Stamp out NAS threats


This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."

Download it now to read this article plus other related content.

Some storage managers physically or virtually isolate NAS storage, so it's only accessible via a separate network. "Although we have all our systems behind firewalls, to further reduce exposure and risk, we decided to run our NAS on an isolated network," says Vincent Fusca III, operations director, Center for the Evaluative Clinical Sciences at Dartmouth College, Lebanon, NH.

Electronic Data Systems (EDS) Corp., a technology service company in Plano, TX, creates logically isolated environments for its customers. "We put clients into a container, which typically means that their systems are firewalled, preventing one customer from seeing another customer's data, regardless if the customer has a dedicated NAS or if he is on a shared NAS offering," says Tim Bowers, EDS' Storage Services product manager. "Furthermore, we separate management, data and backup networks."

CIFS and NFS file-system security

Because NAS is accessed via NFS and CIFS file-systems protocols, understanding how these two protocols handle access will help you properly secure files and shares.

In the case of CIFS (Windows), security information for a user is contained in an access token that consists of the user's security identifier (SID) and group identifiers. The NAS gets the token from the domain controller and typically caches it throughout

Requires Free Membership to View

a user session. Information about who can access a file or share is stored as meta data in the file system itself and is contained in the file's security descriptor, which comprises the owner SID, group SID and an access control list (ACL). The ACL can contain several access control entries (ACEs) that specify the users and groups who can access a file/share and the type of access.

Similarly, when NFS clients access a file with Unix security information, the NAS checks the user's credentials against the file's security information to determine whether or not an operation is permissible. The file security information comprises a user ID; group ID; and read, write and execute permissions.

As most non-Windows NAS systems--such as BlueArc Corp.'s Titan, EMC Corp.'s Celerra and Network Appliance Inc.'s filers--support both NFS and CIFS, these multiprotocol NAS systems provide a mapping mechanism that allows NFS clients to access files written with CIFS clients and vice versa (see below).

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: