NetApp storage firewall ports: network requirements in a typical NAS environment
Network requirements
The following ports must be open between all storage systems that replicate data to each other with SnapMirror:
Protocol     UDP port   TCP port
SnapMirror   10565      10566
NetApp FAS storage systems can synchronise their clocks over the network.
If there is a firewall between the storage system and the NTP server, open the following ports:
Protocol     UDP port   TCP port
NTP/SNTP     123        123
TIME/RDATE   37         37
Every managed storage system must be reachable from the DFM (DataFabric Manager) server over the IP network.
If there is a firewall between the storage system and the DFM server, open the following ports (TCP/UDP assignment as in the /etc/services appendix below):
Protocol   UDP port   TCP port
HTTP                  80
HTTPS                 443
RSH                   514
SSH                   22
TELNET                23
SNMP       161
SNMPTRAP   162
If Windows hosts are to be managed as well (for example, clients with the OSSV backup software installed), those Windows hosts must be reachable from the DFM server over the IP network.
If there is a firewall between the Windows hosts and the DFM server, open the following ports:
Protocol   UDP port   TCP port
HTTP                  4092
HTTPS                 4093
NDMP                  10000
SNMP       161
SNMPTRAP   162
Enabling the DFM AutoSupport feature requires connectivity between the DFM server and a mail server, and the DFM server needs a sending account that does not require password authentication.
If there is a firewall between the mail server and the DFM server, open the following port:
Protocol   UDP port   TCP port
SMTP                  25
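The tables above are easy to mis-transcribe into firewall rules, so here is an added example (not part of the original document) that encodes the port matrix as data and audits a firewall allow-list against it, reporting both required flows that are not open and allowed flows that no table justifies. The role names, host names and the Flow tuple format are constructed for illustration and are not any firewall's syntax; because the page only says ports must be open "between" two systems, the comparison ignores endpoint order. The TCP/UDP assignment for each port follows the page's /etc/services appendix and standard usage.

```python
"""Audit a firewall allow-list against the port matrix documented above.

Added example, not part of the original document. REQUIRED encodes the
tables on this page; hosts, role names and the allow-list format
(Flow tuples) are constructed for illustration, not any firewall's syntax.
"""
from collections import namedtuple
from itertools import combinations

# One flow that must be open "between" two hosts. The page states ports as
# open between endpoints without a direction, so matching ignores order.
Flow = namedtuple("Flow", "src dst proto port")

# Role-level requirements (role_a, role_b, proto, port) from the tables above.
REQUIRED = [
    ("storage", "storage", "udp", 10565),   # SnapMirror
    ("storage", "storage", "tcp", 10566),   # SnapMirror
    ("storage", "ntp", "udp", 123),         # NTP/SNTP
    ("storage", "ntp", "tcp", 123),
    ("storage", "ntp", "udp", 37),          # TIME/RDATE
    ("storage", "ntp", "tcp", 37),
    ("dfm", "storage", "tcp", 80),          # HTTP
    ("dfm", "storage", "tcp", 443),         # HTTPS
    ("dfm", "storage", "tcp", 514),         # RSH
    ("dfm", "storage", "tcp", 22),          # SSH
    ("dfm", "storage", "tcp", 23),          # Telnet
    ("dfm", "storage", "udp", 161),         # SNMP
    ("dfm", "storage", "udp", 162),         # SNMP trap
    ("dfm", "windows", "tcp", 4092),        # HTTP to the OSSV host
    ("dfm", "windows", "tcp", 4093),        # HTTPS to the OSSV host
    ("dfm", "windows", "tcp", 10000),       # NDMP
    ("dfm", "windows", "udp", 161),         # SNMP
    ("dfm", "windows", "udp", 162),         # SNMP trap
    ("dfm", "mail", "tcp", 25),             # SMTP for DFM AutoSupport
]


def _key(flow):
    # Direction-agnostic identity of a flow.
    return (frozenset((flow.src, flow.dst)), flow.proto, flow.port)


def required_flows(hosts):
    """Expand REQUIRED into host-level flows for a role -> [hosts] mapping."""
    flows = []
    for role_a, role_b, proto, port in REQUIRED:
        if role_a == role_b:
            pairs = list(combinations(hosts.get(role_a, []), 2))
        else:
            pairs = [(a, b) for a in hosts.get(role_a, [])
                     for b in hosts.get(role_b, [])]
        flows.extend(Flow(a, b, proto, port) for a, b in pairs)
    return flows


def missing_flows(required, allowed):
    """Return required flows that no allow-list entry covers (either order)."""
    covered = {_key(f) for f in allowed}
    return [f for f in required if _key(f) not in covered]


def unneeded_flows(required, allowed):
    """Return allow-list entries that no documented requirement justifies."""
    needed = {_key(f) for f in required}
    return [f for f in allowed if _key(f) not in needed]


# Constructed environment: two filers, one NTP server, one DFM server,
# one Windows OSSV host and one mail server.
SAMPLE_HOSTS = {
    "storage": ["filer-a", "filer-b"],
    "ntp": ["ntp-1"],
    "dfm": ["dfm-1"],
    "windows": ["ossv-win-1"],
    "mail": ["smtp-1"],
}

# Constructed allow-list: SnapMirror UDP 10565 and everything for the OSSV
# host were forgotten, the NTP rule was written with the endpoints reversed,
# filer-b has no DFM rules at all, and a stale rule permits 21/tcp.
SAMPLE_ALLOWED = [
    Flow("filer-a", "filer-b", "tcp", 10566),
    Flow("ntp-1", "filer-a", "udp", 123),
    Flow("filer-a", "ntp-1", "tcp", 123),
    Flow("filer-a", "ntp-1", "udp", 37),
    Flow("filer-a", "ntp-1", "tcp", 37),
    Flow("dfm-1", "filer-a", "tcp", 443),
    Flow("dfm-1", "filer-a", "udp", 161),
    Flow("dfm-1", "filer-a", "udp", 162),
    Flow("dfm-1", "smtp-1", "tcp", 25),
    Flow("dfm-1", "filer-a", "tcp", 21),
]

if __name__ == "__main__":
    req = required_flows(SAMPLE_HOSTS)
    for f in missing_flows(req, SAMPLE_ALLOWED):
        print("MISSING ", f.src, "<->", f.dst, f.proto, f.port)
    for f in unneeded_flows(req, SAMPLE_ALLOWED):
        print("UNNEEDED", f.src, "<->", f.dst, f.proto, f.port)
```

Feed `required_flows` the real host inventory and `missing_flows` the exported allow-list of the firewall in question; the `unneeded_flows` report is the complementary check for rules that were opened once for troubleshooting and never closed.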
Appendix: IP ports used by Data ONTAP (DOT) 7.2
IP port usage on a storage system
About this appendix
This appendix describes the Data ONTAP services file that is available in the /etc directory. The /etc/services file is in the same format as the corresponding UNIX /etc/services file. Although this file is not used by Data ONTAP, it is provided in this appendix as information useful to system administrators.
Host identification
Although some port scanners are able to identify storage systems as storage systems, other port scanners report storage systems as unknown types, as UNIX systems because of their NFS support, or as Windows systems because of their CIFS support. There are several services that are not currently listed in the /etc/services file.
Below is an example of a complete list of the file contents.
Service        Port/Protocol   Description
ftp-data       20/tcp          # File transfer protocol
ftp            21/tcp          # File transfer protocol
ssh            22/tcp          # SecureAdmin rsh replacement
telnet         23/tcp          # Remote login (insecure)
smtp           25/tcp          # outbound connections for autosupport
time           37/tcp          # Time Service
time           37/udp          # Time Service
domain         53/udp          # DNS - outbound only
domain         53/tcp          # DNS zone transfers - unused
dhcps          67/udp          # DHCP server - outbound only
dhcp           68/udp          # DHCP client - only first-time setup
tftp           69/udp          # Trivial FTP - for netboot support
http           80/tcp          # HTTP license, FilerView, SecureAdmin
kerberos       88/udp          # Kerberos 5 - outbound only
kerberos       88/tcp          # Kerberos 5 - outbound only
portmap        111/udp         # aka rpcbind, used for NFS
portmap        111/tcp         # aka rpcbind, used for NFS
nntp           119/tcp         # unused, shouldn't be listed here.
ntp            123/tcp         # Network Time Protocol
ntp            123/udp         # Network Time Protocol
netbios-name   137/udp         # NetBIOS name server - for CIFS
netbios-dg     138/udp         # NetBIOS datagram service - for CIFS
netbios-ssn    139/tcp         # NetBIOS service session - for CIFS
ssl            443/tcp         # Secure FilerView (SecureAdmin)
cifs-tcp       445/tcp         # CIFS over TCP with NetBIOS framing
snmp           161/udp         # For DataFabric Manager or other such tools
shell          514/tcp         # rsh, insecure remote command execution.
syslog         514/udp         # outbound only
route          520/udp         # for RIP routing protocol
kerberos-sec   750/udp         # outbound only, if at all
kerberos-sec   750/tcp         # outbound only, if at all
nfsd           2049/udp        # primary NFS service
nfsd           2049/tcp        # primary NFS service
ttcp           5001/udp        # unused, shouldn't be listed here.
ttcp           5001/tcp        # unused, shouldn't be listed here.
ndmp           10000/tcp       # for network backups
snapmirror     10566/tcp       # also SnapVault
ndmp-local     32243/tcp       # Internal connection inside your storage system
/etc/services NNTP and TTCP ports
The nntp and ttcp ports are unused by your storage system and should never be detected by a port scanner.
Ports found in a block starting around 600
The following ports are found on the storage system with NFS enabled:
UDP   602   NFS mount daemon (mountd)
TCP   603   NFS mount daemon (mountd)
UDP   604   NFS status daemon (statd, statmon)
TCP   605   NFS status daemon (statd, statmon)
UDP   606   NFS lock manager (lockd, nlockmgr)
TCP   607   NFS lock manager (lockd, nlockmgr)
UDP   608   NFS quota daemon (quotad, rquotad)
On other systems, the ports appear as follows:
UDP   611   NFS mount daemon (mountd)
TCP   612   NFS mount daemon (mountd)
UDP   613   NFS status daemon (statd, statmon)
TCP   614   NFS status daemon (statd, statmon)
UDP   615   NFS lock manager (lockd, nlockmgr)
TCP   616   NFS lock manager (lockd, nlockmgr)
UDP   617   NFS quota daemon (quotad, rquotad)
Enter the following command on UNIX systems to obtain the correct information by querying the portmapper on port 111:
toaster# rpcinfo -p
   program vers proto   port  service
    100011    1   udp    608  rquotad
    100021    4   tcp    607  nlockmgr
    100021    3   tcp    607  nlockmgr
    100021    1   tcp    607  nlockmgr
    100021    4   udp    606  nlockmgr
    100021    3   udp    606  nlockmgr
    100021    1   udp    606  nlockmgr
    100024    1   tcp    605  status
    100024    1   udp    604  status
    100005    3   tcp    603  mountd
    100005    2   tcp    603  mountd
    100005    1   tcp    603  mountd
    100005    3   udp    602  mountd
    100005    2   udp    602  mountd
    100005    1   udp    602  mountd
    100003    3   udp   2049  nfs
    100003    2   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
Note
The port numbers listed for mountd, statd, lockd, and quotad are not committed port numbers. Storage systems can have these services running on other port numbers. Because the system selects these port numbers at random when it boots, they are not listed in the /etc/services file.
Other ports not listed in /etc/services
The following ports appear in a port scan but are not listed in the /etc/services file.
Protocol   Port   Service
TCP        22     SSH (SecureAdmin)
TCP        443    SSL (SecureAdmin)
TCP        3260   iSCSI-Target
UDP        xxxx   Legato Client Pack for your storage system runs on random UDP ports and is now deprecated. It is recommended that NDMP be used to back up your storage system using Legato Networker.
Note
Disable open ports that you do not need.
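To act on that note you need to know which ports a scan of the storage system actually revealed, which of them the /etc/services file explains, which are the randomly assigned RPC ports that only `rpcinfo -p` can name, and which are unexplained. The following added example (not part of the original document or of Data ONTAP) parses the two formats shown on this page, an /etc/services-style listing and `rpcinfo -p` output, and triages a constructed scan result against them. The embedded services and rpcinfo texts are short constructed excerpts in the page's formats, and the scan set is constructed; the four labels are this example's own.

```python
"""Triage an external port scan of a storage system against /etc/services
and `rpcinfo -p` output.

Added example, not part of the original document. SERVICES_TEXT and
RPCINFO_TEXT are constructed excerpts in the formats shown on this page;
SAMPLE_SCAN is a constructed set of (port, proto) pairs found open.
"""

SERVICES_TEXT = """\
ftp          21/tcp     # File transfer protocol
ssh          22/tcp     # SecureAdmin rsh replacement
telnet       23/tcp     # Remote login (insecure)
http         80/tcp     # HTTP license, FilerView, SecureAdmin
portmap     111/tcp     # aka rpcbind, used for NFS
nntp        119/tcp     # unused, shouldn't be listed here.
shell       514/tcp     # rsh, insecure remote command execution.
nfsd       2049/tcp     # primary NFS service
ndmp      10000/tcp     # for network backups
"""

RPCINFO_TEXT = """\
   program vers proto   port  service
    100011    1   udp    608  rquotad
    100021    4   tcp    607  nlockmgr
    100024    1   tcp    605  status
    100005    3   tcp    603  mountd
    100003    3   udp   2049  nfs
    100000    2   tcp    111  rpcbind
"""

# Words in a service's own /etc/services comment that mean "look at this".
REVIEW_WORDS = ("insecure", "unused")


def parse_services(text):
    """Return {(port, proto): (name, comment)} from /etc/services-format text."""
    table = {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table[(int(port), proto)] = (parts[0], comment.strip())
    return table


def parse_rpcinfo(text):
    """Return {(port, proto): rpc service} from `rpcinfo -p` output.

    The header line is skipped because its first field is not numeric."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        _program, _vers, proto, port, service = parts
        table[(int(port), proto)] = service
    return table


def triage(open_ports, services, rpc):
    """Classify each (port, proto) a scan found open.

    Labels: 'expected'    listed in /etc/services with a neutral comment
            'review'      listed, but the comment says insecure or unused
            'rpc-dynamic' a randomly chosen RPC port, named via rpcinfo
            'unknown'     in neither source (e.g. iSCSI 3260/tcp)
    Returns a sorted list of (port, proto, label, detail)."""
    findings = []
    for port, proto in sorted(open_ports):
        if (port, proto) in services:
            name, comment = services[(port, proto)]
            flagged = any(w in comment.lower() for w in REVIEW_WORDS)
            findings.append((port, proto, "review" if flagged else "expected",
                             f"{name}: {comment}"))
        elif (port, proto) in rpc:
            findings.append((port, proto, "rpc-dynamic", rpc[(port, proto)]))
        else:
            findings.append((port, proto, "unknown", ""))
    return findings


# Constructed scan result: management ports, NFS with its dynamic mountd
# port, an iSCSI target, and an nntp port that should never be open.
SAMPLE_SCAN = {(22, "tcp"), (23, "tcp"), (111, "tcp"), (119, "tcp"),
               (603, "tcp"), (2049, "tcp"), (3260, "tcp")}

if __name__ == "__main__":
    svc, rpc = parse_services(SERVICES_TEXT), parse_rpcinfo(RPCINFO_TEXT)
    for port, proto, label, detail in triage(SAMPLE_SCAN, svc, rpc):
        print(f"{port:>6}/{proto}  {label:<12} {detail}")
```

In practice `SERVICES_TEXT` is the storage system's own /etc/services and `RPCINFO_TEXT` the output of `rpcinfo -p` run against it, which is what makes the 6xx ports attributable; anything labelled `unknown` or `review` is the list to take to the "disable what you do not need" decision.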
FTP
∙ ftp-data
∙ ftp
File transfer protocol (FTP) uses TCP ports 20 and 21. For a detailed description of the FTP support for your storage system, see the Data ONTAP File Access and Protocols Management Guide. If you use FTP to transfer files to and from your storage system, the FTP port is required; otherwise, use FilerView or the following CLI command to disable the FTP port:
options ftpd.enable off
FTP is not a secure protocol for two reasons:
∙ When users log in to the system, user names and passwords are transmitted over the network in clear text format that can easily be read by a packet sniffer program.
These user names and passwords can then be used to access data and other network resources. You should establish and enforce policies that prevent the use of the same passwords to access storage systems and other network resources.
∙ FTP server software used on platforms other than storage systems contains serious security-related flaws that allow unauthorized users to gain administrative (root) access and control over the host.
SSH
∙ ssh
Secure Shell (SSH) protocol is a secure replacement for RSH and runs on TCP port 22. This only appears in a port scan if the SecureAdmin software is installed on your storage system.
There are three commonly deployed versions of the SSH protocol:
∙ SSH version 1 -- is much more secure than RSH or Telnet, but is vulnerable to TCP session attacks.
This vulnerability to attack lies in the SSH protocol version 1 itself and not in the associated storage system products.
∙ SSH version 2 -- has a number of feature improvements over SSH version 1 and is less vulnerable to attacks.
∙ SSH version 1.5 -- is used to identify clients or servers that support both SSH versions 1 and 2.
To disable SSH support or to close TCP port 22, use the following CLI command:
secureadmin disable ssh
Telnet
∙ telnet
Telnet is used for administrative control of your storage system and uses TCP connections on port 23. Telnet is more secure than RSH, as secure as FTP, and less secure than SSH or Secure Socket Layer (SSL).
Telnet is not secure because:
∙ When users log in to a system, such as your storage system, user names and passwords are transmitted over the network in clear text format.
Clear text format can be read by an attacker using a packet sniffer program. The attacker can use these user names and passwords to log in to your storage system and execute unauthorized administrative functions, including destruction of data on the system. If the administrators use the same passwords on your storage system as they do on other network devices, the attacker can use these passwords to access those resources as well.
Note
To reduce the potential for attack, establish and enforce policies preventing administrators from using the same passwords on your storage system that they use for access to other network resources.
∙ Telnet server software used on other platforms (typically in UNIX environments) has serious security-related flaws that allow unauthorized users to gain administrative (root) control over the host.
Telnet is also vulnerable to the same type of TCP session attacks as SSH protocol version 1, but because a packet sniffing attack is easier, TCP session attacks are less common.
To disable Telnet, set options telnet.enable to off.
SMTP
∙ smtp
The Simple Mail Transport Protocol (SMTP) uses TCP port 25. Your storage system does not listen on this port but makes outgoing connections to mail servers using this protocol when sending AutoSupport e-mail.
Time service
∙ time
∙ ntp
Your storage system supports two different time service protocols:
∙ TIME protocol (also known as rdate) is specified in the RFC 868 standard. This standard allows for time services to be provided on TCP or UDP port 37. Your storage system uses only UDP port 37.
∙ Simple network time protocol (NTP) is specified in the RFC 2030 standard and is provided only on UDP port 123.
When your storage system has option timed.enable set to On and a remote protocol (rdate or ntp) is specified, the storage system synchronizes to a network time server.
If the timed.enable option is set to Off, your storage system is unable to synchronize with the network time server using NTP. The rdate time protocol can still be used by manually issuing the rdate command from your storage system console.
You should set the timed.enable option to On in a cluster configuration.
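The FTP, Telnet and time service sections above each come down to one `options` setting: ftpd.enable off, telnet.enable off and timed.enable on. The following added example (not part of the original document or of Data ONTAP) checks a saved dump of those options against that expectation and prints the `options` commands, in the form the text uses, needed to bring a system into line. The option names come from the text above; the one-option-per-line "name value" layout is an assumption about what the `options` command prints, and the dump is a constructed sample.

```python
"""Compare a Data ONTAP 7-mode `options` dump with the settings
recommended above.

Added example, not part of the original document. The option names
ftpd.enable, telnet.enable and timed.enable are the ones the text uses;
the "name value" line format is an assumption about the `options`
command output, and SAMPLE_OPTIONS is a constructed sample.
"""

# Wanted value for each option, with the reason the text above gives.
EXPECTED = {
    "ftpd.enable": "off",    # FTP carries credentials in clear text
    "telnet.enable": "off",  # Telnet does too; SSH (SecureAdmin) replaces it
    "timed.enable": "on",    # needed for NTP sync, required in a cluster
}

# Constructed dump: FTP is already off, Telnet is still on, the time
# daemon is off. The last line is an unrelated option that the checker
# must ignore (the name is assumed, the value constructed).
SAMPLE_OPTIONS = """\
ftpd.enable                  off
telnet.enable                on
timed.enable                 off
timed.servers                ntp-1.example.invalid
"""


def parse_options(text):
    """Parse 'name value' lines into a dict; blank or bare lines are skipped."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts


def deviations(options, expected=EXPECTED):
    """Return (name, current, wanted) for every option not at its wanted value.

    An option missing from the dump is reported with current=None, so a
    truncated or partial dump cannot silently pass. Comparison is
    case-insensitive because the text writes the values as On/Off."""
    out = []
    for name, wanted in expected.items():
        current = options.get(name)
        if current is None or current.lower() != wanted:
            out.append((name, current, wanted))
    return out


def remediation(devs):
    """Render the CLI command that fixes each deviation, e.g. 'options telnet.enable off'."""
    return [f"options {name} {wanted}" for name, _current, wanted in devs]


if __name__ == "__main__":
    devs = deviations(parse_options(SAMPLE_OPTIONS))
    for name, current, wanted in devs:
        print(f"{name}: is {current!r}, should be {wanted!r}")
    for cmd in remediation(devs):
        print(cmd)
```

Run it over the `options` output of each filer collected during a review; the deviations list is the finding and the remediation list is the change request. The disable command for SSH in the section above (`secureadmin disable ssh`) is a separate CLI verb rather than an option and is deliberately not modelled here.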
DNS
∙ domain
The Domain Name Service (DNS) uses UDP port 53 and TCP port 53. Your storage system does not typically listen on these ports because it does not run a domain name server. However, if DNS is enabled on your storage system, it makes outgoing connections using UDP port 53 for host name and IP address lookups. Your storage system never uses TCP port 53 because this port is used explicitly for communication between DNS servers. Outgoing DNS queries by your storage system are disabled by turning off DNS support. Turning off DNS support protects against receiving bad information from another DNS server.
Because your storage system does not run a domain name server, the name service must be provided by one of the following:
∙ Network information service (NIS)
∙ An /etc/hosts file
∙ Replacement of host names in the configuration files (such as /etc/exports, /etc/usermap.cfg, and so on) with IP addresses
DNS must be enabled for participation in an Active Directory domain.
DHCP
∙ dhcps
Clients broadcast messages to the entire network on UDP port 67 and receive responses from the Dynamic Host Configuration Protocol (DHCP) server on UDP port 68. The same ports are used for the BOOTP protocol.
DHCP is used only for the fir