Stamp out NAS threats

NAS is open to many of the exploits (viruses, worms, unauthorized access, data tampering, snooping and IP spoofing) that have plagued Windows-based systems. But even though NAS runs on ubiquitous Ethernet and TCP/IP transport protocols, it's fairly easy to protect. The hard part is selecting the right level of protection.

This article can also be found in the Premium Editorial Download: Storage magazine: New rules change data retention game:

There are numerous threats to NAS data and many different ways to protect it. The trick is to find the right level of protection for the perceived risk.

NAS is vulnerable to many of the exploits that plague Windows-based systems: viruses, worms, unauthorized access, data tampering, snooping and IP spoofing. But even though NAS runs on ubiquitous Ethernet and TCP/IP transport protocols, it's fairly easy to protect. The tough part is finding the right level of protection.

Any good security framework contains multiple security layers. If one layer is compromised, the target of the attack is still protected by other layers. In the case of NAS, network perimeter security is the outermost shield that keeps unauthorized people out of your LAN and storage network. If an attacker penetrates your perimeter security, authentication and file-access authorization will prevent access to files and folders on the NAS; and unless an attacker can guess an authorized account and its password, your data will still be protected.

Prioritization and fortification of those areas with the highest risk is another guiding principle. It's important to secure each area appropriate to its risk by finding a balance between what's required and what's overkill. For example, while multifactor authentication using a password and token or biometric identification may be a requirement for financial firms, password authentication harnessing Active Directory with a strong password policy is probably sufficient for most firms.

Audits are an often-neglected aspect of security. It's only through testing that you can ensure the security measures in place actually work. These NAS security areas need to be addressed:

  • Network security
  • Access control
  • Security updates
  • Malware
  • Encryption
  • Audit trails and security logs
  • NAS management

NAS vs. Fibre Channel SAN security

It may be surprising, but security is a bigger issue for SANs than it is for NAS. As NAS is accessed via file-system protocols, it can rely on the system security inherent to CIFS and NFS, including authentication authorization. As long as users have strong passwords and access is properly granted, data on the NAS is relatively well protected. However, there's an abundance of threats against CIFS and NFS, from hacking attacks that try to guess user credentials, snooping attacks that attempt to steal logins and passwords, to denial of service attacks that attempt to overwhelm systems and gain access through system failure vulnerabilities.

Fibre Channel (FC) SANs, on the other hand, have fewer inherent security features. To start with, there's no provision for user logins and passwords in the FC protocol; it's inherently insecure and depends on external methods--mostly zoning and LUN masking--to restrict access. Furthermore, FC switches perform both transport and security functions, so if attackers get access to the switch, they pretty much have access to the data. To make matters worse, the majority of storage administrators use TCP/IP-based methods for managing FC gear. As TCP/IP is solely an auxiliary protocol and an afterthought in a world where the FC protocol reigns, many FC SANs get managed from the LAN vs. from a dedicated management network.

Network security
For an intruder or malicious software to get access to NAS, network access is required. The more you can limit NAS access to legitimate users, the less likely a security breach will occur.

Securing network access starts with the corporate firewall that keeps outsiders from penetrating the LAN and NAS and, until a few years ago, this was all firewalls did. An increasing number of security incidents prompted security vendors such as Check Point Software Technologies Ltd., Cisco Systems Inc., Juniper Networks Inc. and SonicWall Inc. to add intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs) to their portfolios. Today, network security systems combine firewall and intrusion-detection functions with complex Layer-4 through Layer-7 capabilities that detect and avert malicious behavior within a single device.

While strong perimeter security is indispensable, in most cases it's not sufficient to secure network access to NAS storage. To reduce exposure, many storage managers further restrict access to NAS through network isolation techniques like virtual LANs that limit the size of the network broadcast domain the NAS belongs to and confine network access.

Some storage managers physically or virtually isolate NAS storage, so it's only accessible via a separate network. "Although we have all our systems behind firewalls, to further reduce exposure and risk, we decided to run our NAS on an isolated network," says Vincent Fusca III, operations director, Center for the Evaluative Clinical Sciences at Dartmouth College, Lebanon, NH.

Electronic Data Systems (EDS) Corp., a technology service company in Plano, TX, creates logically isolated environments for its customers. "We put clients into a container, which typically means that their systems are firewalled, preventing one customer from seeing another customer's data, regardless if the customer has a dedicated NAS or if he is on a shared NAS offering," says Tim Bowers, EDS' Storage Services product manager. "Furthermore, we separate management, data and backup networks."

CIFS and NFS file-system security

Because NAS is accessed via NFS and CIFS file-systems protocols, understanding how these two protocols handle access will help you properly secure files and shares.

In the case of CIFS (Windows), security information for a user is contained in an access token that consists of the user's security identifier (SID) and group identifiers. The NAS gets the token from the domain controller and typically caches it throughout a user session. Information about who can access a file or share is stored as meta data in the file system itself and is contained in the file's security descriptor, which comprises the owner SID, group SID and an access control list (ACL). The ACL can contain several access control entries (ACEs) that specify the users and groups who can access a file/share and the type of access.

Similarly, when NFS clients access a file with Unix security information, the NAS checks the user's credentials against the file's security information to determine whether or not an operation is permissible. The file security information comprises a user ID; group ID; and read, write and execute permissions.

As most non-Windows NAS systems--such as BlueArc Corp.'s Titan, EMC Corp.'s Celerra and Network Appliance Inc.'s filers--support both NFS and CIFS, these multiprotocol NAS systems provide a mapping mechanism that allows NFS clients to access files written with CIFS clients and vice versa (see below).

Access control
While network security restricts the ability to communicate with the NAS device, authentication and authorization protect files and shares from being accessed and manipulated by unauthorized users. This is no different from protecting regular file servers and, more than in any other area, security policies play an instrumental role in regulating user access and permissions.

Authentication is the process of determining who the user is by verifying user credentials against a central repository that maintains user names, passwords, security identifiers (SIDs) or user ids (UIDs), as well as group membership information. User credentials are akin to keys that open the door to your data, and protecting these keys and reducing the risk of someone guessing passwords is critical. It goes without saying that securing the central repository of user credentials, such as Active Directory, is of utmost importance. Keeping it properly patched, making sure it has up-to-date virus and malware protection, and limiting administrative access to it are all essential practices.

Security risks around authorization are likely to occur because of improper provisioning. Without strong policies and procedures, users may have inappropriate permissions or get access to files they shouldn't see.

A few simple guidelines can prevent your losing control of the data-access provisioning process. Any access grant or change should only be performed after proper approval. Take advantage of security groups and roles; with the exception of user directories, data is typically accessed by more than one user. Don't grant access to specific files; instead assign permissions at a folder or share level. Default permissions should always default to deny rather than permit. "We default to having no access unless explicitly granted, and we try to not default anything to open but to closed," says Bob Lockhart, security portfolio manager, EDS.

You should also periodically conduct information-access audits that require data owners to verify that the current permission grants are correct. These simple steps will not only make access to data on your NAS more secure, they'll be tremendously helpful for regulatory compliance audits like Sarbanes-Oxley.

Keep the NAS up-to-date
System integrity and a process for keeping your NAS up-to-date are crucial to NAS security. Like a regular server, most NAS systems run an OS, such as EMC Corp. Celerra Data Access in Real Time (DART), Network Appliance (NetApp) Inc. Data Ontap or Microsoft Windows in the case of Windows Storage Server (WSS) 2003. Because these OSes are complex, they have flaws that are caused mostly by software errors or bugs. Many of the flaws are never noticed or aren't relevant to security, but the ones that can be used for exploits can make your NAS storage vulnerable.

Although all NAS systems are susceptible to exploits, the widespread use of Windows exposes WSS more than the proprietary OSes of other NAS platforms. Microsoft and WSS OEMs have made concerted efforts to keep Microsoft-based NAS systems secure. To start with, WSS runs a hardened Windows with all unnecessary services disabled, which greatly reduces the risk of exploits. Also, "Windows Storage Server by default is configured to automatically download critical updates via Windows Update Service," says Claude Lorenson, group product manager for storage and branch solutions at Microsoft.

WSS OEMs like Hewlett Packard (HP) Co. provide additional services to keep WSS up-to-date. "On a quarterly basis, we release a service release that rolls up noncritical patches for all our Windows-based NAS offerings as a free service," says Jim Hankins, NAS product marketing manager at HP. EMC offers a secure remote gateway that enables Celerra NAS systems to check and download updates, and both BlueArc Corp. and NetApp provide updates for their respective NAS systems from secure Web sites.

Despite all NAS vendors providing some type of patching mechanism, you must also have a solid patch-management policy to ensure that updates are applied on a regular and systematic basis. Early on, EDS saw the importance of timely patching and established a threat and security team that monitors emerging threats and ranks them by risk. "If the risk level for a threat is above 7.5 on a scale from 1 to 10, immediate patching is required; if it is between 6.5 and 7.5, we'll patch at the next cycle," says EDS' Lockhart.

Keeping malware out of the NAS
Viruses and worms have caused havoc in data centers all over the world in the past few years, and users have learned that virus scanners are vital to keeping computers safe. This simple truth isn't any different for NAS.

Keeping viruses out of NAS can be accomplished in two ways: by having virus scanning software on all clients that connect to the NAS or by putting virus protection on the NAS. Depending solely on virus protection software of NAS clients is risky because it's difficult to ensure that all clients are properly protected at all times, and it takes only one infected NAS client to inflict major damage. Therefore, it's highly recommended to have virus protection on the NAS itself. "We do both NAS engine-based and client-based virus scanning, and all our systems default to CA eTrust [renamed CA Internet Security Suite 2007]," notes Lockhart about EDS' virus protection strategy.

Being Windows Server-based, WSS has an edge over other NAS platforms; virus scanning software can run directly on WSS and it will allow using whatever virus scanning software a company has standardized on.

Conversely, non-Windows platforms need to pass off virus scanning requests to dedicated virus scanning servers from CA, McAfee Inc., Symantec Corp. or Trend Micro Inc. For instance, Trend Micro offers ServerProtect for Network Appliance Filers and Server Protect for EMC Celerra; both are purpose-built products, optimized for the needs of the two respective NAS platforms. The NAS and one or more antivirus scanning servers typically communicate via trusted CIFS connections. The NAS system will initiate scans on files that are created, changed and opened for read-access, and that haven't been marked as scanned since the last virus definition update. The scanning server also informs the NAS platform when new virus definitions are applied.

With new and stricter privacy laws, encryption is playing an increasingly important role in securing storage. When evaluating encryption for NAS, two types of encryption should be considered. If deemed necessary, IPsec encryption is typically employed to obscure the communication between clients and the NAS. The overhead of encryption traffic has caused NAS vendors to offer IPsec accelerator cards, while any of the available IPsec accelerator cards for Windows Server, such as those from Cavium Networks, can be used for WSS.

The second type of encryption is the encryption of the data on the storage itself. This is typically accomplished by deploying an encryption appliance in front of the NAS that encrypts files entering the NAS and decrypts files originating from the NAS. The primary players in this field are Decru's DataFort (Decru is now a NetApp company) and NeoScale Systems Inc.'s CryptoStor. Decru and NeoScale are available as clustered solutions and, besides high performance and scalability, these products work at the protocol level, which makes them usable for both file-based (NAS) and block-based (iSCSI) storage access.

Alternatively, you can use a software-based encryption product that runs on NAS clients, such as Vormetric Inc.'s CoreGuard. The benefit of a client-based encryption product is its ability to encrypt data from the client to the NAS without requiring additional encryption for the network connection itself. On the downside, encryption-key management becomes more challenging vs. an encryption appliance.

"Although we have standardized on NeoScale CryptoStor for network-based encryption, we default more to host-based encryption using Vormetric CoreGuard as it secures the full path from the client to the NAS," explains EDS' Bowers.

Audit trails and security logs
Security logs are the facility through which security devices communicate security events. But security logs can be large and overwhelming, so they're often ignored. At a minimum, proper logging should be enabled on devices to allow detailed analysis if needed. Better yet, security logs should be analyzed and scrutinized periodically, semi- or fully automatically, leveraging reporting and alerting capabilities of security devices or through dedicated security incident and event management (SIEM) tools that aggregate logs from multiple devices.

Log aggregation and analysis tools are available from the likes of ArcSight Inc., EMC and LogLogic Inc. Among these products, EMC enVision (acquired from Network Intelligence) stands out most prominently because of its scalability and performance. While most SIEM vendors depend on relational databases, enVision deploys a proprietary distributed object-based database that scales as sites and devices are added. "We decided early on to not use traditional relational databases as they are ill-suited for collecting a high number of log transactions generated by devices throughout the enterprise and reporting and correlating on them at the same time," says Matt Stevens, CTO of the information and event management group at RSA, the Security Division of EMC.

"Before we deployed enVision, we used a SIEM tool with a relational database and we had to wait 10 days from the time an event was captured to the time it appeared on a report," says EDS' Lockhart. "EDS currently generates about 1 trillion log events per month from all our locations and, thanks to enVision, we are able to report on and correlate logs close to real-time," he says.

Securing NAS management
Tightening security around NAS management is critical. While a strong password policy is recommended for all users, it's an absolute must for administrative accounts. To further reduce the risk of administrator accounts being exposed, some companies, like EDS, are moving toward dual-factor authentication.

Another good practice is to separate the management network from the data network. "All our NAS management stations reside on a separate management network that is inaccessible by regular users," reports EDS' Bowers. Role-based administration, offered by most NAS products, helps further segregate NAS administration.

Partitioning a single physical NAS into several virtual systems that are independently managed takes role-based administration to the next level, a capability available for NetApp NAS filers with the MultiStore feature. "Prior to MultiStore and virtual filers, customers had to buy separate NAS filers to get this level of segregation," says Michael Eisler, technical director at NetApp.

Safe, not sorry
NAS depends on your network, storage and most likely Active Directory, so it's a multidepartment effort to keep it safe. A solid security policy and a risk-based approach to determine the right level of protection are practical guides to implement security for your NAS filers.

This was first published in September 2007

Dig deeper on NAS management



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: