RE: SAN Vulnerabilities

[Dan Lynch <DLynch () placer ca gov>]

Can you expand on (1) what sort of misconfiguration, and (2) what sort of risk? 


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: William Reyor [mailto:opticfiber () gmail com] 
> Sent: Friday, December 17, 2010 10:25 AM
> To: Dan Lynch
> Cc: mjd; security-basics () securityfocus com
> Subject: Re: SAN Vulnerabilities
>
> A misconfuguration on the SAN can put your data at risk. I'd 
> avoid it if possible. 
>
> Sent from my ATmega128
>
> On Dec 17, 2010, at 12:58 PM, Dan Lynch <DLynch () placer ca gov> wrote:
>
> > I'm very interested in this line of analysis as well. 
> High-value / high-risk segregation issues come up here all 
> the time. I'm not a SAN expert either, but this same question 
> has come up in security evaluations. As I've understood (and 
> I could be very wrong here), much of the risk is associated 
> with IP-based transport. But using fibre-channel HBAs for 
> transport represents less risk. Could anyone with more 
> experience speak to this issue?
> > Thanks
> >
> > Dan Lynch, CISSP
> > Information Technology Analyst
> > County of Placer
> > Auburn, CA
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com 
> > > [mailto:listbounce () securityfocus com] On Behalf Of mjd
> > > Sent: Thursday, December 16, 2010 4:23 PM
> > > To: security-basics () securityfocus com
> > > Subject: SAN Vulnerabilities
> > >
> > > We are evaluating a proposal wherein our Web Server Admins 
> would like
> > > to use our internal SAN to host data for our external 
> websites.  Our
> > > external websites are on our outfacing DMZ which means 
> they could be
> > > subject to all sorts of attack.  Our internal SAN hosts some very
> > > sensitive health care data so I'm reluctant to allow this since it
> > > puts our most protected data physically very close to our most
> > > vulnerable segment.
> > >
> > > They have given me assurance that they have locked down 
> the SAN to the
> > > point wherein one server accessing cannot access any other 
> disk unless
> > > it is explicitly mounted.  I do not have heavy experience 
> with SANS,
> > > but based on their explanation, the SAN switch can be likened to a
> > > firewall in that it blocks any communication not 
> explicitly allowed.
> > > When drawing this out on a board, it just doesn't look 
> right.  We're
> > > physically connecting servers in our External DMZ to our SAN which
> > > hosts very sensitive data.
> > >
> > > Any advice on this situation?  Are we overreacting to this 
> and should
> > > we trust in the security boundaries created by the SAN
> > > switch/controller?  Are there vulnerabilities out there 
> that allow an
> > > attacker to take control of the whole SAN?
> > >
> > > Thanks in advance!
> > > mjd
> > >
> > > --------------------------------------------------------------
> > > ----------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who 
> > > needs an SSL certificate.  We look at how SSL works, how it 
> > > benefits your company and how your customers can tell if a 
> > > site is secure. You will find out how to test, purchase, 
> > > install and use a thawte Digital Certificate on your Apache 
> > > web server. Throughout, best practices for set-up are 
> > > highlighted to help you ensure efficient ongoing management 
> > > of your encryption keys and digital certificates.
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> > > e13b6be442f727d1
> > > --------------------------------------------------------------
> > > ----------
> --------------------------------------------------------------
> ----------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and 
> who needs an SSL certificate.  We look at how SSL works, how 
> it benefits your company and how your customers can tell if a 
> site is secure. You will find out how to test, purchase, 
> install and use a thawte Digital Certificate on your Apache 
> web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management 
> of your encryption keys and digital certificates.
> >
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> e13b6be442f727d1
> >
> --------------------------------------------------------------
> ----------
> >
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------