Security

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation
Warning:

This content is for reference only. Always consult official vendor documentation for your distribution. Test thoroughly in a lab environment before production use. In case of conflicts, vendor documentation takes precedence.

Network Security

1. Network Isolation

Dedicated Storage Network:

  • Never route storage traffic through management network: Prevents unauthorized access to storage traffic; reduces attack surface; improves performance.

  • Use dedicated VLANs or physical networks for storage: Isolates storage from other network traffic; prevents VLAN hopping attacks.

  • No default gateway on storage interfaces: Prevents routing storage traffic outside the storage network; reduces exposure.

Configuration:

# Storage interfaces should NOT have gateway configured
# /etc/network/interfaces
auto ens1f0
iface ens1f0 inet static
    address 10.100.1.101/24
    mtu 9000
    # NO gateway line

Verification:

# Verify no default route on storage interface
ip route show dev ens1f0
# Should show only local subnet route

2. Firewall Configuration

Option 1: Disable Filtering on Storage Interfaces (Recommended)

For dedicated, isolated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection.

# Add storage interfaces to trusted zone (firewalld)
firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
firewall-cmd --permanent --zone=trusted --add-interface=ens1f1
firewall-cmd --reload

# Or accept all traffic on interfaces (iptables)
iptables -A INPUT -i ens1f0 -j ACCEPT
iptables -A INPUT -i ens1f1 -j ACCEPT

Why disable filtering on storage interfaces:

  • CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles

  • Performance impact: At high IOPS (millions with NVMe-TCP), filtering overhead becomes significant

  • Network isolation: Dedicated storage VLANs provide security at the network layer

  • Simplicity: No port rules to maintain for storage traffic

Option 2: Port Filtering (For Shared or Non-Isolated Networks)

Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.

Important:

Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.

# Allow only NVMe-TCP traffic on storage interfaces
# Port 4420 = Data port (connections)
# Port 8009 = Discovery port (optional)
iptables -A INPUT -i ens1f0 -p tcp --dport 4420 -j ACCEPT
iptables -A INPUT -i ens1f0 -p tcp --dport 8009 -j ACCEPT
iptables -A INPUT -i ens1f0 -j DROP  # Drop all other traffic

Required Ports (if using port filtering): Port 4420 (data), Port 8009 (discovery)

3. Access Control

Storage Array Configuration:

  • Register only authorized Host NQNs

  • Implement IP-based ACLs on storage array

  • Regularly audit authorized hosts

Verify host identifier:

# Check host NQN
cat /etc/nvme/hostnqn
# Example: nqn.2014-08.org.nvmexpress:uuid:12345678-1234-1234-1234-123456789abc

Best Practice:

  • Use unique NQN per host (don't clone VMs without regenerating)

  • Document all registered NQNs

  • Remove decommissioned hosts from storage array

Authentication and Encryption

NVMe-TCP with TLS (if supported):

Why use TLS:

  • Encrypts data in transit

  • Prevents eavesdropping on storage traffic

  • Required for compliance in some industries

Configuration:

# Connect with TLS (requires kernel 5.15+ and array support)
nvme connect -t tcp -a <portal_ip> -s 4420 -n <subsystem_nqn> \
    --tls

Considerations:

  • Performance impact: 5-15% throughput reduction

  • CPU overhead: Encryption/decryption uses CPU cycles

  • Certificate management: Requires PKI infrastructure

  • Only use if required by security policy or compliance

Host Security

1. Minimize Attack Surface

Disable unnecessary services:

# List running services
systemctl list-units --type=service --state=running

# Disable unnecessary services
systemctl disable <service_name>
systemctl stop <service_name>

2. Keep Systems Updated

Regular patching:

# RHEL/Rocky/AlmaLinux
dnf update

# Debian/Ubuntu
apt update && apt upgrade

# SUSE
zypper update

Best Practices:

  • Patch monthly at minimum

  • Test patches in non-production first

  • Have rollback plan

  • Monitor security advisories for NVMe/kernel updates

3. Audit and Logging

Enable audit logging:

# Install and enable auditd
systemctl enable --now auditd

# Add audit rules for NVMe devices
auditctl -w /dev/nvme0n1 -p rwa -k nvme_access
auditctl -w /etc/nvme/ -p wa -k nvme_config

SELinux Configuration

Oracle Linux has SELinux enabled by default (enforcing mode).

Verify SELinux status:

# Check status
getenforce

# Should return: Enforcing

SELinux policy for NVMe-TCP:

# Check for denials
sudo ausearch -m avc -ts recent | grep nvme

# If denials found, generate policy
sudo ausearch -m avc -ts recent | grep nvme | audit2allow -M nvme_tcp_policy

# Review the policy
cat nvme_tcp_policy.te

# Install policy
sudo semodule -i nvme_tcp_policy.pp

# Verify
sudo semodule -l | grep nvme

Common SELinux contexts for storage:

# Set correct context for NVMe devices
sudo restorecon -Rv /dev/nvme*

# Set context for mount points
sudo semanage fcontext -a -t var_t "/mnt/nvme-storage(/.*)?"
sudo restorecon -Rv /mnt/nvme-storage

Firewall Configuration

Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)

For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is critical for high-throughput NVMe-TCP storage.

Why disable filtering on storage interfaces:

  • CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles

  • Performance impact: At high IOPS (millions with NVMe-TCP), filtering overhead becomes significant

  • Network isolation: Dedicated storage VLANs provide security at the network layer

  • Simplicity: No port rules to maintain for storage traffic

# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1

# Reload
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --zone=trusted --list-all

Option 2: Port Filtering (For Shared or Non-Isolated Networks)

Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.

Warning:

Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.

# Create dedicated zone for storage with port filtering
sudo firewall-cmd --permanent --new-zone=storage
# Port 4420 = Data port (connections)
# Port 8009 = Discovery port (optional, for nvme discover)
sudo firewall-cmd --permanent --zone=storage --add-port=4420/tcp
sudo firewall-cmd --permanent --zone=storage --add-port=8009/tcp

# Add storage interfaces to storage zone
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f1

# Set target to DROP (deny by default except allowed ports)
sudo firewall-cmd --permanent --zone=storage --set-target=DROP

# Reload
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --list-all-zones

Oracle Linux Security Features

Enable automatic security updates:

# Install dnf-automatic
sudo dnf install -y dnf-automatic

# Configure for security updates only
sudo nano /etc/dnf/automatic.conf
# Set: upgrade_type = security
# Set: apply_updates = yes

# Enable and start
sudo systemctl enable --now dnf-automatic.timer

# Verify
systemctl status dnf-automatic.timer

Audit daemon for compliance:

# Install auditd
sudo dnf install -y audit

# Add rules for storage access
sudo tee -a /etc/audit/rules.d/storage.rules > /dev/null <<'EOF'
# Monitor NVMe device access
-w /dev/nvme0n1 -p rwa -k nvme_access

# Monitor NVMe configuration changes
-w /etc/nvme/ -p wa -k nvme_config
-w /etc/nvme/hostnqn -p wa -k nvme_hostnqn

# Monitor network configuration changes
-w /etc/sysconfig/network-scripts/ -p wa -k network_config
EOF

# Reload rules
sudo augenrules --load

# Enable and start
sudo systemctl enable --now auditd