Monday, June 1, 2015

CDOT Tip #7

Security is always a top priority, so here are some things to consider as CDOT (clustered Data ONTAP) gets rolled out at TR.
1. Full disk encryption (aka NetApp Storage Encryption, NSE): self-encrypting drives whose authentication keys are held on an external key manager rather than on the controller, so a disk pulled from the shelf is unreadable on its own.
2. Non-returnable disk (NRD) entitlement: failed drives stay with us instead of going back to the vendor, so no data-bearing media leaves the building.
3. SafeNet: the replacement for the DataFort data encryption devices is SafeNet StorageSecure. SafeNet can do file encryption, key management, logging and auditing, and DB/APP encryption.
4. RBAC: CDOT implements command-directory-specific control, meaning a role can be limited to a single command or command tree and then assigned to a user or group. For example, a role can be given just "network interface", or even more narrowly "network interface show". Roles are built with "security login role create" and bound to accounts with "security login create".
5. Firewall! You can set system-level, vserver-level, and per-interface (LIF) firewall policies with "system services firewall policy", and attach a policy to a LIF with "network interface modify -firewall-policy".
6. Use SSH (disable telnet and rsh). Both are off by default in CDOT; confirm with "security protocol show".
7. Alter the SSH encryption algorithms per SVM (CDOT 8.3 and later). Set them on the cluster (admin) SVM as well as on each data SVM that has a management LIF:
   a. ciphers: aes256-ctr, aes192-ctr, aes128-ctr (this drops the default CBC-mode and 3DES ciphers)
   b. key exchange: diffie-hellman-group-exchange-sha256 (this drops the SHA-1 and group1 exchanges)
   c. Commands: "security ssh show" and "security ssh modify -vserver <svm> -key-exchange-algorithms <list> -ciphers <list>"
8. Reduce the default CLI session time-out (30 minutes):
   a. Command: "system timeout modify -timeout 10" (value in minutes)
9. SSL/TLS
   a. FIPS mode (Federal Information Processing Standards 140-2 validated crypto for the management interfaces)
   b. TLS only! SSLv3 is broken (POODLE). Command: "system services web modify -sslv3-enabled false"
10. Lock down export/share policies
   a. by subnet: NFS export-policy rules with a -clientmatch of the client subnet (never 0.0.0.0/0) and -superuser none unless root access is genuinely required
   b. NFS/CIFS ACLs: CIFS share ACLs (replace the default Everyone / Full Control entry) plus the NTFS or UNIX permissions on the files themselves
11. Implement off-box antivirus (Vscan: on-access scanning by external AV servers in a scanner pool).
12. FPolicy: file-based event notification.
   a. scoped by file extension, share/export, or volume
   b. lets you block file types by extension (native engine) and monitor the blocked access attempts; an external FPolicy server can monitor or block on any file operation
13. Log events to an external syslog server (event command set: "event destination create -syslog" and "event route add-destinations").
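The checklist above as one clustershell session, added here as a worked example; it is not part of the original post and not NetApp's own documentation. The SVM names (cluster1, svm1), the LIF, role, policy, share and volume names, the TR\ group names and the 10.1.x.x addresses are placeholders. Option names follow the CDOT 8.3 clustershell as I know it (the firewall-policy and "security login create" options differ in 8.2, and several were renamed again in ONTAP 9), so verify each with tab completion on your release before pasting. Lines starting with # are annotations, not commands.

```text
# --- RBAC: a role that can run only "network interface show", bound to one SSH user
security login role create -vserver svm1 -role lif-viewer -cmddirname "network interface show" -access all
# (a role with -cmddirname "network interface" -access readonly would cover the whole tree, read-only)
security login create -vserver svm1 -username netops1 -application ssh -authmethod password -role lif-viewer

# --- Firewall: SSH and HTTPS to svm1's management LIF only from the admin subnet
system services firewall policy create -vserver svm1 -policy mgmt-only -service ssh -allow-list 10.1.0.0/16
system services firewall policy create -vserver svm1 -policy mgmt-only -service https -allow-list 10.1.0.0/16
network interface modify -vserver svm1 -lif svm1_mgmt -firewall-policy mgmt-only

# --- SSH only: telnet and rsh must show "enabled false"
security protocol show
security protocol modify -application telnet -enabled false
security protocol modify -application rsh -enabled false

# --- SSH algorithms: CTR ciphers and SHA-256 group exchange only, on the admin SVM and each data SVM
security ssh show
security ssh modify -vserver cluster1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -key-exchange-algorithms diffie-hellman-group-exchange-sha256
security ssh modify -vserver svm1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -key-exchange-algorithms diffie-hellman-group-exchange-sha256

# --- CLI idle timeout: default is 30 minutes
system timeout modify -timeout 10

# --- TLS only on the management web services (SSLv3 off), then confirm
system services web modify -sslv3-enabled false
system services web show

# --- Exports: one client subnet, AUTH_SYS, no root access; attach the policy to the volume
vserver export-policy create -vserver svm1 -policyname app-subnet
vserver export-policy rule create -vserver svm1 -policyname app-subnet -clientmatch 10.1.20.0/24 -protocol nfs -rorule sys -rwrule sys -superuser none
volume modify -vserver svm1 -volume appdata -policy app-subnet
# CIFS share ACL: drop the default Everyone / Full_Control entry, grant one AD group
vserver cifs share access-control delete -vserver svm1 -share appdata -user-or-group Everyone
vserver cifs share access-control create -vserver svm1 -share appdata -user-or-group "TR\app-users" -permission Change

# --- Off-box antivirus: scanner pool of external AV servers, on-access policy enabled
vserver vscan scanner-pool create -vserver svm1 -scanner-pool av-pool -servers 10.1.5.20,10.1.5.21 -privileged-users "TR\svc-vscan"
vserver vscan scanner-pool apply-policy -vserver svm1 -scanner-pool av-pool -scanner-policy primary
vserver vscan on-access-policy enable -vserver svm1 -policy-name default_CIFS
vserver vscan enable -vserver svm1

# --- FPolicy native engine: block executables written into appdata and monitor the denied attempts
vserver fpolicy policy event create -vserver svm1 -event-name cifs-write -protocol cifs -file-operations create,rename,write
vserver fpolicy policy create -vserver svm1 -policy-name block-exe -events cifs-write -engine native
vserver fpolicy policy scope create -vserver svm1 -policy-name block-exe -volumes-to-include appdata -file-extensions-to-include exe,dll,scr
vserver fpolicy enable -vserver svm1 -policy-name block-exe -sequence-number 1

# --- Ship EMS events of severity ERROR and above to the SOC syslog collector
event destination create -name syslog-soc -syslog 10.1.5.10
event route add-destinations -messagename * -severity <=ERROR -destinations syslog-soc
```

Two points worth checking after running this: "security ssh show" on a cluster that has been upgraded from an earlier release still lists the old CBC ciphers until you modify each SVM, and an export policy with no rules denies everything, so create the rule before pointing the volume at the policy or the application loses access during the change.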
