NetApp storage firewall ports: network requirements in a typical NAS environment

1. Network requirements

Between all storage systems that need to perform SnapMirror data replication, open the following ports:

    Protocol      UDP port   TCP port
    SnapMirror    10565      10566

NetApp FAS storage supports clock synchronization over the network. If there is a firewall between the storage and the NTP server, open the following ports:

    Protocol      UDP port   TCP port
    NTP/SNTP      123        123
    TIME/RDATE    37         37

All managed storage systems must be reachable from the DFM server over the IP network. If there is a firewall between the storage and the DFM server, open the following ports:

    Protocol      UDP port   TCP port
    HTTP                     80
    HTTPS                    443
    RSH                      514
    SSH                      22
    TELNET                   23
    SNMP          161
    SNMP TRAP     162

If there are Windows machines to be managed (for example, clients with OSS backup software installed), the Windows machines must be reachable from the DFM server over the IP network. If there is a firewall between the Windows machines and the DFM server, open the following ports:

    Protocol      UDP port   TCP port
    HTTP                     4092
    HTTPS                    4093
    NDMP                     10000
    SNMP          161
    SNMP TRAP     162

Enabling the DFM AutoSupport feature requires connectivity between the DFM server and the mail server, and the server needs a mail-sending account that does not require password authentication. If there is a firewall between the mail server and the DFM server, open the following ports:

    Protocol      UDP port   TCP port
    SMTP                     25

Appendix: IP ports used by DOT

IP port usage on a storage system

About this appendix

This appendix describes the Data ONTAP services file that is available in the /etc directory. The /etc/services file is in the same format as its corresponding UNIX system's /etc/services file. Although this file is not used by Data ONTAP, it is provided in this appendix as information useful to system administrators.

Host identification

Although some port scanners are able to identify storage systems as storage systems, other port scanners report storage systems as unknown types, UNIX systems because of their NFS support, or Windows systems because of their CIFS support. There are several services that are not currently listed in the /etc/services file. Below is an example of a complete list of the file contents.

    time        37/tcp     # Time Service
    time        37/udp     # Time Service
    domain      53/udp     # DNS - outbound only
    domain      53/tcp     # DNS zone transfers - unused
    dhcps       67/udp     # DHCP server - outbound only
    dhcp        68/udp     # DHCP client - only first-time setup
    tftp        69/udp     # Trivial FTP - for netboot support
    http        80/tcp     # HTTP license, FilerView, SecureAdmin
    kerberos    88/udp     # Kerberos 5 - outbound only
    kerberos    88/tcp     # Kerberos 5 - outbound only
    portmap     111/udp    # aka rpcbind, used for NFS
    portmap     111/tcp    # aka rpcbind, used for NFS
    nntp        119/tcp    # unused, shouldnt be listed here.
    ntp         123/tcp    # Network Time Protocol
    ntp         123/udp    # Network Time Protocol
    netbios-ns  137/udp    # NetBIOS nameserver - for CIFS

    netbios-dg  138/udp    # NetBIOS datagram service - for CIFS
    netbios-ssn 139/tcp    # NetBIOS service session - for CIFS
    ssl         443/tcp    # Secure FilerView (SecureAdmin)
    cifs-tcp    445/tcp    # CIFS over TCP with NetBIOS framing
    snmp        161/udp    # For Data Fabric Manager or other such tools
    shell       514/tcp    # rsh, insecure remote command execution.
    syslog      514/udp    # outbound only
    route       520/udp    # for RIP routing protocol
    kerberos    750/udp    # outbound only, if at all

The nntp and ttcp ports are unused by your storage system and should never be detected by a port scanner.

Ports found in a block starting around 600

The following ports are found on the storage system with NFS enabled:

    Port   Protocol   Service
    602    UDP        NFS mount daemon (mountd)
    603    TCP        NFS mount daemon (mountd)
    604    UDP        NFS status daemon (statd, statmon)
    605    TCP        NFS status daemon (statd, statmon)
    606    UDP        NFS lock manager (lockd, nlockmgr)
    607    TCP        NFS lock manager (lockd, nlockmgr)
    608    UDP        NFS quota daemon (quotad, rquotad)

On other systems, the ports appear as follows:

    Port   Protocol   Service
    611    UDP        NFS mount daemon (mountd)
    612    TCP        NFS mount daemon (mountd)
    613    UDP        NFS status daemon (statd, statmon)
    614    TCP        NFS status daemon (statd, statmon)
    615    UDP        NFS lock manager (lockd, nlockmgr)
    616    TCP        NFS lock manager (lockd, nlockmgr)
    617    UDP        NFS quota daemon (quotad, rquotad)

Enter the following command on UNIX systems to obtain the correct information by querying the port mapper on port 111:

    toaster# rpcinfo -p
       program vers proto   port  service
        100011    1   udp    608  rquotad
        100021    4   tcp    607  nlockmgr
        100021    3   tcp    607  nlockmgr
        100021    1   tcp    607  nlockmgr
        100021    4   udp    606  nlockmgr
        100021    3   udp    606  nlockmgr
        100021    1   udp    606  nlockmgr
        100024    1   tcp    605  status
        100024    1   udp    604  status
        100005    3   tcp    603  mountd
        100005    2   tcp    603  mountd
        100005    1   tcp    603  mountd
        100005    3   udp    602  mountd
        100005    2   udp    602  mountd
        100005    1   udp    602  mountd
        100003    3   udp   2049  nfs
        100003    2   udp   2049  nfs
        100000    2   tcp    111  rpcbind
        100000    2   udp    111  rpcbind

Note: The port numbers listed for mountd, statd, lockd, and quotad are not committed port numbers. Storage systems can have these services running on other port numbers. Because the system selects these port numbers at random when it boots, they are not listed in the /etc/services file.
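As an added example that is not code from the NetApp document, the Python script below puts the appendix to defensive use: it parses the /etc/services listing, resolves the uncommitted NFS helper ports from rpcinfo -p output, and classifies each open port a scan reports, flagging listed entries whose comment marks them outbound-only, unused or first-time-setup-only; the table of ports that appear in a scan without being listed (SSH, SSL, iSCSI) comes from the next section. The excerpts, the scan result and the verdict wording are constructed for this example.

```python
# Added example, not part of the NetApp document: classify the open ports a scan
# reports on a Data ONTAP system against the appendix's /etc/services listing, the
# uncommitted NFS helper ports learned from `rpcinfo -p`, and the table of ports
# that are open but unlisted. All inputs below are constructed excerpts.
import re

SERVICES = """\
dhcps       67/udp   # DHCP server - outbound only
dhcp        68/udp   # DHCP client - only first-time setup
portmap    111/tcp   # aka rpcbind, used for NFS
nntp       119/tcp   # unused, shouldnt be listed here.
cifs-tcp   445/tcp   # CIFS over TCP with NetBIOS framing
"""
RPCINFO = """\
   program vers proto   port  service
    100021    4   tcp    607  nlockmgr
    100005    3   udp    602  mountd
"""
# Ports the appendix says a scan shows although /etc/services omits them.
UNLISTED = {(22, "tcp"): "SSH (SecureAdmin)", (443, "tcp"): "SSL (SecureAdmin)",
            (3260, "tcp"): "iSCSI-Target"}
# Comment phrases marking entries that must never answer a scan.
NOT_LISTENING = ("outbound only", "unused", "first-time setup")

def parse_services(text):
    """Map (port, proto) -> (name, comment) from /etc/services-style lines."""
    table = {}
    for m in re.finditer(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\s*(?:#\s*(.*))?$", text, re.M):
        table[(int(m[2]), m[3])] = (m[1], (m[4] or "").strip())
    return table

def parse_rpcinfo(text):
    """Map (port, proto) -> service from `rpcinfo -p` output (header skipped)."""
    return {(int(m[2]), m[1]): m[3] for m in
            re.finditer(r"^\s*\d+\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)", text, re.M)}

def classify(open_ports, services, rpc):
    """Return {(port, proto): verdict} for each open port in a scan result."""
    out = {}
    for key in open_ports:
        if key in rpc:                    # NFS helper port mapped by rpcbind
            out[key] = "expected: " + rpc[key]
        elif key in UNLISTED:
            out[key] = "expected: " + UNLISTED[key]
        elif key in services:
            name, comment = services[key]
            bad = any(p in comment.lower() for p in NOT_LISTENING)
            out[key] = ("should not be listening: " if bad else "expected: ") + name
        else:
            out[key] = "unknown: disable it if not needed"
    return out

# Constructed scan result: (port, proto) pairs reported open.
SCAN = [(22, "tcp"), (119, "tcp"), (445, "tcp"), (602, "udp"), (68, "udp"), (9000, "tcp")]
REPORT = classify(SCAN, parse_services(SERVICES), parse_rpcinfo(RPCINFO))
```

Running it against a real system means feeding the output of the storage system's /etc/services, rpcinfo -p and your scanner into the three inputs; the verdict for 119/tcp and 68/udp is what the appendix calls a configuration or software error.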

Other ports not listed in /etc/services

The following ports appear in a port scan but are not listed in the /etc/services file:

    Protocol   Port   Service
    TCP        22     SSH (SecureAdmin)
    TCP        443    SSL (SecureAdmin)
    TCP        3260   iSCSI-Target
    UDP        XXX    Legato ClientPack for your storage system runs on random UDP ports and is now deprecated. It is recommended that NDMP be used to back up your storage system using Legato Networker.

Note: Disable open ports that you do not need.

FTP (ftp-data, ftp)

File Transfer Protocol (FTP) uses TCP ports 20 and 21. For a detailed description of the FTP support for your storage system, see the Data ONTAP File Access and Protocols Management Guide. If you use FTP to transfer files to and from your storage system, the FTP port is required; otherwise, use FilerView or the following CLI command to disable the FTP port:

    options off

FTP is not a secure protocol for two reasons:

- When users log in to the system, user names and passwords are transmitted over the network in clear text format that can easily be read by a packet sniffer program. These user names and passwords can then be used to access data and other network resources. You should establish and enforce policies that prevent the use of the same passwords to access storage systems and other network resources.
- FTP server software used on platforms other than storage systems contains serious security-related flaws that allow unauthorized users to gain administrative (root) access and control over the host.

SSH (ssh)

The Secure Shell (SSH) protocol is a secure replacement for RSH and runs on TCP port 22. This port only appears in a port scan if the SecureAdmin software is installed on your storage system. There are three commonly deployed versions of the SSH protocol:

- SSH version 1 is much more secure than RSH or Telnet, but is vulnerable to TCP session attacks. This vulnerability to attack lies in the SSH protocol version 1 itself and not in the associated storage system products.
- SSH version 2 has a number of feature improvements over SSH version 1 and is less vulnerable to attacks.
- SSH version is used to identify clients or servers that support both SSH versions 1 and 2.

To disable SSH support or to close TCP port 22, use the following CLI command:

    secureadmin disable ssh

Telnet (telnet)

Telnet is used for administrative control of your storage system and uses TCP connections on port 23. Telnet is more secure than RSH, as secure as FTP, and less secure than SSH or Secure Socket Layer (SSL). Telnet is not secure because:

- When users log into a system, such as your storage system, user names and passwords are transmitted over the network in clear text format. Clear text format can be read by an attacker using a packet sniffer program. The attacker can use these user names and passwords to log in to your storage system and execute unauthorized administrative functions, including destruction of data on the system. If the administrators use the same passwords on your storage system as they do on other network devices, the attacker can use these passwords to access those resources as well. Note: To reduce the potential for attack, establish and enforce policies preventing administrators from using the same passwords on your storage system that they use for access to other network resources.
- Telnet server software used on other platforms (typically in UNIX environments) has serious security-related flaws that allow unauthorized users to gain administrative (root) control over the host.

Telnet is also vulnerable to the same type of TCP session attacks as SSH protocol version 1, but because a packet sniffing attack is easier, TCP session attacks are less common. To disable Telnet, set options to off.

SMTP (smtp)

The Simple Mail Transport Protocol (SMTP) uses TCP port 25. Your storage system does not listen on this port but makes outgoing connections to mail servers using this protocol when sending AutoSupport e-mail.

Time service (time, ntp)

Your storage system supports two different time service protocols:

- The TIME protocol (also known as rdate) is specified in the RFC 868 standard. This standard allows for time services to be provided on TCP or UDP port 37. Your storage system uses only UDP port 37.

- The Simple Network Time Protocol (NTP) is specified in the RFC 2030 standard and is provided only on UDP port 123.

When your storage system has option set to On and a remote protocol (rdate or ntp) is specified, the storage system synchronizes to a network time server. If the option is set to Off, your storage system is unable to synchronize with the network time server using NTP. The rdate time protocol can still be used by manually issuing the rdate command from your storage system console. You should set the option to On in a cluster configuration.

DNS (domain)

The Domain Name Service (DNS) uses UDP port 53 and TCP port 53. Your storage system does not typically listen on these ports because it does not run a domain name server. However, if DNS is enabled on your storage system, it makes outgoing connections using UDP port 53 for host name and IP address lookups. Your storage system never uses TCP port 53 because this port is used explicitly for communication between DNS servers. Outgoing DNS queries by your storage system are disabled by turning off DNS support. Turning off DNS support protects against receiving bad information from another DNS server. Because your storage system does not run a domain name server, the name service must be provided by one of the following:

- Network Information Service (NIS)
- An /etc/hosts file
- Replacement of host names in the configuration files (such as /etc/exports, /etc/, and so on) with IP addresses

DNS must be enabled for participation in an Active Directory domain.

DHCP (dhcps)

Clients broadcast messages to the entire network on UDP port 67 and receive responses from the Dynamic Host Configuration Protocol (DHCP) server on UDP port 68. The same ports are used for the BOOTP protocol. DHCP is used only for the first-time setup of your storage system. Detection of DHCP activity on your storage system by a port scan, other than the activity during the first-time setup, indicates a serious configuration or software error.

TFTP (tftp)

Trivial File Transfer Protocol (TFTP) uses TCP port 69. It is used mostly for booting UNIX or UNIX-like systems that do not have a local disk (this process is also known as netbooting) and for storing and retrieving configuration files for devices such as Cisco routers and switches. Transfers are not secure on TFTP because it does not require authentication for clients to connect and transfer files. Your storage system's TFTP server is not enabled by default. When TFTP is enabled, the administrator must specify a directory to be used by TFTP clients, and these clients cannot access other directories. Even within the TFTP directory, access is read-only. TFTP should be enabled only if necessary. Disable TFTP using the following option:

    options off

HTTP (http)

Hypertext Transport Protocol (HTTP) runs on TCP port 80 and is the protocol used by web browsers to access web pages. Your storage system uses HTTP to access:

- files, when the HTTP protocol is enabled
- FilerView, for Graphical User Interface (GUI) administration
- Secure FilerView, when SecureAdmin is installed

The SecureAdmin SSL interface accepts connections on TCP port 443. SecureAdmin manages the details of the SSL network protocol, encrypts the connection, and then passes this traffic through to the normal HTTP FilerView interface through a loopback connection. This loopback connection does not use a physical network interface. HTTP communication takes place inside your storage system, and no clear text packets are transmitted. The HTTP protocol is not vulnerable to security attacks because it provides read-only access to documents by unauthenticated clients. Although authentication is not typically used for file access, it is frequently used for access to restricted documents or for administration purposes, such as FilerView administration. The only authentication methods defined by the HTTP protocol send credentials, such as user names and passwords, over the network without encryption. The SecureAdmin product is provided with SSL support to overcome this shortcoming.

Note: In versions of Data ONTAP earlier than , your storage system listens for new connections (by default, set to TCP port 80) even when the HTTP protocol is not licensed and FilerView is disabled. However, starting with Data ONTAP , you can stop your storage system from listening for new connections by setting the options and to Off. If either of the options is set to On, your storage system will continue to listen for new connections.

Kerberos (kerberos, kerberos-sec)

There are four Kerberos ports in the /etc/services file: TCP port 88, UDP port 88, TCP port 750, and UDP port 750. These ports are used only for outbound connections from your storage system. Your storage system does not run Kerberos servers or services and does not listen on these ports. Kerberos is used by your storage system to communicate with the Microsoft Active Directory servers for both CIFS authentication and, if configured, NFS authentication.

NFS (portmap, nfsd)

The Network File System (NFS) is used by UNIX clients for file access. NFS uses port 2049. NFSv3 and NFSv2 use the portmapper service on TCP or UDP port 111. The portmapper service is consulted to get the port numbers for services used with the NFSv3 or NFSv2 protocols, such as mountd, statd, and nlm. NFSv4 does not require the portmapper service. NFSv4 provides the delegation feature that enables your storage system to grant local file access to clients. To delegate, your storage system sets up a separate connection to the client and sends callbacks on it. To communicate with the client, your storage system uses one of the reserved ports (port numbers less than 1024). To initiate the connection, the client registers the callback program on a random port and informs the server about it. With delegations enabled, NFSv4 is not firewall friendly because several other ports need to be opened up as well. You can disable the TCP and UDP ports by setting the and options to Off. To disable NFS, use the nfs off command.

CIFS (netbios-name, netbios-dg, netbios-ssn, cifs-tcp)

The Common Internet File Service (CIFS) is the successor to the Server Message Block (SMB) protocol. CIFS is the primary protocol used by Windows systems for file sharing. CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445. Your storage system sends and receives data on these ports while providing CIFS service. If it is a member of an Active Directory domain, your storage system also must make outbound connections destined for DNS and Kerberos. CIFS is required for Windows file service. You can disable CIFS using FilerView or by issuing the cifs terminate command on your storage system console.

Note: If you disable CIFS, be aware that your storage system's /etc/rc file can be set up to automatically enable CIFS again after a reboot.

SSL (ssl)

The Secure Sockets Layer (SSL) protocol provides encryption and authentication of TCP connections. When SecureAdmin is installed and configured on your storage system, it listens for SSL connections on TCP port 443. It receives secure web browser connections on this port and uses unencrypted HTTP through a loopback connection to pass the traffic to FilerView, running on TCP port 80. This loopback connection is contained within your storage system and no unencrypted data is transmitted over the network. TCP port 443 can be disabled using FilerView or with the following command:

    secureadmin disable ssl

SNMP (snmp)

Simple Network Management Protocol (SNMP) is an industry-standard protocol used for remote monitoring and management of network devices over UDP port 161. SNMP is not secure because, instead of using encryption keys or a user name and password pair, SNMP uses a community string for authentication. The community string is transmitted in clear text format over the network, making it easy to capture with a packet sniffer. Within the industry, devices are typically configured at the factory to use public as the default community string. The public password allows users to make queries and read values but does not allow users to invoke commands or change values. Some devices are configured at the factory to use private as the default community string, allowing users full read-write access. Even if you change the read and write community string on a device to something other than private, an attacker can easily learn the new string by using the read-only public community string and asking the router for the read-write string.

There are three versions of SNMP:

- SNMPv1 is the original protocol and is not commonly used.
- SNMPv2 is identical to SNMPv1 from a network protocol standpoint and is vulnerable to the same security problems. The only differences between the two versions are in the messages sent, messages received, and the type of information that is available. These differences are not important from a security point of view. This version of SNMP is currently used on your storage systems.
- SNMPv3 is the latest protocol version and includes security improvements but is difficult to implement and many vendors do not yet support it. SNMPv3 supports several different types of network encryption and authentication schemes. It allows for multiple users, each with different permissions, and solves SNMPv1 security problems while maintaining an important level of compatibility with SNMPv2.

SNMP is required if you want to monitor a storage system through an SNMP monitoring tool, such as Data
