Computing Reviews
Securing storage : a practical guide to SAN and NAS security
Dwivedi H., Addison-Wesley Professional, Boston, MA, 2005. 560 pp. Type: Book (9780321349958)
Date Reviewed: Jan 25 2006

Information technology (IT) security has been receiving more attention recently, but, with one exception, that attention has not been directed at storage security. The exception is a well-publicized loss of unencrypted backup tapes containing confidential information, such as credit card data. Otherwise, the prevailing attitude seems to be that the flaws in storage security, in storage area networks (SANs) and network-attached storage (NAS) alike, are not serious. By exposing the real liabilities in storage security, this book demonstrates clearly that the prevailing attitude is wrong.

Dwivedi points out that storage has been fairly secure so far only through obscurity, namely a general lack of knowledge of where the storage security gaps lie. The flaws in storage security are often subtle, but that does not make them any less pernicious. The author also points out that relying on security through obscurity is not a safe strategy, as knowledge of the storage security flaws will eventually emerge.

The author defines securing storage as the process of assessing systems, testing networks, identifying gaps, and implementing security solutions. Six basic principles of security are defined and used as the focal point for examining the security of each type of storage network. In addition to the two prevalent types of storage networks (SANs and NAS), the emerging storage networking technology, Internet small computer system interface (iSCSI), is also covered.

The book attacks the myths that have given a false sense of storage security. For example, SANs are frequently designed on the assumption that they are secure because the Fibre Channel (FC) networks on which large SANs are typically built are inaccessible to an attacker. The book shows this assumption to be false. SANs have a number of weaknesses: predictable FC sequence and exchange identifiers can lead to session hijacking, fabric address weaknesses can lead to man-in-the-middle attacks, and host bus adapter (HBA) weaknesses allow an attacker to spoof a worldwide name (WWN) and thereby bypass logical unit number (LUN) masking, since the masking is keyed on the WWN that the HBA itself reports.
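The WWN spoofing weakness described above, as an added example rather than code from the book: a small Python model of LUN masking keyed on the initiator's port WWN (WWPN), where a second host presenting the same WWPN from a different switch port sees the same LUNs, beside a switch-side port binding check that ties each WWPN to the physical port it was registered on, which the spoofing host cannot choose. The class names, the WWPN and port values, and the LUN numbers are constructed for the illustration and are not from the book or from any particular vendor's implementation.

```python
"""LUN masking keyed on WWPN vs. masking plus switch-side port binding.

Added example (assumptions: a storage array that maps initiator WWPNs to
the LUNs they may see, and a fabric that records which physical switch
port each login arrived on). Not the book's code.
"""
from dataclasses import dataclass


def normalize_wwn(wwn: str) -> str:
    """Canonical 16-hex-digit form, so '10:00:00:00:C9:AA:BB:CC' and
    '10000000c9aabbcc' compare equal. Malformed values raise rather than
    silently failing to match an entry (which would read as 'no access'
    for a legitimate host, or worse, mask nothing if compared loosely)."""
    digits = wwn.replace(":", "").replace("-", "").lower()
    if len(digits) != 16 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return digits


@dataclass(frozen=True)
class FabricLogin:
    wwpn: str         # value the HBA presents at fabric login; driver-settable on many HBAs
    switch_port: str  # physical port the login frame arrived on; not chosen by the host


class StorageArray:
    """WWN-only LUN masking: whoever presents a masked WWPN sees its LUNs."""

    def __init__(self) -> None:
        self._masks: dict[str, frozenset[int]] = {}

    def mask(self, wwpn: str, luns: set[int]) -> None:
        self._masks[normalize_wwn(wwpn)] = frozenset(luns)

    def visible_luns(self, login: FabricLogin) -> frozenset[int]:
        return self._masks.get(normalize_wwn(login.wwpn), frozenset())


class PortBoundFabric:
    """Switch-side port binding: a WWPN is admitted only from its bound port."""

    def __init__(self) -> None:
        self._binding: dict[str, str] = {}

    def bind(self, wwpn: str, switch_port: str) -> None:
        self._binding[normalize_wwn(wwpn)] = switch_port

    def admit(self, login: FabricLogin) -> bool:
        return self._binding.get(normalize_wwn(login.wwpn)) == login.switch_port


def visible_luns_with_port_binding(fabric: PortBoundFabric,
                                   array: StorageArray,
                                   login: FabricLogin) -> frozenset[int]:
    """Masking still applies, but only to logins the fabric admits."""
    if not fabric.admit(login):
        return frozenset()
    return array.visible_luns(login)


def demo() -> dict[str, frozenset[int]]:
    """Constructed scenario: one legitimate host, one host spoofing its WWPN."""
    legit_wwpn = "10:00:00:00:c9:aa:bb:cc"
    array = StorageArray()
    array.mask(legit_wwpn, {0, 1})
    fabric = PortBoundFabric()
    fabric.bind(legit_wwpn, "fc1/1")

    legit = FabricLogin(legit_wwpn, "fc1/1")
    # Attacker sets its HBA to the same WWPN (colon-free, upper case, to show
    # normalization) but is physically plugged into a different port.
    attacker = FabricLogin("10000000C9AABBCC", "fc1/5")

    return {
        "legit_soft": array.visible_luns(legit),
        "attacker_soft": array.visible_luns(attacker),      # spoof succeeds
        "legit_bound": visible_luns_with_port_binding(fabric, array, legit),
        "attacker_bound": visible_luns_with_port_binding(fabric, array, attacker),
    }


if __name__ == "__main__":
    for name, luns in demo().items():
        print(f"{name:15s} -> {sorted(luns)}")
```

The model shows the point the book makes about HBA weaknesses: masking by WWN alone is an identity check against a value the client supplies, so it is only as strong as the attacker's ability to change an HBA setting. Binding the WWN to a switch port moves the check to something the host cannot influence; in practice this is done with the switch's port binding or hard zoning features alongside the array's LUN masking, not instead of it.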

For NAS systems, the exposures in both the Common Internet File System (CIFS) for Microsoft Windows environments and the Network File System (NFS) for Unix and Linux environments are each examined in a chapter of their own. The security issues for iSCSI environments are covered in a separate chapter.

The good news is that, even though many attacks are theoretically possible, only a handful of them are actually likely to apply to a given network, depending on how it is built. The book shows how to conduct assessment exercises that identify potential vulnerabilities. An IT administrator can separate the real exposures from the theoretical ones for his or her storage network, and thus focus only on the real exposures.

The book is a deep technical dive into storage security technology. Although it touches upon them in general terms, processes, policies, and procedures for securing storage are outside its scope. Since the book is a handbook for identifying and assessing storage security issues, the target audience is IT administrators. The question is, what type of IT administrators? A storage administrator has depth of knowledge in the storage domain, but not in the security domain. A security administrator has the opposite problem. IT management has to recognize that a team approach is necessary, and assign the necessary resources.

Remember that this book is public knowledge. Now that the veil of obscurity has been lifted from storage security issues, the good guys are not the only ones with access to this information. The race between offense and defense in security should now have a new focus on storage. IT organizations should duly note this and act accordingly, or be prepared to accept the consequences.

Reviewer:  David G. Hill Review #: CR132353 (0612-1219)
Classifications: Security, Integrity, And Protection (H.2.7); Security and Protection (C.2.0); Information Storage (H.3.2)
