Configuring SafeNet StorageSecure in a CIFS Domain Module 2: Lesson 2 SafeNet StorageSecure Storage Security Course
Lesson Objectives
• By the end of this lesson, you should be able to:
  • Add CIFS domain, server, and shares
  • Secure CIFS data using encryption
  • Use StorageSecure Access Control Lists (ACLs)
  • Configure SafeNet StorageSecure Security Settings
Typical NAS Deployment (diagram: virtual host between clients and storage)
StorageSecure appliances are deployed in a NAS environment between the hosts and the storage appliance. StorageSecure has two interfaces: a client interface, to which all clients connect, and a storage interface, to which the actual storage connects. Clients are required to send their I/O requests to the StorageSecure client interface. The actual shares accessible on the file-server interface are virtualized on the client interface.
Adding Domain, Server & Share & Securing Data
• To add SafeNet StorageSecure to a CIFS environment:
  • Create a “Domain Access User” on the domain
  • Add a CIFS domain
  • Add a CIFS file server
  • Add a virtual server (VIP)
  • Add a share
  • Virtualize the share to the VIP
  • Create a Storage Vault
Domain Access User
• The Domain Access User is a special user account in the SafeNet StorageSecure Management Console for accessing Windows or LDAP domains
• In a Windows domain:
  • Discovers servers and shares
  • Syncs users and groups with the domain controller
• In an LDAP domain:
  • Syncs users and groups with the LDAP server
• The Domain Access User cannot access data through the SafeNet StorageSecure Management Console
• Can be any user in a Windows domain
Adding a CIFS Domain – Access User
Enter the Domain Access User's credentials. The account needs full access control on every share that is to be encrypted.
Virtualizing Shares (screenshot: virtual server Vhost1)
Adding a Storage Vault (screenshot: cross mapping of share1)
Storage Vault Access through CIFS (diagram: real share on the file server; virtual share accessed via StorageSecure)
Additional Notes and the Storage Vault
• StorageSecure can have up to 1500 Storage Vaults.
• Nested Storage Vaults are not supported.
• On Storage Vault creation a hidden system “.decru” file is written to the Storage Vault.
  • The .decru file contains metadata relating to the key used for encryption.
  • A lost or deleted .decru file will leave data accessible until StorageSecure is rebooted.
  • Re-creation of the .decru file is possible.
• Each Storage Vault has an associated Storage Vault Key.
• Each file within the Storage Vault:
  • has 512 bytes of metadata added to its file header;
  • is associated with a unique R-Key.
  • The R-Key processes the file before and after encryption to ensure that the cipher text differs across files sharing the same content.
• Storage Vaults can be multi-protocol: CIFS and NFS.
Storage Vault Menu Options
• Access Control
• IP Restriction
• Rekey
• Export Trustee Keys
• Delete
SafeNet StorageSecure and User or Group Memberships
• When adding a Storage Vault, the share’s ACL is synchronized with StorageSecure
• If there is a conflict between the SafeNet StorageSecure ACL and the Windows ACL, the more restrictive ACL applies
User or Group Import
• SafeNet StorageSecure automatically imports user and group information from the Windows domain for:
  • Users who have initial access to shares
  • Users who are added to the ACL of a Storage Vault
  • Users who are members of a group added to the ACL of a Storage Vault
  • Users who access a Storage Vault with the Everyone group in its ACL
  • Users who register with SafeNet StorageSecure
• StorageSecure queries the domain controller every 30 minutes to check for changes
ACL Import
• ACLs should be set on the share before creating a Storage Vault
• SafeNet StorageSecure syncs the ACL with the file server when the Storage Vault is created
• The ACL can then be modified at either the file server or SafeNet StorageSecure
• Security settings affect how the ACLs are evaluated:
  • If the Local ACL option is disabled, only the storage server’s ACL is honored
  • If the Local ACL option is enabled, the most restrictive permissions are used
Local ACLs and SafeNet StorageSecure
• CIFS ACLs are synchronized when a Storage Vault is created
• Changes to an ACL made at the direct share must be manually synchronized
• ACLs at the StorageSecure appliance are always in effect for NFS exports
Authentication Process
• Authentication process when using CIFS and AD as the user repository:
  • The client connects to a Storage Vault.
  • If Local ACL is enabled, StorageSecure checks whether the user has access to the Storage Vault in its local ACL.
  • StorageSecure prompts the user for credentials or checks whether the user has a valid Kerberos ticket issued by Active Directory.
  • StorageSecure checks whether the user has permissions on the file server using the user's credentials or Kerberos ticket. If so, it grants the user access to the Storage Vault.
StorageSecure User Registration for Storage Vault Owners
• Use the WebUI to register: https://<StorageSecure-hostname>/register.htm
• Storage Vault owners must set up a SafeNet StorageSecure account
Management Security Settings (screenshot: Security Management page)
Group Review
• Allows the SafeNet StorageSecure administrator to review new group members
• New members of Windows or UNIX® groups can be accepted or rejected
• Users cannot be accepted or rejected individually
• The Local ACL feature protects against attacks on the file server
• The Group Review feature protects against attacks on the domain controller
User Registration
• If User Registration is enabled:
  • Storage Vault owners can use the WebUI to manage their Storage Vaults
  • End users must register once at the WebUI Login page before they can access a Storage Vault
• If StorageSecure Password is enabled:
  • Users need a SafeNet StorageSecure-specific password (separate from the Windows password) to register
  • When the Windows password is changed, the user must also change the StorageSecure password
  • Users can change their StorageSecure password at any time
WebUI Storage Vault Management
• End users can log in to the SafeNet StorageSecure WebUI to view and manage the Storage Vaults they own
Configure IP Restrictions
• Storage Vault access can be restricted to clients within a specified range of IP addresses
• For example, set the IP range to “10.10.20.100-10.10.20.200”
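The access decision described on the ACL Import, Authentication Process and Configure IP Restrictions slides can be modelled as a single evaluation. The following is an added illustration, not SafeNet code: it follows the slide's step order (local ACL check when Local ACL is enabled, then credentials or Kerberos ticket, then the file server ACL, with the more restrictive level winning) and assumes the IP restriction is checked first and that ACLs are simple principal-to-level maps.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Access levels ordered from most to least restrictive; "none" means no entry.
LEVELS = {"none": 0, "read": 1, "write": 2, "full": 3}


def parse_ip_range(spec: str):
    """Parse a vault IP restriction written as "start-end", e.g. 10.10.20.100-10.10.20.200."""
    parts = [p.strip() for p in spec.split("-", 1)]
    if len(parts) != 2:
        raise ValueError("IP range must be written as start-end: " + spec)
    lo, hi = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
    if lo > hi:
        raise ValueError("IP range start is after its end: " + spec)
    return lo, hi


def ip_allowed(client_ip: str, ip_range: Optional[str]) -> bool:
    """True when no restriction is configured or the client lies inside the range."""
    if ip_range is None:
        return True
    lo, hi = parse_ip_range(ip_range)
    return lo <= ipaddress.ip_address(client_ip) <= hi


def acl_lookup(acl: Dict[str, str], user: str, groups: Iterable[str]) -> str:
    """Highest level granted to the user directly or through any group, Everyone included."""
    principals = [user, *groups, "Everyone"]
    return max((acl.get(p, "none") for p in principals), key=LEVELS.__getitem__)


def effective_access(user: str, groups: Iterable[str], client_ip: str, authenticated: bool, *,
                     local_acl_enabled: bool, local_acl: Dict[str, str],
                     server_acl: Dict[str, str], ip_range: Optional[str] = None) -> Tuple[str, str]:
    """Return (level, reason) for one CIFS request to a Storage Vault (simplified model)."""
    if not ip_allowed(client_ip, ip_range):
        return "none", "client IP outside the Storage Vault IP restriction"
    local = "full"                      # Local ACL disabled: only the file server ACL is honored
    if local_acl_enabled:
        local = acl_lookup(local_acl, user, groups)
        if local == "none":
            return "none", "denied by StorageSecure local ACL"
    if not authenticated:               # no valid credentials or AD Kerberos ticket
        return "none", "authentication failed"
    server = acl_lookup(server_acl, user, groups)
    if server == "none":
        return "none", "denied by file server ACL"
    # Both ACLs grant access: the more restrictive level applies.
    return min(local, server, key=LEVELS.__getitem__), "granted"
```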
End-User Access
• Mounted as an ordinary share
• ACL authentication allows immediate access
• Use the real server name for the virtual server so that client-side mounting is transparent
HTTP Access
• SafeNet StorageSecure supports storing and accessing data through the WebUI (HTTP), including WebDAV extensions (Future Version)
• Web access and WebDAV are automatically enabled on all VIP addresses with virtual shares (Future Version)
• Users can access only data for which their CIFS or NFS credentials are valid
• Access data using a Web browser:
  • Internet Explorer® 6.0 or later
  • Mozilla 1.4 or later
• Secure Web Access to Storage Vaults is enabled (HTTPS://) (Future Version); WebDAV and FTP (Future Version)
Lesson Summary
• In this lesson, you should have learned to:
  • Add CIFS domain, server, and shares
  • Secure CIFS data using encryption
  • Use SafeNet StorageSecure ACLs
  • Configure SafeNet StorageSecure security settings
Hands-on Exercise: Complete 04 Configuring SafeNet StorageSecure in a CIFS Domain