This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."
NAS vs. Fibre Channel SAN security
It may be surprising, but security is a bigger issue for SANs than it is for NAS. Because NAS is accessed via file-system protocols, it can rely on the system security inherent to CIFS and NFS, including authentication and authorization. As long as users have strong passwords and access is properly granted, data on the NAS is relatively well protected. However, there's an abundance of threats against CIFS and NFS, ranging from hacking attacks that try to guess user credentials and snooping attacks that attempt to steal logins and passwords to denial-of-service attacks that attempt to overwhelm systems and gain access through system failure vulnerabilities.
managed from the LAN vs. from a dedicated management network.
For an intruder or malicious software to get access to NAS, network access is required. The more you can limit NAS access to legitimate users, the less likely a security breach will occur.
Securing network access starts with the corporate firewall that keeps outsiders from penetrating the LAN and NAS and, until a few years ago, this was all firewalls did. An increasing number of security incidents prompted security vendors such as Check Point Software Technologies Ltd., Cisco Systems Inc., Juniper Networks Inc. and SonicWall Inc. to add intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs) to their portfolios. Today, network security systems combine firewall and intrusion-detection functions with complex Layer-4 through Layer-7 capabilities that detect and avert malicious behavior within a single device.
While strong perimeter security is indispensable, in most cases it's not sufficient to secure network access to NAS storage. To reduce exposure, many storage managers further restrict access to NAS through network isolation techniques like virtual LANs that limit the size of the network broadcast domain the NAS belongs to and confine network access.
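One way to check that a NAS honours the isolation described above, as an added example that is not part of the original article: the script audits an NFS export list and reports every client entry that reaches beyond the storage VLAN. The subnet 10.20.30.0/24, the paths and the export lines are constructed for illustration.

```python
import ipaddress

# Assumption: the NAS-facing VLAN uses this subnet (constructed value).
STORAGE_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample in exports(5) syntax; not taken from the article.
SAMPLE_EXPORTS = """\
# path        client(options)
/vol/finance  10.20.30.0/24(rw,sync,root_squash)
/vol/home     10.20.30.17(rw,sync) 192.168.1.0/24(ro)
/vol/scratch  *(rw,no_root_squash)
/vol/backup   10.20.0.0/16(rw,sync)
/vol/public
"""

def audit_exports(text, allowed=STORAGE_VLAN):
    """Return (path, client, reason) for each client spec not confined to `allowed`."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        if not specs:
            specs = ["*"]                     # no client listed: treated as any host
        for spec in specs:
            client = spec.split("(", 1)[0] or "*"   # bare "(ro)" also means any host
            if "*" in client or "?" in client:
                findings.append((path, client, "wildcard client"))
                continue
            try:
                net = ipaddress.ip_network(client, strict=False)
            except ValueError:
                # Hostnames and @netgroups cannot be judged from the file alone.
                findings.append((path, client, "hostname or netgroup, verify by hand"))
                continue
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append((path, client, "reaches beyond storage VLAN"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:18} {reason}")
```

An entry wider than the VLAN, such as the /16 on /vol/backup, is reported as well, because it admits hosts that the VLAN boundary was meant to exclude.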
This was first published in September 2007