
NetApp ONTAP and NAS Antivirus Protection

NetApp storage systems running ONTAP support antivirus integration for NAS: files are checked by an external scanner before a client is allowed to read or write them. This feature is called Off-box Anti-Virus Scanning. It raises the level of protection of the corporate environment and offloads scanning work from workstations, since keeping the antivirus databases of every workstation up to date is often not a feasible task. Supported products from:


In addition, ONTAP supports advanced file-screening functionality (FPolicy), which can restrict work with files not only by their extension but also by the actual file type, determined from the header inside the file.

Today I would like to go into detail on the integration of ONTAP with CIFS (SMB) and the McAfee antivirus system. Integration with other antivirus products is arranged in essentially the same way.


To configure the integration, we need several components:

  1. Microsoft Windows Server 2008 and up
  2. Storage with ONTAP firmware (based on the NetApp FAS hardware platform, or as an ONTAP Select virtual machine, or ONTAP Cloud in the Amazon / Azure cloud)
  3. McAfee VirusScan Enterprise for Storage (VSEfS). Download VSEfS here
  4. SMB 2 and later is used for scanning; SMB 1.0 is not supported.
  5. NetApp ONTAP AV Connector. Download AV Connector here

For details, consult the compatibility matrix.



Antivirus interaction scheme when an SMB client makes a request to the NAS.

Preparation


In accordance with the diagram below, all software components need to be installed and configured to integrate with the NAS.



VSEfS

Install McAfee VSEfS, which can operate in two modes: as a standalone product or as a product managed by McAfee ePolicy Orchestrator (McAfee ePO). In this article I will consider the "stand-alone product" mode. Before installing McAfee VSEfS, the following must already be installed and configured:


SCAN server

To begin with, we will create several SCAN servers so that the antivirus scanning load is balanced between them. Each SCAN server is a Windows Server with the following components installed: McAfee VSE, McAfee VSEfS and ONTAP AV Connector. For this example, let's prepare three such servers: SCAN1, SCAN2, SCAN3.

AD

Create a user scanuser in the domain (in our example, the domain "NetApp") with administrative rights on the servers SCAN1, SCAN2 and SCAN3.

ONTAP

Now configure ONTAP: create a Cluster Management LIF and one VSM Management LIF, enable CIFS protocol support and join the cluster to AD, create data LIFs for end-user access to the file shares, and create a file share. Create the user scanuser for the cluster and for the VSM; it will be authenticated in the same AD domain as the SCANx servers. Let the cluster be reachable on a management IP address named NCluster-mgmt, and the VSM on a management IP address named VSM01-mgmt.

NCluster::> network interface create -vserver NCluster -home-node NCluster-01 -home-port e0M -role data -protocols none -lif NCluster-mgmt -address 10.0.0.100 -netmask 255.0.0.0
NCluster::> network interface create -vserver VSM01 -home-node NCluster-01 -home-port e0M -role data -protocols none -lif VSM01-mgmt -address 10.0.0.105 -netmask 255.0.0.0
NCluster::> security login domain-tunnel create -vserver VSM01
NCluster::> security login create -username netApp\scanuser -application ontapi -authmethod domain -role readonly -vserver NCluster
NCluster::> security login create -username netApp\scanuser -application ontapi -authmethod domain -role readonly -vserver VSM01

ONTAP AV Connector

Install ONTAP AV Connector on each SCAN server and launch its configuration; after the installer finishes, enter the username and password:



If the application reports "Access is denied", check that UAC (User Account Control) is turned off, then restart the computer.

Start → All Programs → NetApp → ONTAP AV Connector → Configure ONTAP Management LIFs
In the "Management LIF" field, enter the IP address or DNS name of the VSM or cluster: NCluster-mgmt or VSM01-mgmt.

In the "Account" field, enter the name and password of the AD domain user: NetApp\scanuser. Press the "Test" button and, if the test was successful, "Update" and then "Save".



McAfee Network Appliance Filer AV Scanner Administrator Account

On each SCAN server, log in as Administrator and open: Windows taskbar → right-click the McAfee menulet → "VirusScan Console". In the VirusScan Console open "Network Appliance Filer AV Scanner", then go to the tab "Network Appliance Filer AV Scanner and Network Appliance Filers". In the "This Server is a processing request for these filers" field, add a server with the "Add" button and type "127.0.0.1" in the "Server name" field (not the ONTAP address!). Next, fill in the "Administrator Account" fields: enter the same AD user "scanuser", and in the separate "Domain" field enter the domain, in our case "NetApp".



Go back to ONTAP

Now configure the integration itself: set up off-box scanning, enable it, then create and apply a scanning policy:

NCluster::> vserver vscan scanner-pool create -vserver VSM01 -scanner-pool POOL1 -servers SCAN1,SCAN2,SCAN3 -privileged-users NetApp\scanuser

NCluster::> vserver vscan scanner-pool show
                                       Scanner Pool  Privileged        Scanner
Vserver   Pool       Owner    Servers       Users             Policy
--------- ---------- -------- ------------- ----------------- -------
VSM01     POOL1      vserver  SCAN1,        NetApp\scanuser   idle
                              SCAN2,SCAN3

NCluster::> vserver vscan scanner-pool show -instance
                             Vserver: VSM01
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
           Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: SCAN1, SCAN2, SCAN3
            List of Privileged Users: NetApp\scanuser

NCluster::> vserver vscan scanner-pool apply-policy -vserver VSM01 -scanner-pool POOL1 -scanner-policy primary
NCluster::> vserver vscan enable -vserver VSM01

NCluster::> vserver vscan connection-status show
                       Connected    Connected
Vserver   Node         Server-Count Servers
--------- ------------ ------------ ------------------------
VSM01     NClusterN1   3            SCAN1, SCAN2, SCAN3

NCluster::> vserver vscan on-access-policy show
          Policy    Policy                              File-Ext   Policy
Vserver   Name      Owner    Protocol Paths Excluded    Excluded   Status
--------- --------- -------- -------- ----------------- ---------- ------
NCluster  default_  cluster  CIFS     -                 -          off
          CIFS
VSM01     default_  cluster  CIFS     -                 -          on
          CIFS
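A practitioner who has run the commands above usually wants a repeatable check that the scanner pool really ended up in the intended state (policy primary, status on, all SCAN servers connected, and only the dedicated scanuser holding privileged access), because a pool that silently drops to idle or loses a scan server means files are served unscanned or scanning stalls. The following Python script is an added example, not part of the original article and not NetApp or McAfee tooling: it parses captured output of `vserver vscan scanner-pool show -instance` and `vserver vscan connection-status show` and reports deviations. The sample output is constructed from the article's values; the `POOL_BEFORE` / `POOL_AFTER` states, the column layout of the connection-status table, and the expected-server list are assumptions.

```python
import re

# Constructed sample output modelled on the article's "vserver vscan" commands.
# POOL_BEFORE is the state right after "scanner-pool create" (policy idle,
# status off); POOL_AFTER is what the same command is assumed to show once
# "apply-policy ... primary" and "vscan enable" have been run.
POOL_BEFORE = """\
Vserver: VSM01
Scanner Pool: POOL1
Applied Policy: idle
Current Status: off
Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: SCAN1, SCAN2, SCAN3
List of Privileged Users: NetApp\\scanuser
"""

POOL_AFTER = (POOL_BEFORE
              .replace("Applied Policy: idle", "Applied Policy: primary")
              .replace("Current Status: off", "Current Status: on"))

# Constructed sample of "vserver vscan connection-status show" (layout assumed).
CONN_STATUS = """\
                       Connected    Connected
Vserver   Node         Server-Count Servers
--------- ------------ ------------ ------------------------
VSM01     NClusterN1   3            SCAN1, SCAN2, SCAN3
"""


def parse_instance(text):
    """Turn the 'Key: value' lines of the -instance view into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_connection_status(text):
    """Return {vserver: (node, connected_count, [servers])} from the table view.
    Header and '----' separator lines never carry a bare integer in the third
    column, so the regex skips them."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            servers = [s.strip() for s in m.group(4).split(",") if s.strip()]
            rows[m.group(1)] = (m.group(2), int(m.group(3)), servers)
    return rows


def audit_vscan(pool_text, conn_text, expected_servers, expected_user):
    """Compare the scanner-pool state with the intended configuration and
    return a list of findings; an empty list means the pool looks healthy."""
    findings = []
    pool = parse_instance(pool_text)
    vserver = pool.get("Vserver", "?")

    if pool.get("Applied Policy") != "primary":
        findings.append(f"{vserver}: scanner policy is {pool.get('Applied Policy')!r}, expected 'primary'")
    if pool.get("Current Status") != "on":
        findings.append(f"{vserver}: scanner pool status is {pool.get('Current Status')!r}, expected 'on'")

    allowed = {s.strip() for s in pool.get("List of IPs of Allowed Vscan Servers", "").split(",")}
    for missing in sorted(set(expected_servers) - allowed):
        findings.append(f"{vserver}: scan server {missing} is not in the allowed list")

    # The privileged user is the account ONTAP lets read files without scanning
    # them; any account other than the dedicated scanuser deserves a look.
    privileged = {s.strip() for s in pool.get("List of Privileged Users", "").split(",")}
    for extra in sorted(privileged - {expected_user}):
        findings.append(f"{vserver}: unexpected privileged user {extra}")

    row = parse_connection_status(conn_text).get(vserver)
    if row is None:
        findings.append(f"{vserver}: no scan servers connected")
    else:
        _node, count, servers = row
        for down in sorted(set(expected_servers) - set(servers)):
            findings.append(f"{vserver}: scan server {down} is not connected")
        if count < len(expected_servers):
            findings.append(f"{vserver}: only {count} of {len(expected_servers)} scan servers connected")

    return findings


if __name__ == "__main__":
    servers = ["SCAN1", "SCAN2", "SCAN3"]
    print("before:", audit_vscan(POOL_BEFORE, CONN_STATUS, servers, "NetApp\\scanuser"))
    print("after: ", audit_vscan(POOL_AFTER, CONN_STATUS, servers, "NetApp\\scanuser"))
```

Run it against output pasted from the cluster shell (or collected over SSH by a monitoring job); on the article's pre-apply state it reports the idle policy and the off status, and after apply-policy and enable it returns no findings. The connection-status parser keys rows by Vserver, so the same check extends to several SVMs by feeding it the full table.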

Licenses


FPolicy and Off-box Anti-Virus Scanning do not require any additional licenses on the storage system; this functionality is included in the basic ONTAP distribution. On the antivirus-software side, and for third-party products that use extended FPolicy functionality, additional licenses may be required; clarify this with the respective vendors and their partner representatives.

Conclusions


Integrating the NAS with an antivirus system, on the one hand, offloads the end clients, and on the other, removes the threat of infection that arises when the antivirus databases of all clients cannot be kept up to date. FPolicy, in turn, restricts the writing of files that should not be stored in the corporate environment.

PS
Also note the document describing the ONTAP security settings that enhance security: Security Hardening Guide for NetApp ONTAP 9.


This article may contain links to Habr articles that will be published later.
Please report errors in the text by private message.
Comments, additions and questions about the article, on the other hand, are welcome in the comments.

Source: https://habr.com/ru/post/280666/
