What are the major security considerations when implementing a SAN or NAS solution?
Security is more of a problem for SANs than for NAS (what, is that howling already from the SAN folks?).
NAS has built-in file system security, including authentication. If a user doesn't have rights, they can't get to the files. That said, there are hacking attacks that guess logins and passwords, snooping attacks that steal logins and passwords, and denial-of-service attacks that overwhelm systems and gain access through system failure modes.
SANs have fewer built-in security systems. There are no user logins or passwords in a SAN: any system that can send a SCSI command to storage in the SAN will get some sort of response. So, how does a system gain access to the SAN? It can be directly connected to the SAN, it can access it through an IP connection to a management port on a SAN device, or it can work its way in if IP/FC bridging or routing products (iFCP or FCIP) happen to be installed.
In general, unauthorized access can be prevented through hard zoning, which blocks frame forwarding between ports that are not in a common zone. A rule of thumb in designing SANs is to figure out which machines are intended to communicate with each other and establish a zone that segregates them from the others. SAN entities should be allowed access only on a "need to connect" basis. This type of segregation can also be achieved with private loop FC SANs, where local loop entities have access but nothing else does.
The possibility of accessing a SAN through the IP port of a switch is real. How real? I don't know. All management ports in SAN devices should require user authentication. How dangerous is connecting through a management port? I don't know what the direct damage could be, but any entity that can generate SCSI CDBs should be considered potentially harmful. Also, an intruder that accesses a switch could change the zoning memberships on the switch to allow different systems to access certain storage devices.
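The zoning model described above (hard zoning as a frame-forwarding check) and the tampering risk in the paragraph on management ports can both be made concrete with a small model. This is an added example, not code from the original column or from any switch vendor; the WWPNs and zone names are constructed, and a real deployment would pull the active zone set from the switch rather than from a literal.

```python
from itertools import combinations

# Constructed sample WWPNs: hosts (10:00:...) and storage ports (50:06:...).
DB_HOST, DB_LUN = "10:00:00:00:c9:aa:aa:01", "50:06:01:60:bb:bb:00:01"
WEB_HOST, WEB_LUN = "10:00:00:00:c9:aa:aa:02", "50:06:01:60:bb:bb:00:02"

# Baseline zoning: each host sees only the storage it is intended to use
# ("need to connect" basis).
BASELINE_ZONES = {
    "zone_db": {DB_HOST, DB_LUN},
    "zone_web": {WEB_HOST, WEB_LUN},
}

# Constructed "active" config after an unauthorized change made through the
# switch management port: the web host was added to the database zone.
TAMPERED_ZONES = {
    "zone_db": {DB_HOST, DB_LUN, WEB_HOST},
    "zone_web": {WEB_HOST, WEB_LUN},
}


def allowed_pairs(zones):
    """Expand zone memberships into the unordered port pairs allowed to exchange frames."""
    pairs = set()
    for members in zones.values():
        for a, b in combinations(sorted(members), 2):
            pairs.add(frozenset((a, b)))
    return pairs


def frame_forwarded(zones, src, dst):
    """Hard zoning: the switch forwards a frame only if src and dst share a zone."""
    return frozenset((src, dst)) in allowed_pairs(zones)


def zoning_drift(baseline, active):
    """Port pairs the active config permits that the baseline does not, and vice versa.
    A non-empty 'added' list is what a zoning change by an intruder would produce."""
    base, act = allowed_pairs(baseline), allowed_pairs(active)

    def fmt(pairs):
        return sorted(tuple(sorted(p)) for p in pairs)

    return {"added": fmt(act - base), "removed": fmt(base - act)}


if __name__ == "__main__":
    print(frame_forwarded(BASELINE_ZONES, WEB_HOST, DB_LUN))  # False under the baseline
    print(zoning_drift(BASELINE_ZONES, TAMPERED_ZONES))  # reports the new web->db pairs
```

Comparing the active zone set against a stored baseline after every management-port login is one way to detect the zoning change the answer warns about.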
Editor's note: Do you agree with this expert's response? If you have more to share, post it in our Storage Networking discussion forum at http://searchstorage.discussions.techtarget.com/WebX?replyToMessage@200.MullaECzaUO^1@.ee83ce4!viewtype=convdate or e-mail us directly at firstname.lastname@example.org.
This was first published in October 2001