
QoreStor 7.4.1 - User Guide


Security recommendations guide

The following table describes the recommendations Quest offers for specific security scenarios.

Table 10: Security recommendations

Sr. No. | Asset | Recommendation

1 | Secure connect certificates

Use certificates signed by a third-party CA such as DigiCert or SSL.com. Refer to the QoreStor User Guide for instructions on using third-party certificates.

2 | Object Container Certificate

Use a certificate signed by a third-party CA. Currently the Object Container and the QS UI use the same certificate; we recommend using a different certificate for each service.

3 | QS UI Certificate

Use a certificate signed by a third-party CA; it can be uploaded via the UI Dashboard. Refer to the QoreStor User Guide for instructions on using third-party certificates.

4 | QoreStor default passwords

Change the default passwords immediately after installation. A minimum password-strength policy must be enforced when passwords are changed.

Passwords to change:

  • backup_user (default OST user)
  • UI admin password
  • CIFS admin password, if enabled

In addition, Cloud Tier and Archive Tier require passphrases when their storage groups are created. These passphrases must be treated like passwords from a security and strength standpoint.

5 | Default port settings and firewall settings

Quest recommends disabling the network ports that are not needed for customer use cases.

  • Quest recommends enabling just the following ports: 9443 (secure connect), 22 (SSH) and 5233 (HTTPS)
  • Quest recommends disabling the following ports unless the customer is using the specific functionality: 80 (HTTP), 9000-9005 (Object container), 12000-12127 (RDA-NDMP), 9920, 10011, 11000 (OST/RDA without secure connect), 9904, 9911, 9915, 9916 (Replication), 111, 2049 (NFS), 138, 139, 445 (CIFS), 10000, 43000-43040 (NDMP) and 3260 (iSCSI)
  • Customers can enable or disable ports using system firewall configuration. Alternatively, customers can use fw_config, a script provided by QoreStor, to manage the port settings. Below are some commands to open ports using fw_config:

To limit the set of open ports to the minimum set (this implicitly includes the UI port and SSH, which is enabled by the OS):

/opt/qorestor/bin/fw_config -c sc

To enable ports used for RDCIFS or CIFS

/opt/qorestor/bin/fw_config -c sc,cifs

To enable ports used for RDNFS or NFS

/opt/qorestor/bin/fw_config -c sc,nfs

To enable ports used for the object container

/opt/qorestor/bin/fw_config -c sc,object

To enable ports used for replication from a DR Appliance to the QoreStor server

/opt/qorestor/bin/fw_config -c sc,oca

To enable ports used for iSCSI

/opt/qorestor/bin/fw_config -c sc,iscsi

To enable ports used for VTL NDMP

/opt/qorestor/bin/fw_config -c sc,ndmp

NOTE: Ports can be combined if needed. For example, to enable ports for replication from a DR, and RDCIFS, you would use:

/opt/qorestor/bin/fw_config -c sc,cifs,oca
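The port lists above are easiest to enforce when you can check a host against them. The following script is an added example and is not part of the QoreStor documentation or of fw_config: it encodes the guide's baseline ports and per-feature port groups, parses a `firewall-cmd --list-ports` style listing, and reports ports that are open without a corresponding enabled feature, plus baseline ports that are unexpectedly closed. The feature names (`cifs`, `object`, and so on) and the sample port listing are constructed for the example; on a real host you would feed in the actual firewall output.

```python
"""Audit a QoreStor host's open firewall ports against the guide's recommended baseline.

Added example, not part of the QoreStor documentation or of fw_config. The port
listing below is constructed; on a real host feed in the output of
`firewall-cmd --list-ports` (or an equivalent listing) instead.
"""
import re

# Minimum set the guide recommends keeping open: secure connect, SSH and the HTTPS UI.
BASELINE_PORTS = {9443, 22, 5233}

# Ports the guide says to open only while the matching feature is in use.
# The feature names are this example's own labels, not fw_config option names.
FEATURE_PORTS = {
    "http": {80},
    "object": set(range(9000, 9006)),
    "rda-ndmp": set(range(12000, 12128)),
    "ost-rda-no-secure-connect": {9920, 10011, 11000},
    "replication": {9904, 9911, 9915, 9916},
    "nfs": {111, 2049},
    "cifs": {138, 139, 445},
    "ndmp": {10000} | set(range(43000, 43041)),
    "iscsi": {3260},
}

_PORT_SPEC = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)$")


def parse_port_list(text):
    """Parse 'firewall-cmd --list-ports' style output such as '22/tcp 9000-9005/tcp'."""
    ports = set()
    for token in text.split():
        m = _PORT_SPEC.match(token)
        if not m:
            raise ValueError(f"unrecognised port spec: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        ports.update(range(lo, hi + 1))
    return ports


def feature_for_port(port):
    """Name the optional feature a port belongs to, or 'unknown' if the guide does not list it."""
    for feature, ports in FEATURE_PORTS.items():
        if port in ports:
            return feature
    return "unknown"


def audit_ports(open_ports, enabled_features=()):
    """Return ports open beyond the allowed set (with the feature each belongs to)
    and baseline ports that are closed."""
    allowed = set(BASELINE_PORTS)
    for feature in enabled_features:
        allowed |= FEATURE_PORTS[feature]  # a typo in a feature name raises KeyError on purpose
    unexpected = {p: feature_for_port(p) for p in sorted(open_ports - allowed)}
    missing = sorted(BASELINE_PORTS - open_ports)
    return {"unexpected": unexpected, "missing_baseline": missing}


# Constructed sample: a host that uses CIFS but also left HTTP, the object
# container ports and an unrelated port (8080) open.
SAMPLE_LIST_PORTS = "22/tcp 5233/tcp 9443/tcp 80/tcp 445/tcp 139/tcp 9000-9005/tcp 8080/tcp"

if __name__ == "__main__":
    report = audit_ports(parse_port_list(SAMPLE_LIST_PORTS), enabled_features=("cifs",))
    for port, feature in report["unexpected"].items():
        print(f"port {port} is open but not needed (feature: {feature})")
    for port in report["missing_baseline"]:
        print(f"baseline port {port} is closed")
```

Run it after each `fw_config` change and after OS updates; a port that shows up as `unknown` was opened by something other than the QoreStor feature set and deserves a closer look.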

6 | AWS least privileges

As a general rule, enable only the least set of permissions needed to perform operations on cloud objects.

  • Bucket policies: Quest recommends granting read/write (RW) permissions only to users within the account and not granting permissions to users outside the account.
  • IAM policies: Batch and Lambda operations use IAM policies to manage access and permissions. Refer to the QoreStor User Guide for sample policies.
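A quick way to verify the bucket-policy recommendation is to scan the policy for Allow statements whose principals are outside the owning account. The script below is an added example; it is not one of the sample policies the QoreStor User Guide refers to, and both policies in it are constructed (the account ids 111122223333 and 999988887777, the bucket name and the user name are placeholders). It understands the `"*"`, bare account id and `arn:aws:iam::ACCOUNT:...` forms of the `AWS` principal; service principals and `NotPrincipal` are deliberately left out of scope.

```python
"""Check an S3 bucket policy for grants that reach outside the owning AWS account.

Added example, not one of the sample policies in the QoreStor User Guide. The
policies and account ids below are constructed placeholders.
"""
import json
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")
BARE_ACCOUNT = re.compile(r"^\d{12}$")


def principal_accounts(principal):
    """Return the account ids (or '*') that a policy Principal element grants to.

    Only the 'AWS' principal key is inspected; 'Service' and 'Federated'
    principals are out of scope for this check.
    """
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = []
    for v in values:
        if v == "*" or BARE_ACCOUNT.match(v):
            accounts.append(v)
        else:
            m = ARN_ACCOUNT.match(v)
            accounts.append(m.group(1) if m else v)  # unknown form: surface it unchanged
    return accounts


def find_external_grants(policy_json, own_account):
    """List (Sid, principal) pairs for Allow statements that grant outside own_account."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct != own_account:
                findings.append((stmt.get("Sid", "<no Sid>"), acct))
    return findings


# Constructed: RW for a single user inside the account, as the guide recommends.
RECOMMENDED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QoreStorReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/qorestor-cloud-tier"},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-qorestor-bucket",
                     "arn:aws:s3:::example-qorestor-bucket/*"],
    }],
})

# Constructed weak variant: the same grant plus an anonymous read and a cross-account grant.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(RECOMMENDED_POLICY)["Statement"][0],
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-qorestor-bucket/*"},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-qorestor-bucket"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED_POLICY), ("weak", WEAK_POLICY)):
        print(name, find_external_grants(policy, "111122223333"))
```

On a live bucket the policy document comes from `aws s3api get-bucket-policy`; an empty findings list means every Allow statement stays inside the account, which is the state the recommendation asks for.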

7 | Azure and other SPs least privileges

As a general rule, enable only the least set of permissions needed to perform operations on cloud objects. For storage buckets, Quest recommends granting read/write (RW) permissions only to users within the account and not granting permissions to users outside the account.

8 | Network Security Group (NSG) port settings for Azure Marketplace images

Refer to the Azure Marketplace deployment guide for recommended NSG settings.

9 | UI log-in attempts

Quest recommends monitoring login attempts from the UI using events. This helps detect unauthorized login attempts to QoreStor via the UI. Refer to the user guide for instructions on event monitoring.

10 | Users logged into QoreStor

Monitor local users logged into the QoreStor server. Super users can check /var/log/secure for shell logins.
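Reading /var/log/secure by eye does not scale, so the script below, an added example that is not part of the QoreStor documentation, parses sshd "Accepted" and "Failed" lines into a short summary: who logged in from where and by which method, how many failures each source address produced, which sources crossed a failure threshold, and which accepted logins were for root. The log lines are constructed in the format sshd writes on RHEL-family systems; the threshold of 3 and the host name `qorestor` are assumptions for the example.

```python
"""Summarise shell logins recorded in /var/log/secure (sshd lines).

Added example, not part of the QoreStor documentation. The log lines below are
constructed in the RHEL-family sshd format; on a real QoreStor server read
/var/log/secure as root (or via sudo) and pass its lines to summarize_logins().
"""
import re
from collections import Counter

# Matches both "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> for [invalid user] <user> from <ip> port <n>".
SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log; 203.0.113.9 is a documentation-range address.
SAMPLE_SECURE_LOG = """\
Mar  3 10:15:22 qorestor sshd[2311]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Mar  3 10:16:01 qorestor sshd[2340]: Failed password for invalid user admin from 203.0.113.9 port 40210 ssh2
Mar  3 10:16:03 qorestor sshd[2340]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Mar  3 10:16:05 qorestor sshd[2345]: Failed password for root from 203.0.113.9 port 40212 ssh2
Mar  3 10:20:44 qorestor sshd[2400]: Accepted publickey for qsadmin from 10.0.0.7 port 50001 ssh2: RSA SHA256:examplefingerprint
Mar  3 10:21:00 qorestor systemd-logind[801]: New session 12 of user qsadmin.
"""


def parse_sshd_event(line):
    """Return the fields of an sshd login line, or None for any other line."""
    m = SSHD_LINE.search(line)
    return m.groupdict() if m else None


def summarize_logins(lines, failed_threshold=3):
    """Aggregate sshd events: accepted logins, failures per source, flagged sources, root logins."""
    accepted = []
    failed_by_src = Counter()
    for line in lines:
        ev = parse_sshd_event(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            accepted.append((ev["user"], ev["src"], ev["method"]))
        else:
            failed_by_src[ev["src"]] += 1
    flagged = sorted(src for src, n in failed_by_src.items() if n >= failed_threshold)
    return {
        "accepted": accepted,
        "failed_by_src": dict(failed_by_src),
        "flagged_sources": flagged,
        "root_logins": [e for e in accepted if e[0] == "root"],
    }


if __name__ == "__main__":
    summary = summarize_logins(SAMPLE_SECURE_LOG.splitlines())
    for user, src, method in summary["accepted"]:
        print(f"accepted: {user} from {src} via {method}")
    for src in summary["flagged_sources"]:
        print(f"{src} reached {summary['failed_by_src'][src]} failed attempts")
    for user, src, _ in summary["root_logins"]:
        print(f"root shell login from {src}")
```

The `root_logins` list is the one to watch on a QoreStor server where root logins are meant to be restricted; an unexpected entry there, or a source in `flagged_sources`, is worth raising as an event.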

11 | Access to external CIFS/NFS shares

Quest recommends restricting access to CIFS/NFS shares based on IP white-listing. Check QoreStor events for mount access to the shares.

12 | Encryption at rest and replication channel encryption

Quest recommends encryption at rest and encryption of in-flight data (the replication channel) using internal keys and SHA256 to secure the backup data. Refer to the user guide for instructions on how to enable them.

13 | RDA immutability

QoreStor version 7.1 and later offers enhanced security using RDA Immutability, which DMAs are in the process of integrating. Refer to the user guide for details on the feature and instructions to enable it.

14 | Recycle Bin

QoreStor version 7.1 and later offers protection against ransomware attacks with the Recycle Bin. Refer to the user guide for details on the feature and instructions to enable it.

 

 

About us

Quest provides software solutions for the rapidly-changing world of enterprise IT. We help simplify the challenges caused by data explosion, cloud expansion, hybrid datacenters, security threats, and regulatory requirements. We are a global provider to 130,000 companies across 100 countries, including 95% of the Fortune 500 and 90% of the Global 1000. Since 1987, we have built a portfolio of solutions that now includes database management, data protection, identity and access management, Microsoft platform management, and unified endpoint management. With Quest, organizations spend less time on IT administration and more time on business innovation. For more information, visit www.quest.com.

Technical support resources

Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

  • Submit and manage a Service Request.
  • View Knowledge Base articles.
  • Sign up for product notifications.
  • Download software and technical documentation.
  • View how-to videos.
  • Engage in community discussions.
  • Chat with support engineers online.
  • View services to assist you with your product.