Security Basics mailing list archives
RE: SAN Vulnerabilities
From: Dan Lynch <DLynch () placer ca gov>
Date: Tue, 28 Dec 2010 09:22:22 -0800
Great topic :-)
SAN Zoning has been compared to the concept of VLANs.
<snip>
When I was presented this argument I was asked to explain how this is any different than using our firewall to segment our trusted and untrusted networks.
A vlan is not a security construct. Neither is a SAN. But a firewall is. A firewall is designed and implemented specifically to permit certain traffic flows between more trusted and less trusted network segments. Configurable rules allow you to restrict traffic to specific protocols, source IP addresses, destination IP addresses, and can allow for some forms of authentication. Often, application-layer protections exist to assure against protocol violations, and mischief like SQL injection. Logging enables auditing of violations. SANs aren't built for this purpose, and don't generally have these capabilities. (I'm no SAN expert, but this is how I presented it here. This also applies to vlans and to segregating high risk and high value guests on VMWare hosts.)
Cost. Does the risk justify the cost of purchasing a whole new SAN unit for our Web segment?
<snip>
But when it comes to enumerating active exploits, we couldn't find anything other than the proof of concept document presented at Black Hat.
Exactly. And what was determined here is that even though the risk is quite low, the cost of recovery (specifically, the political cost) approaches infinity. Therefore, nearly any expense is justified (well, at least justified to those exposed to political risk; I'm not). We built an entirely separate VM cluster to accommodate a half-dozen or so little-used web servers in order to fully segregate them from our high-value internal servers. Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- SAN Vulnerabilities mjd (Dec 17)
- RE: SAN Vulnerabilities Dan Lynch (Dec 17)
- Re: SAN Vulnerabilities William Reyor (Dec 17)
- RE: SAN Vulnerabilities Dan Lynch (Dec 17)
- Re: SAN Vulnerabilities William Reyor (Dec 17)
- RE: SAN Vulnerabilities Hahn, Ron (Dec 17)
- <Possible follow-ups>
- Re: SAN Vulnerabilities mjd (Dec 28)
- RE: SAN Vulnerabilities Dan Lynch (Dec 28)
- RE: SAN Vulnerabilities Dan Lynch (Dec 17)