Storage Magazine


Best Practices
by Darryl Brooks
Issue: Mar 2003
In the early days of storage area network (SAN) deployments, ignorance was our greatest security tool. However, now that system support personnel and would-be hackers have moved up the learning curve, you'll need a more prudent approach.

Unlike direct-attached storage (DAS), SANs allow multiple access points to your data. No longer does a hacker need to bypass the security mechanisms of a host operating system and its layered security applications to gain access to data spinning on disk. Switches, bridges and routers are even closer to the actual data than the host, and therefore impose a new set of practices to prevent and detect intrusion.

Approaching SAN security requires you to examine all of these pathways to ensure that both user and administrative data flow within your SAN securely and unencumbered. To date, no storage hardware vendor supplies for free all of the tools you'll need to completely safeguard your SAN data. To get there, you'll need to make full use of your fabric's OS, and add a layered security product on top of it for tighter control and increased administrative functionality.

Lock the door
Before you take steps to protect the various weak points, the most basic check you can make is to ensure that access to your SAN gear is limited to authorized personnel only.

Because the Fibre Channel protocol (FCP) enables it, you may be tempted to place interconnect devices (e.g., a departmental switch) further away from the core hardware for management or convenience reasons. The importance of physically securing such interconnect devices can't be overstated. If a malicious user gains access to a physically isolated switch, its inter-switch links (ISLs) may give them access straight into the data center. Physical security is fundamental, because it's often the last line of defense when countermeasures to software attacks have been circumvented. Therefore, avoid deploying interconnect equipment in unsecured areas.

The second most basic step is to lock down all unused ports on your switches, so that a port can't initialize to an operational state and administrative access to the switch is required to lift the block. With this measure in place, even someone who gains physical access to the data center won't be able to simply connect a device to your SAN and perform a fabric login.
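
Both basic checks above (interconnect gear placed in unsecured areas, and unused ports left able to initialize) can be audited from a port inventory. The following is an added example, not part of the original column; the CSV layout, switch names and field values are constructed assumptions and do not represent any vendor's output format.

```python
import csv
import io

# Constructed sample inventory (not from any real switch or vendor CLI).
# Columns are assumptions for this example:
#   location_secured - switch sits in a physically secured area (yes/no)
#   role             - "device" port, "isl" (inter-switch link), or "unused"
#   admin_state      - "enabled" or "disabled" (locked down by an administrator)
SAMPLE_INVENTORY = """switch,location_secured,port,role,admin_state
core-sw1,yes,0,isl,enabled
core-sw1,yes,1,device,enabled
core-sw1,yes,2,unused,disabled
core-sw1,yes,3,unused,enabled
dept-sw7,no,0,isl,enabled
dept-sw7,no,1,device,enabled
dept-sw7,no,2,unused,enabled
"""


def audit_ports(inventory_csv):
    """Return sorted (switch, port, finding) tuples for the two basic checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        switch, port = row["switch"], int(row["port"])
        role = row["role"].strip().lower()
        state = row["admin_state"].strip().lower()
        secured = row["location_secured"].strip().lower() == "yes"
        # Check 1: an unused port must not be able to initialize.
        if role == "unused" and state != "disabled":
            findings.append((switch, port, "unused port not locked down"))
        # Check 2: an active ISL on a switch outside a secured area is a
        # path from that switch into the rest of the fabric.
        if role == "isl" and state != "disabled" and not secured:
            findings.append((switch, port, "ISL on switch in unsecured area"))
    return sorted(findings)


if __name__ == "__main__":
    for switch, port, finding in audit_ports(SAMPLE_INVENTORY):
        print(f"{switch} port {port}: {finding}")
```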

With the door locked and the windows barred, you can develop a SAN security plan that identifies the potential weaknesses in your SAN infrastructure. There are four communication paths that an intruder can compromise (see "Fighting break-ins on four fronts"):

  • device:switch
  • switch:switch
  • device:device
  • user:device
The fortification of one communication path provides strength in numbers to the others, much in the same way that English castles were built in the Middle Ages with multiple walls between them and the enemy.