How to block the four paths to your data


In the early days of storage area network (SAN) deployments, ignorance was our greatest security tool. However, now that system support personnel and would-be hackers have moved up the learning curve, you'll need a more prudent approach.

Unlike direct-attached storage (DAS), SANs allow multiple access points to your data. No longer does a hacker need to bypass the security mechanisms of a host operating system and its layered security applications to gain access to data spinning on disk. Switches, bridges and routers are even closer to the actual data than the host, and therefore impose a new set of practices to prevent and detect intrusion.

Approaching SAN security requires you to examine all of these pathways to ensure both user and administrative data flow within your SAN securely and unencumbered. To date, no storage hardware vendor supplies all of the tools you'll need to completely safeguard your SAN data for free. To do so, you'll need to make full use of your fabric's OS, and add a layered security product on top of your OS for tighter control and increased administrative functionality.

Lock the door
Before you take steps to protect the various weak points, the most basic check you can make is to ensure that access to your SAN gear is limited to authorized personnel only.

Because the Fibre Channel protocol (FCP) enables it, you may be tempted to place interconnect devices (e.g., a departmental switch) further away from the core hardware for management or convenience reasons. There isn't enough that can be said about physically securing such interconnect devices. If a malicious user gained access to this physically isolated switch, its inter-switch links (ISLs) may give them access straight into the data center. Physical security is fundamental, because it's often the last line of defense when countermeasures to software attacks have been circumvented. Therefore, avoid deploying interconnect equipment in unsecured areas.

The second most basic step you can take is to make sure all unused ports on your switches are locked down: configured in a state that doesn't allow the port to initialize to an operational state, and that requires administrative access to the switch to lift the block. With this measure in place, even if someone did gain physical access to the data center, they won't simply be able to connect a device they brought with them to your SAN and perform a fabric login.
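A way to verify the two basic controls above (unused ports locked down, and ISLs only where you expect them) is to audit the switch's port table rather than trust that it was configured correctly. The following is an added example, not code from the article or from any fabric OS vendor: it parses a constructed, generic "port admin link type wwpn" table (real switches expose this information through their own CLI or management API, and the column layout is an assumption here) and reports enabled ports with nothing logged in, plus ISL ports that are not on an expected list.

```python
"""Audit a SAN switch port table for unused-but-enabled ports and unexpected ISLs.

Added example, not from the article or any vendor's fabric OS. The port table
below is a constructed sample in a generic "port admin link type wwpn" layout;
real switches present this through vendor-specific commands, so the parser
targets only this constructed format.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample inventory. Columns: port index, administrative state,
# link state, port type (F = attached device, E = inter-switch link, U = unused),
# and the WWPN of the logged-in device ("-" when nothing has logged in).
SAMPLE_PORT_TABLE = """\
port  admin     link     type  wwpn
0     enabled   online   F     50:06:0e:80:00:00:00:01
1     enabled   online   E     -
2     enabled   offline  U     -
3     disabled  offline  U     -
4     enabled   offline  U     -
5     enabled   online   F     50:06:0e:80:00:00:00:02
6     enabled   online   E     -
"""


@dataclass(frozen=True)
class PortRecord:
    index: int
    admin: str
    link: str
    ptype: str
    wwpn: Optional[str]


def parse_port_table(text: str) -> List[PortRecord]:
    """Parse the constructed port table, skipping the header line."""
    records = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        idx, admin, link, ptype, wwpn = line.split()
        records.append(
            PortRecord(int(idx), admin, link, ptype, None if wwpn == "-" else wwpn)
        )
    return records


def find_open_unused_ports(records: List[PortRecord]) -> List[int]:
    """Unused ports that are still administratively enabled.

    These would accept a fabric login from any device plugged into them,
    which is exactly what the lockdown step is meant to prevent.
    """
    return [
        r.index
        for r in records
        if r.ptype == "U" and r.wwpn is None and r.admin == "enabled"
    ]


def find_unexpected_isls(records: List[PortRecord], expected_isl_ports: Set[int]) -> List[int]:
    """ISL (E) ports not on the expected list.

    An ISL that nobody planned for is a path into the fabric from another
    switch, possibly one sitting outside the data center.
    """
    return [r.index for r in records if r.ptype == "E" and r.index not in expected_isl_ports]


def audit(text: str, expected_isl_ports: Set[int]) -> dict:
    """Run both checks and return the findings as a dict for reporting."""
    records = parse_port_table(text)
    return {
        "open_unused_ports": find_open_unused_ports(records),
        "unexpected_isls": find_unexpected_isls(records, expected_isl_ports),
    }


if __name__ == "__main__":
    # Assumption for the sample: only port 1 is a sanctioned ISL.
    findings = audit(SAMPLE_PORT_TABLE, expected_isl_ports={1})
    for name, ports in findings.items():
        print(f"{name}: {ports if ports else 'none'}")
```

Feed it your own switch's port listing (after adapting the parser to that vendor's format) and treat any non-empty finding as a configuration drift to correct: disable the flagged unused ports and account for every ISL that appears.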

After locking the door and barring the windows, now we can develop a SAN security plan to identify the potential weaknesses in your SAN infrastructure. There are four communication paths that can be compromised by an intruder to do their bidding (see "Fighting break-ins on four fronts"):

  • device:switch
  • switch:switch
  • device:device
  • user:device

The fortification of one communication path provides strength in numbers to the others, much in the same way that English castles were built in the Middle Ages with multiple walls between them and the enemy.

This was first published in March 2003