Sun ZFS Appliance Monitor Security Guide, Version 1.0 Part No.: E35143-01 Mfg No.: July 2012
Copyright 2012, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related software documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. Copyright 2012, Oracle et/ou ses affiliés. Tous droits réservés. Ce logiciel et la documentation qui l accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictions d utilisation et de divulgation. Sauf disposition de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, breveter, transmettre, distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il est interdit de procéder à toute ingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d interopérabilité avec des logiciels tiers ou tel que prescrit par la loi. Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu elles soient exemptes d erreurs et vous invite, le cas échéant, à lui en faire part par écrit. Si ce logiciel, ou la documentation qui l accompagne, est concédé sous licence au Gouvernement des Etats-Unis, ou à toute entité qui délivre la licence de ce logiciel ou l utilise pour le compte du Gouvernement des Etats-Unis, la notice suivante s applique : U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. Ce logiciel ou matériel a été développé pour un usage général dans le cadre d applications de gestion des informations. Ce logiciel ou matériel n est pas conçu ni n est destiné à être utilisé dans des applications à risque, notamment dans des applications pouvant causer des dommages corporels. Si vous utilisez ce logiciel ou matériel dans le cadre d applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesures nécessaires à son utilisation dans des conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causés par l utilisation de ce logiciel ou matériel pour ce type d applications. Oracle et Java sont des marques déposées d Oracle Corporation et/ou de ses affiliés.tout autre nom mentionné peut correspondre à des marques appartenant à d autres propriétaires qu Oracle. Intel et Intel Xeon sont des marques ou des marques déposées d Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou des marques déposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d Advanced Micro Devices. UNIX est une marque déposée d The Open Group. Ce logiciel ou matériel et la documentation qui l accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des services émanant de tiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers. En aucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou des dommages causés par l accès à des contenus, produits ou services tiers, ou à leur utilisation. Please Recycle
Contents Using This Documentation v 1. Overview 1 Product Overview 1 Basic Security Principles 2 Keep Software Up To Date 2 Restrict Network Access to Critical Services 2 Follow the Principle of Least Privilege 2 Monitor System Activity 3 Monitor System Components 3 Audit and Review 3 Keep Up To Date on Latest Security Information 3 Mobile Device Security Features 3 Architecture Overview 4 2. Secure Installation and Configuration 5 Installation Overview 5 Password Protection 5 3. Security Features 7 Security Model 7 iii
Configuring and Using Authentication 7 Configuring and Using Access Control 8 Granting Privileges 8 Secure Deployment Checklist 8 Create a Separate User Account 9 Use a Secure Password for the User Account 9 Use a Strong Passcode on the ios Device 9 VPN Access to Appliances 9 iv Sun ZFS Appliance Monitor Security Guide July 2012
Using This Documentation This guide describes important information related to security of the Sun ZFS Appliance Monitor. It is written for technicians, system administrators, authorized service providers, and users who administer Sun ZFS Storage Appliances. Product Notes on page v Related Documentation on page vi Feedback on page vi Support and Accessibility on page vi Product Notes For late-breaking information and known issues about this product, refer to the product notes at: http://docs.oracle.com/cd/e35147_01/html/e35145/ v
Related Documentation Documentation Sun ZFS Appliance Monitor Configuration Guide Sun ZFS Storage Appliance documentation library All Oracle products Oracle Solaris OS and systems software library Apple ios Security iphone in Business ipad in Business Links http://docs.oracle.com/cd/e35147_01/html/e35144/index.html http://docs.oracle.com/cd/e26765_01/index.html http://www.oracle.com/documentation http://www.oracle.com/technetwork/indexes/documentation/ index.html#sys_sw http://images.apple.com/iphone/business/docs/ios_security_in troduction_mar12.pdf http://www.apple.com/iphone/business/integration/ http://www.apple.com/ipad/business/integration/ Feedback Provide feedback about this documentation at: http://www.oracle.com/goto/docfeedback Support and Accessibility No technical support is offered with the Sun ZFS Appliance Monitor app. Oracle s technical support organization will not provide technical support, phone support, or updates for this app. Please use the feedback email link provided in the app s information page, or send feedback via email to: oracle_appliance_monitor_app_ww_grp@oracle.com. A best effort will be made to address known issues in future app updates. vi Sun ZFS Appliance Monitor Security Guide July 2012
Description Access electronic support through My Oracle Support Links http://support.oracle.com For hearing impaired: http://www.oracle.com/accessibility/support.html Learn about Oracle s commitment to accessibility http://www.oracle.com/us/corporate/accessibility/index.html Using This Documentation vii
viii Sun ZFS Appliance Monitor Security Guide July 2012
CHAPTER 1 Overview This chapter provides an overview of Oracle s Sun ZFS Appliance Monitor and explains the general principles of application security. Product Overview Oracle s Sun ZFS Appliance Monitor (appliance monitor) is a read-only extension of the Sun ZFS Storage Appliance (appliance) browser user interface (BUI). Leveraging the existing XML-RPC framework on the appliance, it can query user-configured appliances and present the same information as the BUI in a rich, convenient, and scalable interface. This information includes: Dashboard with service status Shares with capacity and current consumption Resource utilization Logs (Alerts, System, Fault, Audit, Phone Home) Active system problems Analytics worksheets High-level group status (storage usage, problems, overall hardware status) The appliance monitor runs on Apple ios 5 and is designed for the iphone, which provides for the greatest mobility. Management of the appliance, such as creating shares and pools, enabling/disabling services, are not features of the appliance monitor. With such a small form-factor, we want to avoid any accidental destruction of important information, or loss of service. All mobile devices have a feature to enable a passcode on the mobile device, preventing unwanted users from accessing the application. All communication that takes places between the appliance monitor and a server is done through the use of Secure Socket Layer (SSL). 1
Basic Security Principles The following principles are fundamental to using any application securely. Keep Software Up To Date One of the principles of good security practice is to keep all software versions and patches up to date. You will be notified when updates are available for download from the Apple App Store. You configure the latest version of the appliance monitor using the information in this guide and the Sun ZFS Appliance Monitor Configuration Guide. Restrict Network Access to Critical Services You can use the appliance monitor anywhere there is Internet connectivity. In most cases, the appliance will be behind a firewall within a corporate network, restricting access from outside sources. You will need to download a VPN client for corporate network access. The appliance monitor is capable of network communication within a secure VPN session. Follow the Principle of Least Privilege The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Over ambitious granting of responsibilities, roles, grants, and so forth, especially early in an organization s life cycle when people are few and work needs to be done quickly, often leaves a system wide open for abuse. Because the appliance monitor is only a monitoring tool, you cannot perform tasks that alter the state of the appliance. Limit privileges as much as possible. Give users only the access necessary to perform their work. Review user privileges periodically to determine relevance to current work requirements. Rights and privileges for the user account are dictated to the appliance monitor by the appliance. In doing so, the appliance monitor inherits the rules and policies enforced by the appliance. 2 Sun ZFS Appliance Monitor Security Guide July 2012
Monitor System Activity The appliance monitor places a strong emphasis on being able to view the health and status of a single appliance. It also scales to provide the status for an entire data center, giving you the option to drill down on a potentially problematic situation. You must regularly check for status and notifications returned by the appliance monitor to stay abreast of any potential problems that could arise in a data center. System security relies on good security protocols, proper system configuration, and system monitoring. Auditing and reviewing audit records address system monitoring. Each component within a system has some degree of monitoring capability. Follow audit advice in this document and regularly monitor audit records. Monitor System Components Establish which users have access, and frequency of access, to specific system components. Monitor these components regularly. Audit and Review An audit log, which contains records of login and system configuration activity, is maintained by the appliance. You can view the audit log using the appliance monitor. You should plan to regularly check the audit log for unusual or unauthorized activity. Keep Up To Date on Latest Security Information The appliance monitor is available for download from the Apple App Store. You will be notified when a new version of the app is available and it is recommended that you apply updates when notified. Product updates, that include security-related patch updates and security alerts, will be released regularly. You must install all product updates and security patches as soon as possible. Mobile Device Security Features Your Apple mobile device offers these security features: Password protection Apple Remote Wipe. If your mobile device is lost or stolen, all settings and data can and should be deleted. Chapter 1 Overview 3
Network traffic generated by the appliance monitor will go through SSL (Secure Sockets Layer) encrypting data sent to the appliance. Architecture Overview The following diagram illustrates the various states of the appliance monitor application. 4 Sun ZFS Appliance Monitor Security Guide July 2012
CHAPTER 2 Secure Installation and Configuration This chapter outlines the planning process for a secure installation and describes the recommended deployment process. Installation Overview The latest version of the Sun ZFS Appliance Monitor (appliance monitor) is available for download from the Apple App Store. After you install the app on your iphone, configure the appliance monitor in one of two ways: User Accounts Create a separate user account specifically for the appliance monitor. Administrative privileges are not required for this account. Encrypted Configuration File Create a configuration file on a temporary, nonencrypted disk. The file is then encrypted using AES-128 CBC and stored on a RAM disk on a server that is behind a firewall, which has restricted access. Establish an HTTPS connection before downloading the encrypted configuration file to your mobile device. Password Protection All appliance monitor passwords are encrypted and stored using keychain data. The keychain data is stored outside of the application s sandbox, which prevents access to the data by users and other applications. The keychain data ia backed up when you back up your mobile device using itunes. When you download the host configuration file, do the following: 5
Create the configuration file on a temporary RAM disk (non-encrypted) Move the encrypted file to stable storage Choose passwords that: consist of more than 6 characters do not contain an account name, or common first and last (surname) names; are not common dictionary words, or words with pre-fixed and/or post-fixed with numbers contain a mixture of letters and numbers contain at least one special character (for example, $,@,&) Be sure the server maintaining the host configuration file is behind a firewall with restricted access. Establish a secure connection (HTTPS) between the appliance monitor and the host containing the configuration file before downloading. 6 Sun ZFS Appliance Monitor Security Guide July 2012
CHAPTER 3 Security Features This chapter provides a high-level overview of the threats that the system is designed to counter and how the individual security features combine to prevent the attacks. Security Model The critical security features that provide protection are: Authentication The appliance monitor relies on current mechanisms used by the Sun ZFS Storage Appliance. Authorization The appliance monitor requires an account on the appliance to gain authorization. All user privileges and policies for the account are enforced by the appliance. Confidentiality All application data generated by the appliance monitor is stored in a secure sandbox directory on the mobile device. The data is automatically encrypted, but is more secure if the device password is set. Configuring and Using Authentication All authentication configuration is done through the configuration view on the appliance monitor which includes both the manual option and the remote configuration file option (see Installation Overview on page 5). All authentication is user name and password based. Without credentials, the appliance monitor is unable to access the appliance. 7
Configuring and Using Access Control Authorization includes primarily two processes: Permitting only certain users to access, process, or alter data Applying varying limitations on user access or actions. The limitations placed on (or removed from) users can apply to objects, such as schemas, tables, or rows; or to resources, such as time (CPU, connect, or idle times). The basic concepts and mechanisms for placing or removing such limitations on users, individually or in groups, are described in the next section. Granting Privileges A privilege is a right to execute a particular type of XML-RPC command on the appliance. Some examples of privileges include the right to: Log in to the appliance View system status View analytical data Receive problem notifications Mark issues as repaired Flash LEDs on the appliance These types of privileges should only be granted to a user who requires this kind of functionality in their job responsibilities. Ultimately the appliance monitor logs into a user account on the appliance, and Solaris enforces the appropriate user policies, based on administrator settings. Secure Deployment Checklist Following is a recommended set of criteria that should be met to safely and securely deploy the appliance monitor. It is strongly recommended that these requirements are met. 8 Sun ZFS Appliance Monitor Security Guide July 2012
Create a Separate User Account In the appliance BUI, create a separate user account specifically for use with the appliance monitor. Like any other user, the appliance monitor requires a user account to gain access to the appliance. The account is created on the appliance itself. Likewise, all permissions (promotions/demotions) and privileges are administered on the appliance. Use the guidelines for least privileges discussed in the Configuring and Using Access Control when creating and delegating privileges to users. Use a Secure Password for the User Account When choosing a password for the user account accessed by the appliance monitor, pick a string of at least eight characters. Longer passwords introduce a greater number of possibilities, making it harder to guess with each additional character. Also of importance, is the complexity of the password. To introduce a higher level of complexity, the password should contain characters from each of the following categories: Lowercase alpha: a-z Uppercase alpha: A-Z Numeric: 0,1,2,3,4,5,6,7,8,9 Special characters (for example, * & ^ % $ # @!) Do not repeat any characters or use passwords that represent names of people, places, things, or events. Use a Strong Passcode on the ios Device Similar to the account password on the appliance, select a passcode for the mobile device that does not contain duplicate number or characters. Similarly, do not use a password that is representative of anything well known. VPN Access to Appliances Because the appliance is an enterprise class NAS appliance, it typically is deployed (although not always) in a private network environment. When accessing the appliance, under no circumstances is it recommended to enable port forwarding or introduce any additional mechanism that will allow external, unintended traffic into Chapter 3 Security Features 9
the private network. The appliance monitor should access an appliance directly on the same network, or remotely, by using a secure VPN client approved by the company maintaining the appliances and the networks on which they reside. 10 Sun ZFS Appliance Monitor Security Guide July 2012