I had a question for this group. My company just started to install Filers on our network and I was wondering if there are any products that you use to connect to the Filer to replace the standard telnet command. I know Network Appliance sells SecureAdmin but I was wondering if there are any others out there.
Our security group is concerned about using telnet since any password that is sent is sent in clear text.
Any suggestions are welcome; also, if SecureAdmin is being used, any input on it would be appreciated.
Tony Villa, Sr. Network Specialist, ISTS/ITUSS/DC System Server Support, Pacific Gas and Electric Company, 925-779-7771, AEV1@PGE.COM
IMHO, on the assumption you very rarely telnet to the filer anyhow and that you have an allowed hosts list set up, and also on the assumption it's perhaps one hop from your admin hosts to your filer and that you are using switches that are nice and secure, I'd say the risk of a password being picked up was almost non-existent.
I looked at SecureAdmin but haven't actually used it; I think we pay enough already for the license cost without buying extra plugins that ought to be included FOC! :)
Steve
-- Stephen J. Wilcox Internet Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
On Wed, 29 Nov 2000, Villa, Tony wrote:
> I had a question for this group. My company just started to install Filers on our network and I was wondering if there are any products that you use to connect to the Filer to replace the standard telnet command. I know Network Appliance sells SecureAdmin but I was wondering if there are any others out there.
> Our security group is concerned about using telnet since any password that is sent is sent in clear text.
> Any suggestions are welcome; also, if SecureAdmin is being used, any input on it would be appreciated.
> Tony Villa, Sr. Network Specialist, ISTS/ITUSS/DC System Server Support, Pacific Gas and Electric Company, 925-779-7771, AEV1@PGE.COM
The only other means of avoiding clear text passwords that I know of is by trusting rsh access from other admin host(s), although this poses another security concern if your admin host(s) are compromised.
Also, the FilerView web admin program will allow password-less access from any machine(s) listed in the "telnet.hosts" option. This poses the same security concern if the machine(s) in "telnet.hosts" are compromised. I've heard that ONTAP may eventually support SSL for this - anyone from NTAP want to officially comment?
Both of these password-less schemes also have the disadvantage of sending the body of the session in the clear. If the data in your administrative session(s) is considered sensitive as well, neither may work for you.
SecureAdmin actually works quite well with a standard ssh client, hiding both the password and the body of the session. My guess is that an SSL-enabled FilerView, if ever created, would be packaged with ssh in the SecureAdmin license.
You can use "useradmin" to create multiple administrative accounts, but unfortunately they are all root equivalents. It would be really handy if parts of the OS were ACL'd off so that each administrative account could have custom-defined access to the OS. This would allow some users to be able to create CIFS shares and modify quotas, but not bounce the machine. *HINT* to dl-toasters@netapp.com *HINT* =)
-- Jeff
--
Jeff Krueger                              E-Mail: jeff@qualcomm.com
Senior Engineer                           Phone:  858-651-6709
NetApp Filers / UNIX Infrastructure       Fax:    858-651-6627
QUALCOMM, Inc. IT Engineering             Web:    www.qualcomm.com
On Wed, Nov 29, 2000 at 08:06:27PM -0800, Villa, Tony wrote:
> I had a question for this group. My company just started to install Filers on our network and I was wondering if there are any products that you use to connect to the Filer to replace the standard telnet command. I know Network Appliance sells SecureAdmin but I was wondering if there are any others out there.
> Our security group is concerned about using telnet since any password that is sent is sent in clear text.
> Any suggestions are welcome; also, if SecureAdmin is being used, any input on it would be appreciated.
> Tony Villa, Sr. Network Specialist, ISTS/ITUSS/DC System Server Support, Pacific Gas and Electric Company, 925-779-7771, AEV1@PGE.COM
At 01:36 AM 11/30/00 -0800, Jeffrey Krueger wrote:
> ... My guess is that an SSL-enabled FilerView, if ever created, would be packaged with ssh in the SecureAdmin license.
Correct. And it happened in Data ONTAP 6.0 and SecureAdmin 2.1.1. Here's what NOW says about SecureAdmin 2.1.1:
Supports Secure Sockets Layer (SSL) protocol
- Used instead of http for secure exchanges between filer and client
- Uses certificate-authority (CA) signed certificates to authenticate the filer
- Provides secure exchange using Secure FilerView (Secure FilerView introduced in Data ONTAP 6.0)
Jeffrey Krueger wrote:
> You can use "useradmin" to create multiple administrative accounts, but unfortunately they are all root equivalents. It would be really handy if parts of the OS were ACL'd off so that each administrative account could have custom-defined access to the OS. This would allow some users to be able to create CIFS shares and modify quotas, but not bounce the machine. *HINT* to dl-toasters@netapp.com *HINT* =)
Just wanted to say "hear hear" on that last comment. I understand that part of the "appliance" model is to get away from things like user accounts, but having all users be root isn't (in my opinion) a usable setup.
I'm using netsaint to monitor our network and would love to rsh off commands like quota so that I can have netsaint monitor quota levels. Unfortunately, to do this means creating a second root level account (the user we use for netsaint) and setting it up for password-less rsh. If the netsaint user is ever compromised, our filers are now at risk. Blech!
It's good to know that other customers feel the same about this. Not to over-spin the issue, but Alan brought up a good point - "ApplianceThink".
That is, we don't need a complicated user management system with password aging and dictionary lookups. In fact, I don't expect to create more than a handful (less than 10) administrative accounts on filers.
Even though these boxes are "appliances", they serve mission and business critical roles in mostly enterprise computing environments. These roles and types of environments necessitate different groups of people with different levels of basic access. Backup operators need to dump and restore, monitoring robots need read-only access to allocation and usage information, 1st and 2nd tier support need to create/delete/modify quotas, qtrees, exports, and shares, and 3rd tier engineering support needs full access.
All too often I hear appliance vendors say "we can't implement that small subset of functionality because it implies complexity which invalidates our appliance concept." It is ApplianceThink and is a bit narrow-minded. It would be great for NetApp to stand up and say "We're not afraid of throwing some small manageability features in - our product is still easier than our competitors".
Besides, I can't imagine any feature that could be added to ONTAP that would make it harder to use than, oh, say an Auspex? =)
-- Jeff
--
Jeff Krueger, NetApp CA                   E-Mail: jeff@qualcomm.com
Senior Engineer                           Phone:  858-651-6709
NetApp Filers / UNIX Infrastructure       Fax:    858-651-6627
QUALCOMM, Inc. IT Engineering             Web:    www.qualcomm.com
On Thu, Nov 30, 2000 at 10:37:42AM -0700, Alan Fleming wrote:
> Jeffrey Krueger wrote:
> > You can use "useradmin" to create multiple administrative accounts, but unfortunately they are all root equivalents. It would be really handy if parts of the OS were ACL'd off so that each administrative account could have custom-defined access to the OS. This would allow some users to be able to create CIFS shares and modify quotas, but not bounce the machine. *HINT* to dl-toasters@netapp.com *HINT* =)
> Just wanted to say "hear hear" on that last comment. I understand that part of the "appliance" model is to get away from things like user accounts, but having all users be root isn't (in my opinion) a usable setup.
> I'm using netsaint to monitor our network and would love to rsh off commands like quota so that I can have netsaint monitor quota levels. Unfortunately, to do this means creating a second root level account (the user we use for netsaint) and setting it up for password-less rsh. If the netsaint user is ever compromised, our filers are now at risk. Blech!
> -- Think Peace.
> - Alan (alanf@mancala.com) http://www.dorje.com/~alanf/
> KotBBBB (1988 GSXR1100J) RaceBike (FT500) DOD# 4210 PGP key available
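Since every filer account created with "useradmin" is root-equivalent, the per-role access Jeff and Alan ask for has to be enforced somewhere before the command reaches the filer. The sketch below is an added example, not code from the thread or from NetApp: a command gate on the admin host that checks a requested command line against a role's allowlist (backup, monitoring, tier 1/2 support, tier 3 engineering) before it would be relayed over the secure channel. The role names, the policy table and the audit format are assumptions for illustration.

```python
"""Role-based command gate for filer admin access (illustrative example).

Models the access split described in the thread: backup operators dump and
restore, monitoring robots get read-only usage commands, tier 1/2 support
manages quotas/qtrees/exports/shares, tier 3 gets everything. A real broker
would sit on the admin host and only relay ALLOWed commands to the filer.
"""
import shlex

# Each role maps to command prefixes it may run (constructed policy).
# A prefix is matched word-by-word against the start of the command line,
# so ("quota", "report") allows "quota report -q vol0" but not "quota off".
ROLE_ALLOW = {
    "backup":  [("dump",), ("restore",)],
    "monitor": [("quota", "report"), ("df",), ("sysstat",)],
    "tier12":  [("quota",), ("qtree",), ("exportfs",), ("cifs", "shares")],
    "tier3":   [()],  # the empty prefix matches everything: full access
}

# Commands nobody short of tier 3 may run, even when a prefix above would
# otherwise match (tier12 gets "quota", but never gets to bounce the box).
DENY_UNLESS_TIER3 = {"halt", "reboot", "priv", "options"}


def is_allowed(role, cmdline):
    """Return True if *role* may run *cmdline*, False otherwise (default deny)."""
    argv = shlex.split(cmdline)
    if not argv:
        return False
    prefixes = ROLE_ALLOW.get(role)
    if prefixes is None:
        return False                      # unknown role: deny
    if argv[0] in DENY_UNLESS_TIER3 and role != "tier3":
        return False
    return any(tuple(argv[:len(p)]) == p for p in prefixes)


def gate(role, cmdline, audit=None):
    """Decide and record. Returns "ALLOW" or "DENY"; *audit* (a list) stands
    in for the syslog line a real broker would emit for every request."""
    decision = "ALLOW" if is_allowed(role, cmdline) else "DENY"
    if audit is not None:
        audit.append(f"{decision} role={role} cmd={cmdline!r}")
    return decision
```

A compromised monitoring account is then limited to the read-only commands in its allowlist, which is the exposure Alan's netsaint example lacks when the account is root-equivalent on the filer itself.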