Isilon OneFS 8.2.x Security Configuration Guide Security ...

1 Isilon OneFS Security ConfigurationGuideVersion Configuration GuideJanuary 2020 Copyright 2013-2020 Dell Inc. All rights believes the information in this publication is accurate as of its publication date. The information is subject to change without INFORMATION IN THIS PUBLICATION IS PROVIDED AS-IS. DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KINDWITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBEDIN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc.

2 Or its subsidiaries. Other trademarks may be the propertyof their respective owners. Published in the EMCH opkinton, Massachusetts 01748-91031-508-435-1000 In North America OneFS Security Configuration Guide Security Configuration GuideIntroduction to this guide5 About this 6 Reporting Security 6 Dell Security positive Security 6 Related 6 Where to go for 7 Security overview11 Security deployment business Security deployment Security deployment 12 Security Technical Implementation Guide (STIG) deployment model(Federal accounts only).

3 13 Security control 14 Cryptography15 Cryptography 16 Cryptographic inventory for 16 Cryptographic inventory for HTTPS in hardening inventory for inventory for 18 Cryptographic inventory for 19 Cryptographic inventory for 22 Kerberos 22 Network security23 Network port 24 OneFS 29 Mixed data-access protocol 31 FTP 31 HDFS and HTTPS 32 NFS 32 SMB 32 SMB Security 32 Configuring security35 Physical Security 36 Security of the data 36 Physical ports on Isilon 36 Disable USB ports on Isilon 36 Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 CONTENTSI silon OneFS Security Configuration Guide Security Configuration Guide3 Statements of 37 Security best 40 Persistence of Security settings.

4 40 PCI the cluster to meet PCI cluster Security best 42 Create a login message .. 42 Manifest check to confirm install authenticity and 42 Set a timeout for idle CLI sessions (CLI).. 45 Set a timeout for idle SSH sessions (CLI).. 47 Forward audited events to remote 48 Firewall 49 Disable OneFS services that are not in 49 Configure WORM directories using up cluster 50 Use NTP 50 Login, authentication, and privileges best 51 Restrict root logins to the 51 Use RBAC accounts instead of elevation: Assign select root-level privileges to non-root 52 Restrict authentication by external 55 SNMP Security best 56 Use SNMPv3 for cluster 56 Disable 57 SSH Security best 57 Restrict SSH access to specific users and root SSH access to the 58 Data-access protocols best 58 Use a trusted network to protect files and authentication credentialsthat are sent in 58 Use compensating controls to protect authentication credentials thatare sent in 59 Use compensating controls to protect files that are sent in 59

5 Disable FTP 60 Limit or disable HDFS 60 Limit or disable HTTP 61 NFS best 61 SMB best 63 Disable Swift 65 Web interface Security best 65 Replace the TLS 65 Secure the web interface 66 Accept up-to-date versions of TLS in the OneFS web 67 Chapter 7 Contents4 Isilon OneFS Security Configuration Guide Security Configuration GuideCHAPTER 1 Introduction to this guideThis section contains the following topics:lAbout this 6lReporting Security 6lDell Security 6lFalse positive Security 6lRelated 6lWhere to go for OneFS Security Configuration Guide Security Configuration Guide5 About this guideThis Guide provides an overview of the Security Configuration controls and settings available inIsilon OneFS .

6 This Guide is intended to help facilitate secure deployment, usage, and maintenanceof the software and hardware used in Isilon suggestions help us to improve the accuracy, organization, and overall quality of thedocumentation. Send your feedback to If you cannot providefeedback through the URL, send an email message to Security vulnerabilitiesDell EMC takes reports of potential Security vulnerabilities in our products very seriously. If youdiscover a Security vulnerability, you are encouraged to report it to Dell EMC information on how to report a Security issue to Dell EMC, see the Dell EMC VulnerabilityResponse Policy at Security advisoriesDell Security Advisories (DSAs) notify customers about potential Security vulnerabilities and theirremedies for Dell EMC products.

7 The advisories include specific details about an issue andinstructions to help prevent or alleviate that Security Vulnerabilities and Exposures (CVEs) identify publicly known Security concerns. A DSAcan address one or more Isilon DSAs, together with the CVEs that they address, are listed at positive Security vulnerabilitiesIt is possible for a Security scan to incorrectly identify a CVE as affecting a Dell EMC in this category are termed false positives for OneFS and Insight IQ are listed at documentsThe complete documentation set for OneFS is available can find information that is related to the features and functionality described in thisdocument in the following documents available from the Dell EMC Online Support Secure Remote Services Installation and Operations GuidelEMC Secure

8 Remote Services Policy Manager Operations GuidelEMC Secure Remote Services Site Planning GuidelEMC Secure Remote Services Technical DescriptionlEMC Isilon Multiprotocol Data Access with a Unified Security Model (white paper)Introduction to this guide6 Isilon OneFS Security Configuration Guide Security Configuration GuidelIsilon Swift Technical NotelManaging identities with the Isilon OneFS user mapping service (white paper)lOneFS Backup and Recovery GuidelOneFS CLI Administration GuidelOneFS Event ReferencelOneFS HDFS Reference GuidelOneFS Release NoteslOneFS Web Administration GuidelOneFS Upgrade Planning and Process GuideWhere to go for supportThis topic contains resources for getting answers to questions about Isilon supportlLive ChatlCreate a Service RequestFor questions about accessing online support, send an email to States: 1-800-SVC-4 EMC (1-800-782-4362)lCanada: 1-800-543-4782lWorldwide.

9 1-508-497-7901lLocal phone numbers for a specific country are available at Dell EMCC ustomer Support CommunityNetworkThe Isilon Community Network connects you to a central hub of informationand experts to help you maximize your current storage solution. From this site,you can demonstrate Isilon products, ask questions, view technical videos, andget the latest Isilon product Info HubsFor the list of Isilon info hubs, see the Isilon Info Hubs page on the IsilonCommunity Network. Use these info hubs to find product documentation,troubleshooting guides, videos, blogs, and other information resources aboutthe Isilon products and features you're interested following terms and abbreviations describe some of the features and technology of the IsilonOneFS system and Isilon enumeration (ABE)In a Microsoft Windows environment, ABE filters the list of available files and folders to allowusers to see only those that they have permissions to access on a file control entry (ACE)

10 An element of an access control list (ACL) that defines access rights to an object (like a file ordirectory) for a user or to this guideIsilon OneFS Security Configuration Guide Security Configuration Guide7 Access control list (ACL)A list of access control entries (ACEs) that provide information about the users and groupsallowed access to an policyThe policy that defines which access control methods (NFS permissions and/or WindowsACLs) are enforced when a user accesses a file on the system in an environment that isconfigured to provide multiprotocol access to file systems.