Smart Stuff - Smart Associates Blog


Fortifying your Netezza Appliance Against Vulnerabilities


Netezza systems N2001 and N3001 run on RedHat 6. Ordinarily, bug fixes and security patches are provided for each version of an operating system, but RHEL 6 reached end of support in November 2020, and IBM has never provided official updates to move Netezza to RHEL 7. Even if it had, that wouldn’t be a solution for most customers, because RHEL 7 reached end of support in July 2024. Bug fixes and security patches are currently only available for RHEL 8 and above.

So, now we're at the stage where vulnerabilities will not be fixed on the Netezza platform. There are workarounds. You can manually compile the code and apply patches, but nobody up the chain is taking responsibility for that. It would fall back on whoever's manually compiling and applying it, not IBM.

Not receiving patches for known vulnerabilities is a real problem for security teams, even if the perceived risk is low or there is a workaround. One recent example is CVE-2016-6515 (a problem with the auth_password function in OpenSSH), which is fixed in RHEL 7 but not in RHEL 6.

As we discussed recently in our Sweating your Netezza Asset blog, the vulnerability issue may be the main impediment to running your Netezza appliances ad infinitum, even though the business continues to get a lot of value from the system.

We’ve been chewing over what to do about this for ages. With a modern Linux operating system, you're continuously patching vulnerabilities. So, what we needed was a way to break out of this loop that we were stuck in.

Happily, we have found a solution. Because upgrading RedHat on Netezza is not an option, we found a way of running the NPS code in a Virtual Machine (VM) and, in so doing, hiding it behind all possible firewalls (the only port you need to open is 5480, the one used by ODBC/JDBC for running SQL queries), effectively fortifying your appliance. We can install NPS on any Enterprise Linux flavour up to EL 9.5.

We have also installed the new OS and VM on new SSD drives, thus preserving the original RAID array, as a rollback option. As you can imagine, we are seeing significant performance gains on host-bound activity because of upgrading to SSD storage. Furthermore, it’s also possible to upgrade the RAM on the Netezza hosts to deploy other VMs, such as nzPortal or our own Smart Management Frameworks Database Replication, Access Control, and/or System Management modules.

The beauty of this approach is:

  • It requires no changes to the hardware or OS configurations.
  • It’s fast to deploy with virtually no downtime.
  • The OS does not have to be limited to RedHat anymore and can be any other flavour preferred by your organisation.
  • It’s a reversible solution, with an option to revert to the previous OS, so it carries virtually no risk.

Only two periods of downtime are required:

  1. To install new SSD drives - 30 mins downtime
  2. To copy OS data from active host into the VM - 2 hours downtime

Virtualising the NPS Host affords us a much smarter way to administer all your Netezza / CP4D appliances and is included with our Netezza Support Plus Managed tier.

If you’d like to hear more, why not give us a shout?
