|
Although all NAS systems are susceptible to exploits, the widespread use of Windows exposes WSS more than the proprietary OSes of other NAS platforms. Microsoft and WSS OEMs have made concerted efforts to keep Microsoft-based NAS systems secure. To start with, WSS runs a hardened Windows with all unnecessary services disabled, which greatly reduces the risk of exploits. Also, "Windows Storage Server by default is configured to automatically download critical updates via Windows Update Service," says Claude Lorenson, group product manager for storage and branch solutions at Microsoft.
WSS OEMs like Hewlett Packard (HP) Co. provide additional services to keep WSS up-to-date. "On a quarterly basis, we release a service release that rolls up noncritical patches for all our Windows-based NAS offerings as a free service," says Jim Hankins, NAS product marketing manager at HP. EMC offers a secure remote gateway that enables Celerra NAS systems to check and download updates, and both BlueArc Corp. and NetApp provide updates for their respective NAS systems from secure Web sites.
Despite all NAS vendors providing some type of patching mechanism, you must also have a solid patch-management policy to ensure that updates are applied on a regular and systematic basis. Early on, EDS saw the importance of timely patching and established a threat and security team that monitors emerging threats and ranks them by risk. "If the risk level for a threat is above 7.5 on a scale from 1 to 10, immediate patching is required; if it is between 6.5 and 7.5, we'll patch at the next cycle," says EDS' Lockhart.
Keeping malware out of the NAS
Viruses and worms have caused havoc in data centers all over the world in the past few years, and users have learned that virus scanners are vital to keeping computers safe. This simple truth isn't any different for NAS.
Keeping viruses out of NAS can be accomplished in two ways: by having virus scanning software on all clients that connect to the NAS or by putting virus protection on the NAS. Depending solely on virus protection software of NAS clients is risky because it's difficult to ensure that all clients are properly protected at all times, and it takes only one infected NAS client to inflict major damage. Therefore, it's highly recommended to have virus protection on the NAS itself. "We do both NAS engine-based and client-based virus scanning, and all our systems default to CA eTrust [renamed CA Internet Security Suite 2007]," notes Lockhart about EDS' virus protection strategy.
|
