
Security

Contributors ciarm dmp-netapp

Protecting a customer’s environment from unauthorized access and actions is of paramount importance. Because Keystone is an on-premises solution that is remotely monitored, and optionally managed, the Keystone security architecture provides the following elements to ensure that both the Keystone storage environment and the customer’s environment are protected:

  • Device hardening:

    • All devices (switches, firewalls, servers, K8s, CentOS, ONTAP) are hardened per NetApp best practices, including NetApp Technical Report TR-4569.

    • All unused switch ports are disabled.

    • All device management ports are user/password protected.

  • Password management:

    • NetApp stores and manages passwords used by Keystone Operations personnel in a secure and encrypted password management system.

    • Only select operations personnel have read/write access to the password management system.

    • All activities on the password management system are logged and monitored.

    • Passwords used to remotely monitor and manage systems cannot be viewed by operations personnel.

    • Unique passwords are used for each physical or logical entity/device (including cluster admin).

  • Management network:

    • Consists of firewalls, management switches, management compute servers, management storage, and console switches.

    • All management network traffic is through HTTPS.

    • All internet connections are established outbound from the management network only.

    • This network is separate from the data network.

    • No Keystone service device within the Keystone management network can get beyond the firewall to the customer management network.

    • Only SSH and HTTPS (no HTTP) can be used on the management network.

  • Keystone firewalls:

    • Keystone firewalls reside on the Keystone management network.

    • Provide the northbound connection to the internet proxy server and the customer management network.

    • Provide the southbound connection to the management switches.

    • Allow segregation/isolation of the Keystone management network from the customer’s management network.

    • Disallow customer access and activities to/on the Keystone management network.

    • Establish an outbound tunnel through the customer’s HTTPS proxy to the internet (no inbound connections).

    • The only inbound connection to the management network is through HTTPS port 443 for the Keystone GUI and API access to the GUI/API interface host.

  • Data network:

    • Consists of data switches and storage controllers.

    • Northbound to customer data switches.

    • Southbound to storage controllers.

    • Separate from the control plane.

    • Only VLANs associated with SVMs can access the customer’s data network.

    • Storage controller ports respond only to the iSCSI, CIFS, or NFS protocols.

    • IP addresses associated with SVMs on storage controllers use IPspaces:

      • SVMs are associated with the VLANs.

    • SVMs have a secure virtual routing table:

      • SVMs do not route any customer traffic from the customer’s data network.

      • No inter-SVM traffic or routing path is possible.

      • No connectivity from the management network or its ports to SVMs or their associated VLANs.

      • No SSH sessions to storage controller data ports are possible.

  • APIs:

    • NetApp ONTAP 9 has two types of API access:

      • ZAPI, the legacy SOAP/XML-based API interface, is used by Active IQ Unified Manager and by OpsRamp.

      • The newer REST API is used by NetApp Service Engine components for accessing controller metrics and configuration.

    • Neither API can access stored data, but both can manipulate the systems if given the permissions required to do so.

    • Certain hosts in the NetApp management network have API access (REST/ZAPI) to the e0M ports on storage controllers over HTTPS/443.

    • After the initial Active IQ Unified Manager discovery is complete (~15 minutes), NetApp requests that Active IQ Unified Manager, OpsRamp, and NetApp Service Engine are provided with service accounts with read-only permissions.

  • Role-based access control (RBAC):

    • RBAC can be used to provide fine-grained (per-API call) and coarse (for example, to make particular users completely read-only) access control.

    • Service accounts on controllers have RBAC restrictions to enforce read-only access through API.

  • Active IQ Unified Manager:

    • Active IQ Unified Manager requires full administrator credentials for the initial discovery (~15 min) of the ONTAP controllers through NetApp Manageability SDK.

    • After the initial Active IQ Unified Manager discovery is complete (~15 minutes), NetApp requests that Active IQ Unified Manager, OpsRamp, and NetApp Service Engine are provided with service accounts with read-only permissions.
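The read-only service-account model described under RBAC and Active IQ Unified Manager, shown as an added example that is not taken from the Keystone documentation: ONTAP CLI commands that define a read-only role and bind a service account to it for API use only (ZAPI through the `ontapi` application, REST through `http`). The cluster name `cluster1`, the role name `keystone_ro`, and the account name `svc_aiqum` are placeholders, and the exact role definition NetApp Operations requests may differ.

```text
# Constructed example; cluster1, keystone_ro and svc_aiqum are placeholders.
# Lines beginning with # are explanatory and are not typed into the ONTAP CLI.

# Define a role whose default access to every command directory is read-only.
cluster1::> security login role create -vserver cluster1 -role keystone_ro -cmddirname DEFAULT -access readonly

# Create the service account for ZAPI (ontapi) and REST (http) only, bound to that role.
# No ssh or console application is granted, so the account cannot open an interactive session.
cluster1::> security login create -vserver cluster1 -user-or-group-name svc_aiqum -application ontapi -authentication-method password -role keystone_ro
cluster1::> security login create -vserver cluster1 -user-or-group-name svc_aiqum -application http -authentication-method password -role keystone_ro

# Verify: the account should list only the ontapi and http applications, both with role keystone_ro.
cluster1::> security login show -vserver cluster1 -user-or-group-name svc_aiqum
```

Once discovery has completed, the full-administrator credential used for the initial Active IQ Unified Manager discovery is replaced in each monitoring tool by this account. The `show` output is the check that no application beyond `ontapi` and `http` was granted to it.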