Sounds like a solid plan. Plus since ONTAP-NFS sees the clone as a separate volume you only need to export the clone to the less secure network.
If you really want to split it security-wise, you could implement multistore and assign the clone to a vfiler which is managed administratively like a separate box and gives you an even bigger firewall. I think that may be overkill, but it's there if you want it.
-- Adam Fox
Typed with my thumbs on a very small keyboard.
----- Original Message -----
From: Stephen C. Losen scl@sasha.acc.virginia.edu
To: toasters@mathworks.com
Sent: Fri Mar 27 10:04:56 2009
Subject: Security best practice question
Hello toasters,
Our Oracle admins are replacing their old FC SAN storage and are considering going with NetApp and NFS. But they are concerned about security.
They are really attracted to flex clone because they would like to instantly replicate a database on a secure, firewalled Oracle server, run a job to sanitize the clone and then serve the sanitized DB from a less secure Oracle server in a DMZ. They are concerned that if the DMZ server were hacked, could it be leveraged to gain unauthorized NFS access, perhaps by hijacking an IP address?
I have suggested that they set up two separate private data Ethernets, one for the secure servers and one for the DMZ servers. Use two different address blocks (subnets) and plug the netapp into both networks with two different ethernet ports. That way the netapp would never send data exported to the secure servers out the interface for the DMZ servers.
Am I on the right track here? Is this "secure enough"? Is there an easier way? We don't have any Kerberos infrastructure and we can't sacrifice performance, so I think NFSv4 is out.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
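Adam's remark that ONTAP treats the clone as its own volume, so only the clone needs exporting to the DMZ, combined with Steve's two-subnet layout, comes down to two export rules. The following Data ONTAP 7-mode /etc/exports fragment is an added illustration, not from the thread; the volume names (oradb, oradb_san) and subnets (10.10.1.0/24 secure, 10.20.1.0/24 DMZ) are constructed.

```text
# Weak: a bare "rw" grants read/write to every host that can reach the filer,
# so the export restriction adds nothing on top of the network layout.
/vol/oradb      -sec=sys,rw,root=10.10.1.0/24

# Restricted: each volume is exported only to the subnet that should mount it.
# Source DB: secure Oracle subnet only (constructed: 10.10.1.0/24).
/vol/oradb      -sec=sys,rw=10.10.1.0/24,root=10.10.1.0/24,nosuid
# Sanitized FlexClone: DMZ subnet only (constructed: 10.20.1.0/24). The secure
# subnet is deliberately absent, and the source volume has no DMZ entry at all.
/vol/oradb_san  -sec=sys,rw=10.20.1.0/24,root=10.20.1.0/24,nosuid
```

The export list is the second control behind the separate ports and subnets; `exportfs -c` on 7-mode can be used to check what access a given client address actually gets for a path.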
We had the same issue when moving our pre-production Oracle DB environments from FC SAN to NFS on NetApp.
Here's how we handled it:

Traffic isolation
* dedicated network and interfaces using private IPs, with the IP network prevented from leaving using IP ACLs

Traffic separation
* separate vlan for each logical grouping of Oracle systems (dev/test/uat/prd)
* separate vfiler (using Multistore) for each logical grouping
* separate ipspace (using Multistore) for each logical grouping

Conformance to PCI DSS security standards
* Development data is stored on a separate storage system from UAT and PRD.
Many folks I talk to consider this overkill; I tend to agree, but it does make it easier to manage. Multistore results in a separate nfsd for each subnet and separate /etc/exports files.
We also use flexclone and delegate clone creation to the DBAs. However, we needed to give them cli-vol* RBAC, which has the unfortunate effect of enabling vol delete in addition to vol clone. We're fixing this by using ontapi to create an intermediate provisioning layer to disallow sub-commands.
-=--=-
gerald villabroza <geraldv at stanford.edu>
technical lead, its storage, stanford university
On Mar 27, 2009, at 8:26 AM, Fox, Adam wrote: