Security is always a top priority, so here are some things to consider as CDOT gets rolled out at TR.

1. Full disk encryption (aka NetApp Storage Encryption)

2. Non-returnable disk (NRD) entitlement

3. SafeNet: the replacement for the DataFort data encryption devices is SafeNet StorageSecure. SafeNet can do file encryption, key management, logging and auditing, and DB/APP encryption.

4. RBAC: CDOT implements command-specific control, meaning you can give a group or user access to a single command or command tree. For example, you can give someone access to just "network interface" or, even more restricted, "network interface show".

5. Firewall! You can set system-level, vserver-level, and per-interface firewall policies.

6. Use SSH (disable telnet and rsh).

7. Alter the SSH encryption algorithms per SVM:
   a. Ciphers: aes256-ctr, aes192-ctr, aes128-ctr
   b. Key exchange: diffie-hellman-group-exchange-sha256
   c. Commands: security ssh show / security ssh modify -vserver <svm> -key-exchange-algorithms <list> -ciphers <list>
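To audit the per-SVM SSH settings above across a cluster, here is an added Python example (not from the original post) that parses the kind of table `security ssh show` prints and reports every SVM still allowing ciphers or key-exchange algorithms outside the hardened lists, then builds the matching `security ssh modify` command. The sample output is constructed to approximate that layout; the three-column structure and the SVM names are assumptions.

```python
"""Audit `security ssh show` output for SVMs that still allow weak SSH algorithms."""
from dataclasses import dataclass

# Hardened sets from the checklist: CTR ciphers only, SHA-256 group exchange only.
ALLOWED_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]
ALLOWED_KEX = ["diffie-hellman-group-exchange-sha256"]

# Constructed sample approximating `security ssh show` columns
# (vserver, comma-separated ciphers, comma-separated key-exchange algorithms).
SAMPLE_SSH_SHOW = """\
Vserver    Ciphers                              Key Exchange Algorithms
---------- ------------------------------------ ---------------------------------------------------------------
cluster1   aes256-ctr,aes192-ctr,aes128-ctr     diffie-hellman-group-exchange-sha256
svm_nas    aes256-ctr,aes128-cbc,3des-cbc       diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
svm_test   aes256-ctr,aes192-ctr,aes128-ctr     diffie-hellman-group-exchange-sha256
"""


@dataclass
class Finding:
    vserver: str
    weak_ciphers: list
    weak_kex: list


def parse_ssh_show(text):
    """Return (vserver, ciphers, kex) per data row; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "Vserver" or parts[0].startswith("-"):
            continue
        vserver, ciphers, kex = parts
        rows.append((vserver, ciphers.split(","), kex.split(",")))
    return rows


def audit(text):
    """Return one Finding per SVM whose ciphers or kex fall outside the hardened sets."""
    findings = []
    for vserver, ciphers, kex in parse_ssh_show(text):
        weak_c = sorted(c for c in ciphers if c not in ALLOWED_CIPHERS)
        weak_k = sorted(k for k in kex if k not in ALLOWED_KEX)
        if weak_c or weak_k:
            findings.append(Finding(vserver, weak_c, weak_k))
    return findings


def remediation_command(finding):
    """Build the `security ssh modify` line that restricts the SVM to the hardened sets."""
    return (f"security ssh modify -vserver {finding.vserver} "
            f"-ciphers {','.join(ALLOWED_CIPHERS)} "
            f"-key-exchange-algorithms {','.join(ALLOWED_KEX)}")
```

Run it against saved `security ssh show` output from each cluster and review the findings before applying the generated modify commands.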
8. Reduce the default CLI session time-out:
   a. Command: system timeout modify -timeout 10

9. SSL/TLS:
   a. FIPS mode (Federal Information Processing Standards)
   b. TLS only! Command: system services web modify -sslv3-enabled false

10. Lock down export/share policies:
   a. According to subnet
   b. NFS/CIFS ACLs

11. Implement off-box antivirus.

12. FPolicy: file-based event notification.
   a. Based on file type, share/export, volume.
   b. Allows you to monitor blocked access attempts.

13. Log events to an external syslog server (event command set).