1 / 43

Configuring SafeNet StorageSecure in a CIFS Domain

Configuring SafeNet StorageSecure in a CIFS Domain. Module 2: Lesson 2 SafeNet StorageSecure Storage Security Course. Lesson Objectives. By the end of this lesson, you should be able to: Add CIFS domain, server, and shares Secure CIFS data using encryption

agrata
Download Presentation

Configuring SafeNet StorageSecure in a CIFS Domain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Configuring SafeNet StorageSecure in a CIFS Domain Module 2: Lesson 2 SafeNet StorageSecure Storage Security Course

  2. Lesson Objectives • By the end of this lesson, you should be able to: • Add CIFS domain, server, and shares • Secure CIFS data using encryption • Use StorageSecure Access Control Lists (ACLs) • Configure SafeNet StorageSecure Security Settings

  3. Configuring SafeNet StorageSecure in a CIFS Domain

  4. Typical NAS Deployment Virtual Host StorageSecure appliances are deployed in a NAS environment between the hosts and the storage appliance. StorageSecure has two interfaces: one client interface where all clients connect, and a Storage interface where the actual Storage connect. Clients are required to send their I/O requests to the StorageSecure client interface. The actual shares accessible from the file-server interface are virtualized on the client interface.

  5. Adding Domain, Server & Share & Securing Data • To add SafeNet StorageSecure to a CIFS Environment: • Create a “Domain Access User” on the domain. • Add a CIFS domain • Add a CIFS file server • Add a virtual server (VIP) • Add a share • Virtualize the share to the VIP • Create a Storage Vault

  6. Domain Access User • The Domain Access User is a special user account in the SafeNet StorageSecure Management Console for accessing Windows or LDAP domains • In a Windows domain: • Discovers servers and shares • Syncs users and groups with domain controller • In an LDAP domain: • Syncs users and groups with LDAP server • Domain Access User cannot access data through the SafeNet StorageSecure Management Console • Can be any user in a Windows domain

  7. Adding a CIFS Domain

  8. Adding a CIFS Domain – Access User Enter a Domain Access user credentials. The account will need full access control for all shares to be encrypted.

  9. Added CIFS Domain

  10. Adding a CIFS Server

  11. Adding a CIFS Server (Cont.)

  12. Adding a Share

  13. Added Share

  14. Adding a Virtual Server

  15. Virtualizing Shares Virtual server – Vhost1

  16. Securing CIFS Data

  17. Adding a Storage Vault Cross Mapping of share1

  18. Adding a Storage Vault (Cont.)

  19. Storage Vault Access through CIFS Real Share Virtual Share – accessed via StorageSecure

  20. Additional Notes and the Storage Vault • StorageSecure can have up to 1500 Storage Vaults. • Nested Storage Vaults are not supported. • On Storage Vault creation a hidden system “.decru” file is written to the Storage Vault. • .decru file contains metadata relating to the key used for encryption. • Lost or deleted .decru file will leave data accessible until StorageSecure is rebooted. • Re-creation of .decru file is possible. • Each Storage Vault has an associated Storage Vault Key • Files within the Storage Vault have: • 512 bytes of metadata added to the file header. • Are associated with a unique R-Key. • R-Key processes the file before and after encryption to ensure that cipher text is different across files sharing the same content. • Storage Vaults can be multi-protocol - CIFS and NFS.

  21. Configuring SafeNet StorageSecure in a CIFS Domain - ACL

  22. Storage Vault Menu Options • Access Control • IP Restriction • Rekey • Export Trustee Keys • Delete

  23. SafeNet StorageSecure and User or Group Memberships • When adding a Storage vault, the share’s ACL is synchronized with StorageSecure • If there is a conflict between the SafeNet StorageSecure ACL and the Windows ACL, the more restrictive ACL applies.

  24. User or Group Import • SafeNet StorageSecure automatically imports user and group information from the Windows domain for: • Users who have initial access to shares • Users who are added to the ACL of a Storage Vault • Users who are members of a group added to the ACL of Storage Vault • Users who access a Storage Vault with the Everyone group in its ACL • Users who register with SafeNet StorageSecure • StorageSecure queries the domain controller every 30 minutes to check for changes

  25. ACL Import • ACLs should be set on the share before creating a Storage Vault • SafeNet StorageSecure syncs the ACL with the file server when the Storage Vault is created • The ACL is then modified at the file server or SafeNet StorageSecure • Security settings affect the behavior of ACL • If the Local ACL option is disabled, only the storage server’s ACL is honored • If the Local ACL option is enabled, then the most restrictive permissions are used

  26. Local ACLs and SafeNet StorageSecure • CIFS ACLs are synchronized when a Storage Vault is created • Changes to an ACL at the direct share must be manually synchronized • ACLs at the StorageSecure appliance are always in effect for NFS exports

  27. Authentication Process • Authentication process when using CIFS and AD as the user repository • Client connects to a Storage Vault. • If Local ACL is enabled, the StorageSecure checks if the user has access to the StorageVault in its local ACL. • The StorageSecure will prompt the user for credentials or check if the user has a valid Kerberos ticket given by the Active Directory. • The StorageSecure checks if the user has permissions on the file server by using the users credentials / Kerberos ticket. If so, it will provide the user access to the Storage Vault.

  28. StorageSecure User Registration for Storage Vault Owners • Use the WebUI to register: https://<StorageSecure-hostname>/register.htm • Storage Vault owners must set up a SafeNet StorageSecure account.

  29. Management Security Settings Security  Management Security

  30. Management Security Settings (Cont.)

  31. Management Security Settings (Cont.)

  32. Group Review • Allows the SafeNet StorageSecure administrator to review new group members • New members of Windows or UNIX® groups can be accepted or rejected • Users cannot be accepted or rejected individually • The Local ACL feature protects against attacks on the file server • The Group Review feature protects against attacks on the domain controller

  33. Group Review

  34. User Registration • If User Registration is enabled • Storage vault owners can use the WebUI to manage their Storage vaults • End users must register once at the WebUI Login page before they can access a Storage vault • If StorageSecure Password is enabled • Users need a SafeNet StorageSecure-specific password (separate from Windows password) to register • When the Windows password is changed, the user must also change the StorageSecure password • Users can change their StorageSecure password at any time

  35. Storage Vault ACL Modification

  36. Modification of ACL by Storage Vault Owner

  37. WebUI Storage Vault Management • End users can log in to the SafeNet StorageSecure WebUI to view and manage the Storage Vaults they own.

  38. Configure IP Restrictions • Storage Vault access can be restricted to clients within a specified range of IP addresses • For example set IP Range of “10.10.20.100-10.10.20.200”

  39. End-User Access • Mounted as an ordinary share • ACL authentication allows immediate access • Use real server name for virtual server for invisible client-side mounting HTTP Access • SafeNet StorageSecure supports storing and accessing data through the WebUI (HTTP), this includes WebDAV extensions (Future Version) • Web access and WebDAV are automatically enabled on all VIP addresses with virtual shares (Future Version) • Users can access only data for which their CIFS or NFS credentials are valid • Access data using a Web browser • Internet Explorer® 6.0 or later • Mozilla 1.4 or later • Secure Web Access to Storage Vaults is enabled (HTTPS://) (Future Version); WebDAV and FTP - (Future Version)

  40. Secure Web Access

  41. Web-Based Distributed Authoring and Versioning

  42. Lesson Summary • In this lesson, you should have learned to: • Add CIFS domain, server, and shares • Secure CIFS data using encryption • Use SafeNet StorageSecure ACLs • Configure SafeNet StorageSecure security settings

  43. Hands on Exercise:Complete:04 Configuring SafeNetStorageSecure in a CIFS Domain

More Related