Storage security and the firewall DMZ problem


Kevin Beaver
01.04.2007


What you will learn from this tip: Firewalls are often relied upon too much for network security -- especially when it comes to locking down the storage environment. Learn how this firewall demilitarized zone (DMZ) security misconception unnecessarily exposes many critical storage systems and how you can avoid this problem.

There's a misconception going around in storage circles that as long as storage area network (SAN) and network attached storage (NAS) systems are behind a firewall then everything's protected. This simply isn't true. Like most firewall misunderstandings, relying on this type of protection is dangerous at best and isn't a good long-term solution to keep your storage systems safe and sound. Let me explain.

Most storage environments span multiple networks, and private and public network segments are often served simultaneously: external Web servers in the DMZ, internal file servers on the internal LAN, you name it. Serving multiple network segments creates a virtual bridge that effectively negates the network segmentation and the firewall. With this configuration, any vulnerable system can be used as a conduit into the storage environment. This happens when a system, such as a Web server, database server or file server on one network segment, is attacked and a conduit of sorts is created via the storage back end to adjacent network segments, essentially bypassing any firewall protection. This may include:

  • An email server missing a patch, easily exploitable via one of the numerous hacking tools, such as Metasploit, provides the attacker a command prompt and direct access to the attached storage systems or even other internal network systems.
  • A storage management server that happens to be running Windows Terminal Services that can be easily brute-force attacked using a tool, such as TSGrinder, provides direct access into the storage environment.
  • A software quality assurance network attached to the storage back end that runs an unsecured wireless network provides "free" wireless to the surrounding buildings and passersby, allowing anyone to hop onto the network and do basically anything they want to servers and storage systems.
  • A bot or rootkit-infected storage server that provides complete remote control to an attacker and facilitates unauthorized access to all connected storage systems.
  • Similar problems can be created when storage systems are in the DMZ. A situation can even be created where authorized internal users are able to snoop around and exploit a vulnerable system to gain access to the DMZ or other protected network segment. The following figure shows these storage bridging weaknesses.

[IMAGE: storage bridging weaknesses]

Either way, the false sense of security that a firewalled and segmented network brings introduces serious security issues for the storage environment and the network as a whole. Don't get me wrong -- firewalls and firewall DMZs in and of themselves do offer a layer of protection, especially those with application layer defenses. It's when the human element gets involved for technical reasons, limited budget or for the sake of convenience that the protection offered by firewall segmentation is negated.

Take a step back and draw out your network environment. Can any one system on any one network segment connect to another one if everything fell into place? The answer is most likely yes. If it is, or if you're unsure, it may be time to reassess your firewall dependence and, instead, rely upon better storage-centric defenses, such as zoning, LUN masking, port locking, etc., for SANs, as well as VLAN isolation and even network and/or host-based intrusion prevention systems for NAS systems. You'll ward off the unwanted and the unexpected much more effectively this way.
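The "draw out your network" exercise above can be automated. The following added example (not from the tip or its author) models hosts and the segments their interfaces sit on, treats a shared storage back end as just another segment, and reports which hosts chain an exposed segment to a protected one; it then applies a constructed zoning plan to show which bridges that remedy removes and which it leaves. The inventory and the ZONES plan are assumptions for illustration.

```python
from collections import deque

# Constructed inventory (not from the article): host -> segments it has an
# interface on. "san" is the storage back end shared by DMZ and internal hosts.
HOSTS = {
    "web1":         {"dmz", "san"},
    "mail1":        {"dmz"},
    "fileserver1":  {"internal_lan", "san"},
    "storage_mgmt": {"internal_lan", "san", "qa_wireless"},
    "db1":          {"internal_lan"},
}
# Hypothetical zoning plan: which storage zone each SAN-attached host may see.
ZONES = {"web1": "dmz_zone", "fileserver1": "internal_zone",
         "storage_mgmt": "internal_zone"}

def reachable_segments(hosts, start):
    """BFS over segments: a multi-homed host joins every segment it touches.
    Returns {segment: [hosts crossed to reach it]}. Firewalls between segments
    are deliberately not modelled, because this path goes around them."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for host, segs in hosts.items():
            if seg not in segs:
                continue
            for nxt in sorted(segs - {seg}):
                if nxt not in paths:
                    paths[nxt] = paths[seg] + [host]
                    queue.append(nxt)
    return paths

def bridging_hosts(hosts, exposed, protected):
    """Hosts that chain an exposed segment to a protected one; None if isolated."""
    return reachable_segments(hosts, exposed).get(protected)

def apply_zoning(hosts, shared, zones):
    """Model the tip's remedy: split the flat back end so each host sees only
    its own zone (zoning / LUN masking). A host with no zone sees no storage."""
    zoned = {}
    for host, segs in hosts.items():
        if shared in segs:
            zone = zones.get(host)
            segs = (segs - {shared}) | ({f"{shared}/{zone}"} if zone else set())
        zoned[host] = set(segs)
    return zoned

if __name__ == "__main__":
    for label, inv in (("flat", HOSTS), ("zoned", apply_zoning(HOSTS, "san", ZONES))):
        for exposed in ("dmz", "qa_wireless"):
            print(label, exposed, "-> internal_lan via", bridging_hosts(inv, exposed, "internal_lan"))
```

With the flat fabric the DMZ reaches the internal LAN through web1 and fileserver1; zoning closes that bridge but the multi-homed management server still joins the QA wireless network to the internal LAN, which zoning alone cannot fix.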

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin is the creator and producer of Security On Wheels and has written six books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com.


All Rights Reserved, Copyright 2000 - 2009, TechTarget