The first step to storage security: admit you're vulnerable.

Over the last two months, we have examined different areas of SAN security from a functional point of view: how to protect data at rest and data in motion, and the central fact that access control is a paramount consideration. But when an integrator's client asks about security, the first thing to consider is vulnerabilities. Assessing vulnerabilities requires a review of the ports you use, both Fibre Channel and Ethernet/IP. You need to be sure where they are connected and to which network or networks. Some users might have SANs connected to a private network (separate from the corporate network), while others will be completely interconnected. The Storage Networking Industry Association (SNIA, www.snia.org) has published a new technical paper through its storage security forum (SSIF) that outlines minimum security requirements and best practices for IP management ports. But the paper's advice on vulnerability assessment deserves attention for Fibre Channel ports as well as IP. The paper looks at different kinds of vulnerabilities.
Environmental vulnerabilities include: unavailable or compromised management that leads to either unavailable data or unauthorized access; unauthorized use of management that leads to unauthorized third-party access; unauthorized changes to the management application that leave access open; and more. SSIF also looks at the actual threats that lead to vulnerabilities. Those threats include: hacking of a port that can take a device down; existing services that allow unauthorized access (such as telnet, ftp, http and others); hidden services that create a back door around a secure IP configuration; OS imperfections; IP port connection hijacking that causes a denial of service attack; and more.

Best Practices

Even before the integrator goes in to help assess the client's IT vulnerabilities, preparing a best-practices checklist would not be out of line. Recommended best practices start with the identification phase. Run a discovery tool to be sure you've identified all of the interfaces to the storage network. Next, it might be necessary to create a separate infrastructure for any out-of-band elements (such as virtualization).
If connection with the corporate LAN is a must, the obvious precaution is a firewall or a secure router. This is just a scattering of suggestions. The client needs to maintain a formalized set of company best practices, with buy-in from top management and all affected departments. The set must include attention to data at rest and data in motion. It should address structured data (such as RDBMS data) and unstructured data (text files, JPEGs, etc.). Access control requires dedicated user IDs. These IDs need to be tied to strong password policies, and the policies need to be ruthlessly enforced. Separate networks, or separate SANs, may require separate IDs or passwords, or both, depending on how "hard" the sites are to be. Most important of all is for the integrator to be familiar with the available LAN and storage security tools. VLANs, IPSec, encryption (from companies like NeoScale or Vormetrics), access control tools, and software that monitors the storage environment (from firms like Tek-Tools) are going to become part of regular security activity in the data center. Although it is necessary to accept that there is no such thing as perfect security, it is equally necessary to accept that an intelligent investment in security is becoming less and less a luxury.
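As an added example (not code from the article, from SNIA or from SSIF), the checklist above can be turned into an automated audit: take the documented interface inventory, parse the output of the discovery run, and flag interfaces that are undocumented, expose telnet/ftp/http management services, sit on the corporate LAN without a firewall or secure router, or use shared logins instead of dedicated user IDs. The report format, the inventory, the device names and the list of generic login names are all constructed assumptions, not the output of any real discovery tool.

```python
"""Audit storage-network management interfaces against the article's checklist.

Constructed sample data in an assumed report format; not a real tool's output.
"""
from dataclasses import dataclass

# Services the article names as "existing services that allow unauthorized access".
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}
# Assumed generic/shared login names; the article asks for dedicated user IDs.
GENERIC_IDS = {"admin", "root", "operator"}


@dataclass
class Interface:
    device: str
    kind: str                       # "fc" or "ip"
    network: str                    # e.g. "san-mgmt" (private) or "corporate-lan"
    services: frozenset = frozenset()
    firewalled: bool = False
    logins: tuple = ()


# Documented inventory (constructed): what the client believes is connected.
INVENTORY = [
    Interface("fc-switch-a", "fc", "san-fabric-1"),
    Interface("fc-switch-a", "ip", "san-mgmt", frozenset({"ssh", "https"}), True, ("jdoe", "mroe")),
    Interface("array-1", "ip", "san-mgmt", frozenset({"https"}), True, ("jdoe",)),
]

# Constructed discovery-tool output (assumed format), one interface per line:
#   <device> <kind> <network> services=<a,b,...> firewalled=<yes|no> logins=<x,y,...>
DISCOVERY_REPORT = """\
fc-switch-a fc san-fabric-1 services= firewalled=no logins=
fc-switch-a ip san-mgmt services=ssh,https firewalled=yes logins=jdoe,mroe
array-1 ip san-mgmt services=https,telnet firewalled=yes logins=jdoe,admin
array-2 ip corporate-lan services=http,ftp firewalled=no logins=admin
"""


def _csv(value):
    """Split a comma-separated option value, dropping empty entries."""
    return tuple(item for item in value.split(",") if item)


def parse_report(text):
    """Parse the constructed report format into Interface records."""
    result = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, kind, network, *options = line.split()
        opts = dict(item.split("=", 1) for item in options)
        result.append(Interface(
            device, kind, network,
            frozenset(_csv(opts.get("services", ""))),
            opts.get("firewalled", "no") == "yes",
            _csv(opts.get("logins", "")),
        ))
    return result


def audit(inventory, discovered):
    """Return (device, finding) pairs for every checklist violation found."""
    findings = []
    known = {(i.device, i.kind, i.network) for i in inventory}
    for iface in discovered:
        # Identification phase: every discovered interface must be documented.
        if (iface.device, iface.kind, iface.network) not in known:
            findings.append((iface.device, "interface not in documented inventory"))
        if iface.kind == "ip":
            # Existing cleartext services on an IP management port.
            clear = sorted(iface.services & CLEARTEXT_SERVICES)
            if clear:
                findings.append((iface.device, "cleartext management service enabled: " + ", ".join(clear)))
            # Corporate LAN connection requires a firewall or secure router.
            if iface.network == "corporate-lan" and not iface.firewalled:
                findings.append((iface.device, "management port on corporate LAN with no firewall or secure router"))
        # Access control requires dedicated user IDs, not shared generic logins.
        generic = sorted(set(iface.logins) & GENERIC_IDS)
        if generic:
            findings.append((iface.device, "shared/generic login instead of dedicated user ID: " + ", ".join(generic)))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY, parse_report(DISCOVERY_REPORT)):
        print(f"{device}: {finding}")
```

On the constructed data the audit reports nothing for the documented switch, flags telnet and the shared `admin` login on array-1, and raises four findings for array-2, which the discovery run found on the corporate LAN with no firewall, no inventory entry, cleartext http/ftp, and a generic login.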