Home > Storage > PowerScale (Isilon) > Product Documentation > Security and Compliance > Dell PowerScale OneFS: Security Considerations > Build and maintain a secure network and systems
The first pair of requirements focuses on creating a secure network and systems. The network must be protected and isolated from outside access. The reference to “systems” means all the components within the IT environment.
In previous releases of PCI-DSS this requirement focused specifically on firewalls. As corporate networks have evolved further into multiple environments that span locations and into multiple clouds, it is important to consider the security infrastructure. Traditionally, security was limited to firewalls but now requires a broader scope that provides the integrity, safeguards, and measures of a network to prevent unauthorized access. Network security controls (NSCs) include firewalls, routers, and other network security technologies that enforce policies between network segments.
NSCs are critical to the protection of an organization because they are responsible for limiting external traffic from accessing the internal network. In the network hierarchy, a PowerScale cluster must be located securely behind a firewall and/or other NSCs. All the nodes within a PowerScale cluster shall only have external network access through the NSCs, ensuring all traffic interacting with OneFS is filtered and approved. The configuration of this requirement is outside the scope of the PowerScale cluster.
As a best practice for any enterprise system, this requirement enforces those systems run secure configurations, rather than the default configuration a vendor applies from the factory. The secure configuration includes custom passwords and settings, rather than the default vendor configured settings. Unauthorized malicious parties gain system access by first trying system defaults and publicly known settings.
OneFS allows administrators to define login settings at the initial system deployment or to update a production cluster. For configuration steps, see the OneFS CLI Administration Guide for the relevant OneFS release at PowerScale Info Hubs.
Note: As a best practice, before deploying a production PowerScale cluster, design the system access hierarchy containing the wanted profiles. This minimizes complications in the future, as security profiles do not require modifications.
In addition to updating passwords, additional login security measures should also be considered. OneFS provides Role Based Access Control (RBAC), limiting system access based on an administrative role. Utilizing RBAC minimizes the administrators who have full system access to a PowerScale cluster, allowing each administrator to manage a subset of the cluster only. In addition to RBACs, configure multifactor authentication. Furthermore, consider the other security configurations in this paper. For more information about RBAC and multifactor authentication, see the OneFS Security Configuration Guide for the relevant OneFS release at PowerScale Info Hubs and the PowerScale OneFS Authentication, Identity Management, and Authorization white paper.
Note: As a best practice, before deploying a production PowerScale cluster, test a security configuration on the PowerScale simulator in a lab environment. As recommended in the PCI DSS standard, update all system login access information before placing a system on the network.
Once the login and hierarchy requirements are configured, this requirement also considers insecure services and protocols, recommending that only necessary services and protocols should be enabled. Before deploying a PowerScale cluster, consider the data protocols and services that are required for an environment. If the plan does not include the use of certain protocols, consider disabling them. For more information about disabling protocols, see the OneFS Security Configuration Guide for the relevant OneFS release at PowerScale Info Hubs.