Securing Storage: A Practical Guide to SAN and NAS Security
by Himanshu Dwivedi

Upper Saddle River: Addison-Wesley 2006.
ISBN 0-32-134995-4. $49.99, $38.95

Reviewed by Richard Austin, 01/17/06

Enterprises are reportedly growing their storage requirements and budgets at double-digit rates under the twin whammy of a rapacious appetite for data and looming regulatory mandates. To cope with the burgeoning masses of data and flat or decreasing budgets for personnel, the data is increasingly being migrated to some form of networked storage. Which, surprisingly enough, brings us to security.

Dwivedi is no stranger to the subject of storage security and has given presentations at the BlackHat conferences on security issues in both fibre channel and iSCSI protocols. This book is a technical security book devoted almost entirely to the technical issues in SANs and their applicable technical controls. Matters of policy and the fit between storage security and the overall information security program are given a miss.

The book covers the trio of current networked storage technologies: Fibre Channel SANs, NAS (both NFS and CIFS), and iSCSI.

The book is clearly written for the most part but would have benefited from a good copy editor -- I am still mystified by this sentence at the top of page 346: "It should be noted that if the challenge message does not become stale or if it is reflected across connections, DH-CHAP is a very secure method to perform authentication, especially over WWN authorization security." Grammar issues, spelling mistakes, etc, detract from the quality of the presentation.

Some background on the protocols is required to understand the attacks and defenses -- I found myself reaching for Kembel's "red books" on fibre channel more than once and I earn my bread and cheese doing storage security on a fibre channel network.

Attack scenarios are quite realistic and easy to follow. For example, reconnaissance of a fibre channel SAN is clearly presented using nmap to scan a management network segment to locate on-board web servers for fibre channel switches and then using their web interfaces to retrieve a wealth of information. Common open source tools such as Cain and Abel, Ethereal, etc., are used to demonstrate how management connections can be sniffed and spoofed. Exotic attacks such as man-in-the-middle are illustrated using IP networks and then mapped to fibre channel in discussion. WWN and IQN (for iSCSI) spoofing is presented in a clear and understandable fashion that clearly demonstrates the risks to segregation of data based on zoning.

There are some issues with the presentation, though. In the CIFS section, for example, much use is made of enumeration through "null sessions" which are typically disabled in most hardened Windows deployments.

Protocol experts will take issue with items such as the "vulnerability" of iSCSI to dictionary attacks as the specification itself calls attention to this fact and the necessity for strong secrets (thanks to an iSCSI protocol expert for pointing this out).
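The point about CHAP secrets deserves a concrete illustration. The Python below is an added example written for this review page, not code from the book or from its author; it assumes the CHAP response computation from RFC 1994 (MD5 over identifier, secret and challenge) and the iSCSI specification's guidance, taken here as an assumed minimum, that CHAP secrets carry at least 96 bits of randomness. The small wordlist is constructed for the example. It shows why the secret, rather than the protocol, is what decides whether a captured challenge/response pair can be attacked offline, and gives a defender a simple policy check for configured secrets.

```python
import hashlib
import secrets
from typing import List

# Assumed minimum from the iSCSI specification: CHAP secrets should be at least
# 96 random bits. A shorter or guessable secret is what makes offline
# dictionary testing of a captured challenge/response pair feasible.
MIN_SECRET_BITS = 96

# Constructed toy wordlist standing in for the dictionaries such attacks use.
COMMON_WORDS = {"password", "secret", "iscsi", "admin", "storage", "chap"}


def generate_chap_secret(n_bytes: int = 16) -> str:
    """Return a fresh random CHAP secret as hex (16 bytes = 128 bits)."""
    return secrets.token_hex(n_bytes)


def check_chap_secret(secret: str) -> List[str]:
    """Return policy findings for a configured secret; an empty list passes.

    Byte length is only a floor: a long secret built from a dictionary word is
    still weak, so the wordlist and variety checks are applied as well.
    """
    findings = []
    raw = secret.encode()
    bits = len(raw) * 8
    if bits < MIN_SECRET_BITS:
        findings.append(f"secret is {bits} bits; minimum is {MIN_SECRET_BITS}")
    if secret.lower() in COMMON_WORDS:
        findings.append("secret is a dictionary word")
    if len(set(secret)) <= 2:
        findings.append("secret has almost no character variety")
    return findings


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge).

    Only the challenge and this 16-byte response cross the wire, so the secret
    is the sole unknown an observer of the exchange has to recover.
    """
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


if __name__ == "__main__":
    weak = "password"
    strong = generate_chap_secret()
    print("weak   :", check_chap_secret(weak))
    print("strong :", check_chap_secret(strong) or "ok")
    challenge = secrets.token_bytes(16)  # constructed sample challenge
    print("response:", chap_response(1, strong.encode(), challenge).hex())
```

Run against the secrets actually configured on initiators and targets, the checker flags the short or dictionary values the review's protocol expert is warning about; the response function is there to make plain that the hash offers no protection of its own once a weak secret is in play.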

Some items of advice in the chapters on hardening devices will be questioned as well such as the advice to disable cut-through switching on Cisco's MDS series switches to preclude an attack on zoning that is actually not possible given how zoning rules are processed (thanks to a Cisco CCIE for giving me this peek under the proverbial kimono).

The chapter on regulatory compliance is good but illustrates the problem of restricting the book to "technical security." That is, without a threat model and overall policy framework, it is difficult to judge or justify the adequacy of any specific control. This being said, the chapter is quite useful in presenting the broad tapestry of considerations that make up compliance in the context of storage security.

In summary, this is an excellent book for introducing the challenges that exist in current implementations of storage networks from a security perspective and offers guidance to security professionals and storage administrators alike in some of the ways such challenges can be met. The important caveat is to assess the presented risks in the light of the specific technological and vendor environment as well as in the context of the overall security posture of the organization before implementing any of the technical controls. Eschew the temptation to treat this book as a "tweak-o-matic" that will somehow make your organization's storage networks secure (whatever that means)!

Richard Austin is a resident curmudgeon at a Fortune 100 company who, for reasons that mystify both him and his therapist, wages a continuing battle with a tottering tower of new security books. He occasionally emerges from the fray, more or less unscathed, to opine upon the latest tome to transit from the "to be read" pile onto the "to be shelved" stack and can be reached at