Lock down your SAN

Learn how to lock down your SAN using a mixture of SAN-specific and common security measures. Mike Mullins has the details.

Implementing a storage area network (SAN) is a productive and cost-effective method for off-loading disk space from your servers and centralizing your network file resources. However, securing a SAN is no simple task.

If all of your organization's user data and databases reside on one storage device, then you must ensure maximum protection for that device. The key to securing your SAN is a mixture of SAN-specific and common security measures.

SAN-specific security methods
Most SANs offer two methods for securing your storage devices: zoning and logical unit number (LUN) masking.

Zoning comes in two flavors--hard and soft. The difference between the two is where the fabric enforces the zone: hard zoning is enforced by the switch hardware, which drops frames that cross zone boundaries, while soft zoning is enforced by the fabric name server, which withholds the addresses of devices outside a host's zone when that host asks for its targets.

Hard zoning is based on switch ports: it confines traffic to the ports that share a zone, so a host bus adapter (HBA) can reach only the storage ports zoned with the physical switch port it is cabled to. This method is extremely secure, but it can be administration-intensive, because moving a cable to a different port changes the zone membership and any recabling requires the zone configuration to be updated.

Soft zoning, also called world wide name (WWN) zoning, identifies each element in the fabric by the WWN assigned to its HBA or array port. The name server in the switch returns to a host only the WWNs that share a zone with it, so the host discovers (and can log in to) only the storage it is zoned for.

Because a WWN zone follows the device when you move it to another switch port, this provides a more scalable method of zoning. However, a WWN is whatever the HBA presents at fabric login, and many HBA drivers and firmware let an administrator (or an attacker with control of the host) change it, so WWNs are subject to spoofing. A soft zone also only hides targets from discovery rather than blocking frames sent to them, so this shouldn't be your only choice for security.

LUN masking
LUN masking controls which hosts are allowed to see each logical unit number (LUN) that an array presents through a fabric connection: a table of permitted initiator WWNs is kept for every LUN, and the LUN is hidden from every other host. You can implement this on the RAID array's controller or in the host bus adapter (HBA) driver.

Where zoning limits which ports or devices can talk to each other, LUN masking limits access to an individual LUN, which the host sees as a disk and carves into partitions or file systems (any network share is then exported from that file system by the host). The benefit of LUN masking is that you can restrict access to specific disk space on the SAN over a fabric connection between a server and the SAN, even when several servers share the same array port.

Masking enforced on the array provides tight security, and it scales well in large enterprises with multiple fabric switches and failover switch connections. Masking enforced in the HBA driver depends on the host's own configuration, so a compromised or misconfigured host can undo it; prefer array-side masking and treat HBA-side masking as a supplement.
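To make the interaction of the two controls concrete, here is a small model of a fabric with port (hard) zones, WWN (soft) zones and an array-side LUN mask table, and an access check that runs a request through all three in the order the fabric would. It is an added example written for this article, not code from the author or from any switch or array vendor: every WWN, port number and LUN in it is constructed, and real zoning and masking are configured in the switch and array management tools rather than in Python. The point it demonstrates is the caveat above: a host that spoofs a zoned WWN passes WWN zoning and LUN masking, and only port-based zoning stops it, because port zoning checks where the frame physically entered the fabric rather than what name the HBA presented.

```python
from dataclasses import dataclass

# Constructed sample identifiers; none of these belong to a real device.
WEB_WWN = "10:00:00:00:c9:aa:aa:01"     # web server HBA
DB_WWN = "10:00:00:00:c9:aa:aa:02"      # database server HBA
ROGUE_WWN = "10:00:00:00:c9:aa:aa:03"   # HBA of a host an attacker controls
ARRAY_WWN = "50:06:01:60:bb:bb:bb:01"   # array front-end port
WEB_PORT, DB_PORT, ROGUE_PORT, ARRAY_PORT = 1, 2, 3, 8   # switch ports


@dataclass
class Fabric:
    port_map: dict     # switch port -> WWN of the device physically cabled to it
    hard_zones: list   # port-based zones: frozensets of switch ports
    soft_zones: list   # WWN-based zones: frozensets of WWNs

    def same_hard_zone(self, a_port, b_port):
        return any(a_port in z and b_port in z for z in self.hard_zones)

    def same_soft_zone(self, a_wwn, b_wwn):
        return any(a_wwn in z and b_wwn in z for z in self.soft_zones)


@dataclass
class Array:
    masks: dict   # (array port WWN, LUN) -> set of initiator WWNs allowed to see it

    def permits(self, target_wwn, lun, initiator_wwn):
        return initiator_wwn in self.masks.get((target_wwn, lun), set())


def can_reach_lun(fabric, array, init_port, presented_wwn, target_port, lun):
    """Decide whether a host cabled to init_port that logs in as presented_wwn
    can see `lun` on the array port behind target_port.  Returns (allowed, stage).
    Port zoning keys on the physical port; WWN zoning and LUN masking key on
    the name the HBA presented, which is what a spoofing host controls."""
    target_wwn = fabric.port_map[target_port]
    if fabric.hard_zones and not fabric.same_hard_zone(init_port, target_port):
        return False, "blocked by hard (port) zone"
    if fabric.soft_zones and not fabric.same_soft_zone(presented_wwn, target_wwn):
        return False, "hidden by soft (WWN) zone"
    if not array.permits(target_wwn, lun, presented_wwn):
        return False, "masked by array LUN mask"
    return True, "allowed"


def build_fabric(with_hard_zones):
    """Web and DB hosts each get a WWN zone with the array; the rogue host has none.
    With with_hard_zones=True the same pairs are also zoned by switch port."""
    port_map = {WEB_PORT: WEB_WWN, DB_PORT: DB_WWN,
                ROGUE_PORT: ROGUE_WWN, ARRAY_PORT: ARRAY_WWN}
    soft = [frozenset({WEB_WWN, ARRAY_WWN}), frozenset({DB_WWN, ARRAY_WWN})]
    hard = ([frozenset({WEB_PORT, ARRAY_PORT}), frozenset({DB_PORT, ARRAY_PORT})]
            if with_hard_zones else [])
    return Fabric(port_map, hard, soft)


def build_array():
    # LUN 0 is the web server's disk, LUN 1 the database server's.
    return Array({(ARRAY_WWN, 0): {WEB_WWN}, (ARRAY_WWN, 1): {DB_WWN}})


def run_scenarios(with_hard_zones):
    fabric, array = build_fabric(with_hard_zones), build_array()
    return {
        "web -> LUN 0": can_reach_lun(fabric, array, WEB_PORT, WEB_WWN, ARRAY_PORT, 0),
        "web -> LUN 1": can_reach_lun(fabric, array, WEB_PORT, WEB_WWN, ARRAY_PORT, 1),
        "rogue, own WWN -> LUN 0": can_reach_lun(fabric, array, ROGUE_PORT, ROGUE_WWN, ARRAY_PORT, 0),
        "rogue, spoofed web WWN -> LUN 0": can_reach_lun(fabric, array, ROGUE_PORT, WEB_WWN, ARRAY_PORT, 0),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hard zoning:", "on" if mode else "off")
        for name, (ok, why) in run_scenarios(mode).items():
            print(f"  {name:34s} {'ALLOW' if ok else 'DENY '} ({why})")
```

With hard zoning off, the web server reaches its own LUN and is masked from the database LUN, the rogue host is hidden by WWN zoning under its own name, but the same host presenting the web server's WWN is allowed through: WWN zoning and masking both believed the name. With hard zoning on, the rogue host is dropped at the port zone regardless of the WWN it presents. The model collapses each control to a yes/no check; a real switch hides name-server entries for soft zones and filters frames in hardware for hard zones, but the ordering and the outcome are the same.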

Common security methods
If your organization's SAN holds the content for its Web server, put that content on its own portion of the SAN, enable only the file-sharing protocol the Web server needs for that portion, and implement an access control list that allows traffic to it from the Web server alone. Then, if someone compromises your organization's Web server, only the documents and files reachable through that protocol from that portion of the SAN will be exposed; the rest of the SAN stays out of reach.

Follow normal access control procedures on all SAN shares, and allow only the SAN administrators remote access to the SAN's operating system and management interfaces, preferably from a dedicated management network. Remember: SANs are common storage points, and they should never initiate a connection beyond the borders of your network.

Final thoughts
Organizations must address SAN security at every level across the enterprise. Keep in mind that the methods I've discussed vary in their implementation according to which SAN vendor your organization uses.

If you're not a storage guru, ask your vendor to explain SAN security in-depth for its products. Then, implement a SAN security solution today.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.