Published by: venkat on Apr 27, 2011
Copyright: Attribution Non-commercial







Securing Your SAN
Introduction to security
The most important thing in running an IT business is protecting its information from malicious attackers who want to use it for personal purposes or with evil intent. These attackers may be within the organization, or they may be hackers or competitors. Most people think that the IT security team is responsible for protecting the data or information, but it is the responsibility of every individual in the organization. The responsibility of the security team is not only protecting data from outsiders but also making everyone in the organization aware of what is expected from their side. The basic objectives of security are:
Reliability.
Confidentiality.
Integrity.
Authentication.
Availability.
Access control.
Now we will discuss each of these objectives.
Reliability refers to making sure that any time you access your data, it is what you ended up with after the last modification. Reliability is an implicit requirement of any security policy.
Confidentiality deals with protecting information from disclosure to an unauthorized person. This information may be business secrets or any copyrighted material. We can achieve this by using an encryption/decryption algorithm that can be understood only by the intended senders and recipients.
Integrity deals with verifying whether the data is the same on both the sending and receiving ends. Integrity ensures that data is not corrupted, which maintains the uniformity of the data on both sides. Integrity can be achieved by adding some extra information to the original, which can represent the actual data.
Authentication is validating the sender and receiver. This helps the sender and receiver trust each other. Authentication can be done using digital signatures, passwords, etc.
It is very important for any organization to have its data available anytime and anywhere to an authorized user. Downtime is very costly for an organization and may drive the business into losses. Applying patches and preventing hackers from peeping into the network can ensure availability.
Access control
Access control refers to making sure that people are exposed only to the information they are supposed to access. Making the right kind of information accessible only to the right person is a major aim of security.
A good security solution should protect all the objectives. A good security solution needs proper planning, and this plan can be called a security policy.
What is a security policy?
A security policy defines the procedures, guidelines and practices for configuring and managing security in an organization. Every organization should have a security policy, and it is to be implemented by higher-level officials. The higher the level of security we aim for, the more investment is needed to implement it. Hence an analysis is needed before formulating a security policy. Qualitative risk assessment and cost benefit analysis are the most important types of analysis.
Qualitative Risk Assessment
Because of the uncertainty associated with risks in the IT business, it is not easy to calculate the risk level. So several techniques have been developed for finding it, such as multiplying the threat frequency by the risk associated with it. All the risks, such as those to assets, information, etc., are considered while calculating the overall risk.
Cost benefit analysis
Cost benefit analysis gives an estimate of the monetary losses if the data is lost. So cost benefit analysis is used for calculating a break-even point. The break-even point is the point at which the security implementation investment and the monetary losses are the same. In this analysis risk is not taken into consideration. For example, it is not a wise decision to implement security costing 10000 bucks for information worth 1000 bucks.
This analysis acts as a baseline for creating a security policy. Formulating the security policy needs higher officials from all the departments and domain experts. The following steps are to be followed while creating security policies:
1. Determining the need for the policy.
2. Discussing with department heads and determining what is to be protected, such as assets, the clientele list, etc.
3. Reviewing government rules and regulations so that the policy offers protection if any discrepancies occur, and modifying it accordingly.
4. Creating a policy satisfying the above three steps.
5. Reviewing the policy with higher officials and modifying the policy if any changes are needed.
6. Approving the policy and training all the associates.
7. Having a review of the policy quarterly or half-yearly and modifying it if needed.
[Figure: Flow of events for formulating security policy. Determine the need for policy; discuss with workgroups; formulate policy; check for legal issues and modify if needed; higher officials approval/review (modify if needed); implementation; review/update every three or six months (modify if needed).]
Security in SAN
The concept of centralized data storage running on a dedicated high-speed back-end network that can be accessed by the servers connected to it is called a Storage Area Network (SAN). According to SAN theory, any host on the network can access any of the data in the network, but from a security point of view this is a threat. For example, imagine a scenario where a hacker hacks the server, which means he can access all the data on the network, and in some circumstances he can even modify it, which is not desirable in an enterprise storage environment. Most SANs deployed today run on FCP (Fibre Channel Protocol). FCP was designed with speed as the primary factor; as a result it lacks authentication. Authentication is the most important factor in security when we talk about networked storage, so we need a good security policy that can at least make up for the lack of authentication in the Fibre Channel protocol. Before formulating a security policy we need to find out the loopholes, vulnerabilities and types of attack that are possible.
Some of the possible attacks against a SAN are:
Spoofing the ports.
Spoofing the FC-AL.
DoS (Denial of Service) attack.
So we need a security policy that can address all these problems. First of all we need to define the security needs by identifying the domains. These domains typically define different categories of communications that must be protected by the in a storage area network. These domains include:
