Dell Isilon OneFS 8.2.x User Manual

Isilon OneFS 8.2.x Security Configuration Guide
Version 8.2.x
Security Configuration Guide
January 2020
Copyright © 2013-2020 Dell Inc. All rights reserved.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property
of their respective owners. Published in the USA.
Dell EMC Hopkinton, Massachusetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.DellEMC.com
2 Isilon OneFS 8.2.x Security Configuration Guide Security Configuration Guide

CONTENTS

Chapter 1  Introduction to this guide ........ 5
    About this guide ........ 6
    Reporting security vulnerabilities ........ 6
    Dell security advisories ........ 6
    False positive security vulnerabilities ........ 6
    Related documents ........ 6
    Where to go for support ........ 7
    Terminology ........ 7
Chapter 2  Security overview ........ 11
    Security deployment models ........ 12
        General business security deployment model ........ 12
        SmartLock security deployment model ........ 12
        Security Technical Implementation Guide (STIG) deployment model (Federal accounts only) ........ 13
    Security control map ........ 14
Chapter 3  Cryptography ........ 15
    Cryptography overview ........ 16
    Cryptographic inventory for HTTPS ........ 16
        Cryptographic inventory for HTTPS in hardening mode ........ 17
    Cryptographic inventory for NFS ........ 17
    Cryptographic inventory for OpenSSH ........ 18
    Cryptographic inventory for SNMPv3 ........ 19
    Cryptographic inventory for SMB ........ 19
Chapter 4  Authentication ........ 21
    Authentication overview ........ 22
    Kerberos authentication ........ 22
Chapter 5  Network security ........ 23
    Network port usage ........ 24
    OneFS services ........ 29
    Mixed data-access protocol environments ........ 31
    FTP security ........ 31
    HDFS security ........ 32
    HTTP and HTTPS security ........ 32
    NFS security ........ 32
    SMB security ........ 32
        SMB security settings ........ 32
        Configuring SMB ........ 33
Chapter 6  Physical security ........ 35
    Physical security overview ........ 36
    Security of the data center ........ 36
    Physical ports on Isilon nodes ........ 36
        Disable USB ports on Isilon nodes ........ 36
    Statements of Volatility ........ 37
Chapter 7  Security best practices ........ 39
    Overview ........ 40
        Persistence of security settings ........ 40
    PCI compliance ........ 41
        Configure the cluster to meet PCI compliance ........ 41
    General cluster security best practices ........ 42
        Create a login message ........ 42
        Manifest check to confirm install authenticity and integrity ........ 42
        Set a timeout for idle CLI sessions (CLI) ........ 45
        Set a timeout for idle SSH sessions (CLI) ........ 47
        Forward audited events to remote server ........ 48
        Firewall security ........ 49
        Disable OneFS services that are not in use ........ 49
        Configure WORM directories using SmartLock ........ 49
        Back up cluster data ........ 50
        Use NTP time ........ 50
    Login, authentication, and privileges best practices ........ 51
        Restrict root logins to the cluster ........ 51
        Use RBAC accounts instead of root ........ 51
        Privilege elevation: Assign select root-level privileges to non-root users ........ 52
        Restrict authentication by external providers ........ 55
    SNMP security best practices ........ 56
        Use SNMPv3 for cluster monitoring ........ 56
        Disable SNMP ........ 57
    SSH security best practices ........ 57
        Restrict SSH access to specific users and groups ........ 57
        Disable root SSH access to the cluster ........ 58
    Data-access protocols best practices ........ 58
        Use a trusted network to protect files and authentication credentials that are sent in cleartext ........ 58
        Use compensating controls to protect authentication credentials that are sent in cleartext ........ 59
        Use compensating controls to protect files that are sent in cleartext ........ 59
        Disable FTP access ........ 60
        Limit or disable HDFS access ........ 60
        Limit or disable HTTP access ........ 61
        NFS best practices ........ 61
        SMB best practices ........ 62
        SMB signing ........ 63
        Disable Swift access ........ 65
    Web interface security best practices ........ 65
        Replace the TLS certificate ........ 65
        Secure the web interface headers ........ 66
        Accept up-to-date versions of TLS in the OneFS web interface ........ 67
CHAPTER 1

Introduction to this guide

This section contains the following topics:
• About this guide ........ 6
• Reporting security vulnerabilities ........ 6
• Dell security advisories ........ 6
• False positive security vulnerabilities ........ 6
• Related documents ........ 6
• Where to go for support ........ 7
• Terminology ........ 7

About this guide

This guide provides an overview of the security configuration controls and settings available in Isilon OneFS. This guide is intended to help facilitate secure deployment, usage, and maintenance of the software and hardware used in Isilon clusters.
Your suggestions help us to improve the accuracy, organization, and overall quality of the documentation. Send your feedback to http://bit.ly/isilon-docfeedback. If you cannot provide feedback through the URL, send an email message to docfeedback@isilon.com.

Reporting security vulnerabilities

Dell EMC takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability, you are encouraged to report it to Dell EMC immediately.
For information on how to report a security issue to Dell EMC, see the Dell EMC Vulnerability Response Policy at http://www.emc.com/products/security/product-security-response-center.htm.

Dell security advisories

Dell Security Advisories (DSAs) notify customers about potential security vulnerabilities and their remedies for Dell EMC products. The advisories include specific details about an issue and instructions to help prevent or alleviate that security exposure.
Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs.
All Isilon DSAs, together with the CVEs that they address, are listed at https://community.emc.com/docs/DOC-45144.

False positive security vulnerabilities

It is possible for a security scan to incorrectly identify a CVE as affecting a Dell EMC product. CVEs in this category are termed false positives.
False positives for OneFS and Insight IQ are listed at https://community.emc.com/docs/DOC-45144.

Related documents

The complete documentation set for OneFS is available online.
You can find information that is related to the features and functionality described in this document in the following documents available from the Dell EMC Online Support site.
• EMC Secure Remote Services Installation and Operations Guide
• EMC Secure Remote Services Policy Manager Operations Guide
• EMC Secure Remote Services Site Planning Guide
• EMC Secure Remote Services Technical Description
• EMC Isilon Multiprotocol Data Access with a Unified Security Model (white paper)
• Isilon Swift Technical Note
• Managing identities with the Isilon OneFS user mapping service
• OneFS Backup and Recovery Guide
• OneFS CLI Administration Guide
• OneFS Event Reference
• OneFS HDFS Reference Guide
• OneFS Release Notes
• OneFS Web Administration Guide
• OneFS Upgrade Planning and Process Guide

Where to go for support

This topic contains resources for getting answers to questions about Isilon products.
Online support
  • Live Chat
  • Create a Service Request
  For questions about accessing online support, send an email to support@emc.com.
Telephone support
  • United States: 1-800-SVC-4EMC (1-800-782-4362)
  • Canada: 1-800-543-4782
  • Worldwide: 1-508-497-7901
  • Local phone numbers for a specific country are available at Dell EMC Customer Support Centers.
Isilon Community Network
  The Isilon Community Network connects you to a central hub of information and experts to help you maximize your current storage solution. From this site, you can demonstrate Isilon products, ask questions, view technical videos, and get the latest Isilon product documentation.
Isilon Info Hubs
  For the list of Isilon info hubs, see the Isilon Info Hubs page on the Isilon Community Network. Use these info hubs to find product documentation, troubleshooting guides, videos, blogs, and other information resources about the Isilon products and features you're interested in.

Terminology

The following terms and abbreviations describe some of the features and technology of the Isilon OneFS system and Isilon cluster.
Access-based enumeration (ABE)
In a Microsoft Windows environment, ABE filters the list of available files and folders to allow users to see only those that they have permissions to access on a file server.
Access control entry (ACE)
An element of an access control list (ACL) that defines access rights to an object (like a file or directory) for a user or group.
Access control list (ACL)
A list of access control entries (ACEs) that provide information about the users and groups allowed access to an object.
ACL policy
The policy that defines which access control methods (NFS permissions and/or Windows ACLs) are enforced when a user accesses a file on the system in an environment that is configured to provide multiprotocol access to file systems. The ACL policy is set through the web administration interface.
Authentication
The process for verifying the identity of a user trying to access a resource or object, such as a file or a directory.
Certificate Authority (CA)
A trusted third party that digitally signs public key certificates.
Certificate Authority Certificate
A digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on public key certificates.
Command-line interface (CLI)
An interface for entering commands through a shell window to perform cluster administration tasks.
Digital certificate
An electronic ID issued by a certificate authority that establishes user credentials. It contains the user identity (a hostname), a serial number, expiration dates, a copy of the public key of the certificate holder (used for encrypting messages and digital signatures), and a digital signature from the certificate-issuing authority so that recipients can verify that the certificate is valid.
Directory server
A server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage user access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft Active Directory.
Group Identifier (GID)
Numeric value used to represent a group account in a UNIX system.
Hypertext Transfer Protocol (HTTP)
The communications protocol used to connect to servers on the World Wide Web.
Hypertext Transfer Protocol Secure (HTTPS)
HTTP over TLS. All network traffic between the client and server system is encrypted. In addition, HTTPS provides the option to verify server and client identities. Typically, server identities are verified and client identities are not.
Kerberos
An authentication, data integrity, and data-privacy encryption mechanism that is used to encode authentication information. Kerberos coexists with NTLM and provides authentication for client/server applications using secret-key cryptography.
Lightweight Directory Access Protocol (LDAP)
An information-access protocol that runs directly over TCP/IP. LDAP is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP Version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251.
LDAP-based directory
A directory server that provides access through LDAP. Examples of LDAP-based directory servers include OpenLDAP and SUN Directory Server.
Network File System (NFS)
A distributed file system that provides transparent access to remote file systems. NFS allows all network systems to share a single copy of a directory.
Network Information Service (NIS)
A service that provides authentication and identity uniformity across local area networks and allows you to integrate the cluster with your NIS infrastructure. Designed by Sun Microsystems, NIS can be used to authenticate users and groups when they access the cluster.
OneFS API
A RESTful HTTP-based interface that enables cluster configuration, management, and monitoring functionality, and enables operations on files and directories.
OpenLDAP
The open source implementation of an LDAP-based directory service.
Public Key Infrastructure (PKI)
A means of managing private keys and associated public key certificates for use in Public Key Cryptography.
Secure Sockets Layer (SSL)
A security protocol that provides encryption and authentication. SSL encrypts data and provides message and server authentication. SSL also supports client authentication if required by the server.
Security Identifier (SID)
A unique, fixed identifier used to represent a user account, user group, or other secure identity component in a Windows system.
Server Message Block (SMB)
A network protocol used by Windows-based computers that allows systems within the same network to share files.
Simple Network Management Protocol (SNMP)
A protocol that can be used to communicate management information between the network management stations and the agents in the network elements.
Support Remote Services Gateway
Secure Remote Support (SRS) enables 24x7 proactive, secure, high-speed remote monitoring and repair for many Dell EMC products.
Transport Layer Security (TLS)
The successor protocol to SSL for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical to SSL version 3.
User Identifier (UID)
Alphanumeric value used to represent a user account in a UNIX system.
X.509
A widely used standard for defining digital certificates.
CHAPTER 2

Security overview

This section contains the following topics:
• Security deployment models ........ 12
• Security control map ........ 14

Security deployment models

An Isilon cluster is only one piece of a complex installation and coexists with the surrounding physical and electronic environment. You must develop and maintain comprehensive security policies for the entire environment.
It is assumed that you have implemented the following security controls prior to the Isilon security deployment:
• Physical security of computer room facilities
• Comprehensive network security
• Monitoring of computer-related controls, including:
  - Access to data and programs
  - Secure organizational structure to manage login and access rights
  - Change control to prevent unauthorized modifications to programs
• Service continuity to ensure that critical services and processes remain operational in the event of a disaster or data breach.
With these security controls in place, Isilon offers the following deployment models:
• General business
• SmartLock
• Security Technical Implementation Guide (STIG)

General business security deployment model

An Isilon cluster is designed to meet the storage needs of diverse users across the spectrum of big data and enterprise IT. The general business security deployment model comprises a set of best practices that can be implemented in any environment.
See the Security Best Practices chapter of this guide for recommended steps to increase the security of an Isilon cluster.

SmartLock security deployment model

SmartLock is a data retention solution that protects files from accidental or deliberate modification or deletion during a specified retention period. SmartLock employs Write Once Read Many (WORM) data storage technology. WORM technology allows information to be written to a drive once, after which it is non-erasable and non-rewritable.
There are two options for SmartLock implementation:
• Compliance mode. This mode is designed for use only by those organizations which are legally required to comply with the United States Securities and Exchange Commission's (SEC) rule 17a-4(f).
• Enterprise mode. This mode can be used by organizations that have no legal requirement but want to use WORM technology to protect their data.
SmartLock compliance mode commits files to a WORM state in a compliance directory where the files cannot be modified or deleted until the specified retention period has expired. If a cluster is installed in compliance mode, the entire cluster is defined as a SmartLock compliance cluster.
SmartLock enterprise mode commits files to a WORM state in an enterprise directory where the files cannot be modified or deleted until the retention period has expired. The only exception is through a privileged delete feature that exists for the root account.
For more information about SmartLock, see the SmartLock overview section of this document.

Security Technical Implementation Guide (STIG) deployment model (Federal accounts only)

To meet Federal Approved Products List (APL) requirements, the configuration of OneFS must comply with Security Technical Implementation Guides (STIGs) that define hardening configuration requirements.
STIGs are maintained by the Defense Information Systems Agency (DISA), which produces STIGs for several computing technologies, referred to as assessment areas. STIG hardening is designed for Isilon clusters that support Federal Government accounts. Clusters that do not support Federal Government accounts are generally not candidates for STIG hardening.
Note: STIG hardening assumes that the entire environment has been hardened to STIG standards. Securing only the Isilon cluster, without the surrounding components also meeting STIG requirements, can create problems due to different expectations between the components.
For more information about STIG deployment, see the OneFS 8.2.0 Web Administration Guide and the OneFS 8.2.0 CLI Command Reference.

Security control map

The following diagram provides an overview of the various security controls that are available on Isilon clusters.
Figure 1 Security control map
CHAPTER 3

Cryptography

This section contains the following topics:
• Cryptography overview ........ 16
• Cryptographic inventory for HTTPS ........ 16
• Cryptographic inventory for NFS ........ 17
• Cryptographic inventory for OpenSSH ........ 18
• Cryptographic inventory for SNMPv3 ........ 19
• Cryptographic inventory for SMB ........ 19

Cryptography overview

OneFS uses up-to-date, globally recognized cryptographic algorithms and protocols, including:
• FTP
• HDFS
• HTTPS
• Kerberos
• NDMP
• NFS
• Secure Socket Shell (SSH)
• SMB
• Swift
• Transport Layer Security (TLS)
• TLS to Active Directory
• TLS to Lightweight Directory Access Protocol (LDAP)
This chapter provides details on cryptographic use within OneFS, including the current cryptographic releases, which algorithms are used, and where in the product the algorithms are used.
Note: Different releases of OneFS may support different cryptographic inventories. If you have questions about the cryptographic inventory for different versions of OneFS, contact Isilon Technical Support.

Cryptographic inventory for HTTPS

The HTTPS cryptography applies to REST clients and to the OneFS web administration interface. This section lists the cipher suites that are supported by HTTPS in OneFS.
TLSv1.1 cipher suites supported by HTTPS
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)
TLSv1.2 cipher suites supported by HTTPS
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)

Cryptographic inventory for HTTPS in hardening mode

The security hardening cryptography applies to REST clients and to the OneFS web administration interface. This section lists the cipher suites that are supported by security hardening mode in OneFS.
TLSv1.1 cipher suites supported by HTTPS in hardening mode
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)
TLSv1.2 cipher suites supported by HTTPS in hardening mode
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1)
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1)
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1)
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
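The following script is an example added here, not Dell EMC or Isilon code: it parses the guide's default and hardening-mode TLSv1.2 HTTPS inventories (transcribed into the script), reports what hardening mode removes or changes, and flags the non-AEAD suites with an HMAC-SHA-1 MAC that remain in both lists. The classification rules are the example's own, not anything the guide states.

```python
"""Classify the TLSv1.2 HTTPS cipher-suite inventory from this guide.

Added example, not Dell EMC/Isilon code. The two suite lists are transcribed
from the guide's default and hardening-mode TLSv1.2 tables; the review rules
(AEAD preferred, CBC + HMAC-SHA-1 and non-AES ciphers flagged) are this
example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Transcribed from "TLSv1.2 cipher suites supported by HTTPS".
TLS12_DEFAULT = """
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)
"""

# Transcribed from "TLSv1.2 cipher suites supported by HTTPS in hardening mode".
TLS12_HARDENING = """
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
"""

# One inventory line: the IANA suite name followed by the (group) annotation.
_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\(([^)]+)\)$")


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str      # DHE or ECDHE; both provide forward secrecy
    cipher: str   # AES or CAMELLIA
    bits: int
    mode: str     # GCM (AEAD) or CBC
    mac: str      # SHA (HMAC-SHA-1), SHA256 or SHA384
    group: str    # "dh 2048", "secp256r1" or "secp521r1"

    @property
    def aead(self) -> bool:
        return self.mode == "GCM"

    @property
    def needs_review(self) -> bool:
        # Assumed review rule: CBC with HMAC-SHA-1, or a non-AES cipher.
        return (not self.aead and self.mac == "SHA") or self.cipher != "AES"


def parse_inventory(text: str) -> list[Suite]:
    """Parse the guide's "SUITE (group)" lines into Suite records."""
    suites = []
    for raw in text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised inventory line: {raw!r}")
        name, group = m.groups()
        # TLS_<kex>_<auth>_WITH_<cipher>_<bits>_<mode>_<mac>
        kex_auth, cipher_mac = name[len("TLS_"):].split("_WITH_")
        cipher, bits, mode, mac = cipher_mac.split("_")
        suites.append(Suite(name, kex_auth.split("_")[0], cipher,
                            int(bits), mode, mac, group))
    return suites


def diff_inventories(default: list[Suite], hardened: list[Suite]) -> dict:
    """What hardening mode removes, adds, and which key-exchange groups change."""
    d = {s.name: s for s in default}
    h = {s.name: s for s in hardened}
    return {
        "removed": sorted(set(d) - set(h)),
        "added": sorted(set(h) - set(d)),
        "group_changes": {n: (d[n].group, h[n].group)
                          for n in d.keys() & h.keys()
                          if d[n].group != h[n].group},
    }


def review_list(suites: list[Suite]) -> list[str]:
    """Suite names an assessor would want explained under the rule above."""
    return [s.name for s in suites if s.needs_review]


if __name__ == "__main__":
    default, hardened = parse_inventory(TLS12_DEFAULT), parse_inventory(TLS12_HARDENING)
    print(diff_inventories(default, hardened))
    print("still CBC/HMAC-SHA-1 in hardening mode:", review_list(hardened))
```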

Cryptographic inventory for NFS

This section lists the NFS cryptographic algorithms that are available in OneFS.
Usage of these algorithms depends on your configuration and workflow. For configuration information, refer to the OneFS CLI Administration Guide Info Hub.
Note: When Kerberos is used, it is important that NTP time synchronization be set up in common with the KDC.
NFS default settings
  Setting       Enabled/disabled
  NFS service   Enabled
  NFSv3         Enabled
  NFSv4         Disabled
NFSv3 algorithms
  Algorithm                                            Description
  Key Exchange Algorithms                              RPCSEC_GSS, KerberosV5
  Authentication Algorithms                            *see NFS authentication algorithms table
  Encryption Algorithms                                AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC
  Message Authentication Code Algorithms (integrity)
NFSv4 algorithms
  Algorithm                                            Description
  Key Exchange Algorithms                              RPCSEC_GSS, KerberosV5
  Authentication Algorithms                            *see NFS authentication algorithms table
  Encryption Algorithms                                AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5
  Message Authentication Code Algorithms (integrity)
NFS authentication algorithms
Authentication depends on the security approach but can be overridden if the device is blocked in a netgroup, or there is a rule mapping a UID to something else.
  Security approach   Description
  AUTH_UNIX           AUTH_UNIX: trust the remote device for authentication, no integrity check, no encryption
  krb5                RPCSEC_GSS, enforces TCP protocol at transport layer. Trust the KDC, no integrity check, no encryption
  krb5i               RPCSEC_GSS, enforces TCP protocol at transport layer. Trust as krb5, integrity check using RPCSEC_GSS (RPC headers are signed and headers and data are hashed), no encryption
  krb5p               RPCSEC_GSS, enforces TCP protocol at transport layer. Trust as krb5, integrity as krb5i, encryption in (AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC)

Cryptographic inventory for OpenSSH

This section lists the OpenSSH cryptographic algorithms as used in OneFS.
OpenSSH cryptographic algorithms
  Algorithm                                            Description
  Encryption Algorithms                                aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
  Key Exchange Algorithms                              curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
  Host Key Algorithms                                  rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
  Authentication Algorithms                            Depends on cluster configuration
  Message Authentication Code Algorithms (integrity)   hmac-sha1
OpenSSH cryptographic algorithms used in hardening mode only:
  Algorithm                                            Description
  Encryption Algorithms                                aes128-ctr, aes192-ctr, aes256-ctr
  Key Exchange Algorithms                              ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
  Host Key Algorithms                                  rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
  Authentication Algorithms                            Depends on cluster configuration
  Message Authentication Code Algorithms (integrity)   hmac-sha1

Cryptographic inventory for SNMPv3

This section lists the SNMPv3 cryptographic algorithms as used in OneFS.
  Algorithm                  Description
  Authentication Algorithms  HMAC-SHA-96, MD5
  Privacy                    3DES, AES-128-CFB
Note: The SNMPv3 authentication algorithm defaults to MD5, and the privacy algorithm defaults to AES.

Cryptographic inventory for SMB

This section lists the SMB cryptographic algorithms that are available in OneFS.
Note: It is recommended that you use encryption, and not signing, for ultimate security.
Usage of these algorithms depends on your configuration and workflow. For configuration information, refer to the OneFS CLI Administration Guide Info Hub.
For a secure OneFS environment, it is recommended that you use encryption rather than signing.
The SMB service is enabled by default in OneFS, and it supports SMBv1, SMBv2, and SMBv3.
SMB algorithms
  Algorithm                    Description
  Authentication Algorithm     krb5; NTLM (GSS-SPNEGO)
  SMBv3 Encryption Algorithm   AES-128-CCM; AES-128-GCM (faster)
SMB signing algorithms
Note: For signing information, see the SMB Signing section of the Design and Considerations for SMB Environments whitepaper.
  SMB protocol version   SMB signing algorithm description
  SMB 1                  MD5
  SMB 2.0.2, 2.1         HMAC-SHA256 (signing); GSS-API SessionKey (key derivation)
  SMB 3.0, 3.0.2, 3.11   AES-128-CMAC (signing); GSS-API SessionKey and KDF (key derivation)
Used via GSS-API, NTLM mechanism:
• RC4 (schannel encryption)
• MD5-HMAC (signing)
Used via GSS-API, KRB5 mechanism (all encryption types provide signing and encryption):
• AES256-CTS
• AES128-CTS
• RC4-HMAC
• DES-CBC-MD5
• DES-CBC-CRC
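As an added example (not Dell EMC or Isilon code), the HMAC-SHA256 signing listed above for SMB 2.0.2 and 2.1, worked through on a constructed 64-byte SMB2 header plus a placeholder body with a constructed session key. It shows a receiver accepting the signed message and rejecting one whose payload was altered, one signed under a different key, and one that arrived unsigned.

```python
"""SMB 2.0.2/2.1 message signing (HMAC-SHA256) on a constructed message.

Added example, not Dell EMC/Isilon code. The rule follows the public SMB2
specification: HMAC-SHA256 keyed with the 16-byte SessionKey over the whole
message with the Signature field zeroed, the first 16 bytes of the output
stored back in the header. Session key, header values and body are
constructed sample values, not taken from any real session.
"""
import hashlib
import hmac
import struct

SMB2_HEADER_LEN = 64
FLAGS_OFFSET = 16            # Flags field: bytes 16..19 of the header
SIG_OFFSET = 48              # Signature field: bytes 48..63 of the header
SMB2_FLAGS_SIGNED = 0x00000008


def build_header(command: int, message_id: int, session_id: int,
                 flags: int = 0) -> bytes:
    """Minimal SMB2 sync header (64 bytes, little-endian, Signature zeroed)."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       b"\xfeSMB",       # ProtocolId
                       64,               # StructureSize
                       0,                # CreditCharge
                       0,                # Status / ChannelSequence
                       command,          # Command
                       1,                # CreditRequest
                       flags,            # Flags
                       0,                # NextCommand (not compounded)
                       message_id,       # MessageId
                       0,                # Reserved / ProcessId
                       1,                # TreeId
                       session_id,       # SessionId
                       b"\x00" * 16)     # Signature, filled in by sign_message


def sign_message(session_key: bytes, message: bytes) -> bytes:
    """Return the message with SMB2_FLAGS_SIGNED set and a valid signature."""
    if len(session_key) != 16:
        raise ValueError("SMB2 signing key is the 16-byte SessionKey")
    buf = bytearray(message)
    flags = struct.unpack_from("<I", buf, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", buf, FLAGS_OFFSET, flags)
    buf[SIG_OFFSET:SIG_OFFSET + 16] = b"\x00" * 16    # sign with field zeroed
    mac = hmac.new(session_key, bytes(buf), hashlib.sha256).digest()
    buf[SIG_OFFSET:SIG_OFFSET + 16] = mac[:16]
    return bytes(buf)


def verify_signature(session_key: bytes, message: bytes) -> bool:
    """Receiver-side check: recompute the HMAC and compare in constant time."""
    if len(message) < SMB2_HEADER_LEN or message[:4] != b"\xfeSMB":
        return False
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return False     # when signing is required, an unsigned message is rejected
    buf = bytearray(message)
    presented = bytes(buf[SIG_OFFSET:SIG_OFFSET + 16])
    buf[SIG_OFFSET:SIG_OFFSET + 16] = b"\x00" * 16
    expected = hmac.new(session_key, bytes(buf), hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, presented)


# Constructed sample values (not from any real session).
SAMPLE_SESSION_KEY = bytes(range(16))
SAMPLE_MESSAGE = (build_header(command=0x0005, message_id=7, session_id=0x1234)
                  + b"\x39\x00" + b"\x00" * 55)   # placeholder 57-byte body


def demo() -> dict:
    """Sign the sample message and show which manipulations the check catches."""
    signed = sign_message(SAMPLE_SESSION_KEY, SAMPLE_MESSAGE)
    # Flip the first body byte after the header; the header itself is untouched.
    tampered = signed[:SMB2_HEADER_LEN] + b"X" + signed[SMB2_HEADER_LEN + 1:]
    return {
        "valid": verify_signature(SAMPLE_SESSION_KEY, signed),
        "tampered_payload": verify_signature(SAMPLE_SESSION_KEY, tampered),
        "wrong_key": verify_signature(b"\x00" * 16, signed),
        "unsigned": verify_signature(SAMPLE_SESSION_KEY, SAMPLE_MESSAGE),
    }


if __name__ == "__main__":
    print(demo())
```

SMB 3.x replaces the HMAC with AES-128-CMAC under a KDF-derived key, as the table notes, so this routine applies only to the SMB 2.0.2/2.1 dialects.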
CHAPTER 4

Authentication

This section contains the following topics:
• Authentication overview ........ 22
• Kerberos authentication ........ 22