
    The policy that defines which access control methods (UNIX permissions as used by NFS, and/or Windows ACLs) are enforced when a user accesses a file in an environment that is configured for multiprotocol access to file systems. The ACL policy is set through the web administration interface.

Authentication
    The process of verifying the identity of a user who is trying to access a resource or object, such as a file or a directory.

Certificate Authority (CA)
    A trusted third party that digitally signs public key certificates.

Certificate Authority certificate
    A digitally signed association between an identity (a Certificate Authority) and a public key, used by the host to verify the digital signatures on public key certificates issued by that CA.

Command-line interface (CLI)
    An interface for entering commands through a shell window to perform cluster administration tasks.

Digital certificate
    An electronic ID issued by a certificate authority that establishes the credentials of its holder. It contains the holder's identity (for a server certificate, a hostname), a serial number, a validity period, a copy of the holder's public key (used to verify the holder's digital signatures and to encrypt messages to the holder), and a digital signature from the issuing authority so that recipients can verify that the certificate is valid.

Directory server
    A server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage user access to those resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft Active Directory.

EMC Secure Remote Support (ESRS) Gateway
    EMC Secure Remote Support (ESRS) enables 24x7 proactive, secure, high-speed remote monitoring and repair for many EMC products.

Hypertext Transfer Protocol (HTTP)
    The communications protocol used to connect to servers on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS)
    HTTP over SSL/TLS. All network traffic between the client and the server is encrypted. In addition, HTTPS provides the option to verify server and client identities. Typically, server identities are verified and client identities are not.

Kerberos
    A network authentication protocol that uses secret-key cryptography and a trusted key distribution center to authenticate client/server applications; it can also provide integrity and privacy protection for the data exchanged after authentication. In Active Directory environments, Kerberos coexists with NTLM.

LDAP-based directory
    A directory server that provides access through LDAP. Examples of LDAP-based directory servers include OpenLDAP and Sun Directory Server.

Lightweight Directory Access Protocol (LDAP)
    An information-access protocol that runs directly over TCP/IP. LDAP is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP version 3 was originally defined in Internet Engineering Task Force (IETF) RFC 2251; the current specification is the RFC 4510 series.

Network File System (NFS)
    A distributed file system protocol that provides transparent access to remote file systems. NFS allows all systems on a network to share a single copy of a directory.

Network Information Service (NIS)
    A service that provides authentication and identity uniformity across local area networks and allows you to integrate the cluster with your NIS infrastructure. Designed by Sun Microsystems, NIS can be used to authenticate users and groups when they access the cluster.

OpenLDAP
    The open source implementation of an LDAP-based directory service.

Platform API
    A RESTful HTTP-based interface through which the cluster can be managed and monitored programmatically.

Public Key Infrastructure (PKI)
    A means of managing private keys and the associated public key certificates for use in public key cryptography.

RESTful access to namespace (RAN) API
    A OneFS HTTP interface for accessing files and directories, including their OneFS-specific metadata. Through the RAN API, clients can also get and set access control lists (ACLs).

Simple Network Management Protocol (SNMP)
    A protocol used to communicate management information between network management stations and the agents in network elements.

Secure Sockets Layer (SSL)
    A security protocol that provides encryption and authentication. SSL encrypts data and provides message and server authentication. SSL also supports client authentication if the server requires it.

Transport Layer Security (TLS)
    The successor protocol to SSL for authentication and encryption of general communication over TCP/IP networks. TLS 1.0 is closely based on SSL 3.0, but the two versions do not interoperate.

X.509
    A widely used standard for defining digital certificates.

Related documents

The complete documentation set for EMC Isilon OneFS is available online.

You can find information that is related to the features and functionality described in this document in the following documents. These documents are available from EMC Online Support (https://support.emc.com).

• OneFS Web Administration Guide
• OneFS CLI Administration Guide
• OneFS Event Reference
• OneFS Site Preparation and Planning Guide
• OneFS Upgrade Planning and Process Guide
• OneFS Backup and Recovery Guide
• OneFS Platform API Reference
• OneFS RESTful Access to the Namespace API Reference
• OneFS Release Notes
• Isilon Third-Party Software and Hardware Compatibility Guide
• EMC Isilon Multiprotocol Data Access with a Unified Security Model (white paper)
• Managing identities with the Isilon OneFS user mapping service (white paper)

CHAPTER 3

Authentication and access

This section contains the following topics:

• Authentication and access control overview
• Authentication
• Access zones
• Identity management overview
• Roles
• Authorization

Authentication and access control overview

OneFS supports several methods for ensuring that your cluster remains secure, including UNIX- and Windows-style permissions for data-level access control. Access zones and role-based administration control access to system configuration settings.

OneFS is designed for a mixed environment that allows you to configure both Windows Access Control Lists (ACLs) and standard UNIX permissions on the cluster file system.

Note

In most situations, the default settings are sufficient. You can configure additional access zones, custom roles, and permissions policies as necessary for your particular environment.

Authentication and access control features

You can configure settings for the following features for authentication and access control.

Access zones
    Description: OneFS includes a built-in access zone named System. You can add other access zones as needed. You can direct incoming connections to an access zone by associating them with an IP address pool.
    Note: Authentication providers and SMB shares are configured on a zone-by-zone basis, but NFS exports are added only to the System zone.

Authentication
    Description: Authentication is available through unique user accounts, such as local user accounts, or user accounts from an Active Directory, LDAP, or NIS server.
    Comment: You can configure access to each user account type.

Roles
    Description: With roles, you can assign privileges to users and groups. By default, only the root and admin users can log in to the command-line interface (CLI) through SSH or to the web administration interface. The root or admin user can add other users to built-in or custom roles that contain the privileges required to log in and perform administrative functions.
    Comment: It is good practice to assign users to roles that contain the minimum set of privileges that are necessary. To create or assign roles, you must be logged in as a member of the SecurityAdmin role.

Identity management
    Description: Identity management enables user-identity integration to provide identical permissions to system resources for UNIX and Windows users.
    Comment: You can combine and manage user identities from different directory services to control access, through the supported protocols, to directories and files across the cluster.

Mixed-environment access control
    Description: OneFS is designed for a mixed environment, so you can configure both Windows Access Control Lists (ACLs) and standard UNIX permissions on the cluster file system.
    Comment: Although Windows and UNIX permissions cannot coexist on a single file or directory, OneFS translates between Windows and UNIX permissions as needed.

Authentication

OneFS supports local and remote authentication providers to verify that users attempting to access an EMC Isilon cluster are who they claim to be. Anonymous access, which does not require authentication, is supported for protocols that allow it.

OneFS supports multiple authentication provider types concurrently; provider types correspond to directory services. For example, OneFS is often configured to authenticate Windows clients with Active Directory and UNIX clients with LDAP. You can also configure NIS, designed by Sun Microsystems, to authenticate users and groups when they access a cluster.

Note

OneFS is RFC 2307-compliant.

Kerberos authentication protocol

You can enable Kerberos for stronger authentication.

If you configure an Active Directory provider, Kerberos authentication is provided automatically. Both Active Directory and MIT Kerberos are supported on the EMC Isilon cluster.

Authentication provider security features

You can configure one or multiple concurrent authentication provider types for your security purposes.

Note

To use an authentication provider, it must be added to an access zone.

LDAP
    Security features: Simple bind authentication (with and without SSL); Kerberos support; encrypted passwords.
    Comment: OneFS supports SSL encryption and authentication on the LDAP connection between the EMC Isilon cluster and an LDAP-based directory server. You can create multiple LDAP instances for accessing servers with different user data.

Active Directory
    Security features: User and group authentication.
    Comment: Whenever possible, a single Active Directory instance should be used when all domains have a trust relationship. Multiple instances should be used only to grant access to multiple sets of mutually untrusted domains.

NIS
    Security features: Authentication and identity uniformity across local area networks.
    Comment: Multiple servers can be specified for redundancy and load balancing.
    Note: NIS is different from NIS+, which OneFS does not support.

File provider
    Security features: Authoritative third-party source of user and group information for the cluster. A third-party source is useful in UNIX and Linux environments that synchronize /etc/passwd, /etc/group, and /etc/netgroup files across multiple servers.
    Comment: The built-in System file provider includes services to list, manage, and authenticate against system accounts such as root, admin, and nobody.
    Note: It is recommended that you do not modify the System file provider.

Local provider
    Security features: Authentication and lookup facilities for user accounts that were added by an administrator. Local groups can include built-in groups and Active Directory groups as members.
    Comment: Local users have attributes of both Windows and UNIX users. You configure a local password policy to enforce password complexity. You must be logged in as a member of the SecurityAdmin role to define the password quality policy.
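The following is an added example, not code from this guide or from OneFS. It shows what a file provider has to do with the passwd(5), group(5) and netgroup(5) files named in the File provider row: parse them, resolve a user's UID, primary GID and supplementary GIDs, expand nested netgroups without looping forever on a circular reference, and flag entries that a synchronized file set should never contain (a second UID 0 account, a malformed line). The file contents, user names and IDs are constructed for the example; the OneFS file provider's own file formats and behaviour are not reproduced here.

```python
"""File-provider identity lookup from passwd(5), group(5) and netgroup(5) data.

Added example, not OneFS code: it models what a file provider does with the
/etc/passwd, /etc/group and /etc/netgroup files that UNIX environments
synchronize across servers. The file contents below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

PASSWD = """\
root:*:0:0:Superuser:/root:/bin/sh
admin:*:10:10:Cluster admin:/ifs/home/admin:/bin/zsh
alice:*:5001:5000:Alice:/ifs/home/alice:/bin/sh
bob:*:5002:5000:Bob:/ifs/home/bob:/bin/sh
toor:*:0:0:Second superuser:/root:/bin/sh
this line is malformed
"""
GROUP = """\
wheel:*:0:root,admin
staff:*:5000:
devs:*:5010:alice,bob
ops:*:5020:admin,alice
"""
NETGROUP = """\
eng (-,alice,) (-,bob,)
ops-ng (-,admin,) eng
loop-a loop-b (-,carol,)
loop-b loop-a
"""

@dataclass(frozen=True)
class Identity:
    name: str
    uid: int
    gid: int                    # primary group
    gids: tuple[int, ...]       # supplementary groups from group(5)
    netgroups: tuple[str, ...]  # netgroups that list the user, directly or nested

def parse_passwd(text: str) -> tuple[dict[str, tuple[int, int]], list[str]]:
    """Return {name: (uid, gid)} plus warnings for entries a sync should not have produced."""
    users: dict[str, tuple[int, int]] = {}
    warnings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            warnings.append(f"passwd line {lineno}: malformed entry skipped")
            continue
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid == 0 and name != "root":
            warnings.append(f"passwd line {lineno}: '{name}' is an extra UID 0 account")
        if name in users:
            warnings.append(f"passwd line {lineno}: duplicate user '{name}' ignored")
            continue
        users[name] = (uid, gid)
    return users, warnings

def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """Return {group: (gid, members)}; malformed lines are skipped."""
    groups: dict[str, tuple[int, set[str]]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2].isdigit():
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups

def parse_netgroup(text: str) -> dict[str, list[str]]:
    """Return {netgroup: [entries]}; an entry is a (host,user,domain) triple or a nested name."""
    return {p[0]: p[1:] for p in (line.split() for line in text.splitlines()) if p}

def netgroup_users(ng: dict[str, list[str]], name: str, seen: set[str] | None = None) -> set[str]:
    """Expand nested netgroups; a reference loop terminates instead of recursing forever."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users: set[str] = set()
    for entry in ng.get(name, []):
        if entry.startswith("("):
            _host, user, _domain = entry.strip("()").split(",")
            if user and user != "-":
                users.add(user)
        else:
            users |= netgroup_users(ng, entry, seen)
    return users

def resolve(name: str) -> Identity | None:
    """Build the identity a file provider would hand to token generation."""
    users, _ = parse_passwd(PASSWD)
    if name not in users:
        return None
    uid, gid = users[name]
    groups = parse_group(GROUP)
    gids = tuple(sorted(g for g, members in groups.values() if name in members and g != gid))
    ng = parse_netgroup(NETGROUP)
    netgroups = tuple(sorted(n for n in ng if name in netgroup_users(ng, n)))
    return Identity(name, uid, gid, gids, netgroups)
```

The warnings list is the part worth keeping in a real deployment: a second UID 0 account or a truncated line in a file that is copied to every server is exactly the kind of defect that a file provider will faithfully import.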

Default authentication providers

When you first install OneFS, two default providers are created on the EMC Isilon cluster.

By default, OneFS creates one file provider and one local provider when you install the OneFS system. The default file provider is also known as the System provider and is created with two default accounts: root and admin. The default local provider includes various Windows built-in groups.

Note

You can configure multiple instances of each provider type, but it is good practice to include only a single instance of a provider type in an access zone. When you configure an authentication provider, it is added to the built-in System zone, which already includes the default local and file providers.

Access zones

Access zones provide a way to partition cluster configuration into self-contained units, which enable administrators to configure a subset of parameters as a virtual cluster. Access zones contain all of the necessary configuration settings to support authentication and identity management services in OneFS.

OneFS includes a built-in access zone named System that contains all configured authentication providers, all available SMB shares, and all available NFS exports.

Note

By default, all cluster IP addresses connect to the System zone.

Access zone features

You can configure multiple access zones on the EMC Isilon cluster.

You can create access zones to simplify cluster management in your environment. Access zones support the features that are described in the following table.

Multiple access zone support
    Description: You can create additional access zones and configure each zone differently; each access zone can have its own set of authentication providers, user mapping rules, and SMB shares.
    Comment: Multiple access zones are particularly useful for server consolidation, for example when merging multiple Windows file servers that are joined to different, untrusted forests.
    Note: NFS users are authenticated against only the System zone.

Duplicate SMB share names
    Description: SMB shares are configured and used on a per-zone basis, and configuring an SMB share in one access zone does not affect shares in other access zones.
    Comment: For example, you can use the name home for one share in zone A and for a different share in zone B.

SMB-protocol access auditing on individual access zones
    Description: You can audit SMB-protocol access on individual access zones.
    Comment: For audited zones, you can modify the default list of successful and failed protocol events that are audited.

HDFS access per zone
    Description: You can configure HDFS support for individual access zones.
    Comment: Access zones allow HDFS to expose multiple different directory trees.

Multiple untrusted Active Directory domains
    Description: You can join the cluster to different Active Directory domains.
    Comment: You can consolidate multiple Windows file servers on a single Isilon cluster.

Base directory definition and separation of access zones
    Description: Base directories define the file-system view of access zones.
    Comment: The file system is partitioned into directory trees that are accessible only in that access zone.

Association of IP address pools with access zones
    Description: You can associate any IP address pool with an access zone. Clients connecting to the IP addresses in these pools connect in the context of that access zone.
    Comment: Connectivity to access zones is determined by the IP address that a client connects to, similar to connectivity to different physical machines.
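As an added example that is not OneFS code, the following model ties the rows above together: a client is placed in a zone by the cluster IP address it connects to (most specific pool wins, no pool means System), each zone carries its own providers and SMB shares so that the share name home can exist in two zones with different data, NFS is always served from the System zone, and a share path that resolves outside the zone's base directory is rejected. The zone names, IP pools, provider labels and paths are constructed for the example.

```python
"""Access-zone model: IP address pools select the zone, and each zone carries its
own providers, SMB shares and base directory. Added example, not OneFS code;
the zone names, pools, provider labels and share paths are constructed.
"""
from __future__ import annotations
import ipaddress
import posixpath
from dataclasses import dataclass, field

class ZoneError(Exception):
    pass

@dataclass
class Zone:
    name: str
    base_dir: str                                # file-system view of the zone
    providers: list[str]                         # authentication providers in the zone
    shares: dict[str, str] = field(default_factory=dict)   # SMB share name -> path

class Cluster:
    def __init__(self) -> None:
        # Built-in System zone: the whole file system plus the default local and file providers.
        self.zones = {"System": Zone("System", "/ifs", ["local:System", "file:System"])}
        self.pools: list[tuple[ipaddress.IPv4Network, str]] = []

    def add_zone(self, name: str, base_dir: str, providers: list[str]) -> None:
        if name in self.zones:
            raise ZoneError(f"zone {name} already exists")
        self.zones[name] = Zone(name, posixpath.normpath(base_dir), list(providers))

    def assign_pool(self, cidr: str, zone: str) -> None:
        if zone not in self.zones:
            raise ZoneError(f"no such zone {zone}")
        self.pools.append((ipaddress.ip_network(cidr), zone))

    def zone_for_ip(self, dest_ip: str) -> Zone:
        """The cluster IP a client connects to decides its zone; the most specific pool wins."""
        ip = ipaddress.ip_address(dest_ip)
        matches = [(net.prefixlen, name) for net, name in self.pools if ip in net]
        if not matches:
            return self.zones["System"]          # default: IPs not in any pool serve System
        return self.zones[max(matches)[1]]

    def add_share(self, zone_name: str, share: str, path: str) -> None:
        """A share path must stay inside the zone's base directory; '..' escapes are rejected."""
        zone = self.zones[zone_name]
        full = posixpath.normpath(path)
        inside = full == zone.base_dir or full.startswith(zone.base_dir.rstrip("/") + "/")
        if not full.startswith("/") or not inside:
            raise ZoneError(f"{path} is outside {zone.base_dir} (zone {zone_name})")
        zone.shares[share] = full                # the same share name may exist in another zone

    def connect(self, dest_ip: str, protocol: str) -> Zone:
        """NFS exports and NFS authentication live only in the System zone in this release."""
        zone = self.zone_for_ip(dest_ip)
        return self.zones["System"] if protocol == "nfs" else zone

    def resolve_share(self, dest_ip: str, share: str) -> str | None:
        return self.connect(dest_ip, "smb").shares.get(share)

def build_demo() -> Cluster:
    """Two consolidated file servers from untrusted forests, one per zone (constructed data)."""
    c = Cluster()
    c.add_zone("zoneA", "/ifs/data/zoneA", ["ads:CORP.EXAMPLE"])
    c.add_zone("zoneB", "/ifs/data/zoneB", ["ldap:eng-ldap"])
    c.assign_pool("192.0.2.0/26", "zoneA")
    c.assign_pool("192.0.2.64/26", "zoneB")
    c.add_share("zoneA", "home", "/ifs/data/zoneA/home")   # "home" in both zones, different data
    c.add_share("zoneB", "home", "/ifs/data/zoneB/home")
    return c
```

The path check normalizes before comparing, which is the order that matters: comparing the raw string first would accept /ifs/data/zoneA/../zoneB/home as belonging to zone A.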

Identity management overviewIn environments with several different types of directory services, OneFS maps the usersand groups from the separate services to provide a single unified identity on an EMCIsilon cluster and uniform access control to files and directories, regardless of theincoming protocol. This process is called identity mapping.

Isilon clusters are frequently deployed in multiprotocol environments with multiple types of directory services, such as Active Directory and LDAP. When a user with accounts in multiple directory services logs in to a cluster, OneFS combines the user's identities and privileges from all the directory services into a native access token.

You can configure OneFS settings to include a list of rules for access token manipulation to control user identity and privileges. For example, you can set a user mapping rule to merge an Active Directory identity and an LDAP identity into a single token that works for access to files stored over both SMB and NFS. The token can include groups from Active Directory and LDAP. The mapping rules that you create can solve identity problems by manipulating access tokens in many ways, including the following examples:

- Authenticate a user with Active Directory but give the user a UNIX identity.

- Select a primary group from competing choices in Active Directory or LDAP.

- Disallow login of users that do not exist in both Active Directory and LDAP.

For more information about identity management, see the white paper Managing identities with the Isilon OneFS user mapping service at EMC Online Support.

Access tokens

An access token is created when the user first makes a request for access.

Access tokens represent who a user is when performing actions on the cluster and supply the primary owner and group identities during file creation. Access tokens are also compared against the ACL or mode bits during authorization checks.

During user authorization, OneFS compares the access token, which is generated during the initial connection, with the authorization data on the file. All user and identity mapping occurs during token generation; no mapping takes place during permissions evaluation.

An access token includes all UIDs, GIDs, and SIDs for an identity, in addition to all OneFS privileges. OneFS reads the information in the token to determine whether a user has access to a resource. It is important that the token contains the correct list of UIDs, GIDs, and SIDs. An access token is created from one of the following sources:

| Source | Authentication |
|---|---|
| Username | SMB impersonate user; Kerberized NFSv3; Kerberized NFSv4; mountd root mapping; HTTP; FTP |
| Privilege Attribute Certificate (PAC) | SMB NTLM; Active Directory Kerberos |
| User identifier (UID) | NFS AUTH_SYS mapping |
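The mapping rules listed under Identity management overview and the token-generation model described under Access tokens, as an added illustration that is not OneFS code: the identity shapes, the sample SIDs and UIDs, and the rule options are constructed for this model and do not reproduce the OneFS mapping-rule syntax. The point it shows is that every identity is resolved once, when the token is built, and that the later trustee comparison does no directory lookup at all.

```python
"""Simplified model of merging directory-service identities into one access token."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ADIdentity:
    """What Active Directory returns for a user (constructed sample shape)."""
    sid: str
    primary_group_sid: str
    group_sids: tuple


@dataclass(frozen=True)
class LDAPIdentity:
    """What LDAP returns for a user (constructed sample shape)."""
    uid: int
    gid: int
    gids: tuple


@dataclass
class AccessToken:
    """Everything a later authorization check may compare against an ACE or mode bits."""
    uids: set = field(default_factory=set)
    gids: set = field(default_factory=set)
    sids: set = field(default_factory=set)
    primary_owner: tuple = None   # identity stamped on files the user creates
    primary_group: tuple = None   # group stamped on files the user creates


class LoginDenied(Exception):
    """Raised when a mapping rule refuses the login."""


def build_token(ad, ldap, prefer_unix_identity=True, primary_group_from="ldap", require_both=False):
    """Merge one user's AD and LDAP identities into a single token.

    ad or ldap is None when the user has no account in that directory.
    """
    if ad is None and ldap is None:
        raise LoginDenied("user is unknown to every directory service")
    if require_both and (ad is None or ldap is None):
        # Rule example 3: refuse users that do not exist in both directories.
        raise LoginDenied("user must exist in both Active Directory and LDAP")
    token = AccessToken()
    if ad is not None:
        token.sids.update((ad.sid, ad.primary_group_sid, *ad.group_sids))
    if ldap is not None:
        token.uids.add(ldap.uid)
        token.gids.update((ldap.gid, *ldap.gids))
    # Rule example 1: authenticated with AD, but the owner identity used for new
    # files is the UNIX UID when one exists and the rule asks for it.
    if ldap is not None and (prefer_unix_identity or ad is None):
        token.primary_owner = ("uid", ldap.uid)
    else:
        token.primary_owner = ("sid", ad.sid)
    # Rule example 2: choose the primary group from the competing AD/LDAP choices.
    if ldap is not None and (primary_group_from == "ldap" or ad is None):
        token.primary_group = ("gid", ldap.gid)
    else:
        token.primary_group = ("sid", ad.primary_group_sid)
    return token


def trustee_matches(token, trustee):
    """Authorization-time comparison of an ACE trustee ("uid"/"gid"/"sid", value)
    against the token. Nothing is mapped here; the token already holds every form."""
    kind, ident = trustee
    pool = {"uid": token.uids, "gid": token.gids, "sid": token.sids}.get(kind, set())
    return ident in pool


# Constructed sample identities for one user present in both directories.
SAMPLE_AD = ADIdentity(
    sid="S-1-5-21-1-2-3-1105",
    primary_group_sid="S-1-5-21-1-2-3-513",
    group_sids=("S-1-5-21-1-2-3-2001",),
)
SAMPLE_LDAP = LDAPIdentity(uid=1001, gid=200, gids=(300,))

if __name__ == "__main__":
    tok = build_token(SAMPLE_AD, SAMPLE_LDAP)
    print(tok.primary_owner, tok.primary_group, sorted(tok.sids))
```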

Roles

You can permit and limit access to administrative areas of your EMC Isilon cluster on a per-user basis through roles.

OneFS includes built-in administrator roles with predefined sets of privileges that cannot be modified. The following list describes what you can and cannot do through roles:

- You can assign privileges through role membership.

- You can add any user to a role as long as the user can authenticate to the cluster.

- You can create custom roles and assign privileges to those roles.

- You can add users singly or as groups, including well-known groups.

- You can assign a user as a member of more than one role.

- You can add a group to a role, which grants to all users who are members of that group all of the privileges associated with the role.

- You cannot assign privileges directly to users or groups.

Note

When OneFS is first installed, only users with root- or admin-level access can log in and assign users to roles.

Built-in roles

Built-in roles include privileges to perform a set of administrative functions.

The following tables describe each of the built-in roles from most powerful to least powerful. The tables include the privileges and read/write access levels, if applicable, that are assigned to each role. You can assign users and groups to built-in roles and to roles that you create.


Table 2 SecurityAdmin role

Description: Administer security configuration on the cluster, including authentication providers, local users and groups, and role membership.

| Privileges | Read/write access |
|---|---|
| ISI_PRIV_LOGIN_CONSOLE | N/A |
| ISI_PRIV_LOGIN_PAPI | N/A |
| ISI_PRIV_LOGIN_SSH | N/A |
| ISI_PRIV_AUTH | Read/write |
| ISI_PRIV_ROLE | Read/write |

Table 3 SystemAdmin role

Description: Administer all aspects of cluster configuration that are not specifically handled by the SecurityAdmin role.

| Privileges | Read/write access |
|---|---|
| ISI_PRIV_LOGIN_CONSOLE | N/A |
| ISI_PRIV_LOGIN_PAPI | N/A |
| ISI_PRIV_LOGIN_SSH | N/A |
| ISI_PRIV_SYS_SHUTDOWN | N/A |
| ISI_PRIV_SYS_SUPPORT | N/A |
| ISI_PRIV_SYS_TIME | N/A |
| ISI_PRIV_ANTIVIRUS | Read/write |
| ISI_PRIV_AUDIT | Read/write |
| ISI_PRIV_CLUSTER | Read/write |
| ISI_PRIV_DEVICES | Read/write |
| ISI_PRIV_EVENT | Read/write |
| ISI_PRIV_FTP | Read/write |
| ISI_PRIV_HDFS | Read/write |
| ISI_PRIV_HTTP | Read/write |
| ISI_PRIV_ISCSI | Read/write |
| ISI_PRIV_JOB_ENGINE | Read/write |
| ISI_PRIV_LICENSE | Read/write |
| ISI_PRIV_NDMP | Read/write |
| ISI_PRIV_NETWORK | Read/write |
| ISI_PRIV_NFS | Read/write |
| ISI_PRIV_NTP | Read/write |
| ISI_PRIV_QUOTA | Read/write |
| ISI_PRIV_REMOTE_SUPPORT | Read/write |
| ISI_PRIV_SMARTPOOLS | Read/write |
| ISI_PRIV_SMB | Read/write |
| ISI_PRIV_SNAPSHOT | Read/write |
| ISI_PRIV_STATISTICS | Read/write |
| ISI_PRIV_SYNCIQ | Read/write |
| ISI_PRIV_VCENTER | Read/write |
| ISI_PRIV_WORM | Read/write |
| ISI_PRIV_NS_TRAVERSE | N/A |
| ISI_PRIV_NS_IFS_ACCESS | N/A |

Table 4 AuditAdmin role

Description: View all system configuration settings.

| Privileges | Read/write access |
|---|---|
| ISI_PRIV_LOGIN_CONSOLE | N/A |
| ISI_PRIV_LOGIN_PAPI | N/A |
| ISI_PRIV_LOGIN_SSH | N/A |
| ISI_PRIV_ANTIVIRUS | Read-only |
| ISI_PRIV_AUDIT | Read-only |
| ISI_PRIV_CLUSTER | Read-only |
| ISI_PRIV_DEVICES | Read-only |
| ISI_PRIV_EVENT | Read-only |
| ISI_PRIV_FTP | Read-only |
| ISI_PRIV_HDFS | Read-only |
| ISI_PRIV_HTTP | Read-only |
| ISI_PRIV_ISCSI | Read-only |
| ISI_PRIV_JOB_ENGINE | Read-only |
| ISI_PRIV_LICENSE | Read-only |
| ISI_PRIV_NDMP | Read-only |
| ISI_PRIV_NETWORK | Read-only |
| ISI_PRIV_NFS | Read-only |
| ISI_PRIV_NTP | Read-only |
| ISI_PRIV_QUOTA | Read-only |
| ISI_PRIV_REMOTE_SUPPORT | Read-only |
| ISI_PRIV_SMARTPOOLS | Read-only |
| ISI_PRIV_SMB | Read-only |
| ISI_PRIV_SNAPSHOT | Read-only |
| ISI_PRIV_STATISTICS | Read-only |
| ISI_PRIV_SYNCIQ | Read-only |
| ISI_PRIV_VCENTER | Read-only |
| ISI_PRIV_WORM | Read-only |

Table 5 VMwareAdmin role

Description: Administers remotely all aspects of storage needed by VMware vCenter.

| Privileges | Read/write access |
|---|---|
| ISI_PRIV_LOGIN_PAPI | N/A |
| ISI_PRIV_ISCSI | Read/write |
| ISI_PRIV_NETWORK | Read/write |
| ISI_PRIV_SMARTPOOLS | Read/write |
| ISI_PRIV_SNAPSHOT | Read/write |
| ISI_PRIV_SYNCIQ | Read/write |
| ISI_PRIV_VCENTER | Read/write |
| ISI_PRIV_NS_TRAVERSE | N/A |
| ISI_PRIV_NS_IFS_ACCESS | N/A |

Table 6 BackupAdmin role

Description: Allows backup and restore of files from /ifs.

| Privileges | Read/write access |
|---|---|
| ISI_PRIV_IFS_BACKUP | Read-only |
| ISI_PRIV_IFS_RESTORE | Read-only |

OneFS privileges

Privileges in OneFS are assigned through role membership; privileges cannot be assigned directly to users and groups.

Table 7 Login privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_LOGIN_CONSOLE | Log in from the console | Action |
| ISI_PRIV_LOGIN_PAPI | Log in to the Platform API and the web administration interface | Action |
| ISI_PRIV_LOGIN_SSH | Log in through SSH | Action |

Table 8 System privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_SYS_SHUTDOWN | Shut down the system | Action |
| ISI_PRIV_SYS_SUPPORT | Run cluster diagnostic tools | Action |
| ISI_PRIV_SYS_TIME | Change the system time | Action |

Table 9 Security privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_AUTH | Configure external authentication providers | Read/write |
| ISI_PRIV_ROLE | Create new roles and assign privileges | Read/write |

Table 10 Configuration privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_ANTIVIRUS | Configure antivirus scanning | Read/write |
| ISI_PRIV_AUDIT | Configure audit capabilities | Read/write |
| ISI_PRIV_CLUSTER | Configure cluster identity and general settings | Read/write |
| ISI_PRIV_DEVICES | Create new roles and assign privileges | Read/write |
| ISI_PRIV_EVENT | View and modify system events | Read/write |
| ISI_PRIV_FTP | Configure FTP server | Read/write |
| ISI_PRIV_HDFS | Configure HDFS server | Read/write |
| ISI_PRIV_HTTP | Configure HTTP server | Read/write |
| ISI_PRIV_ISCSI | Configure iSCSI server | Read/write |
| ISI_PRIV_JOB_ENGINE | Schedule cluster-wide jobs | Read/write |
| ISI_PRIV_LICENSE | Activate OneFS software licenses | Read/write |
| ISI_PRIV_NDMP | Configure NDMP server | Read/write |
| ISI_PRIV_NETWORK | Configure network interfaces | Read/write |
| ISI_PRIV_NFS | Configure the NFS server | Read/write |
| ISI_PRIV_NTP | Configure NTP | Read/write |
| ISI_PRIV_QUOTA | Configure file system quotas | Read/write |
| ISI_PRIV_REMOTE_SUPPORT | Configure remote support | Read/write |
| ISI_PRIV_SMARTPOOLS | Configure storage pools | Read/write |
| ISI_PRIV_SMB | Configure the SMB server | Read/write |
| ISI_PRIV_SNAPSHOT | Schedule, take, and view snapshots | Read/write |
| ISI_PRIV_SNMP | Configure SNMP server | Read/write |
| ISI_PRIV_STATISTICS | View file system performance statistics | Read/write |
| ISI_PRIV_SYNCIQ | Configure SyncIQ | Read/write |
| ISI_PRIV_VCENTER | Configure VMware for vCenter | Read/write |
| ISI_PRIV_WORM | Configure SmartLock directories | Read/write |

Table 11 Platform API-only privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_EVENT | View and modify system events | Read/write |
| ISI_PRIV_LICENSE | Activate OneFS software licenses | Read/write |
| ISI_PRIV_STATISTICS | View file system performance statistics | Read/write |


Table 12 File access privileges

| OneFS privilege | User right | Privilege type |
|---|---|---|
| ISI_PRIV_IFS_BACKUP | Back up files from /ifs. Note: This privilege circumvents traditional file access checks, such as mode bits or NTFS ACLs. | Action |
| ISI_PRIV_IFS_RESTORE | Restore files from /ifs. Note: This privilege circumvents traditional file access checks, such as mode bits or NTFS ACLs. | Action |

Command-line interface privileges

You can perform most tasks granted by a privilege through the command-line interface.

Some OneFS commands require root access; however, if you do not have root access, most of the commands associated with a privilege can be performed through the sudo program. The system automatically generates a sudoers file of users based on existing roles.

Prefixing a command with sudo allows you to run commands that require root access. For example, if you do not have root access, the following command fails:

isi sync policy list

However, if you are on the sudoers list, the following command succeeds:

sudo isi sync policy list

The following tables list all OneFS commands available, the associated privilege or root-access requirement, and whether sudo is required to run the command.

Note

If you are running in compliance mode, additional sudo commands are available.

Table 13 Privileges sorted by CLI command

| isi command | Privilege | Requires sudo |
|---|---|---|
| isi alert | ISI_PRIV_EVENT | x |
| isi audit | ISI_PRIV_AUDIT | |
| isi auth - excluding isi auth role | ISI_PRIV_AUTH | |
| isi auth role | ISI_PRIV_ROLE | |
| isi avscan | ISI_PRIV_ANTIVIRUS | x |
| isi batterystatus | ISI_PRIV_STATISTICS | x |
| isi config | root | |
| isi dedupe - excluding isi dedupe stats | ISI_PRIV_JOB_ENGINE | |
| isi dedupe stats | ISI_PRIV_STATISTICS | |
| isi devices | ISI_PRIV_DEVICES | x |
| isi domain | root | |
| isi email | ISI_PRIV_CLUSTER | x |
| isi events | ISI_PRIV_EVENT | x |
| isi exttools | root | |
| isi fc | root | |
| isi filepool | ISI_PRIV_SMARTPOOLS | |
| isi firmware | root | |
| isi ftp | ISI_PRIV_FTP | x |
| isi get | root | |
| isi hdfs | root | |
| isi iscsi | ISI_PRIV_ISCSI | x |
| isi job | ISI_PRIV_JOB_ENGINE | |
| isi license | ISI_PRIV_LICENSE | x |
| isi lun | ISI_PRIV_ISCSI | x |
| isi ndmp | ISI_PRIV_NDMP | x |
| isi networks | ISI_PRIV_NETWORK | x |
| isi nfs | ISI_PRIV_NFS | |
| isi perfstat | ISI_PRIV_STATISTICS | x |
| isi pkg | root | |
| isi quota | ISI_PRIV_QUOTA | |
| isi readonly | root | |
| isi remotesupport | ISI_PRIV_REMOTE_SUPPORT | |
| isi servicelight | ISI_PRIV_DEVICES | x |
| isi services | root | |
| isi set | root | |
| isi smartlock | root | |
| isi smb | ISI_PRIV_SMB | |
| isi snapshot | ISI_PRIV_SNAPSHOT | |
| isi snmp | ISI_PRIV_SNMP | x |
| isi stat | ISI_PRIV_STATISTICS | x |
| isi statistics | ISI_PRIV_STATISTICS | x |
| isi status | ISI_PRIV_STATISTICS | x |
| isi storagepool | ISI_PRIV_SMARTPOOLS | |
| isi sync | ISI_PRIV_SYNCIQ | |
| isi tape | ISI_PRIV_NDMP | x |
| isi target | ISI_PRIV_ISCSI | x |
| isi update | root | |
| isi version | ISI_PRIV_CLUSTER | x |
| isi worm | root | |
| isi zone | ISI_PRIV_AUTH | |

Table 14 CLI commands sorted by privilege

| Privilege | isi commands | Requires sudo |
|---|---|---|
| ISI_PRIV_ANTIVIRUS | isi avscan | x |
| ISI_PRIV_AUDIT | isi audit | |
| ISI_PRIV_AUTH | isi auth - excluding isi auth role; isi zone | |
| ISI_PRIV_CLUSTER | isi email; isi version | x |
| ISI_PRIV_DEVICES | isi devices; isi servicelight | x |
| ISI_PRIV_EVENT | isi alert; isi events | x |
| ISI_PRIV_FTP | isi ftp | x |
| ISI_PRIV_ISCSI | isi iscsi; isi lun; isi target | x |
| ISI_PRIV_JOB_ENGINE | isi job; isi dedupe - excluding isi dedupe stats | |
| ISI_PRIV_LICENSE | isi license | x |
| ISI_PRIV_NDMP | isi ndmp; isi tape | x |
| ISI_PRIV_NETWORK | isi networks | x |
| ISI_PRIV_NFS | isi nfs | |
| ISI_PRIV_QUOTA | isi quota | |
| ISI_PRIV_ROLE | isi auth role | |
| ISI_PRIV_REMOTE_SUPPORT | isi remotesupport | |
| ISI_PRIV_SMARTPOOLS | isi filepool; isi storagepool | |
| ISI_PRIV_SMB | isi smb | |
| ISI_PRIV_SNAPSHOT | isi snapshot | |
| ISI_PRIV_SNMP | isi snmp | x |
| ISI_PRIV_STATISTICS | isi batterystatus; isi dedupe stats; isi perfstat; isi stat; isi statistics; isi status | x |
| ISI_PRIV_SYNCIQ | isi sync | |
| root | isi config; isi domain; isi exttools; isi fc; isi firmware; isi get; isi hdfs; isi pkg; isi readonly; isi services; isi set; isi smartlock; isi update; isi worm | |
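The role, privilege and CLI relationships from the Roles, OneFS privileges and Command-line interface privileges topics, as an added model that is not OneFS code. The role and command data is an excerpt of Table 2, Table 4 and Table 14; the role assignments are constructed samples. It shows a user reaching a privilege only through role membership, the longest-prefix rule needed because isi auth role and isi auth carry different privileges, and whether a sudo prefix is required for a given command.

```python
"""Model of OneFS role-based authorization of isi commands (excerpted page data)."""

# Excerpt of the built-in roles (Table 2 and Table 4): privilege -> access level.
BUILT_IN_ROLES = {
    "SecurityAdmin": {
        "ISI_PRIV_LOGIN_CONSOLE": "N/A", "ISI_PRIV_LOGIN_PAPI": "N/A",
        "ISI_PRIV_LOGIN_SSH": "N/A", "ISI_PRIV_AUTH": "Read/write",
        "ISI_PRIV_ROLE": "Read/write",
    },
    "AuditAdmin": {
        "ISI_PRIV_LOGIN_CONSOLE": "N/A", "ISI_PRIV_LOGIN_PAPI": "N/A",
        "ISI_PRIV_LOGIN_SSH": "N/A", "ISI_PRIV_AUDIT": "Read-only",
        "ISI_PRIV_NFS": "Read-only", "ISI_PRIV_SMB": "Read-only",
        "ISI_PRIV_STATISTICS": "Read-only",
    },
}

# Excerpt of Table 14: privilege -> (command prefixes, requires sudo).
COMMAND_PRIVILEGES = {
    "ISI_PRIV_AUDIT": (("isi audit",), False),
    "ISI_PRIV_AUTH": (("isi auth", "isi zone"), False),
    "ISI_PRIV_ROLE": (("isi auth role",), False),
    "ISI_PRIV_NFS": (("isi nfs",), False),
    "ISI_PRIV_SMB": (("isi smb",), False),
    "ISI_PRIV_STATISTICS": (("isi batterystatus", "isi dedupe stats", "isi perfstat",
                             "isi stat", "isi statistics", "isi status"), True),
    "ISI_PRIV_SYNCIQ": (("isi sync",), False),
}

# Commands Table 14 lists under "root": no privilege grants them.
ROOT_ONLY_COMMANDS = ("isi config", "isi set", "isi update", "isi worm")


def _has_prefix(command, prefix):
    """True when prefix is the command itself or a whole-word prefix of it, so
    "isi stat" does not match "isi statistics"."""
    return command == prefix or command.startswith(prefix + " ")


def effective_privileges(user_roles, roles=BUILT_IN_ROLES):
    """Union of the privileges of every role the user belongs to. Privileges are
    never attached to the user directly; only roles appear here."""
    privs = {}
    for role in user_roles:
        for priv, level in roles[role].items():
            # Read/write wins when two roles grant the same privilege.
            if privs.get(priv) != "Read/write":
                privs[priv] = level
    return privs


def privilege_for(command):
    """Return (privilege, requires_sudo) for the longest matching command prefix,
    or None when no privilege covers the command."""
    best = None
    for priv, (prefixes, needs_sudo) in COMMAND_PRIVILEGES.items():
        for prefix in prefixes:
            if _has_prefix(command, prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, priv, needs_sudo)
    return None if best is None else (best[1], best[2])


def authorize_command(user_roles, command, is_root=False):
    """Return (allowed, prefix): prefix is "sudo " when the command must be run
    through sudo, "" otherwise."""
    if is_root:
        return True, ""
    if any(_has_prefix(command, c) for c in ROOT_ONLY_COMMANDS):
        return False, ""
    match = privilege_for(command)
    if match is None:
        return False, ""
    priv, needs_sudo = match
    if priv not in effective_privileges(user_roles):
        return False, ""
    return True, ("sudo " if needs_sudo else "")


if __name__ == "__main__":
    # Constructed sample: an auditor who is also a security administrator.
    for cmd in ("isi auth role list", "isi statistics query", "isi config"):
        print(cmd, authorize_command(["SecurityAdmin", "AuditAdmin"], cmd))
```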

Authorization

OneFS supports two types of authorization data on a file: Windows-style access control lists (ACLs) and POSIX mode bits (UNIX permissions). Authorization type is based on the ACL policies that are set and on the file-creation method.

Access to a file or directory is governed by either a Windows access control list (ACL) or UNIX mode bits. Regardless of the security model, OneFS enforces access rights consistently across access protocols. A user is granted or denied the same rights to a file when using SMB for Windows file sharing as when using NFS for UNIX file sharing.

An EMC Isilon cluster includes global policy settings that enable you to customize the default ACL and UNIX permissions to best support your environment. Generally, files that are created over SMB or in a directory that has an ACL receive an ACL; otherwise, OneFS relies on the POSIX mode bits that define UNIX permissions. In either case, the owner is represented by a UNIX identifier (UID or GID) or by its Windows identifier (SID). The primary group is represented by a GID or SID. Although mode bits are present when a file has an ACL, the mode bits are provided for only protocol compatibility, not for access checks.

Note

Although you can configure ACL policies to optimize a cluster for UNIX or Windows, you should do so only if you understand how ACL and UNIX permissions interact.

The OneFS file system installs with UNIX permissions as the default. By using Windows Explorer or OneFS administrative tools, you can give a file or directory an ACL. In addition to Windows domain users and groups, ACLs in OneFS can include local, NIS, and LDAP users and groups. After you give a file an ACL, OneFS stops enforcing the file's mode bits, which remain only as an estimate of the effective permissions.

Data access security features

You can configure policies to control permissions, although default OneFS settings are usually sufficient for most security purposes.

| Security feature | Description | Comments |
|---|---|---|
| Access-control lists (ACLs) | You can configure ACL policies that control how permissions are processed and managed. | As an alternative, you can set the global EMC Isilon cluster permissions policy to balanced mode, which is designed to automate file sharing management for a network that mixes UNIX and Windows systems. |
| Windows-style (NT) credentials for Unix users | OneFS creates a synthetic ACL that approximates the mode bits of a UNIX file. | Based on RFC 3530, the file's internal representation, which is an estimation of the mode bits, is used to generate a synthetic ACL. |
| SMB access of UNIX-created files; NFS access of Windows-created files | OneFS integrates user identities to provide identical permissions to system resources for Unix users and Windows users. Users have seamless multiprotocol data access over SMB and NFS. | Although Windows and UNIX permissions cannot coexist on a single file or directory, OneFS uses identity mapping to translate between Windows and UNIX permissions as needed. |
| Home directory permissions | When a home directory is created during a login through SSH or FTP, it is set up with mode bits; if a home directory is created during an SMB connection, it receives either mode bits or an ACL. | You can configure settings so that home directories can be dynamically created at login time for users who authenticate against external sources. |

ACLs

In Windows environments, file and directory permissions, referred to as access rights, are defined in access control lists (ACLs). Although ACLs are more complex than mode bits, ACLs can express much more granular sets of access rules. OneFS checks the ACL processing rules commonly associated with Windows ACLs.

A Windows ACL contains zero or more access control entries (ACEs), each of which represents the security identifier (SID) of a user or a group as a trustee. In OneFS, an ACL can contain ACEs with a UID, GID, or SID as the trustee. Each ACE contains a set of rights that allow or deny access to a file or folder. An ACE can optionally contain an inheritance flag to specify whether the ACE should be inherited by child folders and files.

Note

Instead of the standard three permissions available for mode bits, ACLs have 32 bits of fine-grained access rights. Of these, the upper 16 bits are general and apply to all object types. The lower 16 bits vary between files and directories but are defined in a way that allows most applications to apply the same bits for files and directories.

Rights grant or deny access for a given trustee. You can block user access explicitly through a deny ACE or implicitly by ensuring that a user does not directly, or indirectly through a group, appear in an ACE that grants the right.

UNIX permissions

In a UNIX environment, file and directory access is controlled by POSIX mode bits, which grant read, write, or execute permissions to the owning user, the owning group, and everyone else.

OneFS supports the standard UNIX tools for viewing and changing permissions: ls, chmod, and chown. For more information, run the man ls, man chmod, and man chown commands.

All files contain 16 permission bits, which provide information about the file or directory type and the permissions. The lower 9 bits are grouped as three 3-bit sets, called triples, which contain the read, write, and execute (rwx) permissions for each class of users: owner, group, and other. You can set permissions flags to grant permissions to each of these classes.

Unless the user is root, OneFS checks the class to determine whether to grant or deny access to the file. The classes are not cumulative: the first class matched is applied. It is therefore common to grant permissions in decreasing order.

Mixed-permission environments

When a file operation requests an object's authorization data, for example, with the ls -l command over NFS or with the Security tab of the Properties dialog box in Windows Explorer over SMB, OneFS attempts to provide that data in the requested format. In an environment that mixes UNIX and Windows systems, some translation may be required when performing create file, set security, get security, or access operations.

NFS access of Windows-created files

If a file contains an owning user or group that is a SID, the system attempts to map it to a corresponding UID or GID before returning it to the caller.

In UNIX, authorization data is retrieved by calling stat(2) on a file and examining the owner, group, and mode bits. Over NFSv3, the GETATTR command functions similarly. The system approximates the mode bits and sets them on the file whenever its ACL changes. Mode bit approximations need to be retrieved only to service these calls.

Note

SID-to-UID and SID-to-GID mappings are cached in both the OneFS ID mapper and the stat cache. If a mapping has recently changed, the file might report inaccurate information until the file is updated or the cache is flushed.

SMB access of UNIX-created files

No UID-to-SID or GID-to-SID mappings are performed when creating an ACL for a file; all UIDs and GIDs are converted to SIDs or principals when the ACL is returned.

OneFS initiates a two-step process for returning a security descriptor, which contains SIDs for the owner and primary group of an object:

1. The current security descriptor is retrieved from the file. If the file does not have a discretionary access control list (DACL), a synthetic ACL is constructed from the file's lower 9 mode bits, which are separated into three sets of permission triples: one each for owner, group, and everyone. For details about mode bits, see the UNIX permissions topic.

2. Two access control entries (ACEs) are created for each triple: the allow ACE contains the corresponding rights that are granted according to the permissions; the deny ACE contains the corresponding rights that are denied. In both cases, the trustee of the ACE corresponds to the file owner, group, or everyone. After all of the ACEs are generated, any that are not needed are removed before the synthetic ACL is returned.
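The two-step synthetic ACL construction just described, together with the non-cumulative owner/group/other class check from the UNIX permissions topic, as an added example that is not OneFS code. The set of Windows-style rights that each r, w and x bit expands to is an assumption of this model, as is the ACE evaluation order; the sample owner, group and modes are constructed. It also shows why the per-class deny ACE matters: a mode such as 0077 denies the owner even though the other classes are wide open, and the synthetic ACL reproduces that.

```python
"""Synthetic ACL from POSIX mode bits, and the class check it must reproduce."""

# Assumed expansion of each permission bit into Windows-style rights.
RIGHTS_FOR_PERMISSION = {
    "r": ("READ_DATA", "READ_ATTRIBUTES"),
    "w": ("WRITE_DATA", "APPEND_DATA", "WRITE_ATTRIBUTES"),
    "x": ("EXECUTE",),
}
CLASSES = ("owner", "group", "everyone")


def triples(mode):
    """Split the lower 9 mode bits into (owner, group, everyone) rwx strings."""
    low = mode & 0o777
    result = []
    for shift in (6, 3, 0):
        bits = (low >> shift) & 0o7
        result.append(("r" if bits & 4 else "-")
                      + ("w" if bits & 2 else "-")
                      + ("x" if bits & 1 else "-"))
    return tuple(result)


def mode_bits_allow(mode, owner_uid, owner_gid, uid, gids, perm, is_root=False):
    """POSIX check: the first class the caller matches decides; classes do not
    accumulate, so an owner never falls through to the group or everyone triple."""
    if is_root:
        return True
    owner, group, everyone = triples(mode)
    if uid == owner_uid:
        triple = owner
    elif owner_gid in gids:
        triple = group
    else:
        triple = everyone
    return perm in triple


def synthetic_acl(mode, owner_uid, owner_gid):
    """Step 1: derive the three triples. Step 2: one allow ACE and one deny ACE per
    triple (allow first, so a class's deny blocks before the next class is read),
    then drop the ACEs that ended up with no rights."""
    trustees = {"owner": ("uid", owner_uid), "group": ("gid", owner_gid),
                "everyone": ("everyone", None)}
    aces = []
    for cls, triple in zip(CLASSES, triples(mode)):
        allowed, denied = [], []
        for perm, rights in RIGHTS_FOR_PERMISSION.items():
            (allowed if perm in triple else denied).extend(rights)
        aces.append({"type": "allow", "trustee": trustees[cls], "rights": tuple(allowed)})
        aces.append({"type": "deny", "trustee": trustees[cls], "rights": tuple(denied)})
    return [ace for ace in aces if ace["rights"]]


def acl_allows(acl, uid, gids, requested):
    """Windows-style evaluation: walk the ACEs in order; an allow ACE grants
    rights, a deny ACE covering a still-ungranted requested right denies."""
    remaining = set(requested)
    for ace in acl:
        kind, ident = ace["trustee"]
        matches = (kind == "everyone" or (kind == "uid" and ident == uid)
                   or (kind == "gid" and ident in gids))
        if not matches:
            continue
        if ace["type"] == "allow":
            remaining -= set(ace["rights"])
        elif remaining & set(ace["rights"]):
            return False
        if not remaining:
            return True
    return not remaining


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1001 / gid 200 with mode 0640.
    for ace in synthetic_acl(0o640, 1001, 200):
        print(ace)
```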


CHAPTER 4

Protocols

This section includes the following topics:

- Client-side protocols, page 34
- SMB, page 34
- NFS, page 35
- Hadoop overview, page 36
- HTTP and HTTPS, page 37
- FTP, page 37
- NDMP, page 37


Client-side protocols

You can use some or all of the following client-side protocol features on your EMC Isilon cluster.

Note

All authentication providers can provide authentication and identification for all protocols. That is, when you configure a provider, users for that provider can access all protocols.

Authentication type Encryption type

Protocol Kerberos NTLM Plain text Session token Sign/Integrity Seal/Security

SMB x x x

NFS x x x

HDFS x

HTTP x x x x (SSL)

FTP x

RAN API x x x x x (SSL)

SMB

You can configure SMB shares to provide Windows clients network access to file system resources on the cluster. You can grant permissions to users and groups to carry out operations such as reading, writing, and setting access permissions on SMB shares.

SMB protocol security features

You can configure SMB protocol security features to restrict access to the cluster.

You must be logged in as a member of the SystemAdmin role to configure SMB protocol settings.

| Feature | Description | Comment |
|---|---|---|
| Share permissions | You can create special SMB shares that include expansion variables in the share path to enable users to access their home directories by connecting to the share. You can also enable dynamic creation of home directories that do not exist at SMB connection time. | Share permissions are checked when files are accessed, before the underlying file system permissions are checked. Either of these permissions can prevent access to that file or directory. |
| Host-based access-control lists (ACLs) | You can configure clients by machine IP address to permit or deny access to OneFS system resources. | Configuration of host-based ACLs can be by IP address or hostname. |
| Access-based enumeration (ABE) | You can enable or disable configuration settings on files to allow or prevent users from seeing shared files that they do not have permission to access. | Permissions are checked on every file. |
| Share-based ABE | You can enable or disable configuration settings on SMB shares to allow or prevent users from seeing share resources that they do not have permission to access. | |
| Session timeout | You can enforce a session timeout for the SMB protocol. | Session timeout is enabled by default. |
| File auditing | You can view file information about who accessed the file, the time of access, the IP address, and permissions. | File auditing is available for the SMB protocol only. |

SMB share default permissions

You should remove the default SMB share or configure explicit permissions for that share on a newly installed EMC Isilon cluster.

When OneFS is first installed on the cluster, a single SMB share is created and enabled by default. The root file-system path for this share is /ifs. The default share permissions give Everyone full access to the default share directory. You should either remove this share or change the permissions to restrict access for Everyone.

NFS

You can configure NFS exports to provide UNIX clients network access to file system resources on the cluster.

NFS protocol security features

You can configure NFS export security features to restrict access to the cluster.

You can make NFS more secure by configuring the following settings:

- Define read-only access for some (or all) files or directories.

- Limit root access.

- Hide export and mount information if a client does not have mount permissions for the file system corresponding to that entry.

If strong authentication is required, you can configure Secure NFS, which uses Kerberos. For more information about configuring NFS with Kerberos, see Access tokens in the OneFS Web Administration Guide.


Note

You must be logged in as a member of the SystemAdmin role to configure NFS settings.

| Feature | Description | Comment |
|---|---|---|
| NFS exports | By default, when OneFS is installed, one NFS export is created. The file system path for this export is /ifs. | |
| User root-squashing | You can create a user root-squashing rule to limit permissions to the root /ifs directory, so that a remote root user is prevented from unauthorized alteration of files. | Note: When OneFS is first installed, the default NFS export maps the root user to Nobody and allows all hosts to connect to the root directory, /ifs. You should perform the following actions: remove the default export or change access permissions if you retain it; create a root-squashing rule for Nobody. |
| File-based access | You can enable or disable file-based access to allow or prevent users from seeing shared resources that they do not have permission to access. | If no export permissions are granted for a user, files in that export are not displayed. |
| Kerberos authentication | You can configure Kerberos authentication. | OneFS supports both Active Directory and MIT Kerberos. |
| Kerberos integrity and security modes | You can configure Kerberos authentication to verify that data has not been tampered with and to enforce a stronger security mode. | |

NFS export default permissions

You should remove the default NFS export or configure explicit permissions for that export on a newly installed EMC Isilon cluster.

When OneFS is first installed on the cluster, a single NFS export is created. The root file-system path for this export is /ifs, and the default export permissions map the root user to nobody. You should either remove this export or change the permissions to restrict access for nobody by creating a user root-squashing rule.

Hadoop overview

Hadoop is an open-source platform that runs analytics on large sets of data across multiple nodes.

In a Hadoop implementation on an EMC Isilon cluster, OneFS acts as the distributed file system and HDFS is supported as a native protocol. Clients from a Hadoop cluster connect to the Isilon cluster through the HDFS protocol to manage and process data.


Hadoop support on the cluster requires you to activate an HDFS license. To obtain a license, contact your EMC Isilon sales representative.

HTTP and HTTPS

OneFS includes a configurable HTTP service, which is used to request files that are stored on the cluster and to interact with the web administration interface.

OneFS supports both HTTP and its secure variant, HTTPS. Each node in the cluster runs an instance of the Apache HTTP Server to provide HTTP access. You can configure the HTTP service to run in different modes.

Both HTTP and HTTPS are supported for file transfer, but only HTTPS is supported for Platform API calls. The HTTPS-only requirement includes the web administration interface. In addition, OneFS supports a form of the web-based DAV (WebDAV) protocol that enables users to modify and manage files on remote web servers. OneFS performs distributed authoring, but does not support versioning and does not perform security checks. You can enable DAV in the web administration interface.

Certificates

You can renew the Secure Sockets Layer (SSL) certificate for the Isilon web administration interface or replace it with a third-party SSL certificate.

All Platform API communication, which includes communication through the web administration interface, is over SSL. You can replace or renew the self-signed certificate with a certificate that you generate. To replace or renew an SSL certificate, you must be logged in as root.

FTP

The FTP service is disabled by default. You can set the FTP service to allow any node in the cluster to respond to FTP requests through a standard user account.

When configuring FTP access, make sure that the specified FTP root is the home directory of the user who logs in. For example, the FTP root for local user jsmith should be /ifs/home/jsmith. You can enable the transfer of files between remote FTP servers and enable anonymous FTP service on the root by creating a local user named anonymous or ftp.

Note

OneFS includes a secure FTP service called vsftpd, which stands for Very Secure FTP Daemon, that you can configure for standard FTP file transfers.

NDMP

You can configure NDMP authentication on your EMC Isilon cluster.

NDMP maintains its own user and password database. These users cannot access the cluster through any other protocol.


CHAPTER 5

Communication security settings

This section includes the following topics:

- Port usage, page 40
- Default OneFS services, page 44


Port usage
Standardized protocols allow other computers to exchange data with the OneFS system.

The TCP/IP protocol suite uses numbered ports to identify the communication channel within a protocol. Generally, the OneFS system listens on a well-known port for incoming data, and the client sends from an ephemeral port that it chooses for the connection. Port numbers and IP addresses are carried in each packet, which allows firewalls and other systems to make decisions about the data stream. TCP and UDP use port numbers in the range 0 through 65535.

Note

IPv6 with IPsec is not supported.

Port numbers are assigned and maintained by the Internet Assigned Numbers Authority (IANA) and are divided into three ranges:

1. Well-known ports, ranging from 0 to 1023.

2. Registered ports, ranging from 1024 to 49151.

3. Dynamic or private ports, ranging from 49152 to 65535.

The following table lists each port with its service name, protocol, and type/connection on the first line, followed by its usage and description, the effect if the port is closed, and whether it is enabled on installation. A line is omitted where the original table leaves that column blank.

20    ftp-data       TCP/IPv4/IPv6        External/Outbound
      Usage: FTP access (disabled by default); data channel for the FTP service.
      Effect if closed: FTP access is unavailable.

21    ftp            TCP/IPv4/IPv6        External/Inbound
      Usage: FTP access; control channel for FTP access.
      Effect if closed: FTP access is unavailable.

22    ssh            TCP/IPv4/IPv6        External/Inbound
      Usage: SSH logon service; ESRS console management. Note: ESRS is not IPv6-compliant.
      Effect if closed: SSH secure shell access is unavailable.
      Enabled on installation: yes

23    telnet         TCP                  External/Inbound
      Usage: Telnet (telnetd).
      Effect if closed: Telnet access to OneFS is unavailable.

25    smtp           TCP/IPv4             External/Outbound
      Usage: Email deliveries.
      Effect if closed: Email alerts outbound from OneFS are unavailable.

53    domain         TCP/UDP/IPv4         External/Outbound
      Usage: Domain Name Service requests.
      Effect if closed: SmartConnect is unavailable.

53    domain         UDP/IPv4             External/Inbound
      Usage: Domain Name Service caching resolver, running on localhost only.
      Effect if closed: SmartConnect is unavailable; all non-local identity services are affected or degraded.

80    http           TCP/IPv4/IPv6        External/Inbound
      Usage: HTTP for file access.
      Effect if closed: HTTP access to files is unavailable.

88    kerberos       TCP/UDP/IPv4/IPv6    External/Outbound
      Usage: Kerberos authentication services used to authenticate users against Microsoft Active Directory domains.

111   sunrpc         TCP/UDP/IPv4/IPv6    External/Inbound
      Usage: ONC/RPC portmapper used to locate services such as NFS and mountd.
      Effect if closed: Cannot be closed; closing it disrupts core functionality.
      Enabled on installation: yes

123   ntp            UDP/IPv4/IPv6        External/Inbound
      Usage: Network Time Protocol used to synchronize host clocks within the cluster.
      Effect if closed: Time is not synchronized among nodes.
      Enabled on installation: yes

137   netbios-ns     IPv4                 External/Inbound
      Usage: NetBIOS Name Service used for Windows workgroup browsing.
      Effect if closed: Disables services related to SMB.

138   netbios-dgm    IPv4                 External/Inbound
      Usage: NetBIOS Datagram Service used for Windows workgroup browsing.
      Effect if closed: Disables services related to SMB.

139   netbios-ssn    TCP/IPv4             External/Inbound
      Usage: NetBIOS Session Service used for legacy SMB client support.
      Effect if closed: Disables services related to SMB.

161   snmp           UDP/IPv4             External/Inbound
      Usage: Simple Network Management Protocol support; agents typically listen on port 161.
      Effect if closed: SNMP communications are not available.
      Enabled on installation: yes

162   snmptrap       UDP/IPv4             External/Inbound
      Usage: Simple Network Management Protocol support; asynchronous traps are typically received on port 162.
      Effect if closed: SNMP communications are not available.
      Enabled on installation: yes

300   nfsmountd      TCP/UDP/IPv4/IPv6    External/Inbound
      Usage: NFSv3 mount services (nfsmountd, nfsstatd, and nfslockd are enabled by default).
      Enabled on installation: yes

302   nfsstatd       TCP/UDP/IPv4/IPv6    External/Inbound
      Usage: NFSv3 notification services.
      Enabled on installation: yes

304   nfslockd       TCP/UDP/IPv4/IPv6    External/Inbound
      Usage: NFSv3 locking services.
      Enabled on installation: yes

307   isi-cbind_d    UDP/IPv4             External/Inbound
      Usage: Cluster DNS cache daemon.
      Effect if closed: Disabling is not recommended.

389   ldap           TCP/IPv4/IPv6        External/Outbound
      Usage: LDAP directory service queries used by OneFS identity services.
      Effect if closed: Non-secure LDAP authentication queries are unavailable; secure LDAP (LDAPS, port 636) is configurable as an alternative.

389   ldap           UDP/IPv4             External/Outbound
      Usage: Microsoft Active Directory domain location requests.

443   https          TCP/IPv4/IPv6        External/Inbound
      Usage: HTTPS access to the /ifs directory.
      Effect if closed: The /ifs directory is not available over HTTPS.

445   microsoft-ds   TCP/IPv4             External/Outbound
      Usage: SMB/SMB2 client connections to Microsoft AD domain controllers.
      Effect if closed: Disables services related to SMB.

445   microsoft-ds   TCP/IPv4/IPv6        External/Inbound
      Usage: SMB/SMB2 access to OneFS.
      Enabled on installation: yes

514   syslog         UDP/IPv4             Internal/Inbound
      Usage: Syslog services.
      Effect if closed: Syslog alerts to external servers are not sent.
      Enabled on installation: yes

636   ldap (LDAPS)   TCP/IPv4/IPv6        External/Outbound
      Usage: LDAP directory service queries over SSL used by OneFS identity services; default port for LDAPS.

639   msdp           UDP/IPv4             Internal

640   entrust-sps    UDP/IPv4             Internal

989   ftps-data (implicit)   TCP/IPv4/IPv6   External/Outbound
      Usage: Secure FTP access (disabled by default); secure data channel for the FTP service.
      Effect if closed: Secure FTP access is unavailable.

990   ftps (implicit)        TCP/IPv4/IPv6   External/Inbound
      Usage: Secure FTP access; control channel for FTP access.
      Effect if closed: Secure FTP access is unavailable.

2049  nfs            TCP/UDP/IPv4/IPv6    External/Inbound
      Usage: NFS (nfsd).
      Effect if closed: NFS services are unavailable. NFS is an important component of OneFS operation even if no NFS exports are visible externally.
      Enabled on installation: yes

2098  n/a            TCP/IPv4/IPv6        External/Inbound
      Usage: SyncIQ (isi_repl_pworker).
      Effect if closed: SyncIQ is unavailable.

3148  n/a            TCP/IPv4/IPv6        External/Inbound
      Usage: SyncIQ (isi_repl_bandwidth).
      Effect if closed: SyncIQ is unavailable.

3149  n/a            TCP/IPv4/IPv6        External/Inbound
      Usage: SyncIQ.
      Effect if closed: SyncIQ is unavailable.

3260  iscsi-target   TCP/IPv4/IP          External/Inbound
      Effect if closed: Disables iSCSI access. To access the cluster with iSCSI, you must activate an iSCSI license. For more information, contact your EMC Isilon sales representative.

3268  n/a            TCP/IPv4             External/Outbound
      Usage: Microsoft AD global catalog search requests, used when joined to an AD domain.

5667  n/a            TCP/IPv4/IPv6        External/Inbound
      Usage: SyncIQ (isi_migr_sworker).
      Effect if closed: SyncIQ is unavailable.
      Enabled on installation: yes, when a SyncIQ license is activated.

6116  isi_stats_d                         External/Inbound

7117  isi_stats_d                         External/Inbound

8020  hdfs           TCP                  External/Inbound
      Usage: HDFS (Hadoop filesystem).
      Effect if closed: HDFS is unavailable.

8021  hdfs           TCP/IPv4/IP          External/Inbound
      Usage: HDFS (Hadoop filesystem).
      Effect if closed: HDFS is unavailable.

8080  n/a            TCP/IPv4/IP          External/Inbound
      Usage: Web administration interface; RAN (RESTful Access to Namespace) API; PAPI (OneFS Platform API); HTTPS.
      Effect if closed: HTTPS access to the web administration interface and the RAN API is unavailable; PAPI is unavailable.

8081  VASA           TCP                  External/Inbound
      Usage: VASA; HTTPS.
      Effect if closed: vCenter plug-in for VMware integrations is unavailable.
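The port table above is most useful as a baseline to check a node against. The following Python script is an added example, not code from this guide or from OneFS: it parses a listing in the shape of FreeBSD `sockstat -l` output (OneFS is FreeBSD-based; the listing here is constructed, and port 31337 is planted as the listener the audit should catch), then classifies every exposed port as expected on installation, documented but not a default, cleartext/legacy, or undocumented. The category names and the choice of ports treated as cleartext/legacy are this example's own.

```python
"""Compare a node's listening sockets with the port table in this guide."""
import re
from collections import defaultdict

# Ports documented in the table above, keyed by port number.
DOCUMENTED_PORTS = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
    80: "http", 88: "kerberos", 111: "sunrpc", 123: "ntp", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 161: "snmp", 162: "snmptrap",
    300: "nfsmountd", 302: "nfsstatd", 304: "nfslockd", 307: "isi-cbind_d",
    389: "ldap", 443: "https", 445: "microsoft-ds", 514: "syslog", 636: "ldaps",
    639: "msdp", 640: "entrust-sps", 989: "ftps-data", 990: "ftps", 2049: "nfs",
    2098: "isi_repl_pworker", 3148: "isi_repl_bandwidth", 3149: "SyncIQ",
    3260: "iscsi-target", 3268: "ad-global-catalog", 5667: "isi_migr_sworker",
    6116: "isi_stats_d", 7117: "isi_stats_d", 8020: "hdfs", 8021: "hdfs",
    8080: "webui/PAPI", 8081: "VASA",
}
# Inbound ports the table marks as enabled on installation (5667 only with a SyncIQ license).
ENABLED_ON_INSTALL = {22, 111, 123, 161, 162, 300, 302, 304, 445, 514, 2049}
# Cleartext or legacy listeners a hardening review should justify or disable (this example's choice).
PLAINTEXT_LEGACY = {21, 23, 80, 139}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed listing in the shape of `sockstat -l` output; not captured from a real cluster.
SAMPLE_SOCKSTAT = """\
USER     COMMAND      PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     syslogd      1000  4  udp4   *:514            *:*
root     isi_cbind_d  1050  3  udp4   127.0.0.1:307    *:*
root     rpcbind      1102  6  tcp4   *:111            *:*
root     rpcbind      1102  7  udp4   *:111            *:*
root     ntpd         1150  20 udp4   *:123            *:*
root     snmpd        1180  9  udp4   *:161            *:*
root     sshd         1201  3  tcp4   *:22             *:*
root     sshd         1201  4  tcp6   *:22             *:*
root     lwiod        1250  14 tcp4   *:445            *:*
root     nfsd         1300  3  tcp4   *:2049           *:*
root     inetd        1340  5  tcp4   *:23             *:*
root     httpd        1400  4  tcp4   *:8080           *:*
root     isi_stats_d  1500  3  tcp4   *:6116           *:*
root     python       2500  3  tcp4   *:31337          *:*
"""

SOCKSTAT_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>tcp|udp)[46]\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_sockstat(text):
    """Return {port: {"addrs": set, "cmds": set}} for every listening socket in the listing."""
    listeners = defaultdict(lambda: {"addrs": set(), "cmds": set()})
    for line in text.splitlines():
        m = SOCKSTAT_RE.match(line)
        if m:
            listeners[int(m["port"])]["addrs"].add(m["addr"])
            listeners[int(m["port"])]["cmds"].add(m["cmd"])
    return dict(listeners)


def audit_listeners(text):
    """Classify listening ports against the guide's table so each one has a documented reason."""
    listeners = parse_sockstat(text)
    # A port bound only to loopback is not reachable from the network; report it separately.
    exposed = {p for p, info in listeners.items() if info["addrs"] - LOOPBACK}
    return {
        "expected": sorted(exposed & ENABLED_ON_INSTALL),
        "expected_not_listening": sorted(ENABLED_ON_INSTALL - exposed),
        "documented_not_default": sorted(p for p in exposed
                                         if p in DOCUMENTED_PORTS and p not in ENABLED_ON_INSTALL),
        "plaintext_legacy": sorted(exposed & PLAINTEXT_LEGACY),
        "undocumented": sorted(exposed - set(DOCUMENTED_PORTS)),
        "loopback_only": sorted(set(listeners) - exposed),
        "processes": {p: sorted(info["cmds"]) for p, info in listeners.items()},
    }


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SOCKSTAT)
    for category in ("expected", "expected_not_listening", "documented_not_default",
                     "plaintext_legacy", "undocumented", "loopback_only"):
        ports = ", ".join("%d (%s)" % (p, DOCUMENTED_PORTS.get(p, "?")) for p in report[category])
        print("%-24s %s" % (category + ":", ports or "-"))
```

Ports in the "documented_not_default" and "undocumented" buckets are the ones to take to the isi services review that follows: the first group should map to a feature you deliberately enabled, and the second needs an owner before the node goes into service.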

Default OneFS services
Several services are enabled by default when you first install an EMC Isilon cluster.

To improve OneFS security, you should restrict access to the OneFS cluster by disabling network services that are not used in your environment. You can enable or disable network services by running the isi services command. For information about the parameters and options available for this command, see the OneFS CLI Administration Guide.

The following services are enabled by default.

Name              Service                                   Default state
apache2           Apache2 web server                        Enabled
isi_cpool_d       Isilon CloudPools interface               Enabled
isi_cpool_io_d    Isilon CloudPools IO service daemon       Enabled
isi_hdfs_d        Hadoop FS daemon                          Enabled
isi_iscsi_d       iSCSI target daemon                       Enabled
isi_migrate       SyncIQ service                            Enabled
isi_object_d      Isilon object interface                   Enabled
isi_smartquotas   SmartQuotas service                       Enabled
isi_webui         Isilon web administration interface       Enabled
nfs               NFS server                                Enabled
rpcbind           RPC bind service                          Enabled
smb               SMB service                               Enabled
snmpd             SNMP server                               Enabled
sshd              Secure shell server                       Enabled

CHAPTER 6

Auditing

This section includes the following topics:

- File and system auditing
- Supported audit tools
- Supported event types


File and system auditing
You can audit system configuration and SMB protocol activity on the Isilon cluster. All audit data is stored and protected in the cluster file system and organized in files called audit topics.

By default, audited access zones track only the events that are used by Varonis DatAdvantage, including successful and failed attempts to access files or directories.

Feature: System configuration auditing
  Description: Enable or disable system configuration auditing without additional configuration settings.
  Comment: All configuration events that are handled by the API are tracked and recorded.

Feature: SMB protocol auditing
  Description: Audit one or more access zones in the Isilon cluster.
  Comment: If you enable protocol auditing for an access zone, file-access events through the SMB protocol are recorded in the protocol audit topic. The protocol audit topic is consumable by auditing applications that support the EMC Common Event Enabler (CEE), such as Varonis DatAdvantage for Windows.

Feature: sudo activity logging
  Description: sudo activity is logged to a specific sudo log file, which is located in /var/log/messages.
  Comment: N/A

Feature: Third-party tool support
  Description: Export SMB audit data to Varonis DatAdvantage or other third-party vendors that support the EMC Common Event Enabler (CEE) framework. View system configuration activity on each node through a command-line tool.
  Comment: Although recent versions of Varonis DatAdvantage do not directly audit read and write attempts, the intention to read or write is captured by the access bits of a create event.

Supported audit tools
You can configure OneFS to send protocol auditing logs to servers that support the EMC Common Event Enabler (CEE).

CEE has been tested and verified to work with Varonis DatAdvantage for Windows and StealthAUDIT Management Platform v6.3. Supported features and audit events for Varonis DatAdvantage are listed in the following table:

Application: Varonis DatAdvantage for Windows
  Supported features:
  - Usable Access Auditing
  - Recommendations, Analytics, and Modeling
  - Data Owner Identification and Involvement
  Audit events: create, close, delete, rename, set_security

Note

It is recommended that you install and configure third-party auditing applications before you enable the OneFS auditing feature. Otherwise, the backlog the tool must consume may be so large that its results are stale for a prolonged time.

For the most current list of supported auditing tools, see the Isilon Third-Party Software & Hardware Compatibility Guide.

Supported event types
You can view or modify the event types that are audited in an access zone. By default, OneFS audits only the event types that are supported by Varonis DatAdvantage.

The following event types are configured by default on each audited access zone:

Event name     Example protocol activity
create         Create a file or directory; open a file, directory, or share; mount a share; delete a file
close          Close a directory; close a modified or unmodified file
rename         Rename a file or directory
delete         Delete a file or directory
set_security   Attempt to modify file or directory permissions

The following event types are available for forwarding through CEE but are unsupported by Varonis DatAdvantage:

Event name     Example protocol activity
read           The first read request on an open file handle
write          The first write request on an open file handle
close          The client is finished with an open file handle
get_security   The client reads security information for an open file handle

The following protocol audit events are not exported through CEE and are unsupported by Varonis DatAdvantage:

Event name     Example protocol activity
logon          SMB session create request by a client
logoff         SMB session logoff
tree_connect   SMB first attempt to access a share
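The default event set above (create, close, rename, delete, set_security, with failed attempts recorded alongside successful ones) is enough to build useful detections even before a CEE consumer is in place. The following Python script is an added example, not code from this guide or from OneFS, and it serves both the File and system auditing section and the event tables above: it runs sliding-window rules over a constructed JSON-lines stream of audit records and flags a burst of deletes, a burst of permission changes, and a burst of failed opens by one user. The field names (ts, zone, user, event, path, success) are assumptions for this example, not the exact schema of the OneFS protocol audit topic; the event names are the ones listed in the tables.

```python
"""Sliding-window detections over OneFS-style SMB protocol audit events."""
import json
from collections import defaultdict, deque

# Constructed sample log, one JSON object per line (assumed field names, see lead-in).
SAMPLE_AUDIT_LOG = """\
{"ts": 100, "zone": "System", "user": "jsmith", "event": "delete", "path": "/ifs/data/proj/a.docx", "success": true}
{"ts": 101, "zone": "System", "user": "jsmith", "event": "delete", "path": "/ifs/data/proj/b.docx", "success": true}
{"ts": 102, "zone": "System", "user": "jsmith", "event": "delete", "path": "/ifs/data/proj/c.docx", "success": true}
{"ts": 103, "zone": "System", "user": "jsmith", "event": "delete", "path": "/ifs/data/proj/d.docx", "success": true}
{"ts": 104, "zone": "System", "user": "jsmith", "event": "delete", "path": "/ifs/data/proj/e.docx", "success": true}
{"ts": 150, "zone": "System", "user": "alice", "event": "create", "path": "/ifs/home/alice/notes.txt", "success": true}
{"ts": 151, "zone": "System", "user": "alice", "event": "close", "path": "/ifs/home/alice/notes.txt", "success": true}
{"ts": 200, "zone": "System", "user": "bob", "event": "set_security", "path": "/ifs/data/finance/q1.xlsx", "success": true}
{"ts": 210, "zone": "System", "user": "bob", "event": "set_security", "path": "/ifs/data/finance/q2.xlsx", "success": true}
{"ts": 220, "zone": "System", "user": "bob", "event": "set_security", "path": "/ifs/data/finance/q3.xlsx", "success": true}
{"ts": 250, "zone": "System", "user": "alice", "event": "rename", "path": "/ifs/home/alice/notes.txt", "success": true}
{"ts": 300, "zone": "System", "user": "mallory", "event": "create", "path": "/ifs/data/hr/salaries.xlsx", "success": false}
{"ts": 301, "zone": "System", "user": "mallory", "event": "create", "path": "/ifs/data/hr/reviews.xlsx", "success": false}
{"ts": 302, "zone": "System", "user": "mallory", "event": "create", "path": "/ifs/data/hr/bonus.xlsx", "success": false}
{"ts": 303, "zone": "System", "user": "mallory", "event": "create", "path": "/ifs/data/hr/exits.xlsx", "success": false}
{"ts": 320, "zone": "System", "user": "carol", "event": "read", "path": "/ifs/data/proj/f.docx", "success": true}
"""

# rule name -> (event type, required success flag or None for any, distinct paths, window in seconds)
# "create" also covers opens in the default event set, so failed creates are denied opens too.
RULES = {
    "mass_delete":   ("delete",       None,  5, 60),
    "acl_tampering": ("set_security", None,  3, 60),
    "failed_access": ("create",       False, 4, 30),
}


def parse_events(text):
    """Parse JSON-lines audit records and order them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect(events, rules=RULES):
    """Return one finding per (rule, user) the first time its threshold is crossed."""
    windows = defaultdict(deque)     # (rule, user) -> deque of (ts, path) still inside the window
    fired = set()
    findings = []
    for ev in events:
        for name, (etype, want_success, threshold, window) in rules.items():
            if ev["event"] != etype or (want_success is not None and ev["success"] != want_success):
                continue
            key = (name, ev["user"])
            q = windows[key]
            q.append((ev["ts"], ev["path"]))
            while q and q[0][0] < ev["ts"] - window:    # drop records older than the window
                q.popleft()
            distinct = {path for _, path in q}           # count paths, not repeated hits on one file
            if len(distinct) >= threshold and key not in fired:
                fired.add(key)
                findings.append({"rule": name, "user": ev["user"], "zone": ev["zone"],
                                 "count": len(distinct), "first_ts": q[0][0], "last_ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print("%(rule)s: user %(user)s in zone %(zone)s touched %(count)d paths "
              "between %(first_ts)d and %(last_ts)d" % f)
```

The read event from carol is parsed but matches no rule; this mirrors the tables, where read and write are not in the default set and are only available if you forward them through CEE. Thresholds and windows are illustrative and should be tuned against a baseline of normal activity in the audited zone.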


CHAPTER 7

Data security settings

This section includes the following topics:

- Data-at-rest encryption overview
- SmartLock overview


Data-at-rest encryption overview
You can enhance data security with an EMC Isilon cluster that contains only self-encrypting-drive nodes, providing data-at-rest protection.

The OneFS system is available as a cluster that is composed of Isilon OneFS nodes that contain only self-encrypting drives (SEDs). The system requirements and management of data at rest on self-encrypting nodes are identical to those of nodes that do not contain self-encrypting drives. Clusters of mixed node types are not supported.

Data-at-rest encryption features
When you store data on an EMC Isilon cluster of self-encrypting drives, additional security features are available.

Feature: Firmware implementation of the encryption algorithm
  Comment: The encryption algorithm and key length are implemented within the self-encrypting drive and are not configurable.

Feature: 256-bit AES data encryption key
  Comment: All data written to the storage device is encrypted when it is stored, and all data read from the storage device is decrypted when it is read.

Feature: Authentication
  Comment: Authentication is performed by encryption keys, which never leave the drive. Successful authentication unlocks the drive for data access.

Feature: Data access
  Comment: Data access is controlled by combining the drive authentication key with on-disk data-encryption keys.

For more information about Isilon OneFS data-at-rest encrypted clusters, contact your EMC Isilon representative.

SmartLock overview
You can prevent users from modifying and deleting files on an EMC Isilon cluster with the SmartLock software module. You must activate a SmartLock license on a cluster to protect data with SmartLock.

With the SmartLock software module, you can create SmartLock directories and commit files within those directories to a write once read many (WORM) state. You cannot erase or rewrite a file committed to a WORM state. After a file is removed from a WORM state, you can delete the file. However, you can never modify a file that has been committed to a WORM state, even after it is removed from a WORM state.

SmartLock features
You can configure SmartLock settings to meet regulatory compliance requirements.

Feature: Compliance mode
  Description: Enables data protection in compliance with the regulations defined by U.S. Securities and Exchange Commission rule 17a-4.
  Comment: You can upgrade a cluster to SmartLock compliance mode during the initial cluster configuration process, before you activate the SmartLock license. To upgrade a cluster to SmartLock compliance mode after the initial cluster configuration process, contact Isilon Technical Support.

Feature: SmartLock directories
  Description: Provides manual or automatic file commits to a WORM state, and the ability to create two types of SmartLock directories: enterprise and compliance.
  Comment: You can create compliance directories only if the cluster has been upgraded to SmartLock compliance mode. Before you can create SmartLock directories, you must activate a SmartLock license on the cluster.

Feature: SmartLock commands
  Description: Provides command-line file-retention control through WORM commands.
  Comment: WORM commands apply specifically to the SmartLock tool and are available only if a SmartLock license is activated on the cluster.

CHAPTER 8

System security alerts

This section includes the following topics:

- Events and notifications
- SNMP monitoring


Events and notifications
You can monitor the health and performance of your EMC Isilon cluster through OneFS event notifications.

When OneFS identifies an occurrence on your cluster that may require additional attention, an event is generated. OneFS records events related to file system integrity, network connections, hardware, and other vital components of your cluster.

You can select the events that you want to monitor, and you can cancel, quiet, or unquiet events.

In addition, you can configure event notification rules to determine who receives a notification when an event occurs.

Event notification methods
You can configure event notification rules to generate and deliver event notifications when an event occurs.

You can notify users by email, SupportIQ, or SNMP trap.

Email
You can designate recipients and specify SMTP, authorization, and security settings. You can specify batch email settings and the email notification template.

SupportIQ
You can specify the protocol to use for notifications: HTTPS, SMTP, or both.

SNMP trap
You can send SNMP traps to one or more network monitoring stations or trap receivers. Each event can generate one or more SNMP traps. You can download management information base (MIB) files from the cluster. The ISILON-TRAP-MIB describes the traps that the cluster can generate, and the ISILON-MIB describes the associated varbinds that accompany the traps.

Note

You must configure an event notification rule to generate SNMP traps.

SNMP monitoring
You can enable SNMP monitoring on individual nodes on your EMC Isilon cluster, and you can also monitor cluster information from any node.

The default Linux SNMP tools or a GUI-based SNMP tool of your choice can be used to monitor the Isilon cluster, noting the following considerations:

- All SNMP access is read-only.
- SNMP v1 and v2c, which authenticate with a community string sent in cleartext, are the default, but you can configure settings for SNMP v3 alone or for SNMP v1, v2c, and v3 together.

Note

When SNMP v3 is used, OneFS requires the SNMP-specific security level of AuthNoPriv as the default when querying the cluster. The security level AuthPriv is not supported, so SNMP v3 queries are authenticated but not encrypted on the wire.

Two OneFS-specific MIBs are stored in /usr/local/share/snmp/mibs/ on a OneFS node. The OneFS ISILON-MIBs are OneFS-specific and augment the information that is available in standard MIBs.

CHAPTER 9

Other security

This section includes the following topics:

- Antivirus overview
- Remote support using ESRS Gateway


Antivirus overview
You can scan the files you store on an Isilon cluster for computer viruses and other security threats by integrating with third-party scanning services through the Internet Content Adaptation Protocol (ICAP). OneFS sends files through ICAP to a server running third-party antivirus scanning software. These servers are referred to as ICAP servers. ICAP servers scan files for viruses.

After an ICAP server scans a file, it informs OneFS of whether the file is a threat. If a threat is detected, OneFS informs system administrators by creating an event, displaying near-real-time summary information, and documenting the threat in an antivirus scan report. You can configure OneFS to request that ICAP servers attempt to repair infected files. You can also configure OneFS to protect users against potentially dangerous files by truncating or quarantining infected files.

Before OneFS sends a file to be scanned, it ensures that the scan is not redundant. If a file has already been scanned and has not been modified, OneFS will not send the file to be scanned again unless the virus database on the ICAP server has been updated since the last scan.

Note

Antivirus scanning is available only if all nodes in the cluster are connected to the external network.

Antivirus threat responses
You can configure the system to repair, quarantine, or truncate any files in which the ICAP server detects viruses.

OneFS and ICAP servers react in one or more of the following ways when threats are detected:

Alert
All threats that are detected cause an event to be generated in OneFS at the warning level, regardless of the threat response configuration.

Repair
The ICAP server attempts to repair the infected file before returning the file to OneFS.

Quarantine
OneFS quarantines the infected file. A quarantined file cannot be accessed by any user. However, a quarantined file can be removed from quarantine by the root user if the root user is connected to the cluster through secure shell (SSH).

If you back up your cluster through NDMP backup, quarantined files remain quarantined when the files are restored. If you replicate quarantined files to another Isilon cluster, the quarantined files continue to be quarantined on the target cluster. Quarantines operate independently of access control lists (ACLs).

Truncate
OneFS truncates the infected file. When a file is truncated, OneFS reduces the size of the file to zero bytes to render the file harmless.

You can configure OneFS and ICAP servers to react in one of the following ways when threats are detected:

Repair or quarantine
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS quarantines the file. If the ICAP server repairs the file successfully, OneFS sends the file to the user. Repair or quarantine can be useful if you want to protect users from accessing infected files while retaining all data on a cluster.

Repair or truncate
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS truncates the file. If the ICAP server repairs the file successfully, OneFS sends the file to the user. Repair or truncate can be useful if you do not need to retain all data on your cluster and you want to free storage space. However, data in infected files that cannot be repaired will be lost.

Alert only
Only generates an event for each infected file. It is recommended that you do not apply this setting, because users can still access every infected file.

Repair only
Attempts to repair infected files. Afterwards, OneFS sends the files to the user, whether or not the ICAP server repaired the files successfully. It is recommended that you do not apply this setting. If you only attempt to repair files, users will still be able to access infected files that cannot be repaired.

Quarantine
Quarantines all infected files. It is recommended that you do not apply this setting. If you quarantine files without attempting to repair them, you might deny access to infected files that could have been repaired.

Truncate
Truncates all infected files. It is recommended that you do not apply this setting. If you truncate files without attempting to repair them, you might delete data unnecessarily.
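The ICAP exchange described in the Antivirus overview and the threat-response policies listed above, as an added example that is not part of this guide or of OneFS's own code: the Python script below builds the ICAP RESPMOD request (RFC 3507) that a client such as OneFS sends to hand a file to an ICAP antivirus server, parses the server's reply, and maps each configured threat response to the actions this section describes. The ICAP server URL, the cluster host name, and the meaning of the Resolution values in the X-Infection-Found header (0 not repaired, 1 repaired, 2 blocked) are assumptions; the three server replies are constructed, and the script does not extract a repaired body from a 200 reply.

```python
"""ICAP RESPMOD round trip and threat-response policy for an ICAP antivirus server."""
# Added example; not OneFS code. Server URL, host name, and Resolution meanings are assumed.

ICAP_SERVICE = "icap://av.example.com:1344/avscan"   # assumed ICAP server URL (1344 is the IANA ICAP port)
ORIGIN_HOST = "onefs.example.com"                    # assumed cluster host name
RESOLUTION_NOT_REPAIRED, RESOLUTION_REPAIRED, RESOLUTION_BLOCKED = 0, 1, 2   # assumed X-Infection-Found values
POLICIES = ("repair_or_quarantine", "repair_or_truncate", "alert_only",
            "repair_only", "quarantine", "truncate")


def build_respmod_request(path, content):
    """Encapsulate a file as an HTTP response inside an ICAP RESPMOD request (RFC 3507)."""
    req_hdr = ("GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path.lstrip("/"), ORIGIN_HOST)).encode()
    res_hdr = ("HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(content)).encode()
    res_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(content), content)     # chunked transfer encoding
    # "Allow: 204" lets the server answer 204 No Content for a clean file instead of echoing it back.
    icap_hdr = ("RESPMOD %s ICAP/1.0\r\n"
                "Host: av.example.com\r\n"
                "Allow: 204\r\n"
                "Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
                % (ICAP_SERVICE, len(req_hdr), len(req_hdr) + len(res_hdr))).encode()
    return icap_hdr + req_hdr + res_hdr + res_body


def parse_icap_response(raw):
    """Parse the ICAP status line and headers; infection details come from X-Infection-Found."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"status": status, "infected": False, "threat": None, "resolution": None}
    found = headers.get("x-infection-found")
    if found:   # e.g. "Type=0; Resolution=2; Threat=EICAR-Test-File;"
        fields = dict(item.strip().split("=", 1) for item in found.rstrip(";").split(";") if "=" in item)
        result["infected"] = True
        result["threat"] = fields.get("Threat")
        result["resolution"] = int(fields.get("Resolution", RESOLUTION_NOT_REPAIRED))
    return result


def respond(scan, policy):
    """Map a parsed scan result and a configured threat response to the actions taken."""
    if policy not in POLICIES:
        raise ValueError("unknown threat response: %s" % policy)
    if scan["status"] == 204 or not scan["infected"]:
        return ["deliver"]                      # clean: no event, file served as-is
    actions = ["alert"]                         # every detection raises a warning-level event
    repaired = scan["resolution"] == RESOLUTION_REPAIRED
    if policy in ("alert_only", "repair_only"):
        actions.append("deliver")               # served even if still infected: not recommended
    elif policy == "quarantine":
        actions.append("quarantine")
    elif policy == "truncate":
        actions.append("truncate")
    elif policy == "repair_or_quarantine":
        actions.append("deliver" if repaired else "quarantine")
    else:                                       # repair_or_truncate
        actions.append("deliver" if repaired else "truncate")
    return actions


# Constructed server replies: a clean file (204), a blocked detection, and a repaired detection.
CLEAN_RESPONSE = b'ICAP/1.0 204 No Content\r\nISTag: "sig-20140701"\r\n\r\n'
INFECTED_RESPONSE = (b'ICAP/1.0 200 OK\r\nISTag: "sig-20140701"\r\n'
                     b'X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n'
                     b'Encapsulated: null-body=0\r\n\r\n')
REPAIRED_RESPONSE = INFECTED_RESPONSE.replace(b"Resolution=2", b"Resolution=1")

if __name__ == "__main__":
    print(build_respmod_request("/ifs/data/upload.bin", b"sample file contents").decode("latin-1"))
    for policy in POLICIES:
        print("%-22s blocked -> %s, repaired -> %s" % (
            policy, respond(parse_icap_response(INFECTED_RESPONSE), policy),
            respond(parse_icap_response(REPAIRED_RESPONSE), policy)))
```

Running the main block prints the two outcomes for each policy side by side, which makes the recommendation above concrete: only the two "repair or ..." policies both keep an unrepairable file away from users and still serve a file the server was able to clean.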

Remote support using ESRS Gateway
EMC Isilon clusters support enablement of the ESRS Gateway.

The EMC Secure Remote Support (ESRS) Gateway is a secure, IP-based customer service support system. The EMC ESRS Gateway features include 24x7 remote monitoring and secure authentication with AES 256-bit encryption and RSA digital certificates. You can select monitoring on a node-by-node basis, allow or deny remote support sessions, and review remote customer service activities.

The ESRS Gateway is similar to SupportIQ and performs many of the same functions:

- Send alerts regarding the health of your devices.
- Enable support personnel to run the same scripts used by SupportIQ to gather data from your devices.
- Allow support personnel to establish remote access to troubleshoot your cluster.

An important difference between SupportIQ and the ESRS Gateway is that SupportIQ management is cluster-wide; SupportIQ manages all nodes. The ESRS Gateway manages nodes individually; you select which nodes should be managed.

You can only enable one remote support system on your Isilon cluster. The EMC products you use and your type of environment determine which system is most appropriate for your Isilon cluster:

- If your environment comprises one or more EMC products that can be monitored, use the ESRS Gateway.
- If ESRS is currently implemented in your environment, use the ESRS Gateway.
- If your use of ESRS requires the ESRS Client, use SupportIQ. Isilon nodes do not support ESRS Client connectivity.
- If you have a high-security environment, use the ESRS Gateway.
- If the only EMC products in your environment are Isilon nodes, use SupportIQ.

See the most recent version of the document titled EMC Secure Remote Support Technical Description for a complete description of EMC Secure Remote Support features and functionality.

Additional documentation on ESRS can be found on the EMC Online Support site.