NAS(Network Attached Storage)





■ Terminology

DAS(Direct Attached Storage)

SAN(Storage Area Network)

NAS(Network Attached Storage)


FC Protocol

IP Protocol



■ DAS(Block Level Access)

- Internal DAS(e.g. internal disk)

- External DAS(e.g. external disk)


■ SAN(Block Level Access)

- FC SAN

- IP SAN(EX: iSCSI, FCIP, FCoE)


■ NAS(File Level Access)



NAS vs. SAN

 

Network Attached Storage(NAS)
- Connect to a shared storage device across the network
- File-level access

Storage Area Network(SAN)
- Looks and feels like a local storage device
- Block-level access
- Very efficient reading and writing

Requires a lot of bandwidth
- May use an isolated network and high-speed network technologies

 

Fibre Channel(FC)

A specialized high-speed topology
- Connect servers to storage
- 2-,4-,8- and 16-gigabit per second rates
- Supported over both fiber and copper

Servers and storage connect to a Fibre Channel switch
- Server(initiator) needs a FC interface
- Storage(target) is commonly referenced by SCSI, SAS, or SATA commands

 

Fibre Channel over the data network

Fibre Channel over Ethernet(FCoE)
- Use Fibre Channel over an Ethernet network
- No special networking hardware needed
- Usually integrates with an existing Fibre Channel infrastructure
- Not routable

Fibre Channel over IP(FCIP)
- Encapsulate Fibre Channel data into IP packets
  -> Fibre Channel tunneling
- Geographically separate the servers from the storage

 

iSCSI

Internet Small Computer Systems Interface
- Send SCSI commands over an IP network
- Created by IBM and Cisco, now an RFC standard

Makes a remote disk look and operate like a local disk
- Like Fibre Channel

Can be managed quite well in software
- Drivers available for many operating systems
- No proprietary topologies or hardware needed

On the whole, we are storing more data than ever before and the numbers continue to increase. From a security perspective, this becomes extremely important because a lot of this data is being transferred across the network. When we talk about storage that’s across the network, we tend to use two terms almost interchangeably, but these two terms are actually very different.

One is Network Attached Storage, or NAS. The NAS storage is storage that is outside of our device. We’re connecting to across the network, but we access the data on that storage at a file level. If we need to change just part of a file, then we have to overwrite the entire file on that storage device. And likewise, if we need just a little bit of data out of a file, we have to retrieve the entire file from that device to be able to work with it.


Another common term you’ll hear for this remote storage device is a SAN, or a Storage Area Network. It is indeed a storage device that is located across the network. But under the surface, it works very differently. A SAN works on something called block-level access. This is very similar to how our local hard drives and storage devices work on our local computers, where if we need to change part of a file, we simply change the individual bytes within that file that we need to change and we leave the rest of the file untouched. Works exactly the same with a SAN, except we’re performing that communication across the network. And as it sounds, it’s much more efficient for reading and writing, because you’re only changing or you’re only reading the information that you need at that particular time.


One very common thing for both of these technologies is that they use a lot of bandwidth. You’re storing information across the network and every time you want to send a file or receive a file, you’re going to be using a lot of bandwidth on that network. It’s very common to engineer these types of networks so that they are on their own isolated network that has no effect on any of the other network traffic in your organization. And it’s not unusual to see very, very high speeds dedicated to this Storage Area Network or the network-attached storage.


The need for such high rates of speed across these storage networks has really driven the creation of a specialized topology called Fibre Channel. This Fibre Channel technology connects directly from a server with a Fibre Channel port to the storage, which is on a, also of course, a Fibre Channel port. And these are very high rates of speed. You can run from two gigabits per second all the way up to the modern versions of 16 gigabits per second over that Fibre Channel link.


Although the initial implementations of Fibre Channel ran over fiber optic technology, today’s modern version of Fibre Channel will run over both fiber and copper cables. Just as ethernet has switches that support the communication across the ethernet topology, Fibre Channel also has Fibre Channel switches that everybody connects to. So if you have a server that needs to connect to Fibre Channel storage, then you will need a Fibre Channel port somewhere on that server.


Often very high end servers will have a Fibre Channel interface already built into the motherboard. But you could, of course, add an adapter card to provide that interface as well. Servers are often referred to as initiators, and the storage devices themselves are referred to as the targets on a Fibre Channel topology. The communication between the initiator and the target is often over very well known technologies like SCSI, serial attached SCSI, or using SATA commands.


On a Fibre Channel storage network, you would ideally connect directly to the Fibre Channel switch. But if you do have devices that are outside the network or still need access to the Fibre Channel storage but don’t have a Fibre Channel interface, you can run Fibre Channel over Ethernet, or FCoE. This communicates and sends Fibre Channel messages over an ethernet network and it doesn’t require your workstation or your server to have a specialized Fibre Channel interface. This is usually something that is integrated with an existing Fibre Channel infrastructure. So there is usually an ethernet connection coming out of your Fibre Channel switches that provides this link between the Fibre Channel world and the ethernet world.


Fibre Channel over Ethernet is a non-routable protocol that’s using the ethernet frames as communication. So it’s something that you commonly see within a single subnet or a single local area. You don’t often run this type of technology over larger distances where all of that traffic would be routed.


Of course, there’s a solution for sending Fibre Channel information over these routable IP networks, and that’s called Fibre Channel over IP, or FCIP. Fibre Channel over IP is taking all the Fibre Channel information and encapsulating it within the TCP/IP packets themselves. This is sometimes referred to as Fibre Channel tunneling, because we’re putting all the Fibre Channel information and tunneling it through that IP network.


This allows us to have devices that are very geographically dispersed across multiple locations and multiple data centers, but still able to send information and use the storage network on the Fibre Channel infrastructure.


Another popular technology for connecting you to your data across the network is called iSCSI. iSCSI stands for internet small computer systems interface. If you’ve ever worked with SCSI drives on a local computer, this is a way to extend that technology across the network through a routed set of protocols. It’s a standard that was created by IBM and Cisco. And it’s one that, instead of being proprietary, is very open. There’s an RFC standard for iSCSI.


Just like Storage Area Networks and Fibre Channel, iSCSI allows you to use the storage across the network, but make that storage look like it is on your local computer. That block-level storage means you have very efficient reads and writes to that storage. And because it’s SCSI, it’s something that is very well known in the industry. SCSI’s been around for a very long time. And the commands used to access SCSI devices are ones that the developers are very comfortable with. Drivers are available for iSCSI across many different operating systems, and it’s quite easy to implement because you don’t need any proprietary hardware or software to make iSCSI work.



■ FC-SAN(Fibre Channel Storage Area Network)


■ IP-SAN

        ■ iSCSI

        ■ FC-IP


■ iSCSI


■ FC-IP


■ FCoE(FC over Ethernet)


■ NAS(Network Attached Storage)

[Lab] Installing and using FreeNAS



Representative NAS-dedicated operating systems

FreeNAS(http://www.freenas.org)

NAS4Free

OpenMediaVault


For a detailed comparison of the NAS-dedicated operating systems, see the site below.

http://gigglehd.com/zbxe/12355614



About FreeNAS (http://www.freenas.org/about/features.html)


(1) Storage, liberated.

(2) Network-attached-storage (NAS) software that is both free to use and free as in open source code.

(3) Your data's best friend.


FreeNAS is an operating system that can be installed on virtually any hardware platform to share computer data storage over a computer network. 'Free' as in 'free and open source' and 'NAS' as in "network-attached storage", FreeNAS is the simplest way to create a centralized and easily-accessible home for your data.


The FreeNAS project and software were founded in 2005 on the principle that network storage be made available to the world at no cost and unencumbered by license restrictions. The FreeNAS Project has a mature community and a team of developers dedicated to meeting that goal and providing the best (open-source) network file storage solution in the world.


Replication

ZFS Snapshots are more than just local backups - they can be used to create remote backups as well. Replicating snapshots of the filesystem to a remote ZFS filesystem creates a complete duplicate there. Furthermore, additional snapshots of the same filesystem can be sent incrementally, reducing the size of each backup to the changes that were made between snapshots. In case of catastrophic damage to a local ZFS filesystem (such as disk failure in excess of parity protection or irrecoverable log device failure), any backed-up snapshot can be sent to a new ZFS filesystem, recovering all data up to that backup.


Data Protection

ZFS is designed for data integrity from top to bottom. RAID-Z, the software RAID that is part of ZFS, offers single parity protection like RAID 5, but without the “write hole” vulnerability thanks to the copy-on-write architecture of ZFS. The additional levels RAID-Z2 and RAID-Z3 offer double and triple parity protection, respectively. A software mirror option is also available. The FreeNAS Volumes screen lists each possible parity arrangement based on the number of disks you select when creating a new volume.

Every ZFS filesystem is also verified with checksums from top to bottom to ensure data integrity. If inconsistencies are found, parity blocks can be used to repair corrupt data. A regular scrub is turned on by default and can be rescheduled or configured from the web interface.


Backup Services
- Windows Backup
- Apple Time Machine
- rsync
- PC-BSD Life Preserver


Encryption

FreeNAS is the first and only open source project to offer encryption on ZFS volumes! A full-volume encryption option is available during volume creation, providing industry standard AES-XTS encryption which can be hardware-accelerated (when the processor has AES-NI capability).

Encrypted volumes can only be read by FreeNAS systems in possession of the master key for that volume. The user can optionally create a passphrase to add an additional layer of protection for when the whole system is stolen.

Encryption allows for confidence when retiring and recycling hard drives, because the drives no longer need to be wiped provided the master keys are obliterated.


Snapshots

Thanks to ZFS, snapshots of the entire filesystem can be made and saved at any time. As long as a snapshot exists, administrators can access files as they were when the snapshot was made.

Snapshots can be made on a one-off basis or scheduled as a cron job from the web interface. At any time, the entire filesystem can be rolled back to the most recent snapshot. Older snapshots can be cloned and accessed to recover data from that version of the filesystem. From the web interface, users can see how much space a particular snapshot is occupying on the volume and delete, clone, or roll back to individual snapshots as needed.


File Sharing

File sharing is what FreeNAS does best. Every major operating system is supported: SMB/CIFS (Windows file shares), NFS (Unix file shares) and AFP (Apple File Shares), as well as FTP, iSCSI (block sharing), WebDAV and other methods of sharing data over the network. iSCSI also supports VMware VAAI, Microsoft ODX and Microsoft Windows Server 2008 and 2012 R2 Clustering.

Most operating systems, including Windows, Mac OS X, many Linux distributions, and PC-BSD® can connect using SMB shares with little or no additional configuration needed on the client side. Most Unix-like operating systems support connecting with NFS out of the box, and free clients are widely available. AFP is primarily used by Mac OS X and is well suited for a network environment that only connects with Macintosh clients. FreeNAS® also supports Time Machine backups with a few minor tweaks on the system being backed up.


Web Interface

If FreeNAS has one goal, it’s simplifying complex administrative tasks for as wide a user base as possible. Every aspect of a FreeNAS system can be managed from a Web User Interface. A setup Wizard further simplifies configuration at installation time or later in the setup process. Volume creation, or the setting of permissions on individual shares or performing software updates, can be done without missing a critical step or encountering a silent failure.

Of course, the FreeNAS Team knows we can’t think of everything. Many services have advanced configuration options available from the Web User Interface in advanced menus. The full power of the FreeBSD shell environment is also available just a click away or through SSH. Ultimately, FreeNAS makes NAS deployment easier than ever but doesn’t get between you and the solution you need.


Plugins

FreeNAS® supports the core features of a NAS appliance out of the box. However, many users like to enhance their NAS appliance with third party software for media streaming, alternative protocols, or web applications.

To make sure your NAS can do everything you want, FreeNAS offers a third-party plugin system based on the FreeBSD jails system and the PBI system from PC-BSD. The plugin system isolates third-party software from the core operating system but allows plugins access to user-specified directories and configuration from the main Web User Interface.



The FreeNAS documentation is available at the sites below.

http://doc.freenas.org/

http://doc.freenas.org/9.3/freenas.html

http://web.freenas.org/images/resources/freenas9.2.1/freenas9.2.1_guide.pdf

http://www.freenas.org/images/resources/freenas8.3.1/freenas8.3.1_guide.html








[Lab 1] Installing FreeNAS


YouTube video of the installation process

https://www.youtube.com/watch?v=k-mRgeDS8rk


Prerequisites

VMware Workstation

FreeNAS ISO image


(Assumption) VMware Workstation is assumed to be installed already.


① Create a VM for FreeNAS


Select a Guest Operating System

Guest operating system : Other

Version : FreeBSD 64-bit


Name the virtual Machine

Virtual machine name : FreeNAS

Location : any suitable location


Specify Disk Capacity

Maximum disk size(GB) : 20.0

[ V ] Store virtual disk as a single file


MEM : about 1 GB

CPU : set the number of cores

CD/DVD : specify the location of the ISO image


Attach 7 new disks. (Note: only attach disks larger than 2 GB.)

3G : 2 disks

4G : 2 disks

5G : 3 disks


② FreeNAS installation process


Power on the FreeNAS VM


■ GNU GRUB version 2.02~beta2 screen : <ENTER>

■ FreeNAS 9.3.1-STABLE Console Setup : 1  Install/Upgrade

■ Choose destination media : [ V ] da0 VMware, VMware Virtual S 1.0 -- 20.0 GiB

■ FreeNAS installation : <YES>

■ Enter your root password : soldesk1. (enter it twice)

■ reboot


[Lab 2] FreeNAS initial configuration


Connect to FreeNAS from Windows and configure it.

- http://192.168.10.137

- ID/PASS: root/soldesk1.


If the Initial Wizard window appears, just close it; everything is configured manually here.


The following main menus are available.

Account

System

Tasks

Network

Storage

Directory Service

Sharing

Services

Plugins

Jails

Reporting

Guide

Wizard

Display System Processes

Shell

Log Out

Reboot

Shutdown


① Network configuration


Network > Global Configuration


② Language and time zone settings

System > General


After reconnecting, the interface will be displayed in Korean.





[Lab 3] Adding a user for sharing

Account > Users > Add User





[Lab 4] Creating a dataset and share for Linux


① Create a volume

Storage > Volumes > Volume Manager


② Create a dataset

Storage > Volumes > select SharePool > select the Create Dataset icon


③ Set permissions on the dataset

Storage > Volumes > SharePool > select LinuxShare1 > select Change Permission

-> Since this is only for testing, all permissions were granted.


④ Share configuration

Sharing > Unix (NFS) > Add Unix (NFS) Share ((Note) also select Advanced Mode.)


⑤ Test mounting the shared resource from the Linux machine


Power on the linux200 server


linux200 network configuration:

        IP/NETMASK : 192.168.10.200/24

        Gateway    : 192.168.10.2



# showmount -e 192.168.10.137
Export list for 192.168.10.137:
/mnt/SharePool/LinuxShare1 (everyone)


# mkdir -p /mnt/nas
# mount 192.168.10.137:/mnt/SharePool/LinuxShare1 /mnt/nas
# df -h
Filesystem    Type    Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
              ext3     37G  3.6G   32G  11% /
/dev/sda1     ext3     99M   19M   76M  20% /boot
tmpfs        tmpfs    506M     0  506M   0% /dev/shm
/dev/hdc   iso9660    3.9G  3.9G     0 100% /media/CentOS_5.9_Final
192.168.10.137:/mnt/SharePool/LinuxShare1
               nfs    975M  128K  975M   1% /mnt/nas


# cd /mnt/nas
# cp /etc/passwd file1
# ls -l
total 4.5K
-rw-r--r-- 1 4294967294 root 2.0K Feb 16 13:01 file1

-> If file1 is not created, change the permissions on the NAS.


# cd
# umount /mnt/nas
# df -h

-> confirm that the share is unmounted


Power off the linux200 server
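The share just mounted was exported with no client restriction (showmount reports it as "(everyone)") and mounted with default options. The following Python audit is an added example, not part of the lab notes or of FreeNAS: it parses constructed copies of the lab's `showmount -e` output and of the client's mount table, flags the open export and the missing `nosuid`/`nodev`/`noexec` mount options, and explains the owner uid 4294967294 seen in the `ls -l` output. All function names are this example's own.

```python
# Audit of the NFS share from Lab 4 (added example, not from the lab or FreeNAS).
# Parses constructed copies of `showmount -e` output and the client's mount
# table and reports what a reviewer would flag: exports open to every client
# (the lab left the share's authorized hosts/networks empty) and NFS mounts
# made without nosuid/nodev/noexec. Function names are this example's own.

HARDENING_OPTS = ("nosuid", "nodev", "noexec")
# Owner uid seen in the lab's `ls -l`: 4294967294 is (uid_t)-2, FreeBSD's default
# NFS root mapping; 65534 is Linux "nobody". Either means client root was squashed.
ROOT_SQUASH_UIDS = {4294967294, 65534}

# Constructed sample: the lab's export plus a host-restricted one for contrast.
SHOWMOUNT_OUTPUT = """\
Export list for 192.168.10.137:
/mnt/SharePool/LinuxShare1 (everyone)
/mnt/SharePool/LinuxShare2 192.168.10.200,192.168.10.201
"""

# Constructed sample of the client's /proc/mounts after the lab's mount command.
MOUNTS = """\
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
192.168.10.137:/mnt/SharePool/LinuxShare1 /mnt/nas nfs rw,vers=3,addr=192.168.10.137 0 0
"""

def parse_showmount(text):
    """Return {export_path: [client_spec, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines()[1:]:          # first line is the header
        if line.strip():
            path, _, clients = line.strip().partition(" ")
            exports[path] = clients.split(",") if clients else []
    return exports

def open_exports(exports):
    """Paths exported to any client: '(everyone)' on FreeBSD, '*' on Linux."""
    return sorted(p for p, specs in exports.items()
                  if any(s in ("(everyone)", "*") for s in specs))

def parse_mounts(text):
    """Return {mountpoint: set(options)} for the NFS entries of /proc/mounts."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2].startswith("nfs"):
            mounts[parts[1]] = set(parts[3].split(","))
    return mounts

def missing_hardening(mounts):
    """Map mountpoint -> hardening options it was mounted without."""
    result = {}
    for mp, opts in mounts.items():
        missing = [o for o in HARDENING_OPTS if o not in opts]
        if missing:
            result[mp] = missing
    return result

def is_root_squashed(uid):
    """True if a file owner uid shows the server mapped client root to nobody."""
    return int(uid) in ROOT_SQUASH_UIDS

def audit(showmount_text, mounts_text):
    """Return human-readable findings for the two inputs."""
    findings = [f"export {p} is open to every client"
                for p in open_exports(parse_showmount(showmount_text))]
    for mp, opts in missing_hardening(parse_mounts(mounts_text)).items():
        findings.append(f"mount {mp} lacks {','.join(opts)}")
    return findings
```

Running `audit(SHOWMOUNT_OUTPUT, MOUNTS)` on the constructed samples reports the open export and the unhardened mount; restricting the share's authorized hosts in FreeNAS and mounting with `-o nosuid,nodev,noexec` clears both findings.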




[Lab 5] Creating a dataset and share for Windows


① Create a dataset

Storage > Volumes > select SharePool > select Create Dataset


② Change permissions

select SharePool > WindowsShare1 > Change Permission


③ Share configuration

Sharing > Windows (CIFS) > Add Windows (CIFS) Share

※ Uncheck "Use as home share"!!




④ Accessing the shared folder from the Windows server


Power on the Windows 2008 R2 server


Network configuration:

        IP/NETMASK: 192.168.10.201/24

        Gateway   : 192.168.10.2



\\192.168.10.137

"Map network drive"


Right-click WindowsShare1 and select "Map network drive". (Note) You must check "[ V ] Connect using different credentials".


Map the network drive using the following information.

- ID/PASS: freenasuser1/freenas1


Try creating a file on the network drive.

[Reference] iSCSI configuration for Windows


① Authorized Access configuration

Sharing > Block(iSCSI) > Authorized Access > Add Authorized Access


User Secret : soldeskfreenas

Peer User Secret : soldeskfreenas1. / soldeskfreenas1,


② Add an initiator

Sharing > Block(iSCSI) > Initiators > Add Initiator


③ Add a portal

Sharing > Block(iSCSI) > Portals > Add Portal



④ Add a target

Sharing > Block(iSCSI) > Targets > Add Target


⑤ Device extent configuration

Storage > Volumes > Volumes Manager >


Storage > Volumes > select iscsipool > select Create zvol

-> Create iscsidisk2 the same way. (Size: 100 MiB)


Sharing > Block(iSCSI) > Extents > Add Extents



Sharing > Block(iSCSI) > Extents > Add Extents


Sharing > Block(iSCSI) > Associated Targets > Add Target / Extent



Sharing > Block(iSCSI) > Associated Targets > Add Target / Extent


⑥ Enable the iSCSI service

Services > iSCSI enable(ON)



⑦ Attaching the iSCSI disk in Windows


<CTRL + ESC> => search for iscsi

iSCSI Initiator Properties > Discovery > Discover Portal

iSCSI Initiator Properties > Discovery > Discover Portal > Advanced

 

Name (N)    : soldeskfreenas

Target secret (S): soldeskfreenas1.


Proceed with the disk operations.

-> The lab steps for this part are not described separately here.

->

https://www.synology.com/ko-kr/knowledgebase/DSM/tutorial/Virtualization/How_to_use_iSCSI_Targets_on_a_Windows_Server
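Step ① defines a User/Secret pair and a Peer Secret in FreeNAS, and step ⑦ types the name and secret into the Windows initiator; what these protect is the CHAP exchange at iSCSI login. The Python below is an added example, not FreeNAS or Windows code, that models that exchange in both directions (mutual CHAP, RFC 3720 with CHAP_A=5, i.e. the MD5 response of RFC 1994): the target challenges the initiator with its User Secret, then the initiator challenges the target with the Peer Secret. The names, secrets and class names are constructed for the illustration; the 12 to 16 byte length rule and the "peer secret must differ" rule are the ones FreeNAS and the Windows initiator enforce.

```python
# Mutual CHAP as used at iSCSI login (RFC 3720 with CHAP_A=5, i.e. RFC 1994 MD5),
# modelling the Authorized Access entry of step (1) and the Windows initiator
# dialog of step (7). Added example, not FreeNAS or Windows code: the secrets,
# names and class names are constructed for this illustration.
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C) (RFC 1994 section 2.1)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()

def check_secret(secret, must_differ_from=None):
    """Length rule FreeNAS and the Windows initiator enforce: 12 to 16 bytes;
    the peer (mutual) secret must also differ from the user secret."""
    if not 12 <= len(secret.encode()) <= 16:
        raise ValueError("CHAP secret must be 12 to 16 bytes")
    if must_differ_from is not None and secret == must_differ_from:
        raise ValueError("peer secret must differ from the user secret")

class Target:
    """FreeNAS side: User/Secret pairs plus the Peer Secret used for mutual CHAP."""
    def __init__(self, name, users, peer_secret):
        self.name, self.users, self.peer_secret = name, users, peer_secret
    def challenge(self):                       # fresh CHAP_I and random CHAP_C
        self.ident, self.chal = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.chal
    def verify_initiator(self, user, response):
        secret = self.users.get(user)          # unknown user: no secret, reject
        return secret is not None and hmac.compare_digest(
            chap_response(self.ident, secret, self.chal), response)
    def answer(self, ident, challenge):        # prove knowledge of the peer secret
        return self.name, chap_response(ident, self.peer_secret, challenge)

class Initiator:
    """Windows side: Name + Target secret, and for mutual CHAP the secret
    it expects the target to prove knowledge of."""
    def __init__(self, user, secret, expected_peer_secret):
        self.user, self.secret, self.peer = user, secret, expected_peer_secret
    def respond(self, ident, challenge):
        return self.user, chap_response(ident, self.secret, challenge)
    def challenge(self):
        self.ident, self.chal = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.chal
    def verify_target(self, response):
        return hmac.compare_digest(chap_response(self.ident, self.peer, self.chal), response)

def mutual_chap_login(initiator, target):
    """Run both CHAP directions; return which side rejected, or 'ok'."""
    ident, chal = target.challenge()             # target -> initiator: CHAP_I, CHAP_C
    user, resp = initiator.respond(ident, chal)  # initiator -> target: CHAP_N, CHAP_R
    if not target.verify_initiator(user, resp):
        return "initiator rejected"
    ident2, chal2 = initiator.challenge()        # initiator -> target: its own CHAP_I, CHAP_C
    _, resp2 = target.answer(ident2, chal2)      # target -> initiator: CHAP_N, CHAP_R
    if not initiator.verify_target(resp2):
        return "target rejected"
    return "ok"

# Constructed secrets (12 to 16 bytes, different from each other).
USER_SECRET, PEER_SECRET = "initsecret12", "targetsecret34"
```

Without the second direction a rogue host answering on the portal address could accept the initiator's login without knowing any secret, which is why the lab fills in the Peer Secret as well.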


[Reference] Additional labs


iSCSI configuration (iSCSI configuration for Linux)
https://www.synology.com/ko-kr/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux


Installing and running plugins





[Reference] FreeNAS video portal


Be sure to refer to the following site.

http://www.freenas.org/about/videos.html


FreeNAS 9.3 - iSCSI Overview

FreeNAS 9.3 Permissions Overview

How to Replace Failed HDDs in FreeNas 9.3

FreeNAS 9.3 - First Time Setup Wizard

FreeNAS 9.3 Shares Overview

How to install FreeNAS 9.3

How to Upgrade FreeNAS 9.3









