Unlike direct-attached storage (DAS), a SAN offers multiple access points to your data. A hacker no longer has to bypass the security mechanisms of a host operating system and its layered security applications to reach the data spinning on disk. Switches, bridges and routers sit even closer to that data than the host does, and therefore demand a new set of practices for preventing and detecting intrusion.
Approaching SAN security requires you to examine all of these pathways and ensure that both user and administrative traffic flows through your SAN securely and without undue friction. To date, no storage hardware vendor supplies, for free, every tool you need to fully safeguard your SAN data. You will need to make full use of the security features of your fabric's operating system and then add a layered security product on top of it for tighter control and richer administrative functionality.
Lock the door
Before you take steps to protect the various weak points, the most basic check you can make is to ensure that access to your SAN gear is limited to authorized personnel only.
Because the Fibre Channel protocol (FCP) enables it, you may be tempted to place interconnect devices (e.g., a departmental switch) further
The second most basic step is to lock down every unused port on your switches: leave each one in a state where it cannot initialize to an operational state, and where bringing it up requires administrative access to the switch. With this measure in place, even someone who gains physical access to the data center cannot simply plug a device into your SAN and perform a fabric login.
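The following audit script is an added example, not code from the original article or from any switch vendor. It turns the "unused ports must be disabled" rule into a check you can run against a port inventory: it flags ports that are administratively enabled but have no device attached, and, as a related check, ports where a device has logged in whose port WWN is not on an administrator-maintained allow-list. The port listing format, the WWPNs and the allow-list are all constructed for the example; you would replace the parser with one for your fabric OS's own port listing.

```python
"""Audit a SAN switch port inventory for ports that should be locked down.

Policy: every port without an authorized device attached must be
administratively disabled, so that a newly connected device cannot
complete a fabric login until an administrator re-enables the port.

Added example; the listing format, WWPNs and allow-list are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Port:
    index: int
    admin_enabled: bool      # port is administratively enabled on the switch
    link_up: bool            # an attached device brought the link up
    wwpn: Optional[str]      # port WWN of the logged-in device, if any


# Constructed sample listing, loosely modelled on a switch port table
# (hypothetical values, not captured from a real switch).
SAMPLE_LISTING = """\
port  admin     link   wwpn
0     enabled   up     10:00:00:00:c9:aa:bb:01
1     enabled   up     50:06:0e:80:00:00:00:02
2     enabled   down   -
3     disabled  down   -
4     enabled   up     21:00:00:e0:8b:00:00:99
"""

# Hypothetical allow-list of port WWNs the storage team has authorized.
AUTHORIZED_WWPNS: Set[str] = {
    "10:00:00:00:c9:aa:bb:01",   # server HBA
    "50:06:0e:80:00:00:00:02",   # array front-end port
}


def parse_listing(text: str) -> List[Port]:
    """Parse the constructed whitespace-separated listing; first line is a header."""
    ports: List[Port] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        idx, admin, link, wwpn = line.split()
        ports.append(Port(
            index=int(idx),
            admin_enabled=(admin == "enabled"),
            link_up=(link == "up"),
            wwpn=None if wwpn == "-" else wwpn.lower(),
        ))
    return ports


def unused_enabled_ports(ports: List[Port]) -> List[int]:
    """Ports that are enabled but have nothing attached: a walk-up attacker
    could plug in here and attempt a fabric login."""
    return sorted(p.index for p in ports if p.admin_enabled and not p.link_up)


def unauthorized_logins(ports: List[Port], allow: Set[str]) -> List[Tuple[int, str]]:
    """Ports where a device is logged in whose WWPN is not on the allow-list."""
    return [(p.index, p.wwpn) for p in ports
            if p.link_up and p.wwpn is not None and p.wwpn not in allow]


def lockdown_plan(ports: List[Port], allow: Set[str]) -> Dict[str, list]:
    """Summarize what an administrator should do with this inventory."""
    return {
        "disable": unused_enabled_ports(ports),
        "investigate": unauthorized_logins(ports, allow),
    }


if __name__ == "__main__":
    plan = lockdown_plan(parse_listing(SAMPLE_LISTING), AUTHORIZED_WWPNS)
    for idx in plan["disable"]:
        print(f"port {idx}: enabled with no device attached -> disable it")
    for idx, wwpn in plan["investigate"]:
        print(f"port {idx}: unknown device {wwpn} logged in -> investigate")
```

Two caveats when acting on the output: a plain port disable does not survive a reboot on every fabric OS, so prefer the persistent-disable variant where the switch offers one; and a device showing up on an enabled-but-previously-idle port should be treated as a possible intrusion, not just re-inventoried.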
After locking the door and barring the windows, we can develop a SAN security plan that identifies the potential weaknesses in your SAN infrastructure. There are four communication paths an intruder can compromise to do their bidding (see "Fighting break-ins on four fronts"):
- device:switch
- switch:switch
- device:device
- user:device
This was first published in March 2003