SolidFire and HCI

HCI hardening

chinchillaking

Hi All,

I can find the ONTAP and SANtricity hardening guides; does anyone know how I could obtain the HCI hardening guide? Thanks.

Best regards,

Chung

1 ACCEPTED SOLUTION

elementx

https://www.netapp.com/media/21791-tr-4860.pdf <= this TR

You can also see PCI DSS (https://www.coalfire.com/insights/resources/white-papers/netapp-hci-verified-architecture-for-pci-dss) and https://www.netapp.com/media/17065-nva1143.pdf

Generally speaking, you can apply ESXi hardening from VMware, and for NetApp HCI there are 2 components:

a) Management Node (mNode and HCC that runs on it) - VM (which should be exposed only to vCenter).

b) NetApp HCI Storage (Management Interfaces) - Management IP of every storage node, and one Management Virtual IP. These need to be exposed to vCenter (for management purposes) and possibly other hosts that live on the Management Network (e.g. backup management system, if it needs to use SolidFire snapshots, for which it needs to talk to the Management Virtual IP of storage).

Assuming mNode, HCC and vCenter can connect to AD/LDAP, you could use AD/LDAP based account aliases or group aliases to eliminate the use of the local NetApp HCI cluster admin account, and manage password expiration and complexity via AD/LDAP. There's also MFA if you want/need that. You can also use KMIP to entrust encryption keys to an external Key Manager (by default the NetApp HCI cluster manages the encryption keys used to encrypt SED disks).

I would definitely recommend generating and uploading your own CA-generated TLS certificates to MVIP and mNode.

If you want to harden iSCSI (Storage Network) security, you can introduce more complex access (CHAP + VLAN + Access Groups), but that may require reconfiguration of your existing networks (which may be impossible without downtime, but this depends on your details and number of compute nodes - if you have just 2-3 and want to introduce new VLANs, you may need to schedule downtime to make significant changes to vSphere networking).
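Two of the points above (replace the local cluster admin with AD/LDAP aliases, and put iSCSI volumes behind Access Groups) can be checked over the Element JSON-RPC API that the MVIP exposes. The script below is an added example, not code from the thread or from NetApp: it audits the results of the `ListClusterAdmins` and `ListActiveVolumes` calls against constructed sample responses, and the live call helper verifies the MVIP's TLS certificate against the CA bundle you uploaded rather than disabling verification. The field names (`authMethod`, `volumeAccessGroups`) and the API version are assumptions taken from the Element API reference; check them against your cluster's version.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

API_VERSION = "12.3"  # assumed; match your cluster's Element version


def element_rpc(mvip, user, password, method, params=None, cafile=None):
    """POST one JSON-RPC request to https://<MVIP>/json-rpc/<version>.
    TLS is verified with the CA that signed the cert uploaded to the MVIP."""
    ctx = ssl.create_default_context(cafile=cafile)
    auth = b64encode(f"{user}:{password}".encode()).decode()
    body = json.dumps({"method": method, "params": params or {}, "id": 1}).encode()
    req = urllib.request.Request(
        f"https://{mvip}/json-rpc/{API_VERSION}", data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["result"]


def audit(cluster_admins, volumes):
    """Flag cluster admins that are not LDAP-backed (local accounts) and
    active volumes that sit in no volume access group (assumed field names)."""
    local_admins = sorted(a["username"] for a in cluster_admins
                          if a.get("authMethod") != "Ldap")
    no_vag = sorted(v["volumeID"] for v in volumes
                    if not v.get("volumeAccessGroups"))
    return {"local_admins": local_admins, "volumes_without_vag": no_vag}


# Constructed sample responses, not taken from a real cluster.
SAMPLE_ADMINS = [
    {"clusterAdminID": 1, "username": "admin", "authMethod": "Cluster", "access": ["administrator"]},
    {"clusterAdminID": 2, "username": "CORP\\storage-admins", "authMethod": "Ldap", "access": ["administrator"]},
]
SAMPLE_VOLUMES = [
    {"volumeID": 1, "name": "vmfs-01", "accountID": 1, "access": "readWrite", "volumeAccessGroups": [1]},
    {"volumeID": 2, "name": "backup-01", "accountID": 2, "access": "readWrite", "volumeAccessGroups": []},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ADMINS, SAMPLE_VOLUMES), indent=2))
    # Against a cluster (hypothetical values):
    # admins = element_rpc(MVIP, USER, PW, "ListClusterAdmins", cafile="ca.pem")["clusterAdmins"]
    # vols = element_rpc(MVIP, USER, PW, "ListActiveVolumes", cafile="ca.pem")["volumes"]
    # print(audit(admins, vols))
```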

2 REPLIES


ddansf

I created a KB based on this thread and added a few additional links/resources:

Where is the HCI hardening guide located?

Lots of overlap between HCI and AFA deployments here -- the API-driven topics apply to both, for instance.
