7. Experimental report on a security implementation scheme in SAN and NAS environments
2022-07-16 07:18:00 【Hello_ cx】
I. 【Purpose of the experiment】
Building on the SAN and NAS environments from chapters 3 and 4, add corresponding security measures to prevent unauthorized access to sensitive enterprise data.
II. 【Experimental equipment】
Windows Server 2016, iSCSI service
III. 【Experimental steps】
Preparation:
Build the IP-SAN environment (see the experimental report on building an IP-SAN with FreeNAS in a Windows environment).
(1) Create three 5 GB hard disks.

Storage > Storage pool > ADD

Fill in the name, select the disks for the storage pool, and choose Stripe.

Select the storage pool you just created > Add Zvol

Fill in the name and choose the zvol size. As the figure above shows, the storage pool we created is 5.33 GiB, and the zvol size cannot exceed 80% of it, so we choose 4 GiB here.

Created successfully.

(2) Configure iSCSI.
Services > iSCSI > Configure

Target Global Configuration: the base name cannot be modified; just keep the one provided.

Initiators > Add > keep the default ALL > Save.

Created successfully; the group ID is 1.

Authorized Access > Add
For the group ID enter 1 > for the user name enter "oracle" and for the password enter "[email protected]#qwe" > for the peer user enter "FreeNasOracle", with the password "[email protected]#qwe".

Created successfully; the authentication group number is 1.

Portals: for the discovery authentication method select CHAP > for the discovery authentication group enter the group ID just created (1) > for the IP address choose the address you use to connect to FreeNAS, that is, your login IP.

Created successfully.

Targets > Add
Choose the target name yourself. The IDs here are the ones just created, all 1. For the authentication method select CHAP.

Created successfully.

Extents > Add
Choose the name yourself > for the type select Device > select the zvol just created > Save.

Created successfully.

Associated Targets > Add
Select the target and the extent you just created and associate them. LUN stands for logical unit number.

Created successfully.

Finally, go back to Target Global Configuration and save.

(3) Go back to Services and turn on the iSCSI service.

Subtask 1: LUN port mapping for logical units in the IP-SAN environment
(1) Initiator node name authentication
On the server, open the iSCSI Initiator program. Find the initiator name under Configuration and copy it: iqn.1991-05.com.microsoft:win-p94vps04v5u

Go to FreeNAS > Services > iSCSI

Initiators > select the entry just created > Edit

Paste iqn.1991-05.com.microsoft:win-p94vps04v5u into it. Click Save.

Change complete.

Configure CHAP (Challenge Handshake Authentication Protocol)
This was already done during the preparation, so I won't repeat it here.

Initiator client security configuration
Turn on the iSCSI service in FreeNAS.

Connect from the server.
(2) Connect to the server
Open the iSCSI Initiator > Discovery > Discover Portal > Advanced

For the user name enter "oracle" and for the password enter "[email protected]#qwe"

Enter the FreeNAS IP > OK.

Targets > Connect > Advanced

For the user name enter "oracle" and for the password enter "[email protected]#qwe"

OK. Connected successfully.

The disk is now visible in Disk Management on the server.
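
The CHAP settings above define two directions of proof: the user "oracle" authenticates the server to FreeNAS, and the peer user "FreeNasOracle" authenticates FreeNAS back to the server. The following Python sketch is an added example, not part of the original report; it models both directions with the CHAP MD5 response from RFC 1994. The secrets are constructed, the class and function names are hypothetical, and the 12 to 16 byte length check is an assumption about the limit the initiator and FreeNAS enforce, not something the report states.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def check_secrets(user_secret, peer_secret):
    """Checks worth running before mutual CHAP is switched on."""
    problems = []
    for label, secret in (("user", user_secret), ("peer", peer_secret)):
        if not 12 <= len(secret) <= 16:   # assumed initiator/FreeNAS limit
            problems.append("%s secret is %d bytes, need 12-16" % (label, len(secret)))
    if hmac.compare_digest(user_secret, peer_secret):
        problems.append("user and peer secrets must differ")
    return problems

class Side:
    """One end of the login: the secret it proves and the one it expects."""
    def __init__(self, proves, expects):
        self.proves, self.expects = proves, expects

    def challenge(self):
        self.ident, self.nonce = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.nonce

    def answer(self, ident, nonce):
        return chap_response(ident, self.proves, nonce)

    def verify(self, response):
        expected = chap_response(self.ident, self.expects, self.nonce)
        return hmac.compare_digest(expected, response)

def mutual_chap(initiator, target):
    """The target authenticates the initiator first, then the reverse."""
    ident, nonce = target.challenge()
    if not target.verify(initiator.answer(ident, nonce)):
        return False                      # wrong user secret: login refused
    ident, nonce = initiator.challenge()
    return initiator.verify(target.answer(ident, nonce))

# Constructed secrets, not the ones used in the report.
USER_SECRET = b"example-user-01"   # "oracle" proves this to FreeNAS
PEER_SECRET = b"example-peer-02"   # "FreeNasOracle" proves this to the server

if __name__ == "__main__":
    print(check_secrets(USER_SECRET, PEER_SECRET))
    print(mutual_chap(Side(USER_SECRET, PEER_SECRET), Side(PEER_SECRET, USER_SECRET)))
```

The second half of `mutual_chap` is what the peer user adds: a storage target that does not hold the peer secret fails the initiator's check, so the server does not attach a disk from it.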

Subtask 2: Permission configuration for local users in the NAS environment
I suddenly found that we can also switch to the classic mode, as in the book.


(1) Create local user groups
Users > Groups > ADD > enter the name developer. The GID can be anything; it shouldn't matter much.

Then create sales.

(2) Create local users
Set up four users: developer1, developer2, sale1, sale2.
Accounts > Users > ADD.
Create developer1.

Uncheck the new primary group option > select the developer group.

Similarly, create developer2.


Similarly, create sale1.

Uncheck the new primary group option > for the primary group select sales.

Similarly, create sale2.


This completes the setup.
You can also create the users first and then add them to the groups.


(3) Attach disks
Create two hard disks.


Create the storage pools.
That did not work.

Create new 3 GB disks instead.

First create the da1 storage pool, then edit its permissions.



Set up the second disk the same way; the difference is that here you choose the sales group.


Choose the sales group here.

(4) Next, set up SMB sharing.

Choose the path. The developer path is da1; the sales path is da2.



(5) Test
Log in as developer1 and try it.

Enter the account name and password of developer1.


Enter the developer folder: it can be accessed and modified.

Click the sales folder: it cannot be accessed.
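
The test above only shows that the top-level sales folder refuses developer1; it does not show whether every file below a share received the same group and had "other" cleared. The following Python sketch is an added example, not part of the original report, that walks a share and lists entries that deviate. It assumes Unix-style permissions (not ACLs) and that it runs where the pool is mounted; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_share(root, expected_gid):
    """Report entries under root that break the policy used in this lab:
    the group is expected_gid and 'other' has no permission bits at all."""
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):      # link modes are not meaningful
            return
        if st.st_gid != expected_gid:
            findings.append((path, "group gid %d, expected %d" % (st.st_gid, expected_gid)))
        if st.st_mode & stat.S_IRWXO:     # any of r/w/x for 'other'
            findings.append((path, "other has " + stat.filemode(st.st_mode)[-3:]))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings

def build_sample_share():
    """Constructed sample tree: one file is left world-readable, as happens
    when permissions are changed without the recursive option."""
    root = tempfile.mkdtemp(prefix="da1-")
    os.chmod(root, 0o770)
    src = os.path.join(root, "src")
    os.mkdir(src)
    os.chmod(src, 0o770)
    for name, mode in (("notes.txt", 0o660), ("build.log", 0o664)):
        path = os.path.join(src, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    share = build_sample_share()
    for path, problem in audit_share(share, os.lstat(share).st_gid):
        print(path, "->", problem)
```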

IV. 【Summary of the experiment】
(1) There were some problems when doing the experiment. First of all, I did not remember how I had done the earlier SAN and NAS experiments, so I looked up the previous experimental reports. Fortunately, the reports I wrote at the time were fairly detailed, and I remembered how to do it.
(2) My feeling about subtask one is that, compared with the previous IP-SAN experiment, there is just an additional peer user and password and nothing else has changed. It does not feel very useful: the two sides verify each other with CHAP, and FreeNAS just adds the server's initiator name. I don't quite understand the function of this logical unit port.
(3) The last experiment is relatively simple. After entering the credentials once, if I want to exit and enter my credentials again, it has to be done all over again, which is so troublesome.
Note that the storage pool permissions use root as the owner, and the group is set to the corresponding group. Remember to select the recursive option, and for "Other" do not check any of the permissions. Everything else should be no different from the previous experiments.