
NAS Management

Module 9 Data ONTAP 8.0 7-Mode Administration

Module Objectives
By the end of this module, you should be able to:
List security methods for protecting data
Explain and configure a security style setting for a volume and a qtree
Describe methods of tracking and restricting storage usage
Explain, create, and manage quotas
Explain and configure FPolicy

2009 NetApp. All rights reserved.

NAS Management
After configuring NAS protocols, additional steps are needed to ensure you get the full use of NAS technologies. This module examines:
Securing data
Tracking and restricting storage usage

Future modules discuss related topics including:


Module 13 - Resiliency through high availability
Module 14 - Security divisions with virtualization
Module 16 - Data protection schemes

Securing Data


Data Security Techniques


NetApp provides several security methods to protect data on your storage system:
Data ONTAP
  Limit protocol access by interface
  Specify and manage the security style
NetApp DataFort products
Integration with third-party products
  Virus scanning
  File screening / Hierarchical Storage Management (HSM)


Data ONTAP Securing NAS Data


By default, protocols are accessible by all configured interfaces.
To restrict access through a particular interface:
system> options interface.blocked.cifs e0a
system> options interface.blocked.nfs e0a,e0b

To allow a protocol access through all interfaces:
system> options interface.blocked.cifs


Multiprotocol
Volumes and qtrees can have either:
NTFS-style ACL permissions
UNIX-style permissions

Having UNIX-style permissions does not prevent Windows (CIFS) users from accessing a volume or qtree if Multiprotocol is correctly configured.
Having NTFS-style ACL permissions does not prevent UNIX (NFS) users from accessing a volume or qtree if Multiprotocol is correctly configured.

Security Style Interaction


For a Windows user to access:
An NTFS-style volume or qtree: the Windows user is tested against NTFS-style ACLs
A UNIX-style volume or qtree: the Windows user must be mapped to a UNIX UID (and associated UNIX group - GID)

[Diagram: Windows host with a Windows user ID, mapped to a UNIX user, accessing NTFS and UNIX security-style volumes]

Windows-to-UNIX User Resolution

Resolution of a Windows user to a UNIX user proceeds as follows:
1. The Windows user on the Windows host is authenticated by the storage system: either domain authenticated (by a Windows Domain Controller) or authenticated by /etc/registry. The result is a Windows-authenticated or an unauthenticated user.
2. For a Windows-authenticated user, check the mapping in /etc/usermap.cfg (Domain\user => UNIX name):
  If a mapping exists, try the mapped user
  If no mapping exists, try the Windows user name
3. Verify the UNIX user by /etc/passwd, NIS, or LDAP. If verified, the user is accepted.
4. If not verified, check wafl.default_unix_user. If it maps to a valid UNIX user, the user is accepted; if it maps to an invalid user, the user is treated as invalid.
5. For an unauthenticated or invalid user, check whether a guest account is configured (options cifs.guest_account):
  Yes: try the guest user and verify it by /etc/passwd, NIS, or LDAP; the guest user is accepted or rejected
  No: the unauthenticated or invalid user is rejected
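The resolution order above, as an added example (not NetApp code and not part of the course material): a small model that walks the same steps over constructed usermap, passwd and option data.

```python
# Added example (not NetApp code): a model of the Windows-to-UNIX user
# resolution order shown above. All data is constructed; a real storage
# system reads /etc/usermap.cfg, /etc/passwd, NIS or LDAP, and the options
# wafl.default_unix_user and cifs.guest_account.

# Constructed /etc/usermap.cfg-style entries (Windows => UNIX direction only).
USERMAP_CFG = """\
acme\\cheng    => cheng
acme\\tonyp    => tony
"""

# Constructed set of UNIX user names that /etc/passwd, NIS or LDAP can verify.
PASSWD_USERS = {"cheng", "tony", "jsmith", "pcuser", "nobody"}

# Constructed values of the two options consulted in the flow.
OPTIONS = {"wafl.default_unix_user": "pcuser", "cifs.guest_account": "nobody"}


def parse_usermap(text):
    """Return {windows_name: unix_name} from 'Domain\\user => unixname' lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=>" not in line:
            continue
        win, unix = (s.strip() for s in line.split("=>", 1))
        mapping[win.lower()] = unix
    return mapping


def resolve_windows_user(win_name, authenticated, usermap, passwd, options):
    """Return (result, unix_user): result is 'accepted', 'guest' or 'rejected'."""
    if authenticated:
        # Mapping exists: try the mapped user; no mapping: try the Windows
        # user name itself (domain prefix dropped).
        candidate = usermap.get(win_name.lower(), win_name.split("\\")[-1])
        if candidate in passwd:
            return ("accepted", candidate)
        # Not verified: check wafl.default_unix_user.
        default = options.get("wafl.default_unix_user", "")
        if default in passwd:
            return ("accepted", default)
        # Default maps to an invalid user: fall through as an invalid user.
    # Unauthenticated or invalid user: try the guest account, if configured.
    guest = options.get("cifs.guest_account", "")
    if guest in passwd:
        return ("guest", guest)
    return ("rejected", None)
```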

UNIX User Access to Files


For a UNIX user to access:
A UNIX-security style volume or qtree: the UNIX user is tested against the UNIX file permissions
An NTFS-security style volume or qtree: the UNIX user and group must be mapped to a Windows user (and associated Windows groups)

[Diagram: UNIX host with a UNIX user, mapped to a Windows user ID, accessing UNIX and NTFS security-style volumes]


UNIX-to-Windows User Resolution


Resolution of a UNIX user to a Windows user proceeds as follows:
1. The UNIX host sends the request with the user's UID and GID, for example:
SUN1> cd /mnt/home
SUN1> ls
NOTE: The UNIX UID (and GID) were assigned at user login when the user name and password were authenticated.
2. The storage system resolves the UID to a UNIX user name by /etc/passwd, NIS, or LDAP. If this fails, the user is invalid and is rejected.
3. If the UID resolves, look for a mapped Windows user in /etc/usermap.cfg (Domain\user <= UNIX name):
  If a mapping exists, try the mapped user
  If no mapping exists, try the UNIX user name
4. Verify the Windows user by the local storage system or the domain. If verified, the user is accepted.
5. If not verified, check wafl.default_nt_user. If it maps to a valid Windows user, the user is accepted; if it maps to an invalid user, the user is rejected.

Security Styles
Security Style: unix
  Hosts that can change security/permissions: NFS clients
  CIFS client access determined by: UNIX permissions (Windows user names mapped to UNIX account)
  NFS client access determined by: UNIX permissions

Security Style: mixed
  Hosts that can change security/permissions: NFS and CIFS clients
  CIFS and NFS client access determined by: depends on the last client to set security settings (permissions)

Security Style: ntfs
  Hosts that can change security/permissions: CIFS clients
  CIFS client access determined by: Windows NTFS ACLs
  NFS client access determined by: Windows NTFS ACLs (UNIX user names mapped to Windows account)


Setting Security Styles


To set a security style for a volume:
system> qtree security /vol/vol0 ntfs

To set a security style for a qtree:
system> qtree security /vol/vol0/q1 ntfs

Changing a security style resets all security permissions within a volume or qtree to the default:
NTFS: Everyone has read-write access
UNIX: user, group, and world have rwx, for example:
drwxrwxrwx 2 root root 4096 cifs_tree1


DataFort Products Securing NAS Data


The NetApp DataFort product line provides:
Data-At-Rest Encryption
  Data stored on the storage system is encrypted in containers called Cryptainers
  Data remains encrypted until accessed and decrypted
  After initial encryption, data can be moved, copied, replicated, or archived in its secure form
Data-In-Flight Encryption
  Data is encrypted at some point before it traverses a communications link
  Data is decrypted at the other end of the link


NetApp DataFort NAS Virtualization


NetApp DataFort exposes CIFS shares and NFS exports by way of virtual servers.

[Diagram: client hosts (Host1, Host2) on VLAN 1 and VLAN 2 connect to DataFort virtual servers Vserver1 (share1, share3) and Vserver2 (export5, export7), which front the NAS storage: Storage System 1 (share1, share3) and Storage System 2 (export5, export7)]

Third-Party Tools Securing NAS Data


Data ONTAP can integrate with third-party tools to secure NAS data.
Virus protection:
  Provides on-access virus scanning of files on a storage system
  Requires a virus-scanning Windows server running compliant antivirus applications
  May require a file to be scanned before a CIFS client can open it

See the CIFS Administration course for more details



Tracking and Restricting Storage Usage


Tracking and Restricting NAS Usage


Administrators may wish to track NAS usage to:
  Monitor trends
  Charge back department usage
  Manage storage effectively
  Restrict user usage

Data ONTAP provides the following mechanisms to track and restrict NAS usage:
1. Quotas
2. Qtree statistics
3. FPolicy


1. Quotas
Quotas are necessary to:
  Limit the amount of disk space that can be used
  Track disk space usage
  Warn of excessive usage

Quota targets:
  Users
  Groups
  Qtrees


System Manager: Quotas


To manage quotas in System Manager, use the Quotas page [screenshot] and Create a quota [screenshot]


System Manager: Quota Creation

[Screenshots: the System Manager quota creation dialog, three steps]

System Manager: Quotas


Quota status and resize:
  Enable or disable quotas per volume
  Resize quotas if quota definitions have changed, or run:
system> quota resize


Quota Errors
Disk quota exceeded: results from requests that cause a user or group to exceed an applicable quota
Out of disk space: results from requests that cause the number of blocks or files in a qtree to exceed the qtree limit
Root or Windows administrator account:
  Group quotas do not apply
  Tree quotas do apply


System Manager: Editing Quota Rules


To edit quota rules using System Manager: [screenshot]

Don't forget to resize the volume's quotas


Quota Rules
New users or groups created after the default quota is in effect will have the default value
Users or groups that do not have a specific quota defined will have the default value
Configurable rules (/etc/quotas fields) are:
# Target  Type  Disk  Files  Thold  Sdisk  Sfiles

Example entries from the slide, listed by column:
Target: *  /vol/home/usr/x1  21  /vol/eng/proj  Writers  acme\cheng  tonyp@acme.com  Rtaylor  s-1-5-32-544
Type: user@/vol/vol2  user  Group  tree  group@/vol/techpub  user@/vol/vol2  user  user@/vol/vol2  user@/vol/vol2
Disk: 50M  50M  750M  100M  75M  200M  200M  200M
Files: 15K  10K  75K  75K  75K  -
Thold: 45M  45M  700M  90M  70M  150M  150M  150M
Sdisk: 10K  9000  -

NOTE: Columns are separated by whitespace
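The /etc/quotas field layout above, as an added example (not NetApp code): a parser for rules in that format and a check that classifies a usage figure against the hard limits, the threshold and the soft limits. The rule lines are constructed here, not taken from a real storage system.

```python
# Added example (not NetApp code): parse /etc/quotas-style rules and classify a
# usage figure against Disk/Files limits, the Thold threshold and the
# Sdisk/Sfiles soft limits. Rules are constructed in the slide's field order;
# "-" (or a missing column) means no limit.
QUOTAS_FILE = """\
# Target           Type                Disk   Files  Thold  Sdisk  Sfiles
*                  user@/vol/vol2      50M    15K    45M    -      10K
/vol/home/usr/x1   user                50M    10K    45M    -      9000
21                 group               750M   75K    700M   -      -
/vol/eng/proj      tree                100M   75K    90M    -      -
acme\\cheng        user@/vol/vol2      200M   -      150M   -      -
"""
FIELDS = ("target", "type", "disk", "files", "thold", "sdisk", "sfiles")
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_limit(token):
    """'50M' -> 52428800, '15K' -> 15360, '9000' -> 9000, '-' or None -> None."""
    if token is None or token == "-":
        return None
    unit = token[-1].upper()
    if unit in UNITS:
        return int(token[:-1]) * UNITS[unit]
    return int(token)

def parse_quotas(text):
    """Return one dict per rule; columns are separated by whitespace."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()  # drop the comment/header line
        if len(cols) < 2:
            continue
        cols += [None] * (len(FIELDS) - len(cols))  # pad missing trailing columns
        rule = dict(zip(FIELDS, cols))
        for field in FIELDS[2:]:
            rule[field] = parse_limit(rule[field])
        rules.append(rule)
    return rules

def check_usage(rule, disk_used, files_used):
    """'hard': Disk/Files limit exceeded ('Disk quota exceeded' for user/group,
    'Out of disk space' for tree); 'soft': Sdisk/Sfiles passed; 'thold': Thold passed."""
    def over(key, used):
        return rule[key] is not None and used > rule[key]
    if over("disk", disk_used) or over("files", files_used):
        return "hard"
    if over("sdisk", disk_used) or over("sfiles", files_used):
        return "soft"
    if over("thold", disk_used):
        return "thold"
    return "ok"
```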


2009 NetApp. All rights reserved.

Quota Report
Quota report:
system> quota report
                                    K-Bytes           Files
Type   ID   Volume   Tree ...       Used    Limit     Used  Limit   Quota Specifier
-----  ---  -------  ---------- ... ------  -------   ----  ------  ---------------
tree   1    NASvol   nas_tree1  ... 14612   12288     24    2       /vol/NASvol/nas_tree1


Quota Information
Beginning with Data ONTAP 7.3, AutoSupport (ASUP) contains the following quota information:
  A collection of quota statistics, including a set of new counters that collect quota statistics
  The quota configuration file (/etc/quotas)
  The user mapping file (/etc/usermap.cfg)

Quota information is included in ASUP as attachments


2. Qtree Statistics
To display the number of NFS and CIFS operations resulting from user access to files in a qtree:
system> qtree stats
...
Volume    Tree        NFS ops   CIFS ops
--------  ---------   -------   --------
NASvol    nas_tree1   0         802


3. File Scanning through FPolicy


File Policies (FPolicy)
Allow administrators to create file policies associated with file operations executed over CIFS and NFS v4
Example: Restrict .jpg and .mpg files from being stored on a storage system

FPolicy is enabled in two ways:
  Using third-party file screening software (partners can be located at www.netapp.com/partners)
  Using native file blocking


Triggering Operations

Operations that can trigger a file policy:
create, open, write, rename, delete, close, create_dir, getattr, link, lookup, read, rename_dir, setattr, symlink


Third-Party File-Screening Process


1. Client requests a file
2. Storage system consults the screen server
3. Screen server responds as follows:
  If the file is OK, the storage system allows access
  If the file is denied, the storage system denies access

Possible operations controlled by policy are:
  Creation of a new file
  Opening an existing file
  Renaming a file

[Diagram: Client connected over Ethernet to the Storage System, which consults the File Screen Server]

Hierarchical Storage Management (HSM)


FPolicy may integrate with HSM servers to manage data more efficiently
Policy: Migrate files more than six months old to secondary storage

[Diagram: Clients, Primary Storage System holding a stub or sparse file (my.docx), HSM Server (FPolicy Server), Secondary Storage System holding the complete file (my.docx)]


Hierarchical Storage Management (Cont.)


When clients request a file, Data ONTAP 7.3 and later will redirect the request

[Diagram: Clients send Read Request: my.docx to the Primary Storage System; HSM Server (FPolicy Server); Secondary Storage System holding my.docx]


Configuring Native-Blocking FPolicy


Turn the feature on:
options fpolicy.enable on

Create a file policy:
fpolicy create <PolicyName> screen
(screen is the only supported policy type)

Add or remove extensions and options to the file policy
Set up a file policy monitor
Enable the file policy:
fpolicy enable <PolicyName>


Blocking MP3s Example


To block MP3s on a storage system:

Create the blocking policy:
system> fpolicy create mp3blocker screen

Add the extension mp3 to the FPolicy:
system> fpolicy ext inc set mp3blocker mp3

Require FPolicy to be implemented:
system> fpolicy options mp3blocker required on

Assign FPolicy to create and rename operations over CIFS and NFS traffic:
system> fpolicy monitor set mp3blocker -p cifs,nfs create,rename

Enable the new policy:
system> fpolicy enable mp3blocker -f
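The mp3blocker procedure above, as an added example (not NetApp code): a model that replays each command as a setting on a policy object and then decides requests the way a native-blocking screen policy would. The decision rule is an assumption about native file blocking, not a statement from the course material.

```python
# Added example (not NetApp code): a model of how the native-blocking policy
# above decides on a request. The settings mirror the mp3blocker commands; the
# decision rule (deny when the protocol and operation are monitored, the
# extension is in the include list, "required" is on and no screening server is
# registered) is an assumption about native file blocking, not course material.
import os

class FilePolicy:
    """One 'screen' policy as built by fpolicy create / ext inc set / monitor set."""

    def __init__(self, name):
        self.name = name
        self.enabled = False      # fpolicy enable <PolicyName>
        self.required = False     # fpolicy options <PolicyName> required on
        self.ext_include = set()  # fpolicy ext inc set <PolicyName> <ext>
        self.monitor = {}         # protocol -> monitored operations
        self.servers = []         # registered screening servers (none = native blocking)

    def ext_inc_set(self, *exts):
        self.ext_include = {e.lower() for e in exts}

    def monitor_set(self, protocols, ops):
        for proto in protocols:
            self.monitor[proto.lower()] = {op.lower() for op in ops}

    def decide(self, protocol, op, path):
        """Return 'allow', 'deny' or 'screen' (hand the request to a server)."""
        if not self.enabled:
            return "allow"
        if op.lower() not in self.monitor.get(protocol.lower(), set()):
            return "allow"   # operation not monitored for this protocol
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext not in self.ext_include:
            return "allow"   # extension not screened by this policy
        if self.servers:
            return "screen"  # a screening server makes the decision
        return "deny" if self.required else "allow"


def build_mp3blocker():
    """Replays the mp3blocker commands from the slide."""
    p = FilePolicy("mp3blocker")                          # fpolicy create mp3blocker screen
    p.ext_inc_set("mp3")                                  # fpolicy ext inc set mp3blocker mp3
    p.required = True                                     # fpolicy options mp3blocker required on
    p.monitor_set(["cifs", "nfs"], ["create", "rename"])  # fpolicy monitor set mp3blocker -p cifs,nfs create,rename
    p.enabled = True                                      # fpolicy enable mp3blocker -f
    return p
```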


Module Summary
In this module, you should have learned to:
List security methods for protecting data
Explain and configure a security style setting for a volume and a qtree
Describe methods of tracking and restricting storage usage
Explain, create, and manage quotas
Explain and configure FPolicy


Exercise
Module 9: NAS Management
Estimated Time: 60 minutes

Check Your Understanding


What are security styles?
Security methods used for volumes and qtrees

Does a security style prevent protocols from accessing the volume or qtree?
No, they only define which rules to apply


Check Your Understanding (Cont.)


What are the functions of a quota?
Limit the amount of disk space that can be used
Track disk space usage
Warn of excessive usage

Name three quota targets.


Users, groups, and qtrees

