Re: SAN Vulnerabilities

[William Reyor <opticfiber () gmail com>]

A misconfuguration on the SAN can put your data at risk. I'd avoid it if possible. 

Sent from my ATmega128

On Dec 17, 2010, at 12:58 PM, Dan Lynch <DLynch () placer ca gov> wrote:

> I'm very interested in this line of analysis as well. High-value / high-risk segregation issues come up here all the 
> time. I'm not a SAN expert either, but this same question has come up in security evaluations. As I've understood 
> (and I could be very wrong here), much of the risk is associated with IP-based transport. But using fibre-channel 
> HBAs for transport represents less risk. Could anyone with more experience speak to this issue?
>
> Thanks
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
> > -----Original Message-----
> > From: listbounce () securityfocus com 
> > [mailto:listbounce () securityfocus com] On Behalf Of mjd
> > Sent: Thursday, December 16, 2010 4:23 PM
> > To: security-basics () securityfocus com
> > Subject: SAN Vulnerabilities
> >
> > We are evaluating a proposal wherein our Web Server Admins would like
> > to use our internal SAN to host data for our external websites.  Our
> > external websites are on our outfacing DMZ which means they could be
> > subject to all sorts of attack.  Our internal SAN hosts some very
> > sensitive health care data so I'm reluctant to allow this since it
> > puts our most protected data physically very close to our most
> > vulnerable segment.
> >
> > They have given me assurance that they have locked down the SAN to the
> > point wherein one server accessing cannot access any other disk unless
> > it is explicitly mounted.  I do not have heavy experience with SANS,
> > but based on their explanation, the SAN switch can be likened to a
> > firewall in that it blocks any communication not explicitly allowed.
> >
> > When drawing this out on a board, it just doesn't look right.  We're
> > physically connecting servers in our External DMZ to our SAN which
> > hosts very sensitive data.
> >
> > Any advice on this situation?  Are we overreacting to this and should
> > we trust in the security boundaries created by the SAN
> > switch/controller?  Are there vulnerabilities out there that allow an
> > attacker to take control of the whole SAN?
> >
> > Thanks in advance!
> > mjd
> >
> > --------------------------------------------------------------
> > ----------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who 
> > needs an SSL certificate.  We look at how SSL works, how it 
> > benefits your company and how your customers can tell if a 
> > site is secure. You will find out how to test, purchase, 
> > install and use a thawte Digital Certificate on your Apache 
> > web server. Throughout, best practices for set-up are 
> > highlighted to help you ensure efficient ongoing management 
> > of your encryption keys and digital certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> > e13b6be442f727d1
> > --------------------------------------------------------------
> > ----------
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------