Note: This post is written with CDOT 8.2.1 in mind.
Introduction
Amongst the many new features in Clustered ONTAP over Data ONTAP operating in 7-Mode is an inbuilt firewall, and its presence raises questions that could not be asked before about how best to use it for security hardening in environments where this is of interest.
The firewall filters inbound traffic to the management-type services (DNS, HTTP, HTTPS, NDMP, NTP, RSH, SNMP, SSH, Telnet) arriving on a LIF. It does not filter the file-service protocols themselves (NFS, CIFS and so on); those are controlled elsewhere.
To check it is enabled (the default), run:
::> system services firewall show
The firewall can be disabled with:
::> system services firewall modify -node NODENAME -enabled false
Firewall logging is disabled by default; to enable it:
::> system services firewall modify -node NODENAME -logging true
Firewall Policy
Services
The services the firewall policy can block/allow (out of the box) are:
::> system services firewall policy create -service ?
  dns  http  https  ndmp  ntp  rsh  snmp  ssh  telnet
dns: Needs to be allowed if you are using CDOT On-Box DNS Load-Balancing, where the LIFs must listen for inbound DNS requests. Otherwise it can be denied. Note: for thoroughness, this was tested with DNS denied, and normal external DNS services still work fine, because the firewall filters inbound requests to the LIF and not the node's own outbound queries.
https: For off-box ("OFFtap") products that use ONTAPI, and also to get to the logs via https://CLUSTERNAME/SPI!
http: Only if https does not function!
ndmp: If you are using a backup/restore application that uses NDMP (this includes OnCommand Unified Manager 6.1 - something I hope to blog about at a later date), then you need to allow ndmp.
ntp: Traditionally - "in a NetApp HA pair there is a cluster time daemon, where one filer is the master and the other slave, and the slave will only directly communicate with the time server when the cluster interconnect is down or clustering has been disabled." This is one I am not totally sure about, so I would leave it allowed!
rsh: For management over RSH (default is denied.)
snmp: Should be allowed if a management/monitoring solution polls the CDOT nodes with SNMP (OCUM 6.1 uses ONTAPI instead), otherwise it can be denied. Note: in a switched cluster, the cluster nodes poll the cluster switches for health information using SNMP, but that is outbound communication and is not affected by this policy.
ssh: For management over SSH.
telnet: For management over telnet (default is denied.)
Note: If you enter diag privilege level, additional firewall services can be created:
::> set d
::*> system services firewall policy service create ?
  -service {text}        *Service Name
  -protocol {protocol}   *Protocol
  -port {integer},...    *Ports
Firewall Policies
To view the firewall policies:
::> system services firewall policy show
There are four default firewall policies:
::> system services firewall policy show -policy ?
  cluster       {used by default for cluster LIFs}
  data          {used by default for data LIFs}
  intercluster  {used by default for intercluster LIFs}
  mgmt          {used by default for node-mgmt and cluster-mgmt LIFs}
And the purpose of all 5 LIF roles:
::> network interface create -role ?
  cluster       Used for communication using the private cluster network
  data          Used for communicating with file service clients
  node-mgmt     Used by administrators to configure the node
  intercluster  Used for communication with a different cluster
  cluster-mgmt  Used by administrators to configure the cluster
What Is Allowed By Default
If we ignore the cluster firewall policy (it applies only to the private cluster interconnect and the cluster LIFs, and it is highly recommended not to touch this private CDOT network) and look just at the allowed services, we have:
::> system services firewall policy show -policy !cluster -action allow
Policy           Service    Action IP-List
---------------- ---------- ------ ---------------
data             dns        allow  0.0.0.0/0
                 ndmp       allow  0.0.0.0/0
intercluster     ndmp       allow  0.0.0.0/0
mgmt             dns        allow  0.0.0.0/0
                 http       allow  0.0.0.0/0
                 https      allow  0.0.0.0/0
                 ndmp       allow  0.0.0.0/0
                 ntp        allow  0.0.0.0/0
                 snmp       allow  0.0.0.0/0
                 ssh        allow  0.0.0.0/0
Note that every one of these allow entries has an IP-List of 0.0.0.0/0, so out of the box each service is reachable from any source address that can route to the LIF.
What Actually Needs to be Allowed (example using a Specific Scenario)
Note: The default configuration of allowed services is totally fine for all scenarios (especially since this discussion would not have been possible with 7-Mode), except where further security hardening is of interest…
My scenario is an SVM configured for CIFS (it needs to reach external DNS for Active Directory to work.) And we're using OnCommand Unified Manager 6.1 for GUI driven restores, hence ndmp is required (remember OCUM 6.1 is a free management tool.) We're not using CDOT On-Box DNS Load-Balancing, so we don't need inbound DNS. All the devices that could possibly communicate over https, ndmp, ntp, or ssh are on the subnet 192.168.0.0/16. So, our firewall policies will allow:
::> system services firewall policy show -policy !cluster -action allow
Policy                 Service    Action IP-List
---------------------- ---------- ------ ---------------
data-modified          ndmp       allow  192.168.0.0/16
intercluster-modified  ndmp       allow  192.168.0.0/16
mgmt-modified          https      allow  192.168.0.0/16
                       ndmp       allow  192.168.0.0/16
                       ntp        allow  192.168.0.0/16
                       ssh        allow  192.168.0.0/16
Commands to Create the Firewall Policies
Note: You cannot edit the default firewall policies, hence we clone them below.
The following lines are all applied from the ClusterShell ::>
system services firewall policy clone -policy data -new-policy-name data-modified
system services firewall policy clone -policy intercluster -new-policy-name intercluster-modified
system services firewall policy clone -policy mgmt -new-policy-name mgmt-modified
system services firewall policy show -policy *modified -action allow
system services firewall policy delete -policy data-modified -service dns -action allow
system services firewall policy create -policy data-modified -service dns -action deny -ip-list 0.0.0.0/0
system services firewall policy modify -policy data-modified -service ndmp -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy intercluster-modified -service ndmp -action allow -ip-list 192.168.0.0/16
system services firewall policy delete -policy mgmt-modified -service dns -action allow
system services firewall policy create -policy mgmt-modified -service dns -action deny -ip-list 0.0.0.0/0
system services firewall policy delete -policy mgmt-modified -service http -action allow
system services firewall policy create -policy mgmt-modified -service http -action deny -ip-list 0.0.0.0/0
system services firewall policy delete -policy mgmt-modified -service snmp -action allow
system services firewall policy create -policy mgmt-modified -service snmp -action deny -ip-list 0.0.0.0/0
system services firewall policy modify -policy mgmt-modified -service https -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ndmp -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ntp -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ssh -action allow -ip-list 192.168.0.0/16
And the result:
::> system services firewall policy show -policy *modified -action allow
Policy                 Service    Action IP-List
---------------------- ---------- ------ ---------------
data-modified          ndmp       allow  192.168.0.0/16
intercluster-modified  ndmp       allow  192.168.0.0/16
mgmt-modified          https      allow  192.168.0.0/16
                       ndmp       allow  192.168.0.0/16
                       ntp        allow  192.168.0.0/16
                       ssh        allow  192.168.0.0/16
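As an added example (my own Python, not code from the original post and not anything NetApp ships): a script that parses the text of `system services firewall policy show` as pasted from the ClusterShell (or captured with ssh admin@CLUSTERNAME "system services firewall policy show"), lists every allow entry outside the cluster policy that is open to 0.0.0.0/0, and generates the same clone/delete/create/modify command sequence used above for a chosen trusted subnet and set of required services. The embedded sample output is constructed from the default table in this post; the column layout, the "N entries were displayed." trailer and the "-modified" naming are assumptions taken from 8.2.1 output as shown here. The script never talks to a cluster: it prints the commands for review.

```python
"""Audit CDOT 8.2.1 firewall policies and generate hardening commands.

Input is the plain text of `system services firewall policy show`, pasted
from the clustershell or captured over ssh. Nothing here connects to a
cluster; the generated commands are printed for review before use.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the default allow entries from the post, in the 8.2.1
# table layout (policy name appears on the first row of its group only).
SAMPLE_SHOW_OUTPUT = """\
Policy           Service    Action IP-List
---------------- ---------- ------ ---------------
data             dns        allow  0.0.0.0/0
                 ndmp       allow  0.0.0.0/0
intercluster     ndmp       allow  0.0.0.0/0
mgmt             dns        allow  0.0.0.0/0
                 http       allow  0.0.0.0/0
                 https      allow  0.0.0.0/0
                 ndmp       allow  0.0.0.0/0
                 ntp        allow  0.0.0.0/0
                 snmp       allow  0.0.0.0/0
                 ssh        allow  0.0.0.0/0
10 entries were displayed.
"""

# (policy, service, action, ip_list)
Rule = Tuple[str, str, str, Tuple[str, ...]]

CLI = "system services firewall policy"


def parse_policy_show(text: str) -> List[Rule]:
    """Parse the show table. The policy name is printed only on the first
    row of its group; continuation rows are indented. Comma-separated
    IP lists are split into a tuple. Header, rule and trailer lines skipped."""
    rules: List[Rule] = []
    policy = ""
    for line in text.splitlines():
        if (not line.strip() or line.startswith(("Policy", "---"))
                or re.match(r"\d+ entr", line)):
            continue
        parts = line.split()
        if not line[0].isspace():            # start of a new policy group
            policy, parts = parts[0], parts[1:]
        if policy and len(parts) >= 3:
            ips = tuple(ip for ip in "".join(parts[2:]).split(",") if ip)
            rules.append((policy, parts[0], parts[1], ips))
    return rules


def world_open_allows(rules: List[Rule], skip=("cluster",)) -> List[Tuple[str, str]]:
    """Allow entries reachable from every source address (a /0 in IP-List).
    The cluster policy is skipped, as the post advises leaving it alone."""
    findings = []
    for policy, service, action, ips in rules:
        if policy in skip or action != "allow":
            continue
        if any(ipaddress.ip_network(ip, strict=False).prefixlen == 0 for ip in ips):
            findings.append((policy, service))
    return findings


def hardening_commands(rules: List[Rule], required: Dict[str, Set[str]],
                       trusted: str, suffix: str = "-modified") -> List[str]:
    """Clone each non-cluster policy, restrict the services in
    required[policy] to the trusted subnet, and turn every other allow
    into an explicit deny from 0.0.0.0/0 (the sequence used in the post)."""
    net = ipaddress.ip_network(trusted, strict=False)   # rejects garbage input
    if net.prefixlen == 0:
        raise ValueError("trusted subnet must not be 0.0.0.0/0")
    allowed: Dict[str, List[str]] = {}
    for policy, service, action, _ in rules:
        if policy != "cluster" and action == "allow":
            allowed.setdefault(policy, []).append(service)
    cmds: List[str] = []
    for policy, services in allowed.items():
        new = policy + suffix
        cmds.append(f"{CLI} clone -policy {policy} -new-policy-name {new}")
        keep = required.get(policy, set())
        for service in services:
            if service in keep:
                cmds.append(f"{CLI} modify -policy {new} -service {service} -action allow -ip-list {net}")
            else:
                cmds.append(f"{CLI} delete -policy {new} -service {service} -action allow")
                cmds.append(f"{CLI} create -policy {new} -service {service} -action deny -ip-list 0.0.0.0/0")
        for service in sorted(keep - set(services)):     # required but not allowed yet
            cmds.append(f"{CLI} create -policy {new} -service {service} -action allow -ip-list {net}")
    return cmds


# The post's scenario: CIFS SVM, OCUM 6.1 restores over NDMP, no on-box DNS.
SCENARIO: Dict[str, Set[str]] = {"data": {"ndmp"}, "intercluster": {"ndmp"},
                                 "mgmt": {"https", "ndmp", "ntp", "ssh"}}

if __name__ == "__main__":
    rules = parse_policy_show(SAMPLE_SHOW_OUTPUT)
    for policy, service in world_open_allows(rules):
        print(f"open to 0.0.0.0/0: {policy}/{service}")
    print("\n".join(hardening_commands(rules, SCENARIO, "192.168.0.0/16")))
```

Run against the sample it reports all ten default entries as world-open and prints the 17 commands from the section above. Against a live cluster, replace SAMPLE_SHOW_OUTPUT with real output, adjust SCENARIO to the services you actually need, and read the generated commands before pasting them: the script refuses a trusted subnet of 0.0.0.0/0, but it cannot know whether the address you are administering from is inside the subnet you chose.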
Commands to Apply Firewall Policies to the Cluster
network interface modify -vserver CLU1 -lif cluster_mgmt -firewall-policy mgmt-modified
network interface modify -vserver CLU1N1 -lif mgmt1 -firewall-policy mgmt-modified
network interface modify -vserver CLU1N1 -lif rep1 -firewall-policy intercluster-modified
network interface modify -vserver SVM1 -lif data1 -firewall-policy data-modified
Note: Apply the mgmt-modified policy to the cluster_mgmt and node-mgmt LIFs from a session that originates inside the trusted subnet (or from the console), otherwise the new ssh rule will lock out the very session you are working in.
THE END