Published 2024-03-09 (author: mysql常问面试题)
Network requirements

Between all storage systems that perform SnapMirror data replication, the following ports must be open:

Protocol      UDP port    TCP port
SnapMirror    -           10565, 10566

NetApp FAS storage systems can synchronize their clocks over the network. If there is a firewall between the storage system and the NTP server, open the following ports:

Protocol      UDP port    TCP port
NTP/SNTP      123         123
TIME/RDATE    37          37

Every managed storage system must be reachable from the DFM (DataFabric Manager) server over the IP network. If there is a firewall between the storage system and the DFM server, open the following ports:

Protocol      UDP port    TCP port
HTTP/HTTPS    -           80, 443
RSH           -           514
SSH           -           22
TELNET        -           23
SNMP          161         -
SNMP TRAP     162         -

If Windows hosts must be managed as well (for example, clients with the OSSV backup software installed), those Windows hosts must be reachable from the DFM server over the IP network. If there is a firewall between the Windows hosts and the DFM server, open the following ports:

Protocol      UDP port    TCP port
HTTP/HTTPS    -           4092, 4093
NDMP          -           10000
SNMP          161         -
SNMP TRAP     162         -

Enabling the AutoSupport function of DFM requires connectivity between the DFM server and the mail server, and the mail server must accept mail from DFM through an account that needs no password authentication. If there is a firewall between the mail server and the DFM server, open the following port:

Protocol      UDP port    TCP port
SMTP          -           25
Appendix: IP ports used by Data ONTAP 7.2
IP port usage on a storage system
About this appendix
This appendix describes the Data ONTAP services file that is available in the /etc directory. The /etc/services file is in the same format as the corresponding /etc/services file on UNIX systems. Although this file is not used by Data ONTAP itself, it is provided in this appendix as information useful to system administrators.
Host identification
Although some port scanners are able to identify storage systems as storage systems, other port scanners report storage systems as unknown types, as UNIX systems because of their NFS support, or as Windows systems because of their CIFS support. Several services that the storage system runs are not currently listed in the /etc/services file.
Below is an example of the complete contents of the file.

Port/Protocol   Service        Description
20/tcp          ftp-data       # File transfer protocol
21/tcp          ftp            # File transfer protocol
22/tcp          ssh            # SecureAdmin rsh replacement
23/tcp          telnet         # Remote login (insecure)
25/tcp          smtp           # outbound connections for autosupport
37/tcp          time           # Time Service
37/udp          time           # Time Service
53/udp          domain         # DNS - outbound only
53/tcp          domain         # DNS zone transfers - unused
67/udp          dhcps          # DHCP server - outbound only
68/udp          dhcp           # DHCP client - only first-time setup
69/udp          tftp           # Trivial FTP - for netboot support
80/tcp          http           # license, FilerView, SecureAdmin
88/udp          kerberos       # Kerberos 5 - outbound only
88/tcp          kerberos       # Kerberos 5 - outbound only
111/udp         portmap        # aka rpcbind, used for NFS
111/tcp         portmap        # aka rpcbind, used for NFS
119/tcp         nntp           # unused, shouldn't be listed here.
123/tcp         ntp            # Network Time Protocol
123/udp         ntp            # Network Time Protocol
137/udp         netbios-name   # NetBIOS nameserver - for CIFS
138/udp         netbios-dg     # NetBIOS datagram service - for CIFS
139/tcp         netbios-ssn    # NetBIOS session service - for CIFS
443/tcp         ssl            # Secure FilerView (SecureAdmin)
445/tcp         cifs-tcp       # CIFS directly over TCP, without NetBIOS framing
161/udp         snmp           # For Data Fabric Manager or other such tools
514/tcp         shell          # rsh, insecure remote command execution.
514/udp         syslog         # outbound only
520/udp         route          # for RIP routing protocol
750/udp         kerberos-sec   # outbound only, if at all
750/tcp         kerberos-sec   # outbound only, if at all
2049/udp        nfsd           # primary NFS service
2049/tcp        nfsd           # primary NFS service
5001/udp        ttcp           # unused, shouldn't be listed here.
5001/tcp        ttcp           # unused, shouldn't be listed here.
10000/tcp       ndmp           # for network backups
10566/tcp       snapmirror     # also SnapVault
32243/tcp       ndmp-local     # Internal connection inside your storage system
/etc/services NNTP and TTCP ports
The nntp and ttcp ports are unused by your storage system and should never
be detected by a port scanner.
Ports found in a block starting around 600
The following ports are found on the storage system with NFS enabled:
UDP 602 NFS mount daemon (mountd)
TCP 603 NFS mount daemon (mountd)
UDP 604 NFS status daemon (statd, statmon)
TCP 605 NFS status daemon (statd, statmon)
UDP 606 NFS lock manager (lockd, nlockmgr)
TCP 607 NFS lock manager (lockd, nlockmgr)
UDP 608 NFS quota daemon (quotad, rquotad)
On other systems, the ports appear as follows:
UDP 611 NFS mount daemon (mountd)
TCP 612 NFS mount daemon (mountd)
UDP 613 NFS status daemon (statd, statmon)
TCP 614 NFS status daemon (statd, statmon)
UDP 615 NFS lock manager (lockd, nlockmgr)
TCP 616 NFS lock manager (lockd, nlockmgr)
UDP 617 NFS quota daemon (quotad, rquotad)
From a UNIX system, query the port mapper on port 111 of the storage system to obtain the port numbers currently in use; the output looks like this:
program vers proto port service
100011 1 udp 608 rquotad
100021 4 tcp 607 nlockmgr
100021 3 tcp 607 nlockmgr
100021 1 tcp 607 nlockmgr
100021 4 udp 606 nlockmgr
100021 3 udp 606 nlockmgr
100021 1 udp 606 nlockmgr
100024 1 tcp 605 status
100024 1 udp 604 status
100005 3 tcp 603 mountd
100005 2 tcp 603 mountd
100005 1 tcp 603 mountd
100005 3 udp 602 mountd
100005 2 udp 602 mountd
100005 1 udp 602 mountd
100003 3 udp 2049 nfs
100003 2 udp 2049 nfs
100000 2 tcp 111 rpcbind
100000 2 udp 111 rpcbind
Note
The port numbers listed for mountd, statd, lockd, and quotad are not committed port numbers. Storage systems can have these services running on other port numbers. Because the system selects these port numbers at random when it boots, they are not listed in the /etc/services file.
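As an added example (not NetApp's code and not the command the guide refers to), here is the portmapper query itself, done by hand: it builds the ONC RPC PMAPPROC_DUMP call from RFC 5531, decodes the reply's XDR-encoded mapping list, and reduces it to the (protocol, port) pairs a firewall between NFS clients and the storage system must pass. The reply bytes used below are constructed with the encoder in the same block from the rpcinfo output above, so the block runs offline; query_portmapper sends the same request to a real host and is the only part that needs the network.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO_NAMES = {6: "tcp", 17: "udp"}
# Program numbers as shown in the rpcinfo output above.
RPC_NAMES = {100000: "rpcbind", 100003: "nfs", 100005: "mountd",
             100011: "rquotad", 100021: "nlockmgr", 100024: "status"}


def build_dump_call(xid):
    """ONC RPC v2 CALL for PMAPPROC_DUMP with AUTH_NONE credential and verifier."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def build_dump_reply(xid, mappings):
    """Encode a successful PMAPPROC_DUMP reply; used here only to construct sample data."""
    out = struct.pack(">5I", xid, 1, 0, 0, 0)      # REPLY, MSG_ACCEPTED, AUTH_NONE verifier
    out += struct.pack(">I", 0)                   # accept_stat = SUCCESS
    for prog, vers, proto, port in mappings:
        out += struct.pack(">5I", 1, prog, vers, proto, port)   # "more" flag, then mapping
    return out + struct.pack(">I", 0)             # end of list


def parse_dump_reply(data, xid):
    """Decode the pmaplist of a PMAPPROC_DUMP reply into (name, vers, proto, port)."""
    r_xid, msg_type, reply_stat, _flavor, verf_len = struct.unpack_from(">5I", data, 0)
    if r_xid != xid or msg_type != 1:
        raise ValueError("not a reply to our call")
    if reply_stat != 0:
        raise ValueError("RPC call denied")
    off = 20 + ((verf_len + 3) & ~3)              # skip the verifier body (XDR-padded)
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != 0:
        raise ValueError(f"call not accepted: accept_stat={accept_stat}")
    mappings = []
    while True:
        (more,) = struct.unpack_from(">I", data, off)
        off += 4
        if not more:
            return mappings
        prog, vers, proto, port = struct.unpack_from(">4I", data, off)
        off += 16
        mappings.append((RPC_NAMES.get(prog, str(prog)), vers,
                         IPPROTO_NAMES.get(proto, str(proto)), port))


def nfs_firewall_ports(mappings):
    """The (proto, port) pairs a firewall must pass for NFSv2/v3, taken from a live dump."""
    wanted = {"rpcbind", "nfs", "mountd", "rquotad", "nlockmgr", "status"}
    return sorted({(proto, port) for name, _v, proto, port in mappings if name in wanted})


def query_portmapper(host, timeout=2.0, xid=0x4E455441):
    """Send the DUMP call over UDP to port 111 and decode the reply (needs the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


# Constructed reply mirroring the rpcinfo output on this page (proto 6 = tcp, 17 = udp).
SAMPLE_MAPPINGS = [
    (100011, 1, 17, 608), (100021, 4, 6, 607), (100021, 4, 17, 606),
    (100024, 1, 6, 605), (100024, 1, 17, 604), (100005, 3, 6, 603),
    (100005, 3, 17, 602), (100003, 3, 17, 2049), (100000, 2, 6, 111),
    (100000, 2, 17, 111),
]
SAMPLE_REPLY = build_dump_reply(0x4E455441, SAMPLE_MAPPINGS)

if __name__ == "__main__":
    for proto, port in nfs_firewall_ports(parse_dump_reply(SAMPLE_REPLY, 0x4E455441)):
        print(f"allow {proto}/{port}")
```

Because the helper ports change on every boot, a firewall rule set derived this way must be regenerated after each reboot of the storage system, or the NFS helper range must be opened wholesale between trusted client subnets and the filer.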
Other ports not listed in /etc/services
The following ports appear in a port scan but are not listed in the /etc/services file.

Protocol   Port    Service
TCP        22      SSH (SecureAdmin)
TCP        443     SSL (SecureAdmin)
TCP        3260    iSCSI-Target
UDP        ****    Legato ClientPack for your storage system runs on random UDP ports and is now deprecated. It is recommended that NDMP be used to back up your storage system using Legato NetWorker.

Note
Disable open ports that you do not need.
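The following is an added example (not from the Data ONTAP guide or NetApp) of how to act on that note: it takes nmap grepable (-oG) output, a constructed sample here rather than a real scan, compares each host's open ports with the listening ports documented in this appendix, and separates rogue listeners from the randomly assigned RPC helper ports and from the cleartext services the guide tells you to disable. The baseline dictionary and the 600-1023 heuristic for the RPC block are this example's own assumptions.

```python
import re

# Listening ports the appendix documents for a Data ONTAP 7.2 system
# (entries the services file marks outbound-only or unused are left out).
EXPECTED = {
    ("tcp", 20): "ftp-data", ("tcp", 21): "ftp", ("tcp", 22): "ssh",
    ("tcp", 23): "telnet", ("udp", 37): "time", ("udp", 69): "tftp",
    ("tcp", 80): "http", ("udp", 111): "portmap", ("tcp", 111): "portmap",
    ("udp", 123): "ntp", ("udp", 137): "netbios-name",
    ("udp", 138): "netbios-dg", ("tcp", 139): "netbios-ssn",
    ("udp", 161): "snmp", ("tcp", 443): "ssl", ("tcp", 445): "cifs-tcp",
    ("tcp", 514): "shell", ("udp", 520): "route", ("udp", 2049): "nfsd",
    ("tcp", 2049): "nfsd", ("tcp", 3260): "iscsi", ("tcp", 10000): "ndmp",
    ("tcp", 10566): "snapmirror",
}
# Cleartext or unauthenticated services the guide says to disable unless needed.
LEGACY = {"ftp-data", "ftp", "telnet", "tftp", "shell", "route"}

# Constructed sample of nmap -oG (grepable) output; not a real scan.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 111/open/tcp//rpcbind///, 443/open/tcp//https///, "
    "603/open/tcp//mountd///, 2049/open/tcp//nfs///, 8080/open/tcp//http-proxy///, "
    "161/open/udp//snmp///\tIgnored State: closed (991)\n"
)

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text):
    """Return {host: {(proto, port), ...}} for every Host: line with open ports."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if m:
            hosts[m.group(1)] = {(proto, int(port))
                                 for port, proto in PORT_RE.findall(m.group(2))}
    return hosts


def classify(open_ports, expected=EXPECTED, legacy=LEGACY):
    """Split a host's open ports into the three buckets an administrator acts on."""
    unexpected, rpc_dynamic, legacy_open = [], [], []
    for proto, port in sorted(open_ports):
        name = expected.get((proto, port))
        if name is None:
            # The NFS helper daemons (mountd, statd, lockd, rquotad) land on
            # random ports around 600; confirm them with a portmapper query
            # rather than treating them as rogue listeners (heuristic, see lead-in).
            (rpc_dynamic if 600 <= port < 1024 else unexpected).append((proto, port))
        elif name in legacy:
            legacy_open.append((proto, port, name))
    return {"unexpected": unexpected, "rpc_dynamic": rpc_dynamic, "legacy": legacy_open}


def report(text):
    """Human-readable findings for every host in the scan output."""
    lines = []
    for host, ports in parse_grepable(text).items():
        c = classify(ports)
        for proto, port in c["unexpected"]:
            lines.append(f"{host}: {proto}/{port} open but not in the Data ONTAP baseline")
        for proto, port in c["rpc_dynamic"]:
            lines.append(f"{host}: {proto}/{port} is in the RPC block; verify with rpcinfo -p {host}")
        for proto, port, name in c["legacy"]:
            lines.append(f"{host}: {name} ({proto}/{port}) is a cleartext service; disable it if unused")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

Run it against a real scan with `nmap -sS -sU -oG - <filer>` piped into parse_grepable; the baseline should be trimmed to the protocols actually licensed on the system before the "unexpected" bucket is trusted.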
FTP
• ftp-data
• ftp
The File Transfer Protocol (FTP) uses TCP ports 20 and 21. For a detailed description of the FTP support for your storage system, see the Data ONTAP File Access and Protocols Management Guide. If you use FTP to transfer files to and from your storage system, the FTP port is required; otherwise, use FilerView or the following CLI command to disable the FTP port:
options off
FTP is not a secure protocol for two reasons:
• When users log in to the system, user names and passwords are transmitted over the network in clear text, which can easily be read by a packet sniffer program. These user names and passwords can then be used to access data and other network resources. You should establish and enforce policies that prevent the use of the same passwords to access storage systems and other network resources.
• FTP server software used on platforms other than storage systems has contained serious security-related flaws that allow unauthorized users to gain administrative (root) access and control over the host.
SSH
• ssh
The Secure Shell (SSH) protocol is a secure replacement for RSH and runs on TCP port 22. This port appears in a port scan only if the SecureAdmin software is installed on your storage system.
There are three commonly deployed versions of the SSH protocol:
• SSH version 1 is much more secure than RSH or Telnet, but is vulnerable to TCP session attacks. This vulnerability lies in the SSH protocol version 1 itself and not in the associated storage system products.
• SSH version 2 has a number of feature improvements over SSH version 1 and is less vulnerable to attacks.
• SSH version 1.5 is used to identify clients or servers that support both SSH versions 1 and 2.
To disable SSH support or to close TCP port 22, use the following CLI command:
secureadmin disable ssh
Telnet
• telnet
Telnet is used for administrative control of your storage system and uses TCP connections on port 23. Telnet is more secure than RSH, as secure as FTP, and less secure than SSH or Secure Sockets Layer (SSL).
Telnet is not secure because:
• When users log in to a system, such as your storage system, user names and passwords are transmitted over the network in clear text. Clear text can be read by an attacker using a packet sniffer program. The attacker can use these user names and passwords to log in to your storage system and execute unauthorized administrative functions, including destruction of data on the system. If administrators use the same passwords on your storage system as they do on other network devices, the attacker can use these passwords to access those resources as well.
Note
To reduce the potential for attack, establish and enforce policies preventing administrators from using the same passwords on your storage system that they use for access to other network resources.
• Telnet server software used on other platforms (typically in UNIX environments) has had serious security-related flaws that allow unauthorized users to gain administrative (root) control over the host.
Telnet is also vulnerable to the same type of TCP session attacks as SSH protocol version 1, but because a packet sniffing attack is easier, TCP session attacks are less common.
To disable Telnet, set the option to off.
SMTP
• smtp
The Simple Mail Transfer Protocol (SMTP) uses TCP port 25. Your storage system does not listen on this port but makes outgoing connections to mail servers using this protocol when sending AutoSupport messages.
Time service
• time
• ntp
Your storage system supports two different time service protocols:
• The TIME protocol (also known as rdate) is specified in RFC 868. The standard allows time service on TCP or UDP port 37; your storage system uses only UDP port 37.
• The Simple Network Time Protocol (SNTP) is specified in RFC 2030 and is provided only on UDP port 123.
When the option is set to On and a remote protocol (rdate or ntp) is specified, the storage system synchronizes to a network time server. If the option is set to Off, your storage system is unable to synchronize with the network time server using NTP. The rdate time protocol can still be used by manually issuing the rdate command from your storage system console.
You should set the option to On in a cluster configuration.
DNS
• domain
The Domain Name Service (DNS) uses UDP port 53 and TCP port 53. Your storage system does not typically listen on these ports because it does not run a domain name server. However, if DNS is enabled on your storage system, it makes outgoing connections using UDP port 53 for host name and IP address lookups. Your storage system never uses TCP port 53 because this port is used explicitly for communication between DNS servers. Outgoing DNS queries by your storage system are disabled by turning off DNS support. Turning off DNS support protects against receiving bad information from another DNS server.
Because your storage system does not run a domain name server, the name service must be provided by one of the following:
• Network Information Service (NIS)
• An /etc/hosts file
• Replacement of host names in the configuration files (such as /etc/exports, /etc/, and so on) with IP addresses
DNS must be enabled for participation in an Active Directory domain.
DHCP
• dhcps
• dhcp
Clients broadcast messages to the entire network on UDP port 67 and receive responses from the Dynamic Host Configuration Protocol (DHCP) server on UDP port 68. The same ports are used for the BOOTP protocol.
DHCP is used only for the first-time setup of your storage system. Detection of DHCP activity on your storage system by a port scan, other than the activity during first-time setup, indicates a serious configuration or software error.
TFTP
• tftp
The Trivial File Transfer Protocol (TFTP) uses UDP port 69 (not TCP; see the 69/udp entry in the services file above). It is used mostly for booting UNIX or UNIX-like systems that do not have a local disk (netbooting) and for storing and retrieving configuration files for devices such as Cisco routers and switches.
TFTP transfers are not secure because TFTP does not require clients to authenticate before they connect and transfer files.
Your storage system's TFTP server is not enabled by default. When TFTP is enabled, the administrator must specify a directory to be used by TFTP clients, and these clients cannot access other directories. Even within the TFTP directory, access is read-only. TFTP should be enabled only if necessary. Disable TFTP using the following option:
options off
HTTP
• http
The Hypertext Transfer Protocol (HTTP) runs on TCP port 80 and is the protocol used by web browsers to access web pages. Your storage system uses HTTP to access:
• Files, when the HTTP protocol is enabled
• FilerView, for Graphical User Interface (GUI) administration
• Secure FilerView, when SecureAdmin is installed
The SecureAdmin SSL interface accepts connections on TCP port 443. SecureAdmin manages the details of the SSL network protocol, encrypts the connection, and then passes this traffic through to the normal FilerView interface over a loopback connection. This loopback connection does not use a physical network interface; communication takes place inside your storage system, and no clear text packets are transmitted.
The HTTP protocol itself is considered low risk here because it provides read-only access to documents by unauthenticated clients. Although authentication is not typically used for file access, it is frequently used for access to restricted documents or for administration purposes, such as FilerView administration. The basic authentication method defined by the HTTP protocol sends credentials, such as user names and passwords, over the network without encryption. The SecureAdmin product is provided with SSL support to overcome this shortcoming.
Note
In versions of Data ONTAP earlier than 7.0, your storage system listens for new HTTP connections (by default, on TCP port 80) even when the HTTP protocol is not licensed and FilerView is disabled. Starting with Data ONTAP 7.0, you can stop your storage system from listening for new HTTP connections by setting both related options to Off. If either of the options is set to On, your storage system continues to listen for new HTTP connections.
Kerberos
• kerberos
• kerberos-sec
There are four Kerberos ports in the /etc/services file: TCP port 88, UDP port 88, TCP port 750, and UDP port 750. These ports are used only for outbound connections from your storage system. Your storage system does not run Kerberos servers or services and does not listen on these ports.
Kerberos is used by your storage system to communicate with Microsoft Active Directory servers for CIFS authentication and, if configured, NFS authentication.
NFS
• portmap
• nfsd
The Network File System (NFS) is used by UNIX clients for file access. NFS uses port 2049 (TCP and UDP).
NFSv3 and NFSv2 use the portmapper service on TCP or UDP port 111. The portmapper service is consulted to get the port numbers of the services used with the NFSv3 or NFSv2 protocols, such as mountd, statd, and nlm (the lock manager). NFSv4 does not require the portmapper service.
NFSv4 provides the delegation feature, which enables your storage system to grant local file access to clients. To delegate, your storage system sets up a separate connection to the client and sends callbacks on it. To communicate with the client, your storage system uses one of the reserved ports (port numbers less than 1024). To initiate the connection, the client registers the callback program on a random port and informs the server about it.
With delegations enabled, NFSv4 is not firewall friendly because several other ports need to be opened up as well.
You can disable the NFS TCP and UDP ports by setting the corresponding options to Off. To disable NFS, use the nfs off command.
CIFS
• netbios-name
• netbios-dg
• netbios-ssn
• cifs-tcp
The Common Internet File System (CIFS) is the successor to the Server Message Block (SMB) protocol. CIFS is the primary protocol used by Windows systems for file sharing.
CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445. Your storage system sends and receives data on these ports while providing CIFS service. If it is a member of an Active Directory domain, your storage system must also make outbound connections to DNS and Kerberos servers.
CIFS is required for Windows file service. You can disable CIFS using FilerView or by issuing the cifs terminate command on your storage system console.
Note
If you disable CIFS, be aware that your storage system's /etc/rc file can be set up to automatically enable CIFS again after a reboot.
SSL
• ssl
The Secure Sockets Layer (SSL) protocol provides encryption and authentication of TCP connections.
When SecureAdmin is installed and configured on your storage system, it listens for SSL connections on TCP port 443. It receives secure web browser connections on this port and uses unencrypted HTTP over a loopback connection to pass the traffic to FilerView, running on TCP port 80. This loopback connection is contained within your storage system and no unencrypted data is transmitted over the network.
TCP port 443 can be disabled using FilerView or with the following command:
secureadmin disable ssl
SNMP
• snmp
The Simple Network Management Protocol (SNMP) is an industry-standard protocol used for remote monitoring and management of network devices over UDP port 161.
SNMP is not secure because:
• Instead of using encryption keys or a user name and password pair, SNMP uses a community string for authentication. The community string is transmitted in clear text over the network, making it easy to capture with a packet sniffer. Within the industry, devices are typically configured at the factory to use public as the default community string. The public community string allows users to make queries and read values but does not allow users to invoke commands or change values. Some devices are configured at the factory to use private as the default community string, allowing users full read-write access.
• Even if you change the read-write community string on a device to something other than private, an attacker can easily learn the new string by using the read-only public community string and asking the device for the read-write string.
There are three versions of SNMP:
• SNMPv1 is the original protocol and is not commonly used.
• SNMPv2 is identical to SNMPv1 from a network protocol standpoint and is vulnerable to the same security problems. The only differences between the two versions are in the messages sent, the messages received, and the type of information that is available. These differences are not important from a security point of view. This version of SNMP is currently used on your storage systems.
• SNMPv3 is the latest protocol version and includes security improvements, but is difficult to implement and many vendors do not yet support it. SNMPv3 supports several different types of network encryption and authentication schemes. It allows for multiple users, each with different permissions, and solves the SNMPv1 security problems while maintaining an important level of compatibility with SNMPv2.
SNMP is required if you want to monitor a storage system through an SNMP monitoring tool, such as DataFabric Manager. Your storage system's SNMP implementation allows read-only access. Regardless of the community string used, the user cannot issue commands or change variables using SNMP on your storage system.
You should use the option to restrict SNMP access to a named set of trusted hosts.
Set the option to Off to disable SNMP entirely.
The snmp community delete and snmp community add commands are used to change the community string to something other than the default value.
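An added example (not part of the guide) of what "easy to capture with a packet sniffer" means in practice: a minimal BER decoder that pulls the version, community string and PDU type out of the raw UDP payload of an SNMPv1 or SNMPv2c message, plus two detection rules a network sensor would apply (factory-default community string in use, and a SetRequest over a community-based version). The two datagrams are constructed for this example, not captured from a storage system.

```python
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
DEFAULT_COMMUNITIES = {"public", "private"}


def ber_tlv(buf, off):
    """Read one BER tag and length at off; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, off, off + length


def parse_snmp_message(datagram):
    """Return (version, community, pdu_type) from the outer SNMP message.

    An SNMPv3 message carries msgGlobalData where v1/v2c carry the community,
    so for v3 the community and PDU type are reported as None."""
    tag, start, _end = ber_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, vs, ve = ber_tlv(datagram, start)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = SNMP_VERSIONS.get(int.from_bytes(datagram[vs:ve], "big"), "unknown")
    if version == "v3":
        return version, None, None
    tag, cs, ce = ber_tlv(datagram, ve)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    community = datagram[cs:ce].decode("latin-1")
    pdu_tag, _, _ = ber_tlv(datagram, ce)
    return version, community, PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}")


def findings(datagram):
    """Detection rules: cleartext community strings and write attempts over v1/v2c."""
    version, community, pdu = parse_snmp_message(datagram)
    out = []
    if community is not None:
        out.append(f"{version} community {community!r} sent in clear text")
        if community in DEFAULT_COMMUNITIES:
            out.append("factory-default community string in use")
        if pdu == "SetRequest":
            out.append("write attempt without encryption or per-user authentication")
    return out


# Constructed UDP payloads (what a sniffer sees on udp/161); not real captures.
SAMPLE_GET_V2C = bytes.fromhex(
    "3026"                                # SEQUENCE, 38 bytes
    "020101"                              # INTEGER version = 1 (SNMPv2c)
    "04067075626c6963"                    # OCTET STRING "public"
    "a019"                                # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"            # request-id 1, error-status 0, error-index 0
    "300e300c06082b060102010101000500"    # VarBindList: sysDescr.0 = NULL
)
SAMPLE_SET_V1 = bytes.fromhex(
    "3028"                                # SEQUENCE, 40 bytes
    "020100"                              # INTEGER version = 0 (SNMPv1)
    "040770726976617465"                  # OCTET STRING "private"
    "a31a"                                # SetRequest-PDU, 26 bytes
    "020102" "020100" "020100"            # request-id 2, error-status 0, error-index 0
    "300f300d06082b06010201010400040178"  # VarBindList: sysContact.0 = "x"
)

if __name__ == "__main__":
    for pkt in (SAMPLE_GET_V2C, SAMPLE_SET_V1):
        print(parse_snmp_message(pkt), findings(pkt))
```

Feed the function with the UDP payload from a capture (for example the bytes after the UDP header of packets to or from port 161) to confirm which community strings are in use on the management network; on a Data ONTAP system a SetRequest is refused regardless, but the captured string still unlocks every other device that shares it.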
RSH
• shell
The Remote Shell protocol (RSH) is used for remote command execution and, apart from SSH with SecureAdmin installed, is the only such protocol supported on your storage system. It is even less secure than TFTP and uses TCP port 514.
RSH is not secure because passwords are not required for login and commands are easy to misconfigure. If possible, RSH should be disabled by setting the option to off.
You should use the SSH supplied with SecureAdmin for remote command execution and login. If this is not possible, Telnet is preferred to RSH.
If RSH is the only alternative, follow these guidelines when using RSH:
• Specify only secure, trusted hosts in the /etc/ file.
• Always use IP addresses rather than host names in the /etc/ file.
• Always specify a single IP address with a single user name on each line of the /etc/ file.
• Use the option instead of the option for access control.
• Make sure the _any_ifaddr option is set to off.
Syslog
• syslog
Your storage system sends messages to hosts specified by the user in the /etc/ file using the syslog protocol on UDP port 514. It does not listen on this port, nor does it act as a syslog server.
Routed
• routed
The route daemon, routed, listens on UDP port 520. It receives broadcast messages from routers or other hosts using the Routing Information Protocol (RIP). Your storage system uses these messages to update its internal routing tables and determine which network interface is optimal for each destination.
Your storage system never broadcasts RIP messages containing routes because Data ONTAP is not capable of acting as a router.
RIP is not secure because an attacker can easily send forged RIP messages and cause hosts running the routed daemon (such as your storage system) to redirect network traffic to the attacker. The attacker can then receive and sift this traffic for passwords and other information and forward it on to the actual destination, so the intrusion goes undetected. This method can also be used as a starting point for TCP session attacks.
Because of these security issues, use static routes (set up with the route command on your storage system) instead of the routed daemon.
NDMP
• ndmp
• ndmp-local
The Network Data Management Protocol (NDMP) runs on TCP port 10000 and is used primarily for backup of network-attached storage (NAS) devices, such as your storage systems.
The protocol defines three authentication methods:
• NONE allows authentication without restriction
• TEXT sends a clear text password over the network, similar to Telnet or FTP
• MD5 uses the MD5 message digest algorithm along with a challenge-response message exchange to implement a secure login mechanism
Your storage systems support both the TEXT and MD5 authentication methods. Most NDMP-enabled backup software uses MD5 by default.
To disable the TEXT authentication method entirely, set the option to challenge.
To restrict NDMP commands to certain authorized backup hosts, use the option.
Regardless of the authentication method used, NDMP sends backup data in unencrypted form over the network, as does most other backup software. A separate network dedicated to backup is a common means to increase performance while retaining data security.
To disable NDMP, set the option to off.
SnapMirror and SnapVault
• snapmirror
SnapMirror and SnapVault use TCP port 10566 for data transfer. Network connections are always initiated by the destination system; that is, SnapMirror and SnapVault pull data rather than push data.
Authentication is minimal with both SnapMirror and SnapVault. To restrict inbound TCP connections on port 10566 to a list of authorized hosts or IP addresses, configure the corresponding access option for SnapMirror or SnapVault.
Once a connection is established, the destination storage system communicates its host name to the source storage system, which then uses this host name to determine whether a transfer is allowed. Because the host name is supplied by the peer, you should confirm that it matches the peer's IP address. To confirm that the host name and the IP address match, set the option to On.
To disable SnapMirror, set the option to Off. To disable SnapVault, set the option to Off.
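To make the point about host-name checking concrete, here is an added example (this editor's illustration, not Data ONTAP's implementation) of the decision the source system makes: the destination's self-reported host name is looked up in an access list and, when IP checking is on, resolved and compared with the address the TCP connection actually came from. The host names, addresses, access list and resolver table are all constructed for the example.

```python
import ipaddress

# Constructed name service: what the source system's resolver answers.
RESOLVER = {
    "dst-filer.example.net": "192.0.2.20",
    "dr-filer.example.net": "192.0.2.30",
}
# Constructed access list on the source: destinations allowed to pull from it.
ACCESS_LIST = {"dst-filer.example.net", "dr-filer.example.net"}


def transfer_allowed(claimed_host, peer_ip, access_list=ACCESS_LIST,
                     resolver=RESOLVER, checkip=True):
    """Decide whether a SnapMirror/SnapVault pull may proceed.

    claimed_host is whatever the connecting destination says it is; peer_ip is
    the address the TCP connection on port 10566 actually came from.  With
    checkip off only the self-reported name is consulted, so any host that can
    reach port 10566 can claim a name that is on the list.
    """
    peer = ipaddress.ip_address(peer_ip)
    allowed = {h.lower() for h in access_list}
    name = claimed_host.lower()
    if name not in allowed:
        return False, "host name not in access list"
    if not checkip:
        return True, "name on list (IP not verified)"
    resolved = resolver.get(name)
    if resolved is None:
        return False, "claimed host name does not resolve"
    if ipaddress.ip_address(resolved) != peer:
        return False, f"{claimed_host} resolves to {resolved}, connection came from {peer}"
    return True, "name on list and resolves to the peer address"


if __name__ == "__main__":
    # Legitimate destination, then the same name claimed from an unlisted address.
    print(transfer_allowed("dst-filer.example.net", "192.0.2.20"))
    print(transfer_allowed("dst-filer.example.net", "203.0.113.9", checkip=False))
    print(transfer_allowed("dst-filer.example.net", "203.0.113.9"))
```

Even with the IP check on, the decision is only as trustworthy as the DNS answer the source receives, which is one more reason to keep the firewall rule for port 10566 restricted to the destination addresses themselves rather than relying on the protocol's own check.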
Source: "NetApp storage firewall ports: network requirements in a typical NAS environment", http://www.freenas.com.cn/jishu/1709949508h551353.html (user-contributed content; the views are the author's own).