The first step to storage security: admit you're vulnerable

Computer Technology Review, April, 2004 by Mark Ferelli

Over the last two months, we have examined differing areas of SAN security from a functional point of view: How to protect data at rest and data in motion, and the central fact that access control is a paramount consideration. But when an integrator's client asks about security, the first thing to consider is vulnerabilities.

Assessing vulnerabilities requires a review of the ports that you use, both Fibre Channel and Ethernet/IP. You need to be sure where they are connected and to which network or networks. Some users might have SANs connected to a private network (separate from the corporate network), while others will be completely interconnected.

The Storage Networking Industry Association (SNIA) has generated a new technical paper through its storage security forum (SSIF), which outlines minimum security requirements and best practices for IP management ports. But the paper's advice on vulnerability assessment is worth attention for Fibre Channel ports as well as IP.

The paper looks at different kinds of vulnerabilities. Environmental vulnerabilities include unavailable or compromised management that leads to either unavailable data or unauthorized access, unauthorized use of management that leads to unauthorized third-party access, unauthorized changes to the management application that leave access open, and more.

SSIF also looks at the actual threats that lead to vulnerabilities. Those threats include the hacking of the port that can take a device down, existing services that allow unauthorized access (such as telnet, ftp, http and others), hidden services that create a back door around a secure IP configuration, OS imperfections, IP port connection hijacking that causes a denial of service attack, and more.

Best Practices

Even before the integrator goes in to help assess client IT vulnerabilities, preparing a best practices checklist would not be out of line. Recommended best practices start with the identification phase. Run a discovery tool to be sure you've identified all of the interfaces to the storage network. Next, it might be necessary to create a separate infrastructure for any out-of-band elements (such as virtualization). If connection with the corporate LAN is a must, the obvious precaution is a firewall or a secure router.
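The identification step above, together with the service threats SSIF lists, can be turned into a repeatable check. The following is an added example, not part of the original article or the SNIA paper: it audits an inventory of management interfaces against an approved baseline. The device names, addresses, network labels and baseline are constructed assumptions.

```python
from dataclasses import dataclass

# Cleartext services the article names as allowing unauthorized access.
CLEARTEXT = {"telnet": 23, "ftp": 21, "http": 80}

@dataclass
class Interface:
    device: str
    address: str
    network: str        # "private" or "corporate" (labels assumed here)
    firewalled: bool    # is a firewall or secure router in the path?
    open_ports: set

# Constructed sample data standing in for discovery-tool output.
DISCOVERED = [
    Interface("fc-switch-1", "10.0.0.10", "private", False, {22, 443}),
    Interface("array-ctrl-a", "10.0.0.20", "private", False, {22, 23, 80}),
    Interface("virt-appliance", "192.168.5.7", "corporate", False, {443, 8081}),
]

# Assumed approved baseline: device -> ports allowed on its management port.
# A device missing from the baseline was never identified by the owner.
BASELINE = {
    "fc-switch-1": {22, 443},
    "array-ctrl-a": {22},
    "virt-appliance": {443},
}

def audit(interfaces, baseline):
    findings = []
    port_to_name = {p: n for n, p in CLEARTEXT.items()}
    for i in interfaces:
        if i.device not in baseline:
            findings.append((i.device, "unidentified interface"))
            continue
        for port in sorted(i.open_ports):
            if port in port_to_name:
                findings.append((i.device, f"cleartext service {port_to_name[port]}/{port}"))
            elif port not in baseline[i.device]:
                findings.append((i.device, f"unapproved service on port {port}"))
        if i.network == "corporate" and not i.firewalled:
            findings.append((i.device, "corporate LAN link without firewall"))
    return findings

if __name__ == "__main__":
    for device, issue in audit(DISCOVERED, BASELINE):
        print(f"{device}: {issue}")
```

Running the same audit after every change window shows drift from the baseline, including services that appear without anyone having approved them.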

This is just a scattering of suggestions. The client needs to maintain a formalized set of company best practices, with buy-in from top management and all affected departments. The set must include attention to data at rest and data in motion. It should address structured data (such as RDBMS) and unstructured data (text files, JPEGs, etc.).

Access control requires dedicated user IDs. These IDs need to be tied to strong password policies, and the policies need to be ruthlessly enforced. Separate networks, or separate SANs, may require separate IDs or passwords (or both), depending on how "hard" the sites are to be.

Most important of all is for the integrator to be familiar with the available LAN and storage security tools. VLANs, IPSec, encryption (from companies like NeoScale or Vormetric), access control tools and software that monitors the storage environment (from firms like Tek-Tools) are going to become part of regular security activity in the data center. Although it is necessary to accept that there is no such thing as perfect security, it is equally necessary to accept that an intelligent investment in security is becoming less and less a luxury.

COPYRIGHT 2004 West World Productions, Inc.
COPYRIGHT 2004 Gale Group
 


Content provided in partnership with Thompson Gale