ObSimRef

    NetCache security

    5.1 Denial of Service (DoS) Attacks

    The NetApp C230 has been tested against all DoS attacks that are mentioned in the CERT archives (Land, Teardrop, WinNuke et al.). The NetApp is not vulnerable to any of these attacks. As far as we can tell, it is not currently possible to remotely crash a NetApp C230 without administrative permissions. Some attacks, however, might cause some performance degradation. These will only slow down the NetApp, but not interrupt the service in any way.

    5.2 Access

    We found the security features of the NetApp C230 lacking. Only insecure protocols can be used for configuration (telnet, HTTP without SSL). Usage of insecure protocols for administrative access to servers is forbidden according to our site's security policy, and can only be allowed on 'secure' networks.

    We solved this problem by agreeing never to use telnet access from outside the Computing Center, and by connecting the NetApp's console port to a nearby server that runs SSH. In a phone call with NetApp Tech Support, they assured us that there will be SSL capabilities in one of the next software releases.

    Another thing that surprised us was that the NetApp OS currently runs some daemons that cannot be turned off or configured at all; it turned out that an RPC portmapper is running. While this doesn't directly affect security, it has absolutely nothing to do with web caching.

    The rpcinfo output:

    program vers proto port
    100024 1 tcp 610 status
    100024 1 udp 609 status
    100011 1 udp 608 rquotad
    100021 4 tcp 607 nlockmgr
    100021 4 udp 606 nlockmgr
    100021 3 tcp 605 nlockmgr
    100021 3 udp 604 nlockmgr
    100021 1 tcp 603 nlockmgr
    100021 1 udp 602 nlockmgr
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
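
    The listing above can be turned into a repeatable audit: the script below parses rpcinfo output and reports every registered RPC service not covered by an allowlist, which for a dedicated web cache is empty. This is an added example, not part of the original report; the function names and the `allowed` policy parameter are assumptions.

```python
from collections import defaultdict

# rpcinfo output exactly as listed in the report above (header included).
RPCINFO_OUTPUT = """\
program vers proto port
100024 1 tcp 610 status
100024 1 udp 609 status
100011 1 udp 608 rquotad
100021 4 tcp 607 nlockmgr
100021 4 udp 606 nlockmgr
100021 3 tcp 605 nlockmgr
100021 3 udp 604 nlockmgr
100021 1 tcp 603 nlockmgr
100021 1 udp 602 nlockmgr
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
"""

def parse_rpcinfo(text):
    """Yield (program, version, proto, port, service) per registration."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, version, proto, port = fields[:4]
        # Rows for programs without a known name have no service column.
        service = fields[4] if len(fields) > 4 else "unknown"
        yield int(program), int(version), proto, int(port), service

def unexpected_services(text, allowed=frozenset()):
    """Group registrations by service name, skipping names in `allowed`.

    `allowed` is a hypothetical site policy: the RPC services the
    appliance's role justifies (none for a pure web cache).
    """
    found = defaultdict(lambda: {"program": None, "versions": set(), "endpoints": set()})
    for program, version, proto, port, service in parse_rpcinfo(text):
        if service in allowed:
            continue
        found[service]["program"] = program
        found[service]["versions"].add(version)
        found[service]["endpoints"].add((proto, port))
    return dict(found)

if __name__ == "__main__":
    for name, info in sorted(unexpected_services(RPCINFO_OUTPUT).items()):
        ports = ", ".join(f"{port}/{proto}" for proto, port in sorted(info["endpoints"]))
        print(f"{name} (program {info['program']}), versions {sorted(info['versions'])}: {ports}")
```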