Ask The Storage Expert: Questions & Answers

SAN/NAS security considerations

EXPERT RESPONSE FROM: Marc Farley

QUESTION POSED ON: 11 October 2001
What are the major security considerations when implementing a SAN or NAS solution?


Security is more of a problem for SANs than NAS - (What? Is that howling already from the SAN folks?)

NAS has built-in file system security, including authentication. If a user doesn't have rights, you can't get to the files. That said, there are hacking attacks to guess logins and passwords, there are snooping attacks to steal logins and passwords, and there are denial of service attacks to overwhelm systems and gain access through system failure modes.

SANs have fewer built-in security systems. There are no user logins or passwords in a SAN. A system that can send a SCSI command to storage in the SAN will get some sort of response. So, how does a system gain access to the SAN? They can be directly connected to the SAN, they can access it through an IP connection with a management port in a SAN device or they can work their way through if there happen to be IP/FC bridging/routing products installed (iFCP or FCIP).

In general, the prevention of unauthorized access can be achieved through hard zoning that prevents frame forwarding. A rule of thumb in designing SANs is to figure out which machines are intended to communicate with each other and establish a zone to segregate them from others. SAN entities should be allowed access only on a "need to connect" basis. This type of segregation can also be achieved through the use of private loop FC SANs where local loop entities can have access, but nothing else can.

The possibility of accessing a SAN through the IP port of a switch is real. How real? I don't know. All management ports in SAN devices should require user authentication. How dangerous is connecting through a management port? I don't know what the direct damage could be, but any entity that can generate SCSI CDBs should be considered potentially harmful. Also, an intruder that accesses a switch could change the zoning memberships on the switch to allow different systems to access certain storage devices.

Regards,
Marc
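
Added example (not part of Marc Farley's response): a small audit that compares the zones active on a switch against a "need to connect" list and reports port pairs that can talk without approval, which is also how an unauthorized zoning change made through a management port would show up. The WWPNs, zone names and the dictionary export format are constructed for illustration; a real switch's zoning export would need its own parser.

```python
from itertools import combinations

# Constructed sample data: all WWPNs and zone names below are made up.
DB     = "10:00:00:00:c9:00:00:01"   # database host HBA
BACKUP = "10:00:00:00:c9:00:00:02"   # backup host HBA
TEST   = "10:00:00:00:c9:00:00:03"   # test host HBA
ARRAY  = "50:06:01:60:00:00:00:a1"   # disk array port
TAPE   = "50:01:10:a0:00:00:00:b1"   # tape library port

# Need-to-connect list: initiator -> storage ports it is meant to reach.
APPROVED = {DB: {ARRAY}, BACKUP: {ARRAY, TAPE}}

# Active zoning as read from the switch: zone name -> member ports.
ACTIVE_ZONES = {
    "z_db":     {DB, ARRAY},
    "z_backup": {BACKUP, ARRAY, TAPE},
    "z_test":   {TEST, ARRAY},
}

def reachable_pairs(zones):
    """Map each port pair that shares a zone to the zones that join them."""
    pairs = {}
    for name, members in zones.items():
        for a, b in combinations(sorted(members), 2):
            pairs.setdefault(frozenset((a, b)), set()).add(name)
    return pairs

def approved_pairs(approved):
    """Flatten the need-to-connect list into unordered port pairs."""
    return {frozenset((i, t)) for i, targets in approved.items() for t in targets}

def audit(zones, approved):
    """Return (excess, missing): pairs zoned together without approval,
    and approved pairs that no active zone actually provides."""
    actual = reachable_pairs(zones)
    wanted = approved_pairs(approved)
    excess = {p: sorted(z) for p, z in actual.items() if p not in wanted}
    missing = wanted - set(actual)
    return excess, missing

if __name__ == "__main__":
    excess, missing = audit(ACTIVE_ZONES, APPROVED)
    for pair, zones in excess.items():
        print("not approved:", " <-> ".join(sorted(pair)), "via", ", ".join(zones))
    for pair in missing:
        print("approved but not zoned:", " <-> ".join(sorted(pair)))
```

On the sample data the audit flags the test host's access to the array and also the array-to-tape pair that the three-member backup zone creates as a side effect.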



All Rights Reserved, Copyright 2000 - 2009, TechTarget