Security
The Nasuni Edge Appliance includes a number of security features that you can configure. For more details on any of these topics, see the Nasuni Edge Appliance Administration Guide.
Tip: In the Nasuni model, customers provide their own cloud accounts for the storage of their data. Customers should leverage their cloud provider's role-based access and identity access management features as part of their overall security strategy. Such features can be used to limit or prohibit administrative access to the cloud account, based on customer policies.
A. HTTPS proxy server
You can configure the Nasuni Edge Appliance to use a proxy server. All HTTPS traffic goes through the proxy server that you specify. A valid User Name and Password are required. For details of HTTPS traffic, see Firewall and Port Requirements.
On Nasuni Edge Appliance: Click Configuration, then select HTTPS Proxy from the list.
B. Firewall protection
You can specify which network hosts are allowed to connect to the Nasuni Edge Appliance user interface and the Nasuni Support SSH port. You can also specify firewall limits for traffic groups.
On Nasuni Edge Appliance: Click Configuration, then select Firewall from the list.
C. SSL certificates
You use SSL Certificates when accessing the Nasuni Edge Appliance's Web-based user interface. You can generate a Certificate Request. You can add signed certificates. You can also create a self-signed certificate instead of a certificate request.
On Nasuni Edge Appliance: Click Configuration, then select SSL Certificates from the list. On NMC: Click Filers, then click SSL Certificates.
D. Encryption keys
Note: For details of encryption key management, see Encryption Key Best Practices.
The Nasuni Edge Appliance automatically encrypts your data at your premises using your encryption keys that you control. You can generate your own encryption keys using any OpenPGP- compatible program, such as Gpg4win, GPGTools, and OpenPGP Studio. For details, see Generating Encryption Keys. You can then upload your encryption keys to use. All uploaded encryption keys must be at least 2048 bits long. (For security reasons, encryption keys that you upload cannot be downloaded from the system.)
Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.
You can generate keys to use, and then download them for safekeeping. You can also escrow your encryption keys with Nasuni. You can enable and disable encryption keys.
Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use these to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance.
Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.
Note: You can specify that you do not want Nasuni to generate any of your encryption keys.
If you want to specify that Nasuni not generate encryption keys, request Nasuni Support to disable key generation in your license.
Similarly, you can specify that you do not want Nasuni to escrow encryption keys. If you want to specify that Nasuni not escrow encryption keys, request Nasuni Support to disable key escrow in your license.
To ensure that no encryption keys are escrowed with Nasuni, you must specify BOTH that Nasuni not generate encryption keys AND that Nasuni not escrow encryption keys.
On Nasuni Edge Appliance: Click Configuration, then select Security/Encryption from the list. On NMC: Click Filers, then click Encryption Keys.
E. Role-based access control
You can define specific access permissions for groups and users to perform actions within the Nasuni Edge Appliance user interface. You can associate permission groups with Active Directory domain groups to enable logging in using Active Directory credentials. Similarly, you can associate permission groups with LDAP Directory Services domain groups to enable logging in using LDAP Directory Services credentials.
On Nasuni Edge Appliance: Click Configuration, then select Users/Groups from the drop-down list.
Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.
F. Email notifications
You can configure receiving email notifications when conditions occur on the Nasuni Edge Appliance.
On Nasuni Edge Appliance: Click Configuration, then select Email Settings from the list.
On Nasuni Edge Appliance: To configure directory-specific quota email notifications, click File Browser, select a directory, then click Quota.
On NMC: Click Filers, then click Email Settings. Select Nasuni Edge Appliances, then click Edit Filers.
G. Antivirus Protection and Ransomware Detection
You can enable or disable antivirus protection and ransomware detection for CIFS and NFS volumes, and FTP/SFTP directories.
The Antivirus Service scans every new or modified file for the presence of viruses and other malware. Nasuni Edge Appliance Antivirus Protection uses the Clam AntiVirus (ClamAV®) open- source antivirus engine and updates the antivirus definition files multiple times daily.
Synchronization with the ClamAV virus database occurs within four hours of an update to that database. If you encounter a false positive, you can report the false positive on Clam AntiVirus’s Report False Positive page.
Ransomware Detection provides a layer of security at the file server level by identifying known ransomware patterns, and notifying administrators of their presence.
Ransomware Detection includes the following processing:
Regularly updates known ransomware patterns used for detection.
Reads creation and renaming events, and analyzes their paths.
Emits a notification if an attack is underway.
Logs individual pattern violations to .nasuni.
Edge Appliances running versions before 9.7.4 send a summary notification twice per day, which includes the attack signature (such as *.wannacry), the target volume, the number of violations detected so far, and the timestamp of first detection.
Tip: To receive notifications of violations, you must have the “Manage all aspects of the Filer (super user)” or “Manage Notifications” permissions, and the appropriate “Filer Access” permissions.
To receive emails of violations, if email is enabled, you must also ensure that Violation Alerts is selected for the user’s group.
On NMC: Click Cyber Resilience, then click Detection & Mitigation or Antivirus Services.
H. File System Auditing
You can configure extensive file system auditing and logging of operations for volumes. You can configure external auditing (such as Varonis). You can send Notification messages and auditing events to syslog servers.
Tip: Auditing volume events such as Create, Delete, Rename, and Security can aid in recovering from ransomware attacks.
On Nasuni Edge Appliance: Click Volumes, then select the volume from the menu. From the Properties drop-down menu, select Auditing.
On NMC: Click Volumes, then click Auditing. For the selected volumes, click Edit Volumes.
I. SNMP monitoring
You can configure monitoring of the Nasuni Edge Appliance via the Simple Network Management Protocol (SNMP). Both 32-bit and 64-bit SNMP network counters are supported. Nasuni provides two ways to configure SNMP monitoring:
You can enable SNMP traps, which send information to destinations that you provide.
You can use apps that can pull SNMP information, using the definitions in the NASUNI-FILER- MIB.
You can configure either or both.
As the SNMP agent, Nasuni receives requests on UDP port 161 from the third-party SNMP manager used for system monitoring. Nasuni sends agent responses back to the source port on the third-party SNMP manager. The third-party SNMP manager receives notifications (including Traps and InformRequests) on SNMP destination port 162. You cannot change port 161 or port 162.
On Nasuni Edge Appliance: Click Configuration, then select SNMP Monitoring from the list.
On NMC: Click Filers, then click SNMP Settings. Select Nasuni Edge Appliances, then click Edit Filers.
J. Change password
You can change the user password.
On Nasuni Edge Appliance: Click Configuration, then select Change Password from the list.
K. Snapshot directory access
You can enable or disable access to the directory that holds snapshot data. To view the .snapshot directory, the following must all be true:
The NFS protocol is not enabled on the volume.
Snapshot Directory Access is enabled on the volume.
Snapshot Directory Access is enabled on the share that points to the root of the volume.
The user of the primary domain is an Administrative User.
In Windows, “Show Hidden Files, folders, and drives” is enabled.
In Windows, “Hide protected operating system files” is disabled.
When all of the above are true, disconnect your CIFS connection and then reconnect.
Note: Snapshot access can add a significant load to the Nasuni Edge Appliance.
On Nasuni Edge Appliance: Click Volumes, then select the volume from the menu. Click the
Snapshot Directory Access status.
On NMC: Click Volumes, then click Snapshot Access. For the selected volumes, click Edit Volumes.
Tip: If both the SMB (CIFS) protocol and the NFS protocol are enabled on a volume, then the .snapshot directory is not available.
L. Remote access
You can enable or disable access to a volume by your remote offices attached to your Nasuni.com account.
On NMC: Click Volumes, then click Remote Access. For the selected volumes, click Edit Volumes.
M. Snapshot retention
For compliance purposes or your own best practices, you can specify to delete older snapshots from cloud object storage, based on a configured policy for a specific volume.
On Nasuni Edge Appliance: Click Volumes, then select the volume from the menu. Click the
Snapshot Retention status.
On NMC: Click Volumes, then click Snapshot Retention. For the selected volumes, click Edit Volumes.
N. File Alert Service
For compliance and other purposes, you can receive alerts (no more than one per day) when files and directories whose names match patterns you specify are written to the Nasuni Edge Appliance.
On Nasuni Edge Appliance: Click Volumes, then select the volume from the menu. Click the File Alert Service status.
On NMC: Click Volumes, then click File Alert Service. For the selected volumes, click Edit Volumes.
Tip: To receive File Alert messages, you must also enable Violation Alerts for the group for the user, and define Email for the user.
O. CIFS authentication
When you create a CIFS volume, you can select either Public security, LDAP authentication, or Active Directory authentication for the volume. You cannot change the authentication mode after the volume is created.
Tip: For Nasuni recommendations for volume configuration, see Appendix C, “Volume Configuration,”.
P. CIFS share security
You can configure a number of security features of CIFS shares.
On Nasuni Edge Appliance: Click Volumes, then select the volume with the CIFS protocol enabled from the menu. Select CIFS Shares from the Properties drop-down list. For the CIFS share that you want to edit, click Edit Share.
On NMC: Click Volumes, then click Shares. For the selected share, click Edit.
Visible Share
You can enable whether a share is visible when browsing the Nasuni Edge Appliance.
Read Only Share
You can select that a share be read-only, so that users cannot change the contents of the share.
Allowed Hosts
You can specify which hosts are allowed to access the share.
Hide Unreadable Files
You can specify that files and folders that the user cannot access do not appear in folder listings.
Web Access
Tip: “Mobile Access” must be enabled in the customer license before Web Access can be used with a Nasuni Edge Appliance.
You can enable or disable access to data via Web browsers.
Authentication (Active Directory and LDAP Directory Services only)
If Active Directory or LDAP Directory Services security is chosen, you can select whether to authenticate all users, or to authenticate only the groups and users that you explicitly specify. You can associate permission groups with Active Directory domain groups. Similarly, you can associate permission groups with LDAP Directory Services domain groups.
Q. NFS export security
You can configure a number of security features of NFS exports.
On Nasuni Edge Appliance: Click Volumes, then select the NFS volume from the menu. Select NFS Exports from the Properties drop-down list. For the NFS export that you want to edit, click Edit Export.
On NMC: Click Volumes, then click Exports. For the selected export, click Edit.
Read Only
You can select that an export be read-only, so that users cannot change the contents of the export.
Allowed Hosts
You can specify which hosts are allowed to access the export.
R. FTP/SFTP directory security
You can configure a number of security features of FTP/SFTP directories.
Note: Nasuni supports SFTP, the SSH File Transfer Protocol. This is not the same as FTPS, the File Transfer Protocol over SSL.
Tip: You can ensure that the SFTP (SSH File Transfer Protocol) protocol is used, rather than the FTP protocol, with the Firewall page in the Edge Appliance UI. For each Traffic Group, select SFTP and deselect FTP.
On Nasuni Edge Appliance: Click Volumes, then select the volume that has the FTP protocol enabled from the list. Select FTP Directories Exports from the Properties drop-down list. For the FTP/SFTP directory that you want to edit, click Edit FTP Directory.
On NMC: Click Volumes, then click FTP Directories. For the selected FTP/SFTP directory, click
Read Only
You can select that an FTP/SFTP directory be read-only, so that users cannot change the contents of the FTP/SFTP directory.
Visibility
You can specify how much of the FTP/SFTP directory is visible to the user.
Allowed Hosts
You can specify which hosts are allowed to access the FTP/SFTP directory.
Allowed Users
You can specify which users are allowed to access the FTP/SFTP directory.
Allowed Groups
You can specify which groups are allowed to access the FTP/SFTP directory.
S. Remote Support Service
You can enable or disable remote access to your Nasuni Edge Appliance by Nasuni support personnel.
On Nasuni Edge Appliance: Click Services, then select Remote Support Service from the list.
On NMC: Click Filers, then click Remote Support. Select Nasuni Edge Appliances, then click Edit Filers.
T. Default SECLEVEL is 2
In OpenSSL, security levels (SECLEVEL) are defined to enforce different levels of cryptographic security. These levels restrict the algorithms, key lengths, and protocols that can be used, providing varying levels of security assurance.
For NEA versions before 10.0, SECLEVEL is set to 1 for all Nasuni Edge Appliance OpenSSL connections to all object storage providers.
In NEA version 10.0 and later, SECLEVEL is 2 for any public object storage provider (including AWS, Azure, and GCP) connections, while any other private object storage providers have their security level set to SECLEVEL=1.
If you are using multiple different object storage providers, the lowest level setting is applied to all Nasuni Edge Appliances for your account. You can check your account setting and have this security setting changed to 2 by contacting Nasuni Support and requesting a change.