Does 'storage security' buy you anything?

I sat in on a webinar the other day and reviewed the sponsors' product data-sheets and other product materials. This was a 'storage security solution'. What is a storage security solution?

To sum it up, it's a data encryption solution that secures data at the SAN/NAS storage layer. In other words, it encrypts the data stored within the SAN and also includes access controls to restrict access to certain data within the SAN by certain hosts. Sounds kinda neat, huh? I found it interesting that the vendor was touting that their product addresses the encryption and data security requirements of the PCI (Payment Card Industry) Data Security Standard. I have to completely disagree with this positioning.

The product does encrypt data at rest within the SAN. But this is not really where the threat exists. The solution does nothing in regards to protecting data once a host is authorized to access the data within the SAN. And the threat of someone getting physical access to your SAN in order to attach to an existing volume is, shall we say, not very probable. And, if you are following the other requirements of PCI, you have your SAN and servers secured within a data center with appropriate physical access controls. So the chance of someone walking off with servers and your SAN also has a low probability.

With a solution like this in place, the Oracle database server has complete access to the encryption keys and all of the data in the SAN that it needs in order for the database to operate. And the web application that's connected to this database has access to all of the data it needs in order for the application to operate. So, even with such a solution implemented, you are still completely dependent on the security and access controls (and inadequacies) of those systems to protect the data. If someone can circumvent the controls in the web application or the database access controls, is doesn't really matter if the data is encrypted in the SAN. Implementing a database encryption solution would be a much more effective and secure solution.

But a solution like this isn't all bad. Where I do see value is in highly virtualized environments. Since the data is encrypted with the SAN you will have the capability to restrict access to only authorized hosts. Another great feature of the solution I reviewed is the ability to apply this technology to backup media. This is an area that's fraught with vulnerability, and it's good to see a product that addresses this head-on. What bugs me is when vendors get a little over zealous in their marketing strategy, attempting to position themselves as a solution to problems they don't really solve.

Copyright (c) 2007 Kenneth M. Smith

Network Security Checklist

20 Things That You Should Be Doing (at a minimum) to Protect Your Network From Threats
Kenneth M. Smith CISSP CISA QSA

Nothing can guarantee complete protection from the threats that exist on the Internet. Worms, viruses, malware and other malicious attacks are making this battle more complex every day. But it’s important to make a concerted ‘due-diligence’ effort to protect your information systems. Here is a preliminary checklist of 20 items that can help reduce your exposure to the top Internet threats.

1. Stay informed – Monitor security-related web sites and subscribe to mailing lists so you are aware of the latest threats. You need to know about it before you hear it on the television or radio news. I recommend the following:

SANS Newsletters: There are two weekly Newsletters and one monthly to choose from. The Security Alert Consensus (CAS), for example, lets you customize the content to your environment. You can choose to only receive news that pertains to the operating systems that you use. To subscribe to the SANS Newsletters, visit:

SecurityFocus Mailing lists: There are currently 26 lists to choose from. At a minimum, I would recommend the ‘bugtraq’ mailing list. To subscribe, to the SecurtyFocus lists, visit: This site provides daily updates and alerts on the latest threats, acting as an Internet Storm Center. Here you can access the latest CID Graph, probing statistics, and access the DShield Database. DShield is a system that acts as a central logging and analysis repository for IDS and Firewall logs. For more information, visit

2. Know the SANS/FBI Top 20 List – Using the combined knowledge of dozens of leading security experts, this list was developed to identify the top twenty vulnerabilities that account for the majority of system compromises. The latest version of the list, “The Twenty Most Critical Internet Security Vulnerabilities” can be found at the following URL:

3. Protect your e-mail systems – Use an e-mail content filtering solution to protect your mail systems from malicious messages, SPAM, and malware attachments. It’s preferable that this be a separate system located in a DMZ network. This solution should, at a minimum, allow filtering based on text strings within messages as well as the ability to monitor and restrict attachments. Many systems also provide the ability to block unsolicited commercial email (UCE), a.k.a. SPAM. This system should integrate with an anti-virus product so that all attachments are virus checked, both inbound and outbound.

4. Triple-check your firewall configuration – Your firewall is a critical component of your security strategy. It’s configuration and rule-base should be closely guarded. On a regular basis, a ‘reality check’ should be performed by multiple security administrators or a security consultant. Use the comments field for each rule to indicate what the rule is for, and who requested and authorized the rule. Question any unexplained rules. Verify that your rule-base includes a ‘Stealth Rule’. This is a rule that prevents anyone from talking with your firewall directly. This is usually placed as early in the rule-base as possible.

5. Test for vulnerabilities – Perform frequent vulnerability assessments or penetration tests to identify vulnerabilities that may exist on your systems. Tests should be performed with multiple assessment tools from the Internet as well as from inside the network. As part of this test, run a password-cracking tool to test the strength of user passwords.

6. Test backup systems – You know that feeling you get when you need to restore critical data and find that it hasn’t been backed up in months? Avoid these situations by reviewing backup logs and performing regular test restores. Consider having the system or data ‘owner’ also review the logs for an added measure of confidence. While performing these tests, make note of the restore speed. If it takes many hours to restore a critical system from backup, then it’s probably time to start thinking about a more robust data integrity solution.

7. Keep the operating system and applications current – Have you ever tried to quickly install a security patch, only to find that you needed to install an Operating System Service Pack first? Keep all OS and application revision levels up-to-date. Not only does this usually provide a more stable system, but it also makes it easier to deal with hot-fixes and security patches later.

8. Educate your users – Employees expect that the company will keep their personal information secure. It’s your company’s duty to exercise diligence to make sure that social security numbers, health information, and other personnel information is kept private. You should expect the same level of security from your users when it comes to corporate data. Regular Security Awareness training provides the opportunity to make users aware of best practices, corporate policies, and to review some do’s and don’ts. In addition, it serves as a forum to allow users to ask questions.

9. Monitor your network – Review router, firewall, and host logs on a regular basis. If this task takes too much of your time, then consider an integrated log management and reporting tool. If you have a central syslog logging server, be sure that it’s kept up-to-date and secure. An Intrusion Detection System will let you see and correlate activities that will go unnoticed when using simple logging only. Better yet, and Intrusion Detection and Prevention System can block the malicious traffic. If you have an IDS or IDP system, be sure to keep signatures current. If there is no IDS or IDP in place, you should immediately start looking into something that will meet your requirements.

10. Keep Internet accessible hosts on a DMZ – Any host that can be directly accessed from the Internet should be in a Demilitarized Zone network, not your internal LAN. For example, web, mail, and ftp servers should be on a separate network segment that is connected to the firewall only. Firewall rules are then created to allow access to these systems from the Internet, and to allow these servers to communicate with systems on your LAN.

11. Apply those security patches! – Lately this seems to be a daunting task, keeping up with vendor provided security patches and hot-fixes. Whatever it takes, it must be done. There are some tools available to help manage this process for large numbers of servers. Some OS and application vendors are providing better patch distribution functionality, but for most systems it’s primarily a manual process. You should be keeping current with security-specific patches for all hosts, firewalls, routers, and appliances on your network. Monitor security and vendor web sites and mailing lists for the latest news on security patches.

12. Anti-Virus everywhere – All systems, from notebooks and desktops to mission-critical servers need to be protected from viruses. If you have Anti-Virus software running everywhere, make sure it is configured to properly protect your systems. It should be against corporate security policy for users to disable Anti-Virus protection, unless authorized to do so. Virus signatures should be updated often. In light of the recent barrage of malware, it’s a good idea to check for signature updates on a daily basis.

13. Closely guard modem remote access services – A single host with a modem connected to an analog line can completely circumvent your security strategy. Although it doesn’t get the attention it used to, finding a host running PcAnywhere with a weak or non-existent password will usually result in full access to the companies’ internal network and applications. Systems that must be made available in this manner must be closely monitored, and full auditing and logging capabilities should be enabled. Regular WAR-Dialing exercises should be performed to inventory modem usage, and to identify weak authentication requirements.

14. Harden all production systems – Any system that will be used in a production environment, whether internet-facing or internal, should be hardened. Tests should be performed to assure that baseline security requirements are met before system deployment. After hardening, be sure to also test the applications that the system will run. Once you’ve developed a procedure that meets your requirements, you can automate the process using scripts or third party automation tools.

15. Categorize and segregate systems – Organize systems into categories based on their importance to the organization, and their function. Next, segregate systems into secure ‘zones’ based on these categories. This allows you to provide countermeasures that are better aligned with each systems security requirements. Additionally, more extensive countermeasures will be efficiently deployed, exactly where they are needed the most.

16. Get working on those security policies – If you have written policies that relate to corporate information systems, they probably need to be updated. Many things have changed in a short period of time. If your company has no written policies, first create an Information Security Roadmap that outlines the current risks and how they can be addressed. From this, security policies can be developed for the topics that are pertinent to the environment.

17. Locate and secure wireless networks – If you have wireless access points connected to your corporate LAN, be sure to change the default SSID and require the use of strong encryption. A wireless local area network (a.k.a. WLAN) should be treated as an untrusted network, and secured as a Demilitarized Zone (DMZ). If you don’t think you have wireless in use at your company, running a WLAN scanning tool might surprise you.

18. Provide regular security training for your IT staff – On a regular basis, your IT staff should be exposed to training that will increase their knowledge of information security best-practices. This is one of the best investments a company can make when it comes to protecting their environment. Learning on the fly to deal with a major incident, that could have substantial financial ramifications on your business, just doesn’t make good business sense. The ROI of this type of training is always very high.

19. Implement network time services – Implement a central time management system in your environment. One or more Network Time Protocol (NTP) servers should be installed on your network and configured to pull accurate time from a reliable reference server. At a minimum, all network architecture and security systems on your network should point to your NTP time servers to coordinate time. This will assure consistent timestamping of log data across platforms. This is especially important when researching firewall, router, and intrusion detection and prevention logs while investigating suspicious activity.

20. Be prepared for an incident – If your network were attacked today, would you know what to do? Procedures should be in place to help assure proper identification, containment, eradication and recovery to get your company back in business. If you don’t have a plan in place then a good place to start would be to read the ‘Computer Security Incident Handling Step-by-step Guide’ published by SANS. This 74 page guide is available in printed and electronic PDF format from the SANS Store at: Also, have the phone numbers of important contacts (ISP, Firewall Support Vendor, Company CIO, Human Resources, Legal, etc.) printed out and kept in a safe place just in case.

Copyright (C) 2004 Kenneth M. Smith