We run a separate management network. I put the on-board ethernet interface on this network. We have a highly secured management server sitting on this network, which is the only one that's allowed rsh/telnet access to the filer.
The goal of this was to give our database servers the ability to trigger snapmirror resyncs, without giving them the ability to do everything else.
The fact that rsh relies on the source IP address for authentication, coupled with the fact that rsh runs over UDP -- means that even if you grant a single host access to your filer, other hosts on that same network can enjoy the same level of access without much effort.
No code is running on the filer. I just wrote a very basic client/server type that runs over ssh using no-password dsa keys. The client, running on the DB servers, connects to the server process running on the management server, to communicate the request.
It's part of a bigger system I wrote to facilitate automated inter-host command execution / data transfer without requiring full account equivalency (all too common).
This complicates the process, which somewhat reduces reliability -- but we had spent considerable time hardening our internal production environment. I couldn't just extend a trust relationship to all our DB servers that would allow an attacker who compromised one of them the ability to take control of our filers, which in our case is one of the most critical systems we employ.
It's written in python, and somewhat specific to our environment.
The playbook most attackers follow is very simple: (1) Gain access to a system, (2) leverage that access and any trust relationships discovered to penetrate deeper into the network. Minimizing trust relationships is critical in designing secure, distributed systems.
On Thu, 28 Oct 2004, Brian Parent wrote:
I too am disappointed that NetApp doesn't include ssh as part of the core offering, especially in today's security conscious environment.
I'd like to understand more about your client/server app. I've often been frustrated by the inability to write/compile/run my own code on a NetApp.
Where is your server running, on your NetApp? What language is it in? How did you compile it? How do you run it?
If it's not running on your NetApp, how does your server make the connection to the NetApp without using rsh, and without using SecureAdmin?
Re:
Date: Thu, 28 Oct 2004 11:28:33 -0700 (PDT)
From: avarni@cj.com
To: Brian Parent bparent@calvin.ucsd.edu
Cc: Netapp toasters@mathworks.com
Subject: Re: ssh scripts
We didn't purchase Secure Admin, but I got around that by writing a little client/server app that's bound to a no-password DSA keypair. The server portion limits what actions can be requested by the clients. This way our DB servers can still initiate snapmirror requests, etc -- without using insecure rsh.
I guess this is as good a time as any to express my disappointment with NetApp's policy of charging extra money to be able to use ssh. I think that providing a secure remote management capability (ssh) by default should be part of the core offering.
On Wed, 27 Oct 2004, Brian Parent wrote:
Can anyone on this list confirm whether ssh can be used in place of rsh (after purchasing SecureAdmin of course), without requiring the use of a password? It appears to be the case, based on the existence of the options "ssh.pubkey_auth.enable" as well as "ssh.passwd_auth.enable" on my DOT 6.4.5 systems. I'd just like to make sure before buying the SecureAdmin software because I'd rather not bother if I have to stuff the password into an expect script somewhere.
Re:
Date: Wed, 27 Oct 2004 21:07:52 +0200
From: Stefan Funke bundy@arcor-ip.de
To: Robert Borowicz rbaus@swbell.net
Cc: Netapp toasters@mathworks.com
Subject: Re: ssh scripts
Quoting message received from Robert Borowicz:
I want to work with our DBA's to put our Oracle instances in Hot Standby to grab snapshots. Anybody got a script they use that utilizes SSH to run the snap command on a filer?
http://www.netapp.com/tech_library/3130.html
show it to your dba's and replace rsh with ssh.
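The thread describes a server process on the management host that limits which actions the DB servers' no-password keys can request, but does not show its code. The sketch below is an added example, not the poster's program: a Python allowlist check meant to run as an OpenSSH forced command (`command="gateway.py db1"` in `authorized_keys`, with the client's request arriving in `SSH_ORIGINAL_COMMAND`). Client ids, volume names, request names and the filer command forms are assumptions made for the example.

```python
import os
import re
import shlex
import sys

# Constructed policy: client id -> action -> volumes that client may name.
POLICY = {
    "db1": {"snapmirror-resync": {"oradata_mirror"}, "snap-create": {"oradata"}},
    "db2": {"snapmirror-resync": {"oralogs_mirror"}},
}
# No leading "-": an argument must never be read as an option by the filer CLI.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")
# Action -> (argument count, builder of the filer argv). Command forms are assumed.
ACTIONS = {
    "snapmirror-resync": (1, lambda vol: ["snapmirror", "resync", vol]),
    "snap-create": (2, lambda vol, name: ["snap", "create", vol, name]),
}

class Denied(Exception):
    """The request is outside what this client key is allowed to trigger."""

def authorize(client, request):
    """Return the filer argv for an allowed request, otherwise raise Denied."""
    try:
        action, *args = shlex.split(request)  # ValueError if empty or unbalanced
    except ValueError as exc:
        raise Denied("empty or unparseable request") from exc
    allowed = POLICY.get(client, {})
    if action not in allowed or action not in ACTIONS:
        raise Denied(f"{client} may not request {action!r}")
    nargs, build = ACTIONS[action]
    if len(args) != nargs:
        raise Denied("wrong argument count")
    if not all(SAFE_NAME.fullmatch(a) for a in args):
        raise Denied("illegal argument")
    if args[0] not in allowed[action]:
        raise Denied(f"{client} may not touch volume {args[0]!r}")
    return build(*args)  # argv list: never passed through a shell

def main():
    # sys.argv[1] is the client id fixed by the forced command, not by the client.
    try:
        argv = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except Denied as exc:
        sys.exit(f"denied: {exc}")
    print("would run on filer:", " ".join(argv))

if __name__ == "__main__":
    main()
```

The client identity comes from the key's `authorized_keys` entry rather than from anything the DB server sends, so a compromised DB host can only replay the requests its own key was granted.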