5/04/2012

Securing Storage: A Practical Guide to SAN and NAS Security Review

The theme of this book is that Storage Area Networks and Network Attached Storage have been hitherto neglected with respect to securing their contents against unauthorised use. Dwivedi remarks that most sysadmins focus on maintaining and securing a corporate firewall, along with regularly patching users' machines plus web servers. A common attitude is that SAN and NAS devices are at the very heart of the corporate network, and often cannot be directly accessed from outside the firewall.
Dwivedi spends the bulk of his book debunking this idea. For one thing, he points out that a SAN or NAS box is a computer that has to run an operating system, usually Linux, Unix or Microsoft. A vendor is very unlikely to write a custom operating system from scratch; that is too expensive and takes too long to devise. So, if nothing else, you as a sysadmin should regularly patch those boxes if you can, when known bugs are found in their operating systems. These boxes should be no more exempt from patching than your other machines, even those behind the firewall.
Another cause of concern is the sheer mass of data on a SAN or NAS box, nowadays likely to be many gigabytes. These are high-value targets for an attacker, whereas a typical user's desktop would have much smaller data sets.
Plus, even with a firewall, there is always the possibility of an employee being an attacker. If she has a machine inside the firewall, then this already gives her a good start. Of course, you might reply that you "lock down" your users' machines, so that they cannot get root access, for example. But the attacker with a Microsoft machine could boot off a Knoppix CD, for example, and go into a Linux that sits only in memory, and for which she has root. Suppose now you have a NAS box exporting a file system via NFS to the attacker's machine, which is normally running Microsoft Windows. The author shows how the attacker can, from her Knoppix OS, mount the NAS file system and, by changing her local passwd file, assume any user id and group id that gives her read access (and maybe write access) to any file in the foreign file system.
These are the sort of attacks that you have to guard against. The book offers several chapters at its end describing possible countermeasures. The tone of the book is not alarmist. Rather, Dwivedi matter-of-factly walks through many attacks, the above being just one case. He shows how, using open source code freely available on the net, an attacker could glean useful data from your machines.
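
The NFS case above works because an export using the default AUTH_SYS flavour accepts whatever user id and group id the client machine reports. As an added example (not taken from the book or the review), the following check audits an export list for that exposure; it assumes Linux `/etc/exports` syntax with one `client(options)` entry per host, and the paths and host names in the sample are constructed.

```python
import re

# Constructed sample in Linux /etc/exports syntax (hypothetical paths and hosts).
SAMPLE_EXPORTS = """\
/export/home  *(rw,sync)
/export/fin   10.0.5.0/24(rw,sec=sys,no_root_squash)
/export/hr    hr-app.example.internal(rw,sec=krb5p)
/export/pub   *(ro,sec=krb5:sys,all_squash)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, findings) for every export entry with a finding."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:            # no client listed = any host
            m = CLIENT_RE.match(spec)
            if not m:
                results.append((path, spec, ["unparsed"]))
                continue
            host = m.group(1) or "*"             # "(rw)" alone also means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            findings = []
            # AUTH_SYS: the server believes whatever UID/GID the client sends,
            # unless all_squash maps every caller to the anonymous user.
            if "sys" in sec.split(":") and "all_squash" not in opts:
                findings.append("trusts-client-uid")
            if "no_root_squash" in opts:
                findings.append("no_root_squash")
            if host == "*":
                findings.append("any-host")
            if findings:
                results.append((path, host, findings))
    return results

if __name__ == "__main__":
    for path, host, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host:24} {', '.join(findings)}")
```

Note that `root_squash` alone does not clear the `trusts-client-uid` finding: it only remaps UID 0, while any other user id sent by the client is still honoured.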


The security of data, as shown by several recent high-profile cases, is weak. It is but a question of time before courts begin requiring more thorough steps to be taken--users and courts want data security. This book not only helps IT meet those growing needs, but shows the vendors where they need to improve. Regulations have highlighted an overlying issue of data protection. Data, whether it is financial data, non-public private information, or medical data, needs to be protected from unauthorized external and internal entities at all times. Much valuable data (i.e. customer and patient data) spends most of its lifetime in a storage device--not on computers, servers, or networks. Local failures and outside intruders can change, destroy, or compromise stored data even if the main network is secure: storage requires its own security. This book is a must read for IT personnel responsible for data security and security consultants who perform compliance audits at companies that use storage devices.
