Stamp out NAS threats

This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."

NAS vs. Fibre Channel SAN security

It may be surprising, but security is a bigger issue for SANs than it is for NAS. Because NAS is accessed through file-system protocols, it can rely on the security built into CIFS and NFS, including authentication and authorization. As long as users have strong passwords and access is granted correctly, data on the NAS is relatively well protected. There's no shortage of threats against CIFS and NFS, however: hacking attacks that try to guess user credentials, snooping attacks that try to capture logins and passwords off the wire, and denial-of-service attacks that try to overwhelm a system and gain access through the vulnerabilities that surface when it fails.
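The NFS side of that authorization is only as good as the export definitions behind it. The following script is an added example, not code from the article: it parses a constructed /etc/exports file and flags the settings that undo the protection just described, namely wildcard clients, no_root_squash, insecure, and AUTH_SYS (sec=sys), which accepts whatever uid the client claims. It also handles the exports(5) pitfall where a space between a host and its options turns those options into a world export. The host names and paths are made up.

```python
"""Audit /etc/exports for weak NFS authentication and authorization settings.

Added example, not code from the article; the exports text is constructed."""
from typing import Dict, List, Tuple

# Constructed sample /etc/exports (no real hosts).
SAMPLE_EXPORTS = """\
# world-exported, remote root not squashed, AUTH_SYS only
/srv/backup     *(rw,no_root_squash,sync)
# a whole /16, requests from unprivileged ports, AUTH_SYS only
/srv/share      10.0.0.0/16(rw,insecure,sec=sys)
# the space before "(rw)" exports read-only to build01 and read-write to everyone
/srv/scratch    build01.example.net (rw)
# hardened: named hosts, Kerberos with integrity/privacy, root squashed
/srv/projects   nas1.example.net(rw,sec=krb5p) nas2.example.net(ro,sec=krb5i)
"""

# exportfs(8) defaults that matter for this audit.
DEFAULTS = {"ro": "", "root_squash": "", "secure": "", "sec": "sys"}
# Option pairs that override each other.
EXCLUSIVE = (("rw", "ro"), ("no_root_squash", "root_squash"), ("insecure", "secure"))


def parse_exports(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (path, client, effective options) for every client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        tokens = parts[1].split() if len(parts) > 1 else ["*"]  # no client list: everyone
        for tok in tokens:
            if tok.startswith("("):          # "host (opts)": the options bind to the wildcard
                client, optstr = "*", tok[1:-1]
            elif tok.endswith(")"):
                client, optstr = tok[:-1].split("(", 1)
            else:
                client, optstr = tok, ""     # bare host: all defaults apply
            opts = dict(DEFAULTS)
            for opt in filter(None, optstr.split(",")):
                key, _, val = opt.partition("=")
                opts[key] = val
                for a, b in EXCLUSIVE:
                    if key == a:
                        opts.pop(b, None)
                    elif key == b:
                        opts.pop(a, None)
            entries.append((path, client, opts))
    return entries


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding) for each weak setting found."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*" or client.startswith("*."):
            findings.append((path, client, "wildcard client: any host that can reach the server may mount it"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0 on the export"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: requests accepted from unprivileged source ports"))
        if "sys" in opts.get("sec", "sys").split(":"):
            findings.append((path, client, "sec=sys: AUTH_SYS trusts the uid/gid the client asserts, no credential check"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```

Run against the constructed file, the hardened /srv/projects line produces no findings, while the /srv/scratch line produces three, two of them for the accidental wildcard export created by the stray space.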

Fibre Channel (FC) SANs, on the other hand, have fewer inherent security features. To start with, the FC protocol has no provision for user logins and passwords; it's inherently insecure and depends on external methods, mostly zoning and LUN masking, to restrict access. Furthermore, FC switches perform both transport and security functions, so if attackers gain access to a switch, they effectively have access to the data. To make matters worse, the majority of storage administrators use TCP/IP-based methods to manage FC gear. Because TCP/IP is only an auxiliary protocol, an afterthought in a world where FC reigns, many FC SANs end up being managed from the general-purpose LAN rather than from a dedicated management network.
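Since zoning and LUN masking are the only access controls the fabric offers, a practitioner wants to know that the two agree with each other. The script below is an added example rather than code from any switch or array vendor: it checks a constructed zone set and masking table for multi-initiator zones, unknown zone members, unmasked LUNs and mask entries that no zone backs up, and computes which known hosts can actually reach each LUN. All WWPNs, zone names and LUN numbers are constructed.

```python
"""Cross-check Fibre Channel zoning against LUN masking.

Added example, not switch or array vendor code; every WWPN, zone name and
LUN below is constructed."""
from typing import Dict, List, Set, Tuple

# Constructed inventory of port WWPNs.
INITIATORS: Dict[str, str] = {            # HBA port -> host
    "10:00:00:00:c9:00:00:01": "db01",
    "10:00:00:00:c9:00:00:02": "web01",
    "10:00:00:00:c9:00:00:03": "backup01",
    "10:00:00:00:c9:00:00:04": "test01",
}
TARGETS: Dict[str, str] = {               # array port -> label
    "50:06:01:60:00:00:00:01": "arrayA-p0",
    "50:06:01:60:00:00:00:02": "arrayA-p1",
}

# Constructed active zone set on the fabric: zone name -> member WWPNs.
ZONES: Dict[str, Set[str]] = {
    "z_db01_arrayA": {"10:00:00:00:c9:00:00:01", "50:06:01:60:00:00:00:01"},
    "z_web_db_arrayA": {"10:00:00:00:c9:00:00:01", "10:00:00:00:c9:00:00:02",
                        "50:06:01:60:00:00:00:01"},
    "z_backup": {"10:00:00:00:c9:00:00:03", "50:06:01:60:00:00:00:02",
                 "20:00:00:00:00:de:ad:01"},
}

# Constructed LUN masking on the array: (target WWPN, LUN) -> allowed initiators.
# An empty set means the LUN is presented to every port that logs in.
LUN_MASKS: Dict[Tuple[str, int], Set[str]] = {
    ("50:06:01:60:00:00:00:01", 0): {"10:00:00:00:c9:00:00:01"},
    ("50:06:01:60:00:00:00:01", 1): {"10:00:00:00:c9:00:00:02",
                                     "10:00:00:00:c9:00:00:04"},
    ("50:06:01:60:00:00:00:02", 0): set(),
}


def zoned_together(zones: Dict[str, Set[str]], a: str, b: str) -> bool:
    """True if some active zone lets ports a and b talk."""
    return any(a in members and b in members for members in zones.values())


def effective_access(zones: Dict[str, Set[str]],
                     masks: Dict[Tuple[str, int], Set[str]],
                     initiators: Dict[str, str]) -> Dict[Tuple[str, int], Set[str]]:
    """Known initiators that reach each LUN: zoned to the target AND allowed by the mask."""
    result = {}
    for (tgt, lun), allowed in masks.items():
        result[(tgt, lun)] = {
            i for i in initiators
            if zoned_together(zones, i, tgt) and (not allowed or i in allowed)
        }
    return result


def audit_fabric(zones: Dict[str, Set[str]],
                 masks: Dict[Tuple[str, int], Set[str]],
                 initiators: Dict[str, str],
                 targets: Dict[str, str]) -> List[str]:
    """Return human-readable findings where zoning or masking is weaker than intended."""
    findings = []
    known = set(initiators) | set(targets)
    for name, members in zones.items():
        inits = members & set(initiators)
        if len(inits) > 1:
            findings.append(f"zone {name}: {len(inits)} initiators in one zone; "
                            "each host should sit in its own zone with its targets")
        for wwpn in sorted(members - known):
            findings.append(f"zone {name}: member {wwpn} is not in the HBA or array inventory")
    for (tgt, lun), allowed in masks.items():
        label = targets.get(tgt, tgt)
        if not allowed:
            findings.append(f"{label} LUN {lun}: no masking; any port zoned to the target sees it")
        for i in sorted(allowed):
            if not zoned_together(zones, i, tgt):
                findings.append(f"{label} LUN {lun}: masked to {initiators.get(i, i)}, which is not "
                                f"zoned to {label}; mask and zoning have drifted apart")
    return findings


if __name__ == "__main__":
    for line in audit_fabric(ZONES, LUN_MASKS, INITIATORS, TARGETS):
        print(line)
    for (tgt, lun), hosts in effective_access(ZONES, LUN_MASKS, INITIATORS).items():
        print(TARGETS[tgt], "LUN", lun, "->", sorted(INITIATORS[h] for h in hosts))
```

The unknown member in z_backup is the case worth pausing on: a WWPN that is zoned to an array port but is not in the host inventory can log in and, with the unmasked LUN 0 on that port, read it, which is exactly the "get on the fabric, get the data" exposure the paragraph describes.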

Network security
For an intruder or malicious software to get access to NAS, network access is required. The more you can limit NAS access to legitimate users, the less likely a security breach will occur.

Securing network access starts with the corporate firewall, which keeps outsiders from reaching the LAN and the NAS; until a few years ago, that was all firewalls did. An increasing number of security incidents prompted security vendors such as Check Point Software Technologies Ltd., Cisco Systems Inc., Juniper Networks Inc. and SonicWall Inc. to add intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs) to their portfolios. Today, network security systems combine firewall and intrusion-detection functions with Layer-4 through Layer-7 inspection that detects and averts malicious behavior within a single device.

While strong perimeter security is indispensable, in most cases it's not sufficient to secure network access to NAS storage. To reduce exposure, many storage managers further restrict access to NAS through network isolation techniques like virtual LANs that limit the size of the network broadcast domain the NAS belongs to and confine network access.
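One way to verify that a VLAN actually confines NAS access, as an added example that is not from the article: compare the NAS's own client allow-lists and its session log against the subnets that make up the storage VLAN. An ACL entry wider than the VLAN, or a session from an address outside it, means the isolation is not doing the job the paragraph assigns it. The subnets, ACLs and log lines below are constructed.

```python
"""Check that NAS client ACLs and observed sessions stay inside the storage VLAN.

Added example, not code from the article; all addresses and log lines are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: subnets that make up the isolated storage VLAN(s).
STORAGE_VLANS = [ipaddress.ip_network(n) for n in ("10.10.20.0/24", "10.10.21.0/24")]

# Constructed: client allow-lists copied from the NAS's export / share ACLs.
NAS_ACLS: Dict[str, List[str]] = {
    "/srv/projects": ["10.10.20.0/24", "10.10.21.40"],
    "/srv/backup":   ["10.0.0.0/8"],            # far wider than the storage VLAN
}

# Constructed NAS session log: timestamp, protocol, client IP, share.
SESSION_LOG = """\
2007-09-12T10:01:02 nfs 10.10.20.15 /srv/projects
2007-09-12T10:01:09 cifs 10.10.21.40 /srv/projects
2007-09-12T10:03:44 cifs 192.168.7.9 /srv/backup
2007-09-12T10:05:10 nfs 10.4.1.77 /srv/backup
"""


def acl_leaks(acls: Dict[str, List[str]],
              vlans: List[ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """(share, entry) pairs whose ACL entry reaches beyond the storage VLANs."""
    leaks = []
    for share, entries in acls.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)   # a bare host becomes a /32
            if not any(net.subnet_of(vlan) for vlan in vlans):
                leaks.append((share, entry))
    return leaks


def offsite_sessions(log: str,
                     vlans: List[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """(timestamp, client, share) for sessions whose client is outside the storage VLANs."""
    hits = []
    for line in log.splitlines():
        ts, _proto, ip, share = line.split()
        addr = ipaddress.ip_address(ip)
        if not any(addr in vlan for vlan in vlans):
            hits.append((ts, ip, share))
    return hits


if __name__ == "__main__":
    for share, entry in acl_leaks(NAS_ACLS, STORAGE_VLANS):
        print(f"ACL on {share} allows {entry}, which is outside the storage VLAN")
    for ts, ip, share in offsite_sessions(SESSION_LOG, STORAGE_VLANS):
        print(f"{ts}: {ip} reached {share} from outside the storage VLAN")
```

The two checks catch different failures: the ACL check finds a NAS configured to accept clients the VLAN was supposed to exclude, and the session check finds traffic that is crossing the VLAN boundary anyway, typically through a router or firewall rule that nobody reviewed.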

This was first published in September 2007
