Open access is a major security liability: it puts your server within reach of anyone on that network, and anyone who obtains, guesses or steals valid credentials can then read or write your data. Qumulo does not endorse or recommend exposing your cluster for open access. The details in this article are provided for informational purposes only.
IN THIS ARTICLE
Provides an overview of open access networks with Qumulo
- Cluster running Qumulo Core
Qumulo is, first and foremost, a purveyor of storage-specific software and associated appliances, and it supports those products fully and without reservation.
A number of customers have asked Qumulo about exposing Qumulo clusters, and the data they hold, to open networks, meaning networks that are public or adjacent to public access. While it is possible to expose a Qumulo storage cluster to an open network (for example, the Internet), Qumulo cannot endorse or make recommendations about doing so because of the security implications.
The following information is provided to inform, and is not an endorsement or recommendation of, any method of exposing a Qumulo cluster for open access.
Configure Open Access on a Qumulo Cluster
There are four protocols through which data on a Qumulo cluster is made available for reading and writing, all of which run over TCP transport only.
SMBv2/3 or Server Message Block
SMBv2/3 (Server Message Block) is a networking protocol that provides an authenticated inter-process communication mechanism. Its most common use is file sharing between computers running any version of Microsoft Windows.
- Historically SMB was carried over NetBIOS over TCP/IP (NBT), which uses UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service).
- SMB2/3 runs directly over TCP on port 445, without a separate NetBIOS transport. This is the port that matters when exposing the service.
- SMB identifies users and groups by Security Identifiers (SIDs), normally issued by Microsoft Active Directory or another LDAP directory, and uses them to assign user-, group- and security-specific privileges. This also enables Access Control Lists (ACLs) on files and directories, which further restrict ownership of and access to data to specific organizations, groups or users.
NFSv3 or Network File System
NFSv3 (Network File System, version 3) is a distributed file system protocol. NFS was developed in the mid-1980s; version 3 is specified in RFC 1813.
- The NFS service itself listens on a single TCP port, 2049, which simplifies passing the protocol through firewalls. Note, however, that NFSv3 clients also rely on the portmapper/rpcbind service (port 111) and on the separate mount and lock protocols; unless those are pinned to fixed ports, opening 2049 alone is not sufficient, so confirm which additional ports your cluster's NFS service requires before writing firewall rules.
- With the default AUTH_SYS security flavor, NFSv3 identifies the caller only by the numeric user and group IDs (uidNumber and gidNumber) that the client asserts, and the server trusts those values. Permissions and accessibility are therefore tied only to which networks or hosts may mount an export, plus the user and group association of the files. More complex access assignments and permissions are not possible with NFSv3, nor is formal user authentication. This is the intended design of NFSv3 as reflected in its RFCs.
FTP or File Transfer Protocol
FTP or File Transfer Protocol is a standard network protocol used for the transfer of computer files between a client and server.
- FTP is built on a client-server architecture and uses separate control and data connections between the client and the server. FTP users normally authenticate with a clear-text sign-in in the form of a username and password, and the transferred data is likewise sent in clear text; clients can also connect anonymously if the server is configured to allow it.
- FTP runs in either active or passive mode, which determines how the data connection is established. In both cases the client opens a TCP control connection from a random, usually unprivileged, TCP port x to the FTP server command port 21.
- In active mode, the client starts listening for an incoming data connection from the server on TCP port y and sends the PORT command, carrying its address and port y, to tell the server where it is listening. The server then initiates the data channel to the client from its own TCP port 20, the FTP server data port.
- When the client is behind a firewall and cannot accept incoming TCP connections, passive mode is used instead. The client sends a PASV command over the control connection and receives a server IP address and port number in reply; it then opens the data connection from an arbitrary client TCP port to that server address and port.
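The difference between the two modes comes down to who listens and who connects, which is exactly what a firewall in front of the cluster must allow for. The following added example (not code from the original article or from Qumulo) parses the server's PASV reply into the host and port the client will connect to, and builds the PORT command a client sends in active mode. It also shows a check a cautious client should make in passive mode: the server can advertise any address it likes, so a client that blindly connects to it can be redirected to a third-party host. The sample reply and addresses are constructed for illustration.

```python
import ipaddress
import re
from typing import Tuple

# Constructed sample of a server reply to PASV (RFC 959 format); not captured from a real cluster.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) for the data channel from a 227 reply.

    The reply encodes the address as h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply code: {reply[:3]!r}")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("reply does not contain an (h1,h2,h3,h4,p1,p2) tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    host = f"{h1}.{h2}.{h3}.{h4}"
    ipaddress.IPv4Address(host)  # raises ValueError if an octet is out of range
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes out of range")
    return host, p1 * 256 + p2


def choose_data_target(reply: str, control_peer: str) -> Tuple[str, int, bool]:
    """Passive mode: decide where to open the data connection.

    If the advertised address differs from the address the control connection is
    talking to, ignore it and reuse the control peer, flagging the mismatch. This is
    the same defence some FTP clients apply by default against PASV redirection.
    """
    host, port = parse_pasv_reply(reply)
    mismatch = host != control_peer
    return (control_peer if mismatch else host), port, mismatch


def build_port_command(host: str, port: int) -> str:
    """Active mode: the PORT command telling the server where the client listens."""
    addr = ipaddress.IPv4Address(host)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ",".join(str(b) for b in addr.packed)
    return f"PORT {octets},{port // 256},{port % 256}\r\n"


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    print(choose_data_target("227 Entering Passive Mode (10,0,0,5,4,1).", "192.0.2.10"))
    print(build_port_command("198.51.100.7", 50010).strip())
```

In active mode the server connects back to the client from port 20, which is why it fails through most client-side firewalls; in passive mode the client connects out to a high port on the server, so a firewall in front of the cluster must allow the server's whole passive port range in addition to port 21.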
REST over HTTPS
REST over HTTPS is the fourth authenticated method of accessing file system services on Qumulo. HTTPS normally uses TCP port 443; confirm the port on which your cluster serves its API. A RESTful API is an application programming interface (API) that uses HTTP requests (GET, PUT, POST and DELETE) to read and modify data.
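When the API is reachable from an open network, the two things a client must get right are TLS verification (so a session token cannot be intercepted by a man-in-the-middle) and sending the bearer token only over that verified connection. The following added example is not code from the original article or from Qumulo; it uses only the Python standard library. The login endpoint, the bearer-token response field and the directory-listing endpoint follow Qumulo's published REST API as the author understands it, but are assumptions here: verify them against the API documentation served by your own cluster. The hostname, CA bundle path and directory path are placeholders.

```python
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Hypothetical values; adjust to your cluster's address, API port and the CA that signed its certificate.
BASE_URL = "https://qumulo.example.com"
CA_BUNDLE = "/etc/ssl/certs/internal-ca.pem"


def tls_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """A verifying TLS context: certificate chain and hostname are both checked.

    Passing None uses the system trust store. Never set check_hostname = False or
    verify_mode = CERT_NONE to 'make it work'; that silently defeats HTTPS.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def entries_url(base_url: str, path: str) -> str:
    """Assumed endpoint: the file system path is one URL component, so '/' becomes %2F."""
    ref = urllib.parse.quote(path, safe="")
    return f"{base_url}/v1/files/{ref}/entries/"


def auth_header(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}"}


def login(base_url: str, username: str, password: str, ctx: ssl.SSLContext) -> str:
    """Assumed endpoint: POST /v1/session/login returns a JSON body with 'bearer_token'."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/v1/session/login",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["bearer_token"]


def list_directory(base_url: str, token: str, path: str, ctx: ssl.SSLContext) -> List[str]:
    """Assumed response shape: {'files': [{'name': ...}, ...], 'paging': {...}}."""
    req = urllib.request.Request(entries_url(base_url, path), headers=auth_header(token))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return [entry["name"] for entry in json.load(resp)["files"]]


if __name__ == "__main__":
    import getpass

    ctx = tls_context(CA_BUNDLE)
    token = login(BASE_URL, "reader", getpass.getpass("password: "), ctx)
    for name in list_directory(BASE_URL, token, "/", ctx):
        print(name)
```

If the cluster certificate is self-signed, the fix is to distribute that certificate (or its issuing CA) to clients as the trust anchor, not to disable verification in the client.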
Any of these protocols may be used to interact with the data held on the Qumulo cluster, and each presents its own security challenges when exposed to an open network. Qumulo provides API tools, which must be customized to the specific environment, for monitoring and auditing storage access, but it does not inherently "secure" access; that depends on the Enterprise's own security policies and on the security software, hardware and appliances chosen for the use case.
Using a jump box or bastion server to expose data held on the Qumulo cluster is another possibility, in conjunction with one or more of the four protocols above. In this configuration the jump server would typically have one physical interface on the DMZ (demilitarized zone), which is the untrusted side, and a second, secured physical interface facing the Qumulo cluster inside the Enterprise's protected network. Services that could run on such a jump server include:
- A simple Apache/NGINX/webserver read-only share
- Apache/NGINX/webserver/WebDAV read-write share
- Various private cloud applications
In any event, particular attention should be paid to acceptable performance, as well as to permissions, accessibility and privileges, including AAA services (access control, policy enforcement and an auditing framework) for the compute and storage systems involved.
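The simplest of the jump-server options above is a read-only web share. The following added example (not code from the original article or from Qumulo) is a minimal read-only HTTPS server of the kind such a jump host might run, written with the Python standard library. It demonstrates the two controls that matter most for this pattern: every request must carry credentials, and no request may read outside the directory being shared, even via `..` sequences, percent-encoding or symlinks. The share root, certificate paths and credential are placeholders; in practice the root would be a mount of the cluster export over the jump host's inside interface, and the credential check would be replaced by the Enterprise's AAA service.

```python
import base64
import hmac
import os
import ssl
import urllib.parse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional

# Hypothetical values: the cluster export mounted on the jump host, the TLS material and a demo credential.
SHARE_ROOT = "/mnt/qumulo/public"
CERT_FILE = "/etc/ssl/jump/server.crt"
KEY_FILE = "/etc/ssl/jump/server.key"
USERNAME = "reader"
PASSWORD = "change-me"


def resolve_under_root(root: str, url_path: str) -> Optional[str]:
    """Map a URL path onto the filesystem, returning None if it escapes the share root.

    realpath() resolves '..' and symlinks on both sides, so a symlink inside the share
    that points outside it is refused just like a literal '../' traversal.
    """
    root = os.path.realpath(root)
    rel = urllib.parse.unquote(url_path.split("?", 1)[0].split("#", 1)[0])
    candidate = os.path.realpath(os.path.join(root, rel.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def basic_auth_ok(header: Optional[str], username: str, password: str) -> bool:
    """Validate an HTTP Basic Authorization header against one static credential."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, pw = decoded.partition(":")
    # Constant-time comparison of both fields; '&' instead of 'and' avoids short-circuiting.
    return hmac.compare_digest(user.encode(), username.encode()) & hmac.compare_digest(
        pw.encode(), password.encode()
    )


class ReadOnlyShareHandler(SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=SHARE_ROOT, **kwargs)

    def do_GET(self) -> None:
        if not basic_auth_ok(self.headers.get("Authorization"), USERNAME, PASSWORD):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="qumulo-share"')
            self.end_headers()
            return
        if resolve_under_root(SHARE_ROOT, self.path) is None:
            self.send_error(403, "path outside share")
            return
        super().do_GET()

    # Read-only: refuse every method that could modify the share.
    def do_POST(self) -> None:
        self.send_error(405)

    do_PUT = do_DELETE = do_PATCH = do_POST


def serve(bind: str = "0.0.0.0", port: int = 8443) -> None:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(CERT_FILE, KEY_FILE)
    httpd = ThreadingHTTPServer((bind, port), ReadOnlyShareHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

On a real jump host the server would bind only to the DMZ-facing interface, the mount of the export would itself be read-only, and the host firewall would allow only the mount protocol from the inside interface to the cluster, so that a compromise of the web service cannot reach anything else.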
Example of a Jump Server and its associated network connectivity:
You should now have an overall understanding of open access networks with Qumulo