Storage Security

[gbugbear at gmail.com (Tim Mugherini)]

Some of the simplest approaches would be to air gap the storage network
(iSCSI), change password for modem access and use SSH v2 if necessary (i've
seen some major SAN vendors ask to leave the default password for remote
access - WarVOX anyone?), and put mgmt interface on on separate mgmt
network.

Also if any SAN to SAN replication is going to occur consider encryption
between units and separating that traffic as well

Just a quick brain dump from a network standpoint - hope this helps

Tim

On Tue, Aug 11, 2009 at 7:42 PM, Karan Khosla - Sense of Security <
karank at senseofsecurity.com> wrote:

> Yes this for an enterprise environment. I'm new to storage/storage
> security so I'm not sure what you mean when you ask me about the
> application I am looking at deploying. I'm just trying to research
> generic security issues with SAN/NAS technologies. Once I have an
> understanding of what issues exist, I would then look at SAN/NAS
> offerings from Hitachi, NetApp and EMC to see how they address these
> issues.
>
> I've already looked into books like 'Securing Storage by Himanshu
> Dwivedi' and 'Storage Security by John Chirillo', but these books were
> published between 2003-2005 and I was wondering if there are any
> resources that are more current (as I'm not sure if there have been any
> new advancements in this area, or if issues that existed in 2005 have
> now been fixed by vendors), and also if standards/best practices exist
> to address these security issues.
>
> I hope I'm making sense.
>
> Karan.
>
>
> --Previous Messages--
>
> Date: Mon, 10 Aug 2009 09:23:23 -0700
> From: Vincent Lape <vlape at me.com>
> Subject: Re: [Pauldotcom] Storage Security
> To: PaulDotCom Security Weekly Mailing List
>        <pauldotcom at mail.pauldotcom.com>
> Message-ID: <17F43A1A-503B-4104-86A6-5603F5FD9506 at me.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Are you looking to do this in an enterprise environmnt? Explain the
> application you are looking to deploy and we may be able to point you
> toberter resources.
>
> Sent from my iPhone
>
> On Aug 10, 2009, at 2:09 AM, Karan Khosla - Sense of Security
> <karank at senseofsecurity.com
>  > wrote:
>
> > Hi,
> >
> > I am researching storage security (SAN/NAS/DAS). I've conducting
> > most of my research online and came across a couple of books on the
> > subject but nothing published in the recent past (most of them
> > published between 2003-2006).
> >
> > Was wondering if anyone knew of any good online resources or books
> > that shed light on the vulnerabilities and best practices around
> > storage security.
> >
> > Thanks in advance.
> > Karan
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090811/fd45c084/attachment.htm