To secure an existing cluster peering relationship against man-in-the-middle attacks, encryption must be enabled for the intercluster traffic. NetApp ONTAP uses Transport Layer Security (TLS) to provide authentication and encryption for this communication. The cluster peer modify command is used to alter the properties of an existing peer relationship. Specifically, the -encryption-protocol-proposed parameter is used to propose and enable a TLS encryption policy on the connection, thereby securing all subsequent SnapMirror and management traffic between the clusters.

A. Modify the firewall policy settings on the Intercluster LIFs.

Firewall policies on LIFs control which services (e.g., management, NFS, iSCSI) are permitted to access the LIF; they do not encrypt the data traffic itself.

B. Enable aggregate level encryption.

NetApp Aggregate Encryption (NAE) is a data-at-rest encryption technology. It encrypts data on the physical disks within an aggregate, not data in transit over the network.

D. Enable IPsec between the sites.

While IPsec is an encryption protocol, ONTAP's native and integrated method for securing cluster peering and SnapMirror traffic is TLS, which is managed directly through the cluster peer command set.

1. NetApp ONTAP Documentation, cluster peer modify command reference:

"Use the cluster peer modify command to modify the attributes of a cluster peer relationship. ... -encryption-protocol-proposed {none|tls-psk} - Encryption Protocol Proposed. This parameter specifies the proposed encryption protocol to be used for authenticating the peer cluster and encrypting intercluster data."

Source: NetApp ONTAP 9.12.1 Documentation Center, Command Reference, cluster peer modify.

2. NetApp ONTAP Documentation, Security and data encryption:

"You can use Transport Layer Security (TLS) to encrypt all traffic between peered clusters, including SnapMirror replication traffic and management traffic. TLS encryption protects against eavesdropping and man-in-the-middle attacks. You can enable TLS encryption when you create a cluster peer relationship, or you can enable it later by modifying the relationship."

Source: NetApp ONTAP 9.12.1 Documentation Center, "Security and data encryption," section "Encrypting intercluster traffic with TLS."

3. NetApp Technical Report TR-4569, "ONTAP 9 Security Hardening Guide":

"ONTAP supports TLS encryption for intercluster communication. This includes cluster peering, SnapMirror, and SnapVault traffic. Enabling TLS encryption for intercluster communication is a recommended security best practice to protect data in transit from eavesdropping and man-in-the-middle attacks."

Source: NetApp TR-4569, "ONTAP 9 Security Hardening Guide," Page 23, Section "Intercluster Communication."