The State of Security and Storage

Over the past week, two major security announcements were made: one pertains to Intel’s Active Management Technology (AMT), and the other addresses the presence of malware on the USB media IBM uses to initialize its Storwize arrays.  Intel’s erratum is far more concerning, as its reach extends to hardware solutions that will no longer be under any type of support from a variety of manufacturers.  Out-of-band management platforms may not receive the appropriate level of scrutiny from IT departments and the OEMs that produce such offerings.  Premium interfaces from companies such as HP Enterprise and Dell EMC incur further costs via additional hardware or licenses that may be required for enabling full functionality.  The fact that their solutions reside outside of the domain of the native system stack and receive regular updates that promptly address security- or performance-related issues will further justify the added cost in light of Intel’s egregious error.  Disabling the associated technology on a per-platform basis is recommended for mitigating the risks with AMT.  IBM’s error is considerably more amateur, as it suggests that baseline client security suites were either nowhere to be found or were disabled on the system(s) used to construct the boot media.  The annoyance of missing files when certain solutions are overly aggressive (looking specifically at you, Trend Micro) in scanning and filtering data transmitted to and from external media would have been of benefit in this situation.

Major shakeups and drama have transpired over at iXsystems, the makers of FreeNAS.  The combination of internal politics, lack of individuals with a spine to challenge the status quo, and the departure of the CTO (along with dismissal or departure of other resources) has made FreeNAS Corral the shortest-lived NAS platform in recent memory.  Due to hectic schedules, the announcements and subsequent decisions to “reverse course while moving forward” have resulted in the following developments:

  • FreeNAS Corral is no more; 10.0.4 went from Prod to “Experimental/Test/Eval” with a complete lack of communication via e-mail.
  • FreeNAS 9.10.2 (and jail hell for CrashPlan) is the gold standard once again.
  • FreeNAS 9.10.3 becomes FreeNAS 11, and doesn’t reach feature parity with what was FreeNAS Corral.  The refreshed UI being offered as a work in progress doesn’t look terrible, but it’s not the “new hotness” that was Corral’s UI.
  • FreeNAS 9.10.4 becomes FreeNAS 11.1, which aims to be closer to the feature set of FreeNAS Corral.

Bugs and errata will always be faced by those who ride the bleeding edge of technology.  Some things (i.e. the UI elements for establishing iSCSI connectivity) were not functional in Corral, but viable workarounds using the CLI existed.  Getting the taste of how much better things can be with a native implementation of Docker makes reverting to 9.10.2 (or the release candidate of 11) a non-starter.  Arbitrary and unjustified changes to a statically configured jail require time and troubleshooting to resolve; time that would be better spent not doing so when things can “just work”.  Processing both sides of the story, the fact that those with legitimate concerns didn’t speak up during the development of FreeNAS Corral raises questions about the internal structure of the organization.  Making change for the sake of doing something different can be disastrous.  Raising concerns about deficiencies that will arise during the “long game” takes courage; far more courage than removing a headphone jack.  If factional silos were enabled and persisted during such a major platform transformation, what prevents such behavior and outcomes from occurring again?  Would QNAP, Synology, Dell EMC, Nexenta, or others retain customers after pulling such an about-face less than 60 days after blessing a product release as generally available or “production”?

Doing the data relocation hokey pokey yet again to revert to a supported release is not appealing to our organization, yet it becomes inevitable based upon the features we’ve utilized within the provided product.  Our long-term move will be to return to a commercial, off-the-shelf solution to avoid this type of disruption from happening again.  The decision-making challenge we face is as follows:

  • Synology offers btrfs natively, which provides benefits comparable to ZFS for preventing data corruption.  However, the newer SMB offerings are still using the Intel Atom C2000 processor, which has its own set of flaws.
  • QNAP does not offer btrfs natively, but does offer highly expandable models and can function as a hyperconverged appliance (Virtualization Station + Container Station).  The QNAP solution that does offer ZFS is outside of scope due to price.

 

 
