Video Screencast Help

Protect files in Netapp CIF share

Created: 06 May 2013 • Updated: 07 May 2013 | 3 comments
VRSM's picture
This issue has been solved. See solution.
Hi all.
Question, is there a way to restrict access to files in a remote location (Netapp CIF share)? Mainly what I want to do is to protect files/folders in a CIF share from Netapp, so I can define which users can access determined files/folders.
As you can't install the agent in Netapp by itself, prevention policies stating files rules -- writable, read-only or no-access -- cannot be deployed as you would do it with a Windows file server. There is a process set, remote_file_ps, which you can use, however it's very limited, it allows you to give full/safe privileges, readonly access or block all access to files if accessed with remote programs, this process set doesn't allow granular settings.
Operating Systems:

Comments 3 CommentsJump to latest comment

Chuck Edson's picture

You cannot run prevention on a remote machine - SCSP Prevention uses kernel level drivers to control access to files/foldes/regkeys etc., so only the machine it is installed on can be protected..

If a post helps you, please mark it as the solution to your issue.

VRSM's picture

Thanks for this important piece of info, Chuck.

So, if it's not possible, how would you deal with this?  any experience on this? As detection policies are supported on remote systems, I was thinking on doing "something" with detection policies + execute command. The "something" part is what I'm trying to figure out. If not, I would be able to uniquely monitor files, isn't it?

Chuck Edson's picture

I don't have a lot of knowledge or experience with NetApp, but because CSP cannot be installed on it, it looks like you have to rely on the native file controls (AD Authentication, Kerberos, NTLM etc.) on the NetApp device.

I glanced at the NetApp overview on their site, and it looks to me that the device appears as another node on the network, so it is out of reach of CSP.  If there is a way to install NetApp as an attached storage device to the Windows machine (where the NetApp device appears as a drive on the Windows Box), then you could use CSP to control read/write access.  But again, my cursory glance at the NetApp documentation leads me to believe that the device is out of the reach of CSP IPS.

As far as your detection/execution idea, you can ship the NetApp logs to a CSP Agent (AKA "Virtual Agent"), and have the logs parsed by CSP and trigger a script that is stored and run on the CSP Agent.  This can be any script, so technically you could, say, disable or lock out a user's account in Active Directory if the event shipped by NetApp contains the data necessary. 

For instance, if a user that is not supposed to touch a file attempts to or is successful at reading a restricted file, and NetApp can record that in its logs and ship that log to the CSP Agent.  When CSP sees that, it can fire off that script that shuts down the user's account (or anything else that you can come up with, like create a ticket with your security department).  The tricky part is getting the data from the event in question (like the username) into the script . . . .

If a post helps you, please mark it as the solution to your issue.