The OneFS 9.3 and newer Security and Configuration Guides recommend disabling the USB ports on Isilon nodes and configuring a BIOS or iDRAC password for security purposes. Implementing these changes, however, makes the node more difficult to service in certain scenarios. Before these changes are implemented, the parties responsible for each cluster should weigh the benefits and drawbacks carefully and make an informed decision on whether the changes are needed in that cluster's specific environment. To assist with the decision-making process, we are outlining some of the benefits and drawbacks here.
Benefits:
- Increased Physical Security: Disabling the USB ports prevents unauthorized physical storage devices from interacting directly with the cluster, eliminating a possible route for data exfiltration. Configuring a strong BIOS password prevents unauthorized individuals from undoing this change.
- Authentication Bypass Prevention: The USB ports on the node can be used to boot it from an external storage device containing an alternate operating system. This can enable attackers to bypass authentication measures on the cluster and access or tamper with data not otherwise accessible to them. Disabling the USB ports prevents this.
- Stricter Compliance Mode Adherence: Booting a node from a OneFS reimage device can allow attackers to bypass certain restrictions enforced by OneFS compliance mode, enabling them to run commands that cannot otherwise be run while the node is in compliance mode. Disabling the USB ports prevents this.
Drawbacks:
- Serviceability Complications: The USB port is routinely used by service personnel for maintenance operations such as reimaging nodes and restoring lost configuration information. In addition, some issues that may occur on compliance mode clusters require service personnel to bypass compliance mode restrictions by booting from a USB stick to resolve them. Many of these service tasks cannot be accomplished while the USB ports are disabled.
- Increased Service Window Duration: If a service operation requires USB port access on a node with disabled USB ports, additional service time is required. The service person must locate a user's representative to give them the BIOS password (if one is configured), log in to the BIOS, modify the settings to permit USB port access, and then re-disable it after the service is complete. There is also a risk of inconsistent configuration if the person performing the service forgets to re-disable the USB ports after service, which can create a false sense of security. In addition, if the service person is not informed before the start of the service window that the node being serviced has disabled USB ports, they may assume that the node does not boot from their USB storage device because the device is faulty or corrupted, leading to unnecessary troubleshooting time spent on this perceived problem.
- Other Password Management Overhead: If a strong BIOS password is configured, this password must be tracked and managed, and measures must be taken to make it available to any service personnel who might need it. This can be an issue especially if access is needed after hours, when the user-appointed custodian of the password may not be available to provide it.
Ultimately, almost all security best practices involve tradeoffs, and only the user can decide whether their situation merits implementation in their specific environment and use case. If, after consideration, the user decides the benefits outweigh the drawbacks, the steps for disabling and re-enabling USB ports and setting BIOS and iDRAC passwords can be found in the OneFS Security Configuration Guide (SCG) for their specific OneFS version, which can be downloaded from the Dell Support site. For example, the OneFS 9.5 SCG can be found in the article How to Register for Access to Dell Technologies Online Support or Upgrade an Existing Account.