Storage Security: Protecting SANs, NAS and DAS [Paperback]

John Chirillo (Author), Scott Blaul (Author)
4.3 out of 5 stars (6 customer reviews)

List Price: $60.00
Price: $43.80 & this item ships for FREE with Super Saver Shipping. Details
You Save: $16.20 (27%)

Book Description

ISBN-10: 0764516884 | ISBN-13: 978-0764516887 | Publication Date: January 1, 2003 | Edition: 1
* Storage systems are back-up data centers for vital information and a reliable second line of defense in the event a network is brought down
* Security experts Chirillo and Blaul navigate the challenges of secure storage networks in this invaluable how-to book
* Presents a standard set of secure policies and applications
* Analyzes the strengths and weaknesses of SAN, NAS, and DAS systems, detailing security concerns and considerations
* Discusses how to implement and architect more secure storage systems, focusing on breaches, redundancy, and security strategies
* Takes into consideration protection against internal intruders and tests those plans via vulnerability and penetration testing

Editorial Reviews

From the Back Cover

Your in-depth guide to protecting SANs, NAS, and DAS from attack

Here is the ultimate storage security handbook from the nation's top security expert, renowned Hack Attacks author John Chirillo. To create a detailed blueprint for protecting vital storage systems, John and coauthor Scott Blaul analyze SANs, DAS, and NAS in detail. They examine strengths and weaknesses, describe architectural security concerns and considerations, and identify ways to implement and design more secure storage systems, protect against security breaches, and develop effective countermeasures in case of attack. If storage security is your responsibility, you simply cannot afford to be without their advice.

You'll learn how to:
* Create and implement sound security policies and procedures for any storage system from any vendor
* Implement physical and logical security
* Use redundancy and protect against both internal and external security breaches
* Protect storage systems from malicious code attacks
* Detect storage intrusions and implement countermeasures
* Secure distributed versus centralized data
* Architect storage systems that are fundamentally secure
* Verify the effectiveness of a security plan with vulnerability and penetration testing

The companion Web site includes informative articles, evaluation matrices, selection spreadsheets, source code for custom intrusion monitoring of storage networks, and more.

About the Author

JOHN CHIRILLO, CISSP, ASE, CCDA, CCIE, CCNA, CCNP, Master UNIX, is Senior Internetworking Engineer at ValCom. A nationally recognized authority, John has developed security solutions for numerous Fortune 1000 companies. He is the author of Hack Attacks Revealed, Hack Attacks Denied, Hack Attacks Encyclopedia, and Networking Lab Practice Kit.
SCOTT BLAUL, CISSP, ASE, CCIE, CCNA, CCNP, CNE, is Director and General Manager of Professional Services at ValCom. He has authored numerous technical training materials for the U.S. Marine Corps and is highly experienced with SANs, Microsoft products, and security vulnerabilities.

Product Details

  • Paperback: 408 pages
  • Publisher: Wiley; 1 edition (January 1, 2003)
  • Language: English
  • ISBN-10: 0764516884
  • ISBN-13: 978-0764516887
  • Product Dimensions: 9.3 x 7.4 x 0.9 inches
  • Shipping Weight: 1.9 pounds
  • Average Customer Review: 4.3 out of 5 stars (6 customer reviews)
  • Amazon Best Sellers Rank: #1,013,318 in Books


Customer Reviews

6 Reviews
5 star: (4)
4 star: (1)
3 star: (0)
2 star: (1)
1 star: (0)
Average Customer Review: 4.3 out of 5 stars (6 customer reviews)

Most Helpful Customer Reviews

4 of 4 people found the following review helpful:
4.0 out of 5 stars Comprehensive coverage of an oft-overlooked topic, February 10, 2003
By David J. Bianco "Hanashi" (Williamsburg, VA United States)
What does "Information Security" mean to you? To many, it means firewalls and encryption. To some, it means intrusion detection systems. Chances are the words "file servers" weren't high on your list, but they probably should be. After all, "information security" is about information, and when it's not flying across the network it's got to be stored somewhere, right? In fact, the security of the storage mechanism is often overlooked, which makes it an attractive target for attackers. In their new book, Storage Security, Chirillo and Blaul take a comprehensive look at this often-ignored subject.

Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security. And once the system is selected, you can't stop there. You've got to decide upon appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.

The book's evaluation methodology is particularly valuable. Each type of storage (direct attach, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics. The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the "best" technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.

Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine, since it's easy to find what you're looking for and the chapters are concise. It's difficult to read from cover to cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.

Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may not need this book. If you have a larger network, though, or have significant data storage needs, this deserves a space on your shelf.



3 of 3 people found the following review helpful:
5.0 out of 5 stars Great tool for security planning and implementation, May 28, 2003
Prior to this book I was ignorant of a lot of data storage issues. This book opened up areas to me that I had previously overlooked as I always took data storage for granted. The equipment breakdown and analysis was the most concise that I've ever seen. Nearly every page brought me a new item to learn or ponder. The sections on packet breakdown and network latency were fascinating. The information in this book is fully explained and, with the author's help, easy to understand. The chapter (8) on designing and implementing a sound data security program almost serves as a blueprint as the steps and procedures are clearly outlined for the reader. This book provides BIG TIME info to the IT professional.


4 of 5 people found the following review helpful:
2.0 out of 5 stars A weak text on storage security, September 28, 2004
Amazon Verified Purchase
Securing storage sub-systems is an important, but omitted task. Will this text help you to do what is necessary to secure your storage fabrics? On my third read, the answer remains elusive. Important parts that should be part of standard decision protocol are missing. Will the text help you to understand security as a general topic? Certainly, the text attempts to apply CISSP concepts to the storage security topic.

In Chapter 1, trade articles cite storage pundits on the typical security grind, with a few small customer comments. All neglect in some form the fact that administrative error is the number one risk to availability, and by ISO17799, a security threat. Security is proactive rather than reverse engineered. The listing of security domains is certainly useful as a template for consideration.

Chapter 2 (DAS) discusses at length issues of data protection (RAID), discussion of interface technologies and a useful CISS matrix that is then applied to each interface. Rather than offer mitigation strategies for each interface, security resorts to the traditional CISSP analysis approach, classify, use standards, and build a plan, etc. when people really need situational case studies and risk mitigation. (Certainly, it remains important to do the analysis, but that is part of a CISSP text.)

Chapter 3 (NAS) begins with discussion of the NAS technology and their reasons for values supporting their security evaluation criteria. I found no serious discussion of the relationship of NAS to the outside world (Windows and UNIX) and the risks that this creates (need for authentication, etc.) In addition, one would expect a discussion of NFS flavors, CIFS and active directory, but this too was absent. One nit was a "weakness: NAS may not be good for databases," which with the new locking mechanisms is becoming more popular (although I personally still have a hard time with the idea.) Some protocols discussed are no longer in use. It includes a passable discussion on NASD and key management.

Chapter 4 (SAN), as with the others, begins with discussion of technologies in the broad sense of the storage fabric including iSCSI and FC, followed by a SAN security matrix. The discussion of "Manageability" and "Access Control Management" including techniques by title and model remain as definitions without an interpretation within the technology - e.g. the Bell-LaPadula Model includes mandatory access control by determining access rights from different security levels, and discretionary access control by cross-referencing access rights from a matrix. How do we create the matrix in SAN terms, develop security levels, and determine access control rights? When is it appropriate to use this model? Very little discussion of authentication, other than user or administrator rights - techniques were in existence at the time of publication.

I could continue, but my findings remain that this is a book about security, not storage security. It has a lot of potential if the models are given life with real life interpretation.
Inside This Book
First Sentence:
Before we dive into storage security, we take you on a brief journey back in time that allows you to reflect network security are so vitally important to a company's livelihood.
Key Phrases - Statistically Improbable Phrases (SIPs):
secure storage solution, unhampered physical access, enterprise security plan, audit identifier, storage network security, special configuration software, common thru, central storage device, degaussing tool, data security program, scalability constraints, storage security, security matrix, capability arguments, configuration protection, security logic, backup window, tolerance exposure, security evaluation criteria, using encryption technologies, direct attached storage, computing population, security checklist, data replication, proprietary connections
Key Phrases - Capitalized Phrases (CAPs):
Fibre Channel, End Sub Private Sub, Token Ring, Exit Sub, Mbps Ethernet, Red Hat Linux, Fast Ethernet, Client Broadcast, Gigabit Ethernet, Microsoft Windows, Server Client, Tiger Box, Power Mac, Sun Microsystems, Bytes Packets, Serial Storage Architecture, Ten Domains of Computer Security, Fiber Channel, High Performance Parallel Interface, Advanced Technology Attachment, Common Body of Knowledge, Data Link-layer, End Property Public Property Let, Ethernet Version, Network File System