SolidFire and HCI

HCI hardening

chinchillaking
2,339 Views

Hi All,

 

I can found OnTap and Santricity hardening guide, anyone know how could obtain HCI hardening guide? Thanks.

 

 

Best regards,

 

Chung

1 ACCEPTED SOLUTION

elementx
2,310 Views

https://www.netapp.com/media/21791-tr-4860.pdf < = this TR

 

You can also see PCI DSS (https://www.coalfire.com/insights/resources/white-papers/netapp-hci-verified-architecture-for-pci-dss) and https://www.netapp.com/media/17065-nva1143.pdf

 

Generally speaking, you can apply ESXi hardening from VMware, and for NetApp HCI there are 2 components:

a) Management Node (mNode and HCC that runs on it) - VM (which should be exposed to only vCenter).

b) NetApp HCI Storage (Management Interfaces) - Management IP of every storrage node, and one Management Virtual IP. These need to be exposed to vCenter (for management purposes) and possibly other hosts that live on Management Network (e.g. backup management system, if it needs to use SolidFire snapshots, for which it needs to talk to Management Virtual IP of storage).

Assuming mNode, HCC and vCenter can connect to ADS/LDAP, you could use AD/LDAP based account aliases or group aliases, to eliminate the use of local NetApp HCI cluster admin account, and manage password expiration and complexity via AD/LDAP.  There's also MFA if you want/need that. You can also use KMIP to entrust encryption keys to external Key Manager (by default NetApp HCI cluster manages encryption keys used to encrypt SED disks).

 

I would definitively recommend to generate and upload own CA-generated TLS certificates to MVIP and mNode.

 

If you want to harden iSCSI (Storage Network) security, you can introduce more complex access (CHAP + VLAN + Access Groups), but that may require reconfiguration of your existing networks (which may be impossible without downtime, but this depends on your details and number of compute nodes - if you have just 2-3 and want to introduce new VLANs, you may need to schedule downtime to make significant changes to vSphere networking).

View solution in original post

2 REPLIES 2

elementx
2,311 Views

https://www.netapp.com/media/21791-tr-4860.pdf < = this TR

 

You can also see PCI DSS (https://www.coalfire.com/insights/resources/white-papers/netapp-hci-verified-architecture-for-pci-dss) and https://www.netapp.com/media/17065-nva1143.pdf

 

Generally speaking, you can apply ESXi hardening from VMware, and for NetApp HCI there are 2 components:

a) Management Node (mNode and HCC that runs on it) - VM (which should be exposed to only vCenter).

b) NetApp HCI Storage (Management Interfaces) - Management IP of every storrage node, and one Management Virtual IP. These need to be exposed to vCenter (for management purposes) and possibly other hosts that live on Management Network (e.g. backup management system, if it needs to use SolidFire snapshots, for which it needs to talk to Management Virtual IP of storage).

Assuming mNode, HCC and vCenter can connect to ADS/LDAP, you could use AD/LDAP based account aliases or group aliases, to eliminate the use of local NetApp HCI cluster admin account, and manage password expiration and complexity via AD/LDAP.  There's also MFA if you want/need that. You can also use KMIP to entrust encryption keys to external Key Manager (by default NetApp HCI cluster manages encryption keys used to encrypt SED disks).

 

I would definitively recommend to generate and upload own CA-generated TLS certificates to MVIP and mNode.

 

If you want to harden iSCSI (Storage Network) security, you can introduce more complex access (CHAP + VLAN + Access Groups), but that may require reconfiguration of your existing networks (which may be impossible without downtime, but this depends on your details and number of compute nodes - if you have just 2-3 and want to introduce new VLANs, you may need to schedule downtime to make significant changes to vSphere networking).

ddansf
2,091 Views

I created a KB based on this thread with and added a few additional links/resources:

Where is the HCI hardening guide located? 

Lots of overlap between HCI and AFA deployments here -- the API-driven topics apply to both, for instance. 

Public