Some storage managers physically or virtually isolate NAS storage, so it's only accessible via a separate network. "Although we have all our systems behind firewalls, to further reduce exposure and risk, we decided to run our NAS on an isolated network," says Vincent Fusca III, operations director, Center for the Evaluative Clinical Sciences at Dartmouth College, Lebanon, NH.
Electronic Data Systems (EDS) Corp., a technology service company in Plano, TX, creates logically isolated environments for its customers. "We put clients into a container, which typically means that their systems are firewalled, preventing one customer from seeing another customer's data, regardless of whether the customer has a dedicated NAS or is on a shared NAS offering," says Tim Bowers, EDS' Storage Services product manager. "Furthermore, we separate management, data and backup networks."
CIFS and NFS file-system security
Because NAS is accessed via the NFS and CIFS file-system protocols, understanding how each of these protocols decides whether a request is allowed will help you properly secure files and shares.
In the case of CIFS (Windows), a user's security information is carried in an access token that holds the user's security identifier (SID) and the SIDs of the groups the user belongs to. The NAS builds this token from the identity information the domain controller returns when it authenticates the user, and typically caches it for the length of the session, which is why a changed group membership generally takes effect only at the next logon. Who may access a file or share is stored as metadata in the file system itself, in the file's security descriptor, which comprises the owner SID, the primary group SID and an access control list (ACL). The discretionary ACL (DACL) holds zero or more access control entries (ACEs), each naming a user or group SID, the access rights it covers and whether those rights are allowed or denied. In the canonical ordering Windows expects, explicit deny ACEs precede allow ACEs and are evaluated first, so a deny placed on a group overrides an allow granted to an individual member of that group; an ACL with no entries grants nobody access, whereas a file with no DACL at all is open to everyone.
Similarly, when an NFS client accesses a file that carries Unix security information, the NAS compares the caller's credentials (a user ID and one or more group IDs) against the file's security information to decide whether the operation is permissible. That information comprises the owner's user ID, the group ID and the mode bits, which hold separate read, write and execute permissions for the owner, the group and everyone else; exactly one of those three classes applies to a given caller. With the common AUTH_SYS flavor of NFS, the user ID and group IDs are simply asserted by the client in the RPC call and are not verified by the server, so file permissions are only as trustworthy as the hosts allowed to mount the export. Restricting exports by client address and squashing root (mapping UID 0 to an anonymous user) are the usual controls; Kerberos-based RPCSEC_GSS is the stronger option where clients support it.
Because most non-Windows NAS systems--such as BlueArc Corp.'s Titan, EMC Corp.'s Celerra and Network Appliance Inc.'s filers--support both NFS and CIFS, these multiprotocol NAS systems provide a user-mapping mechanism that translates between Windows SIDs and Unix user and group IDs, so that NFS clients can access files written by CIFS clients and vice versa (see below). The mapping is itself part of the access decision: an entry that ties the wrong identities together, or an unmapped user that falls back to a default or anonymous identity, changes who can reach which files just as surely as an edited ACL does.
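The following is an added example, not code from the article or from any of the vendors named in it. It models in Python the three decisions the preceding paragraphs describe: the Windows-style check of an access token against a file's security descriptor (canonical DACL order, deny before allow), the Unix-style check of a caller's UID and GIDs against owner, group and mode bits (including root squashing and the AUTH_SYS point that the server trusts whatever UID the client asserts), and a user-mapping table bridging the two. Every SID, UID, GID and mapping entry is hypothetical, and rights are encoded with the Unix r/w/x bit layout for simplicity rather than real Windows access-mask values.

```python
"""Constructed model of the access decisions described above: a Windows-style
access-token vs. security-descriptor check, a Unix-style uid/gid/mode check with
the AUTH_SYS trust caveat, and a made-up SID<->uid mapping table bridging the two.
All SIDs, uids and mapping entries are hypothetical; rights use the Unix r/w/x layout."""
from dataclasses import dataclass
from typing import Optional

R, W, X = 4, 2, 1
EVERYONE = "S-1-1-0"       # well-known SID present in every token
ANON_UID = 65534           # "nobody" uid used when squashing root

@dataclass
class Token:               # what the NAS caches once the domain controller has authenticated the user
    user_sid: str
    group_sids: frozenset

@dataclass
class Ace:
    kind: str              # "allow" or "deny"
    sid: str               # trustee SID
    mask: int              # rights covered by this entry

@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: Optional[list]   # None: no DACL, everyone gets everything; []: nobody gets anything

def cifs_access_check(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """Walk the DACL in stored (canonical) order: a matching deny that covers a
    still-ungranted right ends the check; allows accumulate until the request is met."""
    if sd.dacl is None:
        return True
    trustees = {token.user_sid, *token.group_sids, EVERYONE}
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in trustees:
            continue
        if ace.kind == "deny" and ace.mask & (requested & ~granted):
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if (granted & requested) == requested:
                return True
    return False

def auth_sys_credential(client_uid: int, client_gids, root_squash: bool = True):
    """NFS AUTH_SYS: the server accepts whatever uid/gids the client put in the RPC
    credential; root_squash is the usual mitigation for an asserted uid 0."""
    if root_squash and client_uid == 0:
        return ANON_UID, {ANON_UID}
    return client_uid, set(client_gids)

def nfs_access_check(uid, gids, file_uid, file_gid, mode, requested) -> bool:
    """Classic Unix check: exactly one class (owner, group, other) applies; an
    unsquashed uid 0 bypasses r/w but still needs some x bit to execute."""
    if uid == 0:
        return not (requested & X) or bool(mode & 0o111)
    shift = 6 if uid == file_uid else 3 if file_gid in gids else 0
    return (((mode >> shift) & 0o7) & requested) == requested

# Hypothetical user-mapping table of the kind a multiprotocol filer keeps.
SID_TO_UNIX = {"S-1-5-21-1-1-1-1001": (1001, {100}),   # alice -> uid 1001, gid 100
               "S-1-5-21-1-1-1-513": (None, {100})}    # Domain Users -> gid 100
UID_TO_SID = {1001: "S-1-5-21-1-1-1-1001"}
GID_TO_SID = {100: "S-1-5-21-1-1-1-513"}

def token_to_unix(token: Token):
    """CIFS identity -> Unix credential; an unmapped user falls back to nobody."""
    uid, gids = SID_TO_UNIX.get(token.user_sid, (ANON_UID, {ANON_UID}))
    for g in token.group_sids:
        gids = gids | SID_TO_UNIX.get(g, (None, set()))[1]
    return uid, gids

def unix_to_token(uid: int, gids) -> Token:
    """Unix credential -> CIFS token; an unmapped uid gets a placeholder SID that
    matches nothing but an Everyone ACE."""
    return Token(UID_TO_SID.get(uid, f"S-1-5-21-unmapped-{uid}"),
                 frozenset(GID_TO_SID[g] for g in gids if g in GID_TO_SID))

def scenario() -> dict:
    alice = Token("S-1-5-21-1-1-1-1001", frozenset({"S-1-5-21-1-1-1-513"}))
    # Created by a CIFS client. The deny on Domain Users sits first (canonical order),
    # so alice's own allow for write never gets a chance to win.
    cifs_file = SecurityDescriptor(alice.user_sid, "S-1-5-21-1-1-1-513",
                                   [Ace("deny", "S-1-5-21-1-1-1-513", W),
                                    Ace("allow", "S-1-5-21-1-1-1-513", R),
                                    Ace("allow", alice.user_sid, R | W)])
    unix_file = dict(file_uid=1001, file_gid=100, mode=0o640)   # created by NFS: -rw-r-----
    uid, gids = token_to_unix(alice)
    return {
        "cifs_alice_read": cifs_access_check(alice, cifs_file, R),
        "cifs_alice_write": cifs_access_check(alice, cifs_file, W),
        "nfs_alice_mapped_rw": nfs_access_check(uid, gids, requested=R | W, **unix_file),
        "nfs_root_squashed_read": nfs_access_check(*auth_sys_credential(0, [0]), requested=R, **unix_file),
        "nfs_root_unsquashed_read": nfs_access_check(*auth_sys_credential(0, [0], False), requested=R, **unix_file),
        # any host permitted to mount the export can simply claim uid 1001 under AUTH_SYS
        "nfs_spoofed_uid_rw": nfs_access_check(*auth_sys_credential(1001, [100]), requested=R | W, **unix_file),
        "cifs_from_uid_1001_read": cifs_access_check(unix_to_token(1001, {100}), cifs_file, R),
        "cifs_from_unmapped_uid_read": cifs_access_check(unix_to_token(2000, {200}), cifs_file, R),
    }
```

Calling `scenario()` shows the points the text makes: alice can read but not write the CIFS-created file because the group deny precedes her personal allow; once mapped to uid 1001 she gets read and write on the NFS-created file; root is squashed to nobody and denied unless squashing is turned off; a client that merely asserts uid 1001 under AUTH_SYS gets the same owner access as alice; and a Unix user with no mapping entry only matches an Everyone ACE, of which this file has none.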
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.