Archive for September, 2014

The Impact of GNU Bash ShellShock Vulnerability on EMC Isilon OneFS

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division

The ShellShock vulnerability (CVE-2014-6271 & CVE-2014-7169) affects GNU Bash in a way that could allow an unauthenticated remote attacker to inject arbitrary commands on a targeted system. Following the release of this vulnerability, EMC immediately initiated a review of EMC Information Infrastructure products to assess any potential impact.

For the most up-to-date information about the impact of the ShellShock vulnerability and EMC Isilon OneFS and other EMC products, see the following knowledgebase article:

Bash Code Injection Vulnerability (ShellShock/BashBug) in EMC products (192608)

As review and remediation continue, EMC will keep updating this information through standard customer communication channels (including Security Advisories).

You can also refer to the EMC Product Security Blog on this topic for more information.


Behind the scenes: Making the Access Zones technical demo video

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division

Amol Choukekar

The Offer & Enablement (O&E) team within the EMC® Isilon® Professional Services department is a well-oiled machine when it comes to making videos. In the past year, they’ve played a key role in conceptualizing and collaborating to develop almost a third of the videos published to the Isilon Support YouTube playlist—from whiteboard videos to technical demos—that demonstrate how features of the OneFS® operating system work.

Principal Solutions Architect Amol Choukekar describes the story behind the origin and production of their latest video, Technical Demo: Access Zones in OneFS 7.1.1. In this interview, you’ll learn how frequently asked questions from customers about Access Zone configuration and directory layouts inspired the O&E team to create this video.

Q: Tell us about your team and why you produce these videos?

A: Our team is comprised of solutions architects and technical program managers who all contribute to making these videos. There is a lot of effort that goes into these projects. Specifically, creating and revising the script and setting up the demo environments that we use to create these videos.

Our main objective in producing these videos is to demonstrate OneFS features in a simple-to-follow format. The value for our customers and partners is to use the knowledge gained in the video and then apply that to their EMC Isilon solution.

Q: Why was Access Zones selected as a topic for a technical demo?

A: Access Zones was initially introduced in the OneFS 7.0 release. The OneFS 7.1.1 release includes interesting changes to the Access Zones feature, such as the concept of a zone-base directory. Other feature changes include zone-specific SMB shares, which eliminate the duplicate share name issue that existed in previous versions of OneFS (login is required to view Isilon OneFS 7.1.1 Release Notes). Also, our HDFS support is now zone-aware, which is becoming very popular. These changes represent another step in the evolution of our scale out multi-tenancy story in OneFS. The purpose of the video is to make our customers aware of these important changes.

Q: What were some frequently asked questions about Access Zones that helped you develop the script?

A: One of the criteria in configuring Access Zones is the zone-base directory, because a main criterion in configuring a OneFS cluster is to correctly lay out the directory structure. Our field teams were frequently asked questions about directory layout. For example, when we configure Access Zones or our cluster, where should we base our zone directory considering the various workflows and data segregation needs? This is an important design decision when deploying a scale-out network attached storage (NAS) solution such as EMC Isilon.

One of the objectives of the video was to demonstrate the proper use of the OneFS directory path convention. For example, with /ifs as the cluster root path, the best practice we’ve seen in the field for creating the directory layout is to use a /ifs/clustername/zonename/ structure. That can become your Access Zone rule, and then you can create SMB shares under that directory.

Zone-base directories in OneFS 7.1.1

Q: What were some of the other goals when making this video?

A: The other goals for the video were to demonstrate the new Access Zone feature in a simplistic way without using any technical jargon. We really wanted the audience to easily grasp the concepts because these are the building blocks for the OneFS solution. And we wanted to demonstrate the feature in a workflow format to help the viewer understand the concepts related to Access Zones.

Q: What were some of the challenges when making this video?

A: While the content of the video is introductory, there was a lot of effort put in by our technical program managers to create the environment and make sure that the technical steps were complete and easily reproducible. Although it was a bit time consuming, it was not difficult at all because OneFS is one of the easiest NAS operating systems that I have ever worked with.

Q: What else would you like to add?

A: We hope all of our viewers find this useful. If you do find it useful, we highly encourage you to share it with your peers, customers, or anybody that uses OneFS and needs to configure Access Zones. And provide us with feedback on this video or existing videos, or suggestions for new topics.

[Editor’s note: please provide your feedback and suggestions by sending an email to isicontent@emc.com]

Start a conversation about Isilon content

Have a question or feedback about Isilon content? Visit the online EMC Isilon Community to start a discussion. If you have questions or feedback about this blog, contact us at isi.knowledge@emc.com. To provide documentation feedback or request new content, contact isicontent@emc.com.


Racking EMC Isilon nodes

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division

With EMC® Isilon® scale-out storage, it’s easy to add performance and capacity to your cluster simply by adding new nodes. For example, after you acquire a new node, a certified technician locates an open space in a rack (either 2U or 4U, depending on the node size), installs rails, installs the node into the rack, connects the network and InfiniBand cables, and then joins the node to the cluster. After joining the node, you’ll have more space and performance capacity right away.

The node installation process is simple and fast, but be sure to take the time to check that the nodes are safely secured to the rails and rack to minimize the risk of personal injury and damage to equipment.

Check out the following videos, which show the proper procedures for racking EMC Isilon 2U and 4U nodes, including both node installation and node removal from a rack.

Installing a node into a rack

Isilon nodes mount in a standard 19-inch wide rack and use a sliding rail system. Watch the following videos to learn how to install 2U and 4U nodes into a standard rack with 3/8-inch square holes.

For written descriptions of these procedures, see the EMC Isilon 2U rail kit installation guide and 4U rail kit installation guide, which are available on the EMC Online Support site (login is required).

Removing a node from a rack

If you need to remove nodes from the rack to service them or because you’re relocating your cluster, it’s important to be sure that you always shut down nodes as described in the knowledge base article, How to safely shut down an Isilon cluster prior to a scheduled power outage (16529). If you don’t shut down a node properly, you increase the risk of data loss.

After the node is shut down, you can remove a 2U node and a 4U node from a rack. Watch the following videos to learn the safest way to remove these nodes from a rack.

For written descriptions of these procedures, see the node removal guides on the EMC Online Support site.


Top 20 EMC Isilon support documents in August 2014

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division

One of the goals of this blog is to share the most useful EMC® Isilon® support-related content that we have to offer. In this post, we’re highlighting 20 of the most viewed knowledgebase (KB) articles and product documents from the month of August.

We hope these documents will help you to quickly find an answer to a common question or resolve an issue.

Top 10 KB articles

To access these KB articles, log in to the EMC Online Support site. Articles in bold are new to the top 10 list.

  1. How to download OneFS 7.1.1 (172492)
  2. OneFS 7.0.2.9: SMB and Authentication Rollup Patch (172623)
  3. OneFS 7.1.0.3 SMB and Authentication Rollup Patch (174372)
  4. Best practices for NFS client settings (90041)
  5. OneFS 7.0: Active Directory clients cannot connect to the cluster after the machine account password is changed (169843)
  6. How to create SPN account to allow Kerberos authentication using SmartConnect DNS entries (16528)
  7. How to safely shut down an Isilon cluster prior to a scheduled power outage (16529)
  8. How to configure Windows DNS for a SmartConnect zone (183530)
  9. Troubleshooting performance issues (88844)
  10. How to reset the CELOG database and clear all historical events (16586) 

 

Top 10 product documents

To access these PDF documents, log in to the EMC Online Support site. Documents in bold are new to the top 10 list.

  1. Current Isilon OneFS patches
  2. Current Isilon Software Releases
  3. Isilon Supportability and Compatibility Guide
  4. OneFS 7.1 CLI Administration Guide
  5. OneFS 7.1.0 MR Release Notes
  6. OneFS 7.0.2 Administration Guide
  7. OneFS 7.0.2 Command Reference
  8. OneFS Upgrade Planning and Process Guide
  9. OneFS 7.1 Web Administration Guide
  10. OneFS 7.0.1 Administration Guide

 


How to secure a Hadoop data lake with EMC Isilon

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division

Apache™ Hadoop®, open-source software for analyzing huge amounts of data, is a powerful tool for companies that want to analyze information for valuable insights.

Hadoop redefines how data is stored and processed. A key advantage of Hadoop is that it enables analytics on any type of data. Some organizations are beginning to build data lakes—essentially large repositories for unstructured data—on the Hadoop Distributed File System (HDFS) so they can easily store data collected from a variety of sources, and then run compute jobs on data in its original file format. There’s no need to load data into the HDFS for analysis, saving data scientists time and money. They can then survey their Hadoop data lake and discover big data intelligence to drive their business.

However, the Hadoop data lake also presents challenges for organizations that want to protect sensitive information stored in these data repositories. For example, organizations might need to follow internal enterprise security policies or external compliance regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX). A Hadoop data lake is difficult to secure because HDFS was neither designed nor intended to be an enterprise-class file system. It is a complex, distributed file system of many client computers with a dual purpose: data storage and computational analysis. HDFS has many nodes, each of which presents a point of access to the entire system. Layers of security can be added to a Hadoop data lake, but managing each layer adds to complexity and overhead.

Best of both worlds

The EMC® Isilon® scale-out data lake offers the best of both worlds for organizations using Hadoop: enterprise-level security and easy implementation of Hadoop for data analytics.

The new white paper, Security and Compliance for Scale-Out Hadoop Data Lakes, describes how Hadoop data is stored on Isilon scale-out network-attached storage (NAS), and how the OneFS® operating system helps to secure that data.

An Isilon cluster separates data from the compute clients: the Isilon cluster becomes the HDFS file system. All data is stored on an Isilon cluster and secured by using access control lists, access zones, self-encrypting drives, and other security features. OneFS implements the server-side operations of HDFS as a native protocol. Therefore, Hadoop clients access data on the cluster through HDFS and standard protocols such as SMB and NFS.

For more information about how Hadoop is implemented on an Isilon cluster, see EMC Isilon Scale-Out NAS for In-Place Hadoop Data Analytics.

Isilon security capabilities

OneFS can facilitate your efforts to comply with regulations such as HIPAA, SOC, SEC 17a-4, the Federal Information Security Management Act (FISMA), and the Payment Card Industry Data Security Standard (PCI DSS). The table below summarizes some of the challenges of securing a Hadoop data lake, and how the capabilities of an Isilon cluster can help to address these issues. For full descriptions of these capabilities, see Security and Compliance for Scale-Out Hadoop Data Lakes.

Hadoop data lakes: security challenges and Isilon capabilities

Security challenge: A Hadoop data lake can contain sensitive data—intellectual property, confidential customer information, and company records. Any client connected to the data lake can access or alter this sensitive data.
Isilon capabilities:
  • Compliance mode and write-once, read-many (WORM) storage
  • Auditing
Description: The SEC 17a-4 regulation requires that data is protected from malicious, accidental, or premature alteration. Isilon SmartLock™ is a OneFS feature that locks down directories through WORM storage. Use compliance mode only for scenarios where you need to comply with SEC 17a-4 regulations. In addition, auditing can help detect fraud, unauthorized access attempts, or other threats to security.

Security challenge: ACL policies help to ensure compliance. However, clients may be connecting to the Hadoop cluster by using different protocols, such as NFS or HTTP.
Isilon capabilities:
  • Authentication and cross-protocol permissions
Description: OneFS authenticates users and groups connecting to the cluster through different protocols by using POSIX mode bits, NTFS, and ACL policies. By managing ACL policies in OneFS, you can address compliance requirements for environments that mix NFS, SMB, and HDFS.

Security challenge: Applying restricted access to directories and files in HDFS requires adding layers to your file system.
Isilon capabilities:
  • Role-based access control for system administration (RBAC)
  • Identity management
  • User mapping
  • Access zones
Description: The PCI DSS Requirement 7.1.2 specifies that access must be restricted to privileged user IDs. RBAC, a OneFS feature, lets you manage administrative access by role, and assign privileges to a role. You can associate one user with one ID through identity management and user mapping, and then assign that ID to a role. In OneFS, access zones are a virtual security context in which OneFS connects to directory services, authenticates users, and controls access to a segment of the file system.

Security challenge: FISMA and HIPAA and other compliance regulations might require protection for data at rest.
Isilon capabilities:
  • Encryption of data at rest
Description: Isilon self-encrypting drives are FIPS 140-2 Level 3 validated. The drives automatically apply AES-256 encryption to all data stored in the drives without requiring additional equipment. You can enable a WORM state on directories for data at rest.

To learn how to implement Hadoop on your Isilon cluster, see 7 best practices for setting up Hadoop on an EMC Isilon cluster.
