SSL Security Improvements; Default Security Settings For Manageability Protocols - IBM N Series Manual

Attention: If you later configure MetroCluster, or use RAID SyncMirror or
the aggregate copy capability on the root aggregate, the root aggregate
Snapshot reserve must be increased to 5% by using the snap reserve
command.
For more information about using the snap reserve command, see the
na_snap(1) man page.

SSL security improvements

As a precautionary measure due to security vulnerability CVE-2009-3555, the
SSL renegotiation feature is disabled in Data ONTAP.

Default security settings for manageability protocols

On storage systems shipped with Data ONTAP 8.0 7-Mode or later, secure
protocols are enabled and non-secure protocols are disabled by default.
SecureAdmin is set up automatically on storage systems shipped with Data
ONTAP 8.0 7-Mode or later. For these systems, the following are the default
security settings:
- Secure protocols (including SSH, SSL, and HTTPS) are enabled by default.
- Non-secure protocols (including RSH, Telnet, FTP, and HTTP) are disabled
  by default.
On storage systems shipped with Data ONTAP 8.0 7-Mode or later, the
following are the default option settings for SSH and SSL:
- options ssh.enable on
- options ssh2.enable on
- options ssh1.enable off
- options ssh.passwd_auth.enable on
- options ssh.pubkey_auth.enable on
- options httpd.admin.ssl.enable on
Also on storage systems shipped with Data ONTAP 8.0 7-Mode or later, the
following are the default option settings for the non-secure protocols:
- options ftpd.enable off
- options httpd.admin.enable off
- options httpd.enable off
- options rsh.enable off
- options telnet.distinct.enable on
- options telnet.enable off
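
The following added example (not part of the IBM manual) checks a saved copy of a system's options output against the defaults listed above and reports every option that differs or is absent. It assumes the capture holds one option name and value per line, separated by whitespace; the sample capture is constructed.

```python
# Added example: audit captured option settings against the shipped defaults
# listed in this section. Not vendor code; the capture format is an assumption.

# Defaults for systems shipped with Data ONTAP 8.0 7-Mode or later (from the page).
BASELINE = {
    "ssh.enable": "on", "ssh2.enable": "on", "ssh1.enable": "off",
    "ssh.passwd_auth.enable": "on", "ssh.pubkey_auth.enable": "on",
    "httpd.admin.ssl.enable": "on",
    "ftpd.enable": "off", "httpd.admin.enable": "off", "httpd.enable": "off",
    "rsh.enable": "off", "telnet.distinct.enable": "on", "telnet.enable": "off",
}

def parse_options(text):
    """Return {name: value} from lines like 'ssh.enable  on' or 'options ssh.enable on'."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "options":
            fields = fields[1:]
        # Keep only 'name value' pairs whose name is a dotted option name.
        if len(fields) >= 2 and "." in fields[0]:
            found[fields[0]] = fields[1].lower()
    return found

def audit(text, baseline=BASELINE):
    """Return sorted (option, expected, actual) tuples; actual is None if not in the capture."""
    actual = parse_options(text)
    return sorted((name, want, actual.get(name))
                  for name, want in baseline.items()
                  if actual.get(name) != want)

# Constructed capture: rsh and telnet re-enabled, ssh1.enable not present.
SAMPLE = """\
ftpd.enable                  off
httpd.admin.enable           off
httpd.admin.ssl.enable       on
httpd.enable                 off
rsh.enable                   on
ssh.enable                   on
ssh.passwd_auth.enable       on
ssh.pubkey_auth.enable       on
ssh2.enable                  on
telnet.distinct.enable       on
telnet.enable                on
"""

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE):
        print(f"{name}: expected {want}, found {got if got is not None else 'missing'}")
```
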
Note: These default settings apply only to storage systems shipped with Data
ONTAP 8.0 7-Mode or later. For storage systems upgraded from an earlier