Security Hardening with Clustered Data ONTAP's Firewall

Note: This post is written with CDOT 8.2.1 in mind.

Introduction

Among the many features Clustered Data ONTAP adds over Data ONTAP operating in 7-Mode is an inbuilt firewall, and its presence raises a previously unaskable question: how best to use it for security hardening in environments where that is of interest.

The firewall can block inbound traffic for management services; it does not filter the data protocols themselves (NFS, CIFS, etc.).

To check it is enabled (the default), run:

::> system services firewall show

The firewall can be disabled with:

::> system services firewall modify -node NODENAME -enabled false

Firewall logging is disabled by default. To enable it:

::> system services firewall modify -node NODENAME -logging true

Firewall Policy Services

The services the firewall policy can block/allow (out of the box) are:

::> system services firewall policy create -service

dns  http  https  ndmp  ntp  rsh  snmp  ssh  telnet

dns: Needs to be allowed if you’re using CDOT On-Box DNS Load-Balancing, since the LIFs need to be able to listen for DNS requests. Otherwise it can be denied. Note: For thoroughness, I have tested with DNS denied, and normal external DNS services work fine.

https: For OFFtap products that leverage ONTAPI, and also to get to the logs via https://CLUSTERNAME/SPI!

http: Only if https does not function!

ndmp: If you’re using a backup/restore application that leverages NDMP (this includes OnCommand Unified Manager 6.1 - something I hope to blog about at a later date), then you need to allow ndmp.

ntp: Traditionally - “in a NetApp HA pair there is a cluster time daemon, where one filer is the master and the other slave, and the slave will only directly communicate with the time server when the cluster interconnect is down or clustering has been disabled.” One I’m not totally sure about, I’d leave it allowed!

rsh: For management over RSH (default is denied.)

snmp: This should be allowed if using a management/monitoring solution that polls the CDOT nodes with SNMP (OCUM 6.1 uses ONTAPI), otherwise it can be denied. Note: In a switched Cluster, the Cluster Nodes poll the switch for health information using SNMP - this is outbound communication though.

ssh: For management over SSH.

telnet: For management over telnet (default is denied.)

Note: If you enter diag privilege level, additional firewall services can be created:

::> set d
::*> system services firewall policy service create ?
-service {text}      *Service Name
-protocol {protocol} *Protocol
-port {integer},…    *Ports

Firewall Policies

To view the firewall policies:

::> system services firewall policy show

There are four default firewall policies:

::> system services firewall policy show -policy ?

cluster {used by default for cluster LIFs}
data {used by default for data LIFs}
intercluster {used by default for intercluster LIFs}
mgmt {used by default for node-mgmt and cluster-mgmt LIFs}

And the purpose of all 5 LIF roles:

::> network interface create -role ?

cluster        Used for communication using the private cluster network
data           Used for communicating with file service clients
node-mgmt      Used by administrators to configure the node
intercluster   Used for communication with a different cluster
cluster-mgmt   Used by administrators to configure the cluster

What Is Allowed By Default

If we ignore the cluster firewall policy (since it is for the private cluster interconnect and cluster LIFs only, and it is highly recommended not to mess with this private CDOT network) and just look at the allowed services, we have:

::> system services firewall policy show -policy !cluster -action allow

Policy       Service Action IP-List
------------ ------- ------ ---------

data
             dns     allow  0.0.0.0/0
             ndmp    allow  0.0.0.0/0

intercluster
             ndmp    allow  0.0.0.0/0

mgmt
             dns     allow  0.0.0.0/0
             http    allow  0.0.0.0/0
             https   allow  0.0.0.0/0
             ndmp    allow  0.0.0.0/0
             ntp     allow  0.0.0.0/0
             snmp    allow  0.0.0.0/0
             ssh     allow  0.0.0.0/0

What Actually Needs to be Allowed (example using a Specific Scenario)

Note: The default configuration of allowed services is totally fine for all scenarios (especially since this discussion would not have been possible with 7-Mode), except where further security hardening is of interest…

My scenario is an SVM configured for CIFS (it needs to reach external DNS for Active Directory to work), and we’re using OnCommand Unified Manager 6.1 for GUI-driven restores, hence ndmp is required (remember OCUM 6.1 is a free management tool). We’re not using CDOT On-Box DNS Load-Balancing, so we don’t need inbound DNS. All the devices that could possibly communicate over https, ndmp, ntp, or ssh are on the subnet 192.168.0.0/16. So, our firewall policies will allow:

::> system services firewall policy show -policy !cluster -action allow

Policy       Service Action IP-List
------------ ------- ------ ---------

data-modified
             ndmp    allow  192.168.0.0/16

intercluster-modified
             ndmp    allow  192.168.0.0/16

mgmt-modified
             https   allow  192.168.0.0/16
             ndmp    allow  192.168.0.0/16
             ntp     allow  192.168.0.0/16
             ssh     allow  192.168.0.0/16

Commands to Create the Firewall Policies

Note: You cannot edit the default firewall policies, hence we clone them below.

The following commands are all run from the ClusterShell ::> prompt:

system services firewall policy clone -policy data -new-policy-name data-modified
system services firewall policy clone -policy intercluster -new-policy-name intercluster-modified
system services firewall policy clone -policy mgmt -new-policy-name mgmt-modified

system services firewall policy show -policy *modified -action allow

system services firewall policy delete -policy data-modified -service dns -action allow
system services firewall policy create -policy data-modified -service dns -action deny -ip-list 0.0.0.0/0
system services firewall policy modify -policy data-modified -service ndmp -action allow -ip-list 192.168.0.0/16

system services firewall policy modify -policy intercluster-modified -service ndmp -action allow -ip-list 192.168.0.0/16

system services firewall policy delete -policy mgmt-modified -service dns -action allow
system services firewall policy create -policy mgmt-modified -service dns -action deny -ip-list 0.0.0.0/0
system services firewall policy delete -policy mgmt-modified -service http -action allow
system services firewall policy create -policy mgmt-modified -service http -action deny -ip-list 0.0.0.0/0
system services firewall policy delete -policy mgmt-modified -service snmp -action allow
system services firewall policy create -policy mgmt-modified -service snmp -action deny -ip-list 0.0.0.0/0

system services firewall policy modify -policy mgmt-modified -service https -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ndmp -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ntp -action allow -ip-list 192.168.0.0/16
system services firewall policy modify -policy mgmt-modified -service ssh -action allow -ip-list 192.168.0.0/16

And the result:

::> system services firewall policy show -policy *modified -action allow

Policy           Service Action IP-List
---------------- ------- ------ --------------
data-modified
                 ndmp    allow  192.168.0.0/16
intercluster-modified
                 ndmp    allow  192.168.0.0/16
mgmt-modified
                 https   allow  192.168.0.0/16
                 ndmp    allow  192.168.0.0/16
                 ntp     allow  192.168.0.0/16
                 ssh     allow  192.168.0.0/16

Commands to Apply Firewall Policies to the Cluster

network interface modify -vserver CLU1 -lif cluster_mgmt -firewall-policy mgmt-modified
network interface modify -vserver CLU1N1 -lif mgmt1 -firewall-policy mgmt-modified
network interface modify -vserver CLU1N1 -lif rep1 -firewall-policy intercluster-modified
network interface modify -vserver SVM1 -lif data1 -firewall-policy data-modified
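As an added example (not code from the original post), the script below parses the table layout of system services firewall policy show as printed above, flags allow rules on non-cluster policies that are open to 0.0.0.0/0 (the audit behind the "What Is Allowed By Default" section), and generates the same clone/delete/create/modify command sequence used above for any policy and any set of services to keep. The sample output embedded in it is constructed, and the policy/service/IP values passed to harden_commands are assumptions for illustration.

```python
from collections import namedtuple
from typing import Dict, List

Rule = namedtuple("Rule", "policy service action ip_list")  # one row of the show output

# Constructed sample in the post's table layout (a subset of the 8.2.1 defaults).
SAMPLE_SHOW = """\
Policy       Service Action IP-List
------------ ------- ------ ---------

data
             dns     allow  0.0.0.0/0
             ndmp    allow  0.0.0.0/0
mgmt
             http    allow  0.0.0.0/0
             https   allow  0.0.0.0/0
             ssh     allow  192.168.0.0/16
"""

def parse_policy_show(text: str) -> List[Rule]:
    """Unindented lines name the policy; indented lines are its service rows."""
    rules, policy = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Policy", "---")):
            continue
        if not line[0].isspace():
            policy = line.strip()
            continue
        service, action, ip_list = line.split(None, 2)  # IP-List may be "a, b"
        rules.append(Rule(policy, service, action, ip_list.strip()))
    return rules

def wide_open_allows(rules: List[Rule], ignore=("cluster",)) -> List[Rule]:
    """Allow rules on non-cluster policies that accept traffic from anywhere."""
    return [r for r in rules if r.policy not in ignore and r.action == "allow"
            and "0.0.0.0/0" in [n.strip() for n in r.ip_list.split(",")]]

def harden_commands(rules: List[Rule], policy: str, keep: Dict[str, str]) -> List[str]:
    """The post's steps: clone to <policy>-modified, deny allowed services not in keep,
    and restrict each kept service to the IP list keep maps it to."""
    new, p = f"{policy}-modified", "system services firewall policy"
    cmds = [f"{p} clone -policy {policy} -new-policy-name {new}"]
    for r in (x for x in rules if x.policy == policy and x.action == "allow"):
        if r.service in keep:
            cmds.append(f"{p} modify -policy {new} -service {r.service} -action allow -ip-list {keep[r.service]}")
        else:
            cmds.append(f"{p} delete -policy {new} -service {r.service} -action allow")
            cmds.append(f"{p} create -policy {new} -service {r.service} -action deny -ip-list 0.0.0.0/0")
    return cmds
```

Feed it the real output of the show command (pasted from the clustershell) and the keep map for each policy to regenerate the command list after an upgrade or when the management subnet changes.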

THE END
