It is very important to ensure that your data is able to meet your organization’s security objectives. ONTAP includes many security capabilities and features. However, since each organization’s security objectives are different, not all of the security features within ONTAP are enabled automatically. As a result, many customers have to manually implement or activate some ONTAP security controls to achieve the level of protection they require for their environment. This can be a challenge. To help make this process simpler and faster, NetApp has created an Ansible security role to automate it.

ONTAP Security Hardening with the Unified Capabilities Deployment Guide Ansible Role. 

The ONTAP Security Unified Capabilities Deployment Guide role for Ansible, or nar_ontap_security_ucd_guide, was created to help customers configure and harden an ONTAP cluster to the specifications detailed in the NetApp DoD Unified Capabilities (UC) Deployment Guide (NetApp TR-4754).

IMPORTANT – There are a few things to keep in mind prior to using this role:

  • This role focuses on how government customers can deploy and harden an ONTAP system. To comply with the more stringent security policies in these environments, some functionality such as AutoSupport/Active IQ or managing the ONTAP system via System Manager is restricted or not permitted.
  • You should use extreme caution when utilizing this Ansible role, as it is intended for “extremely” hardened ONTAP security configurations.
  • If used incorrectly it is possible to lock yourself out of the ONTAP system and create a situation where you are unable to regain access.
  • Reviewing TR-4754 prior to deploying this role is highly recommended.
  • Ansible 2.8 or later is required.
  • ONTAP 9.6 or later is required.
  • The README.md file should be intensely reviewed prior to deploying this role, as it contains additional dependencies, variables, and an example playbook.

Where To Get The Role And How To Use It.

The nar_ontap_security_ucd_guide role is available for download on GitHub at the following link. The role can be used in two primary ways.

  1. The role can be used in its entirety to harden an ONTAP system according to the guidelines and recommendations in the NetApp DoD Unified Capabilities (UC) Deployment Guide (NetApp TR-4754). Keep in mind that this guide was written for government customers who would deploy and harden ONTAP systems. Some functionality is sacrificed for security reasons.
  2. Only certain tasks in the role can be utilized to enable the specific security features your organization needs. Other tasks can be removed or commented out if they are not needed.
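The playbook below is an added illustration of the first approach (applying the whole role), written for this post and not taken from the role's README. The inventory group name `ontap_lab`, the vault file `vault.yml`, and the variable names `netapp_hostname`, `netapp_username` and `netapp_password` are assumptions; the README is the authority on which variables the role actually expects.

```yaml
# Added example, not the playbook shipped with nar_ontap_security_ucd_guide.
# Assumptions (not from the original post):
#   - the inventory has a group "ontap_lab" containing only lab clusters,
#   - cluster credentials are kept in an Ansible Vault file "vault.yml"
#     under the vault_* names referenced below,
#   - the role consumes netapp_hostname/netapp_username/netapp_password;
#     replace these with the variable names listed in the role's README.
- name: Harden lab ONTAP clusters per TR-4754 (full role)
  hosts: ontap_lab          # deliberately not "all": lab first, production later
  gather_facts: false       # ONTAP is managed through its API, no SSH facts needed
  connection: local         # na_ontap_* modules execute on the control node
  vars_files:
    - vault.yml             # created with: ansible-vault encrypt vault.yml
  roles:
    - role: nar_ontap_security_ucd_guide
      vars:
        netapp_hostname: "{{ vault_netapp_hostname }}"
        netapp_username: "{{ vault_netapp_username }}"
        netapp_password: "{{ vault_netapp_password }}"
```

Before running it for real, `ansible-playbook -i inventory.ini harden_lab.yml --ask-vault-pass --list-tasks` prints every task the role would execute without changing anything, which is a convenient way to decide which hardening steps to keep. For the second approach, copy the role and remove or comment out the tasks you do not want; because lockout is possible, keep a second, already-authenticated management session open while the first run executes so access can be restored if a task behaves unexpectedly.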

The README.md file should be reviewed prior to deploying the role in order to determine the best approach for your organization.  The file contains requirements, dependencies, role variables, and an example playbook.

What If I’m Not Familiar With Ansible And Its Use For Security Hardening?

If you’re already familiar with Ansible and ONTAP security hardening you can skip this section. For those who are not familiar with it, Ansible is an agentless automation solution. Once configured, it is straightforward to utilize for automating configuration and deployment tasks. In this author's opinion it’s easy to set up for first-time users. Being new to Ansible myself, I simply followed our 5-part introduction to Ansible series on netapp.io to get started. If you’re not familiar with Ansible I highly recommend starting there.

Another benefit of Ansible is that it can be used on more than just NetApp data management systems.  Ansible can be used to automate, configure and manage servers, network, and data management platforms from almost any vendor. Once you are familiar with Ansible you can create playbooks to automate almost everything, including ONTAP security configurations.

To simplify the automation of security features and enable hardening, NetApp has published its own Ansible Security Role that you can leverage for your ONTAP security configuration goals.

If you’re not familiar with security hardening in ONTAP, I suggest you review the ONTAP 9 Hardening Guide. The guide contains information on ONTAP security features, both current and new, with detailed information on how to manually implement those features.

What Should I Do Next?

Enabling security features can often cause unexpected changes in how things work in the environment. Prior to deploying the role, be sure to review the README.md file and ensure you’ve met the requirements, dependencies, etc.

Once you’re comfortable with how the role should work, NetApp recommends deploying the nar_ontap_security_ucd_guide in a controlled lab environment before proceeding with it in production.  This allows you to ensure all applications and data services continue to function as desired.  In addition, it will let you determine whether you want to use all of the security features in the role or only some of them.

Stay tuned to github and netapp.io in the future as we have plans to create additional Ansible roles for security hardening.

Matt Trudewind
Technical Marketing Engineer for Security at NetApp
Now on his 2nd tour at NetApp across 7 years, Matt is a Technical Marketing Engineer with a primary focus on portfolio Security. This includes but is not limited to Data Governance, Data Privacy Frameworks, Security Tools, and Security Best Practices. Prior to this role he was a Staff Engineer focused on ONTAP product Supportability, specifically in the areas of networking and SMB/CIFS. In between NetApp stints Matt worked with a NetApp partner (Eze Castle Integration) for 7 years as a pre-sales/post-sales storage architect focusing on early 7-Mode to cDOT migration. He has also focused on Microsoft Windows Active Directory, Exchange, SQL and VMware during his 21 years of IT experience, with 15 of those years coming in the storage industry. Prior to NetApp and ECI, he also worked a contract at Microsoft as a Technical Support Engineer.