
Unsolved


Z

1905

July 3rd, 2014 06:00

Disable access to webinterface and CLI for specific network

Hi.

Does anybody know a way (except for firewalls) to prevent access to the Isilon web interface and CLI for a specific network?

Case here:

Customer has a Management LAN and a Production LAN.

From Production LAN only clients access the Isilon. No need to access the Admin interfaces though. This should only be possible through Management LAN.

Production and Management also use separate ext-interfaces.

Can I disable the web interface and CLI for the Production LAN? Any ideas?

20.4K Posts

July 3rd, 2014 08:00

Have you seen this solution?

https://support.emc.com/kb/16602

64 Posts

July 5th, 2014 06:00

The solution seems good for clusters with version 6.5 or below.

I'm interested in a solution for 7.x

106 Posts

July 8th, 2014 10:00

The document that dynamox has pointed to was written and tested against 6.5, but fundamentally the information still holds true for 7.x and beyond.  There may be minor syntax differences that we'd need to verify in order to update the document, but the idea is correct.

Anyone whose network connectivity gets through to the HTTP or SSH ports on any node, and who has the root or administrative password, will be able to utilize the WebUI or CLI.

In this situation, to keep all network traffic from the Production LAN out, you'll want to stop the network traffic from reaching its destination at all. Host file updates (as documented) or other firewall solutions are your best option.

Alternatively, making use of RBAC, Role Based Access Controls, could allow restricted access to the Web interface if there are reasons to grant people access for monitoring, but not access to make changes.  Also, Access Zones being released in OneFS 7.1.1 could be leveraged to separate areas of data usage vs the system zone where administration is performed, though wouldn't stop incoming HTTP or SSH requests. 

So I would use the documentation provided above as the best resource to accomplish your need here.

64 Posts

July 9th, 2014 01:00

The new feature in 7.1.1 sounds interesting, I will give that a try by moving SMB to a separate access zone.

Concerning the "old solution":

Will these manual changes stay after OneFS upgrades?
