Mailing List Archive

Cyber Security Question
Hi All,

The scenario is:

An attacker has compromised security on your LAN and gained access to admin access on the NetApp filers.
Subsequently they have wiped the primary and DR filers, including all SnapVault backups.

How could this be protected against?

KR,
Chris.
p.s. Apologies in advance for the insanely long signature!

This email is being sent by a subsidiary of Arthur J. Gallagher Holdings (UK) Limited, part of the Arthur J. Gallagher & Co. global group of companies. For details of the registered office, company number and, where applicable, regulated status of our subsidiaries, please visit https://www.ajginternational.com/legal-regulatory-information/.

We are the data controller of any personal information you provide to us or personal information that has been provided to us by a third party. We collect and process information about you in order to arrange insurance policies and to process claims. Your information is also used for business purposes such as fraud prevention and detection and financial management. This may involve sharing your information with third parties such as insurers, reinsurers, other brokers, claims handlers, loss adjusters, credit reference agencies, service providers, professional advisors, our regulators, police and government agencies or fraud prevention agencies.

We may record telephone calls to help us monitor and improve the service we provide. For further information on how your information is used and your rights in relation to your information please see our privacy notice at https://www.ajginternational.com/Privacy-Policy/. If you are providing personal data of another individual to us, you must tell them you are providing their information to us and show them a copy of this notice.

Where you are obtaining a non-consumer policy of (re)insurance, or cover for additional risks or renewal under an existing policy, you are required to make a fair presentation of the risk to a (re)insurer which discloses every material circumstance which you know or ought to know relating to the risk to be insured. A circumstance is material if it would influence the judgment of a prudent insurer in determining whether to provide insurance for the risk and, if so, on what terms. Disclosure must be reasonably clear and accessible to a prudent insurer and made in good faith. The aforementioned duty of disclosure is the applicable duty under the laws of England and Wales. If your policy is not subject to English law you are expected to disclose risk information in accordance with the requirements of the applicable law. In such circumstances we expect you will disclose risk information at least equal to the standard required under English law and where the applicable law requires you to disclose information over and above the level required under English law you will provide such information in accordance with that law.

Where you are obtaining a consumer policy of insurance, you must read each question and answer honestly and fully and must take reasonable care to not make a misrepresentation.

Failure to comply with the above disclosure requirements, as they apply to you, could mean that your policy of (re)insurance is void, its terms are materially altered or that (re)insurers are not liable to pay all or part of your claim(s). If you are in any doubt as to your obligations you should ask your usual contact.

This e-mail and any attachments are CONFIDENTIAL and may contain legally privileged information. If you are not the intended recipient of this e-mail message, please telephone or e-mail us immediately, delete this message from your system and do not read, copy, distribute, disclose or otherwise use this e-mail message and any attachments. Although the above company has taken reasonable precautions to ensure this e-mail and any attachments are free of any virus or other defect that may affect your computer, it is the responsibility of the recipient to ensure that it is virus free and the above company does not accept any responsibility for any loss or damage arising in any way from its use.
Re: Cyber Security Question [ In reply to ]
Tape backups would be simplest. Snaplock on the DR/backup filer could also
be used.

On Tue, Jan 29, 2019 at 7:24 AM Chris Hague <Chris_Hague@ajg.com> wrote:

> Hi All,
>
> The scenario is:
>
> An attacker has compromised security on your LAN and gained access to
> admin access on the NetApp filers.
>
> Subsequently they have wiped the primary and DR filers, including all
> SnapVault backups.
>
> How could this be protected against?
>
> KR,
> Chris.
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters
>
Re: Cyber Security Question [ In reply to ]
Use an IDa server, use MFA (upgrade to ONTAP 9.4 or higher), use RBAC,
disable the admin login and deploy a new obscured local admin.

--tmac

*Tim McCarthy, **Principal Consultant*

*Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>*




On Tue, Jan 29, 2019 at 7:30 AM Basil <basilberntsen@gmail.com> wrote:

> Tape backups would be simplest. Snaplock on the DR/back up filer could
> also be used.
Re: Cyber Security Question [ In reply to ]
In addition to any hardening you would want to do, you should find ways to
protect against the potential damage that someone with full access after
hardening could do. There's no substitute for cold backups.

On Tue, Jan 29, 2019 at 7:39 AM s.eno <s.eno@me.com> wrote:

> Hi Tim,
>
> Is there a TR for hardening, post-ONTAP 9.4?
>
> --
> Scott
> s.eno@me.com
>
> On Jan 29, 2019, at 7:32 AM, tmac <tmacmd@gmail.com> wrote:
>
> Use an IDa server, use MFA. (upgrade to ONTAP 9.4 or higher), use RBAC,
> disable the admin login and deploy a new obscured local admin
Re: Cyber Security Question [ In reply to ]
This is a nice recent one about securing the access protocols:
https://kb.netapp.com/app/answers/answer_view/a_id/1029776

There is the Hardening guide: https://www.netapp.com/us/media/tr-4569.pdf
-> although I think it could be better. I hope NetApp updates it soon.

--tmac

*Tim McCarthy, **Principal Consultant*

*Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>*

*I Blog at TMACsRack <https://tmacsrack.wordpress.com/>*



On Tue, Jan 29, 2019 at 7:39 AM s.eno <s.eno@me.com> wrote:

> Hi Tim,
>
> Is there a TR for hardening, post-ONTAP 9.4?
>
> --
> Scott
> s.eno@me.com
RE: Cyber Security Question [ In reply to ]
You can certainly use snaplock. Not even an admin can delete snaplock data, unless they use their admin credentials to physically access the data center and steal the drives.

I know one petabyte-scale customer who planned for this scenario with SnapVault. The snapvault destination teams are managed by a different team than the production systems. They did it for protection against a rogue admin, not an intruder.

Not everyone has enough staff to grant separate credentials like this, but someone could at least ensure that the passwords aren't the same on each system. I know one customer where they split the responsibility. One person has the first half of the admin password, and another person has the second half. That would be tedious to manage everything like that, but for a relatively statically configured system like a Snapvault destination that might be doable. You can still use RBAC to create sub-administrative user accounts with the ability to perform most tasks, but restrict the ability to destroy a volume.

Personally, I'd also restrict the network ports. In my experience, most customers do leave the administrative ports open to the network at large, but there's a significant minority who only allow certain subnets to access the administrative interfaces. Ensure a primary and snapvault controller are on different subnets, and you get added security against intruders, but still don't forget about the chance of a malicious internal user with admin credentials.

From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Chris Hague
Sent: Tuesday, January 29, 2019 6:00 AM
To: Toasters <toasters@teaparty.net>
Subject: Cyber Security Question

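The controls the last two replies describe (a sub-administrative role that can operate the SnapVault destination but cannot destroy volumes or snapshots, SSH MFA, a locked built-in admin, and management access limited to one subnet), written out as ONTAP 9 clustershell commands. This is an added example, not commands posted by anyone in the thread; the cluster name `cluster1`, the role `vault-ops`, the user `vaultadmin`, the LIF `cluster_mgmt`, the subnet `10.20.30.0/24` and the public key are assumed placeholders.

```ontap
# Added example, not from the thread. Assumed names: cluster1, vault-ops,
# vaultadmin, cluster_mgmt, 10.20.30.0/24. Run on the SnapVault destination
# cluster; the same pattern applies on the primary.

# 1. RBAC: a role that can do routine volume and SnapMirror/SnapVault work
#    but is denied the commands that destroy data. ONTAP applies the most
#    specific -cmddirname match, so the "none" entries override "volume all".
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "volume" -access all
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "volume offline" -access none
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "volume delete" -access none
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "volume snapshot delete" -access none
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "volume snapshot autodelete" -access none
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "snapmirror" -access all
cluster1::> security login role create -vserver cluster1 -role vault-ops -cmddirname "snapmirror delete" -access none

# Check: every destructive directory must show "none" before the role is handed out.
cluster1::> security login role show -vserver cluster1 -role vault-ops

# 2. A dedicated login bound to that role. Key plus password is ONTAP's SSH MFA
#    (the thread says this needs 9.4 or later). The key below is a placeholder.
cluster1::> security login create -vserver cluster1 -user-or-group-name vaultadmin -application ssh -authentication-method publickey -second-authentication-method password -role vault-ops
cluster1::> security login publickey create -vserver cluster1 -username vaultadmin -index 0 -publickey "ssh-ed25519 AAAA...PLACEHOLDER vaultadmin@jumphost"

# 3. Lock the built-in admin (tmac's suggestion). Do this only after a second
#    cluster-admin login with role "admin" has been created and tested from a
#    separate session, or you can lock yourself out.
cluster1::> security login lock -vserver cluster1 -user-or-group-name admin

# 4. Network: allow SSH and HTTPS to the management LIF only from the
#    administrative subnet, so a foothold elsewhere on the LAN cannot reach it.
#    (ONTAP 9.0 to 9.9 syntax; 9.10.1 and later express this with
#    "network interface service-policy" allowed-addresses instead.)
cluster1::> system services firewall policy create -vserver cluster1 -policy mgmt-only -service ssh -allow-list 10.20.30.0/24
cluster1::> system services firewall policy create -vserver cluster1 -policy mgmt-only -service https -allow-list 10.20.30.0/24
cluster1::> network interface modify -vserver cluster1 -lif cluster_mgmt -firewall-policy mgmt-only

# Check: confirm the policy is attached and lists only the intended subnet.
cluster1::> system services firewall policy show -vserver cluster1 -policy mgmt-only
cluster1::> network interface show -vserver cluster1 -lif cluster_mgmt -fields firewall-policy
```

As the same reply notes, none of this stops a full cluster admin who is already inside, so the RBAC role only pays off when the full-admin credential on the SnapVault destination is held by a different team and is not the same password as the primary.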