NetApp storage firewall ports: network requirements in a typical NAS environment

Network requirements

Between all storage systems that need to perform SnapMirror data replication, open the following ports:

Protocol      UDP port   TCP port
SnapMirror    10565      10566

NetApp FAS storage supports clock synchronization over the network. If a firewall sits between the storage system and the NTP server, open the following ports:

Protocol      UDP port   TCP port
NTP/SNTP      123        123
TIME/RDATE    37         37

All managed storage systems must be reachable from the DFM server over the IP network. If a firewall sits between the storage systems and the DFM server, open the following ports:

Protocol      UDP port   TCP port
HTTP                     80
HTTPS                    443
RSH                      514
SSH                      22
TELNET                   23
SNMP          161
SNMP TRAP     162

If Windows machines must be managed (for example, clients with the OSSV backup software installed), the Windows machines must be reachable from the DFM server over the IP network. If a firewall sits between the Windows machines and the DFM server, open the following ports:

Protocol      UDP port   TCP port
HTTP                     4092
HTTPS                    4093
NDMP                     10000
SNMP          161
SNMP TRAP     162

Enabling the DFM AutoSupport function requires connectivity between the DFM server and the mail server, and the server needs a mail-sending account that does not require password authentication. If a firewall sits between the mail server and the DFM server, open the following port:

Protocol      UDP port   TCP port
SMTP                     25

Appendix: IP ports used by DOT 7.2

IP port usage on a storage system

About this appendix
This appendix describes the Data ONTAP services file that is available in the /etc directory. The /etc/services file is in the same format as its corresponding UNIX /etc/services file. Although this file is not used by Data ONTAP, it is provided in this appendix as information useful to system administrators.

Host identification
Although some port scanners are able to identify storage systems as storage systems, other port scanners report storage systems as unknown types, as UNIX systems because of their NFS support, or as Windows systems because of their CIFS support. Several services are not currently listed in the /etc/services file.

Below is an example of a complete list of the file contents:

Port/Service    Protocol    Description
ftp-data        20/tcp      # File transfer protocol
ftp             21/tcp      # File transfer protocol
ntp             123/udp     # Network Time Protocol
netbios-name    137/udp     # NetBIOS nameserver - for CIFS
netbios-dg      138/udp     # NetBIOS datagram service - for CIFS
netbios-ssn     139/tcp     # NetBIOS service session - for CIFS
ssl             443/tcp     # Secure FilerView (SecureAdmin)
cifs-tcp        445/tcp     # CIFS over TCP with NetBIOS framing
snmp            161/udp     # For Data Fabric Manager or other such tools
shell           514/tcp     # rsh, insecure remote command execution
syslog          514/udp     # outbound only
route           520/udp     # for RIP routing protocol
kerberos-sec    750/udp     # outbound only, if at all
kerberos-sec    750/tcp     # outbound only, if at all
nfsd            2049/udp    # primary NFS service
nfsd            2049/tcp    # primary NFS service
ttcp            5001/udp    # unused, shouldn't be listed here

The nntp and ttcp ports are unused by your storage system and should never be detected by a port scanner.

Ports found in a block starting around 600
The following ports are found on the storage system with NFS enabled:

Protocol   Port   Service
UDP        602    NFS mount daemon (mountd)
TCP        603    NFS mount daemon (mountd)
UDP        604    NFS status daemon (statd, statmon)
TCP        605    NFS status daemon (statd, statmon)
UDP        606    NFS lock manager (lockd, nlockmgr)
TCP        607    NFS lock manager (lockd, nlockmgr)
UDP        608    NFS quota daemon (quotad, rquotad)

On other systems, the ports appear as follows:

Protocol   Port   Service
UDP        611    NFS mount daemon (mountd)
TCP        612    NFS mount daemon (mountd)
UDP        613    NFS status daemon (statd, statmon)
TCP        614    NFS status daemon (statd, statmon)
UDP        615    NFS lock manager (lockd, nlockmgr)

Enter the following command on UNIX systems to obtain the correct information by querying the port mapper on port 111:

toaster# rpcinfo -p storage.system.name.or.ip.address
   program vers proto   port  service
    100011    1   udp    608  rquotad
    100021    4   tcp    607  nlockmgr
    100021    3   tcp    607  nlockmgr
    100021    1   tcp    607  nlockmgr
    100021    4   udp    606  nlockmgr
    100021    3   udp    606  nlockmgr
    100021    1   udp    606  nlockmgr
    100024    1   tcp    605  status
    100024    1   udp    604  status
    100005    3   tcp    603  mountd
    100005    2   tcp    603  mountd
    100005    1   tcp    603  mountd
    100005    3   udp    602  mountd
    100005    2   udp    602  mountd
    100005    1   udp    602  mountd
    100003    3   udp   2049  nfs
    100003    2   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind

Note: The port numbers listed for mountd, statd, lockd, and quotad are not committed port numbers. Storage systems can have these services running on other port numbers. Because the system selects these port numbers at random when it boots, they are not listed in the /etc/services file.

Other ports not listed in /etc/services
The following ports appear in a port scan but are not listed in the /etc/services file:

Protocol   Port   Service
TCP        22     SSH (SecureAdmin)
TCP        443    SSL (SecureAdmin)
UDP        xxxx   Legato ClientPack (random ports)
TCP        3260   iSCSI-Target

Legato ClientPack for your storage system runs on random UDP ports and is now deprecated. It is recommended that NDMP be used to back up your storage system using Legato NetWorker.

Note: Disable open ports that you do not need.

FTP (ftp-data, ftp)
File Transfer Protocol (FTP) uses TCP ports 20 and 21. For a detailed description of the FTP support for your storage system, see the Data ONTAP File Access and Protocols Management Guide. If you use FTP to transfer files to and from your storage system, the FTP port is required; otherwise, use FilerView or the following CLI command to disable the FTP port:

options ftpd.enable off

FTP is not a secure protocol for two reasons:
- When users log in to the system, user names and passwords are transmitted over the network in clear text that can easily be read by a packet sniffer program. These user names and passwords can then be used to access data and other network resources. You should establish and enforce policies that prevent the use of the same passwords to access storage systems and other network resources.
- FTP server software used on platforms other than storage systems contains serious security-related flaws that allow unauthorized users to gain administrative (root) access and control over the host.

SSH (ssh)
Secure Shell (SSH) protocol is a secure replacement for RSH and runs on TCP port 22. This only appears in a port scan if the SecureAdmin software is installed on your storage system. There are three commonly deployed versions of the SSH protocol:
- SSH version 1 is much more secure than RSH or Telnet, but is vulnerable to TCP session attacks. This vulnerability lies in the SSH protocol version 1 itself and not in the associated storage system products.
- SSH version 2 has a number of feature improvements over SSH version 1 and is less vulnerable to attacks.
- SSH version 1.5 is used to identify clients or servers that support both SSH versions 1 and 2.

To disable SSH support or to close TCP port 22, use the following CLI command:

secureadmin disable ssh

Telnet (telnet)
Telnet is used for administrative control of your storage system and uses TCP connections on port 23. Telnet is more secure than RSH, as secure as FTP, and less secure than SSH or Secure Socket Layer (SSL). Telnet is not secure because:
- When users log in to a system, such as your storage system, user names and passwords are transmitted over the network in clear text. Clear text can be read by an attacker using a packet sniffer program. The attacker can use these user names and passwords to log in to your storage system and execute unauthorized administrative functions, including destruction of data on the system. If the administrators use the same passwords on your storage system as they do on other network devices, the attacker can use these passwords to access those resources as well.

  Note: To reduce the potential for attack, establish and enforce policies preventing administrators from using the same passwords on your storage system that they use for access to other network resources.

- Telnet server software used on other platforms (typically in UNIX environments) has serious security-related flaws that allow unauthorized users to gain administrative (root) control over the host.
- Telnet is also vulnerable to the same type of TCP session attacks as SSH protocol version 1, but because a packet sniffing attack is easier, TCP session attacks are less common.

To disable Telnet, set options telnet.enable to off.

SMTP (smtp)
The Simple Mail Transport Protocol (SMTP) uses TCP port 25. Your storage system does not listen on this port but makes outgoing connections to mail servers using this protocol when sending AutoSupport e-mail.

Time service (time, ntp)
Your storage system supports two different time service protocols:
- TIME protocol (also known as rdate) is specified in the RFC 868 standard. This standard allows for time services to be provided on TCP or UDP port 37. Your storage system uses only UDP port 37.
- Simple network time protocol (NTP) is specified in the RFC 2030 standard and is provided only on UDP port 123.

When your storage system has the option timed.enable set to On and a remote protocol (rdate or ntp) is specified, the storage system synchronizes to a network time server. If the timed.enable option is set to Off, your storage system is unable to synchronize with the network time server using NTP. The rdate time protocol can still be used by manually issuing the rdate command from your storage system console. You should set the timed.enable option to On in a cluster configuration.
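Because mountd, statd, lockd and quotad are assigned ports at boot, a firewall rule set between NFS clients and the storage system cannot be written once from /etc/services; it has to be regenerated from the port mapper. The following Python script is an added example (not part of this document and not NetApp tooling): it parses the rpcinfo -p listing shown above, emits allow rules in iptables syntax for a storage address of 10.0.0.5 (an assumed value), and reports which previously allowed ports went stale after a reboot. The post-reboot listing is constructed from the 611-615 assignments the document gives for "other systems".

```python
import re

# rpcinfo -p output as listed in this document (the "600 block" assignments).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100011    1   udp    608  rquotad
    100021    4   tcp    607  nlockmgr
    100021    3   tcp    607  nlockmgr
    100021    1   tcp    607  nlockmgr
    100021    4   udp    606  nlockmgr
    100021    3   udp    606  nlockmgr
    100021    1   udp    606  nlockmgr
    100024    1   tcp    605  status
    100024    1   udp    604  status
    100005    3   tcp    603  mountd
    100005    2   tcp    603  mountd
    100005    1   tcp    603  mountd
    100005    3   udp    602  mountd
    100005    2   udp    602  mountd
    100005    1   udp    602  mountd
    100003    3   udp   2049  nfs
    100003    2   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
"""

# Constructed listing for the same system after a reboot, using the 611-615
# assignments the document shows for "other systems"; not captured from a real host.
AFTER_REBOOT_RPCINFO = """\
   program vers proto   port  service
    100005    3   udp    611  mountd
    100005    3   tcp    612  mountd
    100024    1   udp    613  status
    100024    1   tcp    614  status
    100021    4   udp    615  nlockmgr
    100003    3   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
"""

# Services whose ports are chosen at boot and therefore never appear in /etc/services.
BOOT_ASSIGNED = {"mountd", "status", "nlockmgr", "rquotad"}

RPC_LINE = re.compile(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return sorted unique (service, proto, port) tuples; versions are collapsed."""
    entries = set()
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if not m:  # header line, prompt, or blank
            continue
        _program, _version, proto, port, service = m.groups()
        entries.add((service, proto, int(port)))
    return sorted(entries)


def firewall_allow_rules(entries, storage_ip):
    """Build one iptables-style ACCEPT rule per (proto, port) towards the storage system."""
    rules = []
    for service, proto, port in entries:
        note = "  # %s" % service
        if service in BOOT_ASSIGNED:
            note += " (assigned at boot; regenerate after every reboot)"
        rules.append("-A FORWARD -p %s -d %s --dport %d -j ACCEPT%s"
                     % (proto, storage_ip, port, note))
    return rules


def rule_drift(before, after):
    """Compare two parsed listings: (stale ports to close, new ports to open)."""
    before_ports = {(proto, port) for _s, proto, port in before}
    after_ports = {(proto, port) for _s, proto, port in after}
    return before_ports - after_ports, after_ports - before_ports


if __name__ == "__main__":
    current = parse_rpcinfo(SAMPLE_RPCINFO)
    for rule in firewall_allow_rules(current, "10.0.0.5"):
        print(rule)
    stale, missing = rule_drift(current, parse_rpcinfo(AFTER_REBOOT_RPCINFO))
    print("stale after reboot:", sorted(stale))
    print("newly required:", sorted(missing))
```

Only the port mapper (111) and nfsd (2049) survive the reboot unchanged; every rule for the 600-block ports becomes stale and five new ports need opening, which is the document's reason for recommending rpcinfo rather than /etc/services as the source of truth.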

DNS (domain)
The Domain Name Service (DNS) uses UDP port 53 and TCP port 53. Your storage system does not typically listen on these ports because it does not run a domain name server. However, if DNS is enabled on your storage system, it makes outgoing connections using UDP port 53 for host name and IP address lookups. Your storage system never uses TCP port 53 because this port is used explicitly for communication between DNS servers. Outgoing DNS queries by your storage system are disabled by turning off DNS support. Turning off DNS support protects against receiving bad information from another DNS server.

Because your storage system does not run a domain name server, the name service must be provided by one of the following:
- Network information service (NIS)
- An /etc/hosts file
- Replacement of host names in the configuration files (such as /etc/exports, /etc/usermap.cfg, and so on) with IP addresses

DNS must be enabled for participation in an Active Directory domain.

DHCP (dhcps)
Clients broadcast messages to the entire network on UDP port 67 and receive responses from the Dynamic Host Configuration Protocol (DHCP) server on UDP port 68. The same ports are used for the BOOTP protocol. DHCP is used only for the first-time setup of your storage system. Detection of DHCP activity on your storage system by a port scan, other than the activity during the first-time setup, indicates a serious configuration or software error.

TFTP (tftp)
Trivial File Transfer Protocol (TFTP) uses TCP port 69. It is used mostly for booting UNIX or UNIX-like systems that do not have a local disk (this process is also known as netbooting) and for storing and retrieving configuration files for devices such as Cisco routers and switches. Transfers are not secure on TFTP because it does not require authentication for clients to connect and transfer files. Your storage system's TFTP server is not enabled by default. When TFTP is enabled, the administrator must specify a directory to be used by TFTP clients, and these clients cannot access other directories. Even within the TFTP directory, access is read-only. TFTP should be enabled only if necessary. Disable TFTP using the following option:

options tftpd.enable off

HTTP (http)
Hypertext Transport Protocol (HTTP) runs on TCP port 80 and is the protocol used by web browsers to access web pages. Your storage system uses HTTP to access:
- Files when the HTTP protocol is enabled
- FilerView for Graphical User Interface (GUI) administration
- Secure FilerView when SecureAdmin is installed

The SecureAdmin SSL interface accepts connections on TCP port 443. SecureAdmin manages the details of the SSL network protocol, encrypts the connection, and then passes this traffic through to the normal HTTP FilerView interface through a loopback connection. This loopback connection does not use a physical network interface. HTTP communication takes place inside your storage system, and no clear text packets are transmitted.

The HTTP protocol is not vulnerable to security attacks because it provides read-only access to documents by unauthenticated clients. Although authentication is not typically used for file access, it is frequently used for access to restricted documents or for administration purposes, such as FilerView administration. The only authentication methods defined by the HTTP protocol send credentials, such as user names and passwords, over the network without encryption. The SecureAdmin product is provided with SSL support to overcome this shortcoming.

Note: In versions of Data ONTAP earlier than 7.0, your storage system listens for new connections (by default, on TCP port 80) even when the HTTP protocol is not licensed and FilerView is disabled. However, starting with Data ONTAP 7.0, you can stop your storage system from listening for new connections by setting the options httpd.enable and httpd.admin.enable to Off. If either of the options is set to On, your storage system will continue to listen for new connections.

Kerberos (kerberos, kerberos-sec)
There are four Kerberos ports in the /etc/services file: TCP port 88, UDP port 88, TCP port 750, and UDP port 750. These ports are used only for outbound connections from your storage system. Your storage system does not run Kerberos servers or services and does not listen on these ports. Kerberos is used by your storage system to communicate with the Microsoft Active Directory servers for both CIFS authentication and, if configured, NFS authentication.

NFS (portmap, nfsd)
The Network File System (NFS) is used by UNIX clients for file access. NFS uses port 2049. NFSv3 and NFSv2 use the portmapper service on TCP or UDP port 111. The portmapper service is consulted to get the port numbers for services used with the NFSv3 or NFSv2 protocols, such as mountd, statd, and nlm. NFSv4 does not require the portmapper service.

NFSv4 provides the delegation feature that enables your storage system to grant local file access to clients. To delegate, your storage system sets up a separate connection to the client and sends callbacks on it. To communicate with the client, your storage system uses one of the reserved ports (port numbers less than 1024). To initiate the connection, the client registers the callback program on a random port and informs the server about it. With delegations enabled, NFSv4 is not firewall friendly because several other ports need to be opened up as well.

You can disable the TCP and UDP ports by setting the nfs.tcp.enable and nfs.udp.enable options to Off. To disable NFS, use the nfs off command.

CIFS (netbios-name, netbios-dg, netbios-ssn, cifs-tcp)
The Common Internet File Service (CIFS) is the successor to the server message block (SMB) protocol. CIFS is the primary protocol used by Windows systems for file sharing. CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445. Your storage system sends and receives data on these ports while providing CIFS service. If it is a member of an Active Directory domain, your storage system also must make outbound connections destined for DNS and Kerberos. CIFS is required for Windows file service. You can disable CIFS using FilerView or by issuing the cifs terminate command on your storage system console.

Note: If you disable CIFS, be aware that your storage system's /etc/rc file can be set up to automatically enable CIFS again after a reboot.

SSL (ssl)
The Secure Sockets Layer (SSL) protocol provides encryption and authentication of TCP connections. When SecureAdmin is installed and configured on your storage system, it listens for SSL connections on TCP port 443. It receives secure web browser connections on this port and uses unencrypted HTTP through a loopback connection to pass the traffic to FilerView, running on TCP port 80. This loopback connection is contained within your storage system and no unencrypted data is transmitted over the network. TCP port 443 can be disabled using FilerView or with the following command:

secureadmin disable ssl

SNMP (snmp)
Simple Network Management Protocol (SNMP) is an industry-standard protocol used for remote monitoring and management of network devices over UDP port 161. SNMP is not secure because:
- Instead of using encryption keys or a user name and password pair, SNMP uses a community string for authentication. The community string is transmitted in clear text over the network, making it easy to capture with a packet sniffer. Within the industry, devices are typically configured at the factory to use public as the default community string. The public password allows users to make queries and read values but does not allow users to invoke commands or change values. Some devices are configured at the factory to use private as the default community string, allowing users full read-write access.
- Even if you change the read and write community string on a device to something other than private, an attacker can easily learn the new string by using the read-only public community string and asking the router for the read-write string.

There are three versions of SNMP:
- SNMPv1 is the original protocol and is not commonly used.
- SNMPv2 is identical to SNMPv1 from a network protocol stand
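The appendix repeatedly makes the same two points: a port scan of a storage system should show only the documented inventory, and several of the documented services (FTP, Telnet, HTTP administration, RSH, SNMP) carry credentials or community strings in clear text and should be disabled where not needed. The following Python script is an added example (not part of this document and not a NetApp tool) that turns those statements into a check: it takes a list of observed listening ports, classifies each against a table transcribed from the appendix, and reports clear-text services with the disable command the document gives, ports the document says must never appear after setup (ttcp, DHCP), boot-assigned NFS helper ports, and anything undocumented. The scan input is constructed; the 600-699 range used for NFS helper ports is an assumption derived from the two example blocks in the document.

```python
# (proto, port) -> (service, credentials cross the wire in clear text?, disable command per the appendix)
EXPECTED_PORTS = {
    ("tcp", 20):   ("ftp-data",     True,  "options ftpd.enable off"),
    ("tcp", 21):   ("ftp",          True,  "options ftpd.enable off"),
    ("tcp", 22):   ("ssh",          False, "secureadmin disable ssh"),
    ("tcp", 23):   ("telnet",       True,  "options telnet.enable off"),
    ("tcp", 69):   ("tftp",         False, "options tftpd.enable off"),  # unauthenticated, read-only
    ("tcp", 80):   ("http",         True,  "options httpd.enable off; options httpd.admin.enable off"),
    ("tcp", 111):  ("portmap",      False, "nfs off"),
    ("udp", 111):  ("portmap",      False, "nfs off"),
    ("udp", 123):  ("ntp",          False, "options timed.enable off"),
    ("udp", 137):  ("netbios-name", False, "cifs terminate"),
    ("udp", 138):  ("netbios-dg",   False, "cifs terminate"),
    ("tcp", 139):  ("netbios-ssn",  False, "cifs terminate"),
    ("udp", 161):  ("snmp",         True,  None),   # community string in clear text
    ("tcp", 443):  ("ssl",          False, "secureadmin disable ssl"),
    ("tcp", 445):  ("cifs-tcp",     False, "cifs terminate"),
    ("tcp", 514):  ("shell/rsh",    True,  None),
    ("udp", 520):  ("route",        False, None),
    ("tcp", 2049): ("nfsd",         False, "nfs off"),
    ("udp", 2049): ("nfsd",         False, "nfs off"),
    ("tcp", 3260): ("iscsi-target", False, None),
}

# Ports the appendix says should never be seen once first-time setup is finished.
NEVER_EXPECTED = {
    ("udp", 5001): "ttcp is unused by the storage system and should never be detected",
    ("udp", 67):   "DHCP/BOOTP activity after first-time setup indicates a serious configuration or software error",
    ("udp", 68):   "DHCP/BOOTP activity after first-time setup indicates a serious configuration or software error",
}

# Assumed range for mountd/statd/lockd/quotad, which get boot-time ports (602-608, 611-615 in the document).
NFS_HELPER_PORTS = range(600, 700)


def classify(proto, port):
    """Return (severity, message) for one observed listening port."""
    key = (proto, port)
    if key in NEVER_EXPECTED:
        return "error", NEVER_EXPECTED[key]
    if key in EXPECTED_PORTS:
        service, cleartext, disable = EXPECTED_PORTS[key]
        if not cleartext:
            return "info", "%s: documented service" % service
        msg = "%s: credentials or community string cross the network in clear text" % service
        if disable:
            msg += "; disable with '%s' if not required" % disable
        return "warning", msg
    if port in NFS_HELPER_PORTS:
        return "info", "NFS helper port assigned at boot; confirm with rpcinfo -p"
    return "unexpected", "not in the documented port inventory; investigate"


def audit(open_ports):
    """Map every (proto, port) in the scan to its (severity, message)."""
    return {(proto, port): classify(proto, port) for proto, port in open_ports}


def summarize(findings):
    """Count findings per severity so a run can be gated (e.g. fail on 'error')."""
    counts = {"error": 0, "warning": 0, "unexpected": 0, "info": 0}
    for severity, _msg in findings.values():
        counts[severity] += 1
    return counts


# Constructed scan result, as a list of (proto, port) pairs; not from a real system.
SAMPLE_SCAN = [
    ("tcp", 21), ("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 161),
    ("udp", 2049), ("tcp", 603), ("udp", 5001), ("udp", 67), ("tcp", 9999),
]

if __name__ == "__main__":
    results = audit(SAMPLE_SCAN)
    for (proto, port), (severity, msg) in sorted(results.items()):
        print("%-10s %s/%-5d %s" % (severity.upper(), proto, port, msg))
    print(summarize(results))
```

Running the script on the constructed scan flags FTP, Telnet and SNMP as clear-text services with their disable commands, reports ttcp and DHCP as errors, accepts 603 as a boot-assigned NFS helper port, and marks 9999 as undocumented; the summary counts make it easy to fail a scheduled check when any "error" or "unexpected" entry appears.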
