It may be surprising, but security is a bigger issue for SANs than it is for NAS. Because NAS is accessed via file-system protocols, it can rely on the system security inherent to CIFS and NFS, including authentication and authorization. As long as users have strong passwords and access is properly granted, data on the NAS is relatively well protected. However, there's an abundance of threats against CIFS and NFS, ranging from hacking attacks that try to guess user credentials and snooping attacks that attempt to steal logins and passwords to denial-of-service attacks that attempt to overwhelm systems and gain access through system failure vulnerabilities.
Fibre Channel (FC) SANs, on the other hand, have fewer inherent security features. To start with, there's no provision for user logins and passwords in the FC protocol; it's inherently insecure and depends on external methods--mostly zoning and LUN masking--to restrict access. Furthermore, FC switches perform both transport and security functions, so if attackers get access to the switch, they pretty much have access to the data. To make matters worse, the majority of storage administrators use TCP/IP-based methods for managing FC gear. As TCP/IP is solely an auxiliary protocol and an afterthought in a world where the FC protocol reigns, many FC SANs get managed from the LAN rather than from a dedicated management network.
Network security
For an intruder or malicious software to get access to NAS, network access is required. The more you can limit NAS access to legitimate users, the less likely a security breach will occur.
Securing network access starts with the corporate firewall that keeps outsiders from penetrating the LAN and NAS; until a few years ago, this was all firewalls did. An increasing number of security incidents prompted security vendors such as Check Point Software Technologies Ltd., Cisco Systems Inc., Juniper Networks Inc. and SonicWall Inc. to add intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs) to their portfolios. Today, network security systems combine firewall and intrusion-detection functions with complex Layer-4 through Layer-7 capabilities that detect and avert malicious behavior within a single device.
While strong perimeter security is indispensable, in most cases it's not sufficient to secure network access to NAS storage. To reduce exposure, many storage managers further restrict access to NAS through network isolation techniques like virtual LANs that limit the size of the network broadcast domain the NAS belongs to and confine network access.
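VLAN isolation only helps if the NAS itself refuses clients from outside the isolated segment. The following added example (not from the original article) audits an NFS export list in Linux /etc/exports syntax and reports every entry that is not confined to the storage VLAN; the subnet, paths and host names are constructed assumptions.

```python
import ipaddress

# Assumed subnet of the VLAN that NAS clients live on (illustrative value).
STORAGE_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample in Linux /etc/exports syntax; paths, hosts and subnets are made up.
SAMPLE_EXPORTS = """\
/srv/nas/finance   10.20.30.0/24(rw,sync)
/srv/nas/projects  10.20.30.0/24(rw,sync) 10.0.0.0/8(ro,sync)
/srv/nas/scratch   *(rw,sync)              # wildcard client
/srv/nas/home      10.20.30.40 (rw,sync)   # stray space: "(rw,sync)" applies to all hosts
/srv/nas/backup    10.20.30.15(rw,sync) 192.168.5.7(rw,sync)
/srv/nas/media     backup01.example.internal(ro,sync)
"""

WORLD = "exported to every host"
OUTSIDE = "client range extends beyond the storage VLAN"
UNRESOLVED = "hostname, pattern or netgroup; cannot be checked against the subnet"


def classify(client, allowed):
    """Return a finding reason for one client spec, or None if it is confined to `allowed`."""
    if client in ("", "*"):
        return WORLD
    try:
        net = ipaddress.ip_network(client, strict=False)  # accepts host, CIDR or netmask form
    except ValueError:
        return UNRESOLVED
    if net.version != allowed.version or not net.subnet_of(allowed):
        return OUTSIDE
    return None


def audit_exports(text, allowed=STORAGE_VLAN):
    """Return (path, client, reason) for every export entry not confined to `allowed`."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client = entry.split("(", 1)[0]    # a bare "(opts)" token has an empty client
            reason = classify(client, allowed)
            if reason:
                findings.append((path, client or "*", reason))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:20} {client:28} {reason}")
```

Entries reported as unresolved need a manual check, since a host name or netgroup can map to addresses on either side of the VLAN boundary.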