Storage Security

Here is the ultimate storage security handbook from the nation's top security expert, renowned Hack Attacks author John Chirillo. To create a detailed blueprint for protecting vital storage systems, John and coauthor Scott Blaul analyze SANs, DAS, and NAS in detail. They examine strengths and weaknesses, describe architectural security concerns and considerations, and identify ways to implement and design more secure storage systems, protect against security breaches, and develop effective countermeasures in case of attack. If storage security is your responsibility, you simply cannot afford to be without their advice.

You'll learn how to:

• Create and implement sound security policies and procedures for any storage system from any vendor
• Implement physical and logical security
• Use redundancy and protect against both internal and external security breaches
• Protect storage systems from malicious code and attacks
• Detect storage intrusions and implement countermeasures
• Secure distributed versus centralized data
• Architect storage systems that are fundamentally
• Verify the effectiveness of a security plan with vulnerability and penetration testing

1. Storage Evolution
• General Terminology
• Why NAS or SAN?
• From Mainframe to Distributed
• Distributed resources
• NAS and SAN emerge as viable alternatives to DAS
• Riding the Technology Wave
• The rise to the top
• The bottom falls out
• The plan has to work
• Real-world examples
• Example article 1
• Example article 2
• Example article 3
• Too much hype?
• The Ten Domains of Computer Security
• Summary
2. Direct Attached Storage (DAS)
• What Is Direct Attached Storage?
• Understanding DAS Technology
• Serial Storage Architecture
• Universal Serial Bus
• Firewire
• High Performance Parallel Interface/Gigabyte System Network
• Integrated Drive Electronics/Advanced Technology Attachment
• Small Computer System Interface
• Fault Tolerance
• Using Technology Matrix Criteria to Determine DAS Security
• The DAS technology/security matrix
• USB
• IDE/ATA
• Firewire
• SCSI
• Serial Storage Architecture
• High Performance Parallel Interface
• Tallying the results
• Determining Which Storage Technology Meets Your Security Needs
• Providing a Secure DAS Foundation
• Summary
3. Network Attached Storage (NAS)
• What Is Network Attached Storage?
• Understanding NAS technology
• NAS proerties
• File systems
• Limitations
• File sharing or database access
• File sizes
• Network speed
• Network composition
• Features/options
• Security limitations
• Using Technology Matrix Criteria to Determine NAS Security
• NAS topologies
• NAS's strengths and weaknesses
• Using the Technology Security Matrix
• Matrix assessment
• Architecture
• Ethernet
• FDDI
• Token Ring
• Protocol
• AppleTalk
• IPX/SPX
• IP
• OS type
• Embedded
• Off-the-shelf
• File system
• Determining Which Storage Technology Meets Your Security Needs
• Providing a Secure NAS Foundation
• NASD fabric
• Administrator-to-file management system security
• Summary
4. Storage Area Network (SAN)
• What Is Storage Area Network?
• Understanding SAN technology
• SAN proprties
• Limitations
• Functional use
• Host-based file sharing and database access
• Distances
• Complexity
• Device support
• Features/options
• Serially-based
• Determining SAN Security
• SAN topologies
• Other SAN-style technologies
• Using the SAN security matrix
• Providing a Secure SAN Foundation
• Manageability
• Access control management
• Access administration
• Authentication
• Strong passwords
• Password guidelines
• Biometrics
• Tickets
• Tokens
• Custom scalability and flexibility
• Security domain zones
• Host/switch security domain zone
• Administrative/management systems security domain zone
• Management systems/switch security domain zone
• Switch/switch security domain zone
• Security controls overview
• Fabric Configurations Servers
• Management Access Controls
• Secure management communications
• Switch connection controls
• Device connection controls
• Security auditing using a Tiger Box
• Summary
5. Data Availability
• Data Availability Defined
• Keys to data availability
• Capacity planning
• Access methods
• Fault mitigation
• Disaster mitigation
• Duplication
• Management tools
• Proactive monitoring/alerting
• Support plan
• Data protection
• Backup window
• Data availability interdomains
• Infrastructure availability
• Security
• Network access
• Cabling
• Hubs/switches
• Routers
• CAN/MAN/WAN links
• Internet
• Wireless technology
• Dial-in
• Power
• Alternate access
• Hosts/servers
• Host/server standby/failover
• Clustering
• Application availability
• Load balancing cluster
• Application failover cluster
• Data Services
• User/company data
• E-mail
• Databases
• Design
• Types
• Multimedia
• Disk Availability
• RAID systems
• Snap technology
• Overview
• How it works
• Uses
• Security issues
• Clone technologies
• Overview
• How it works
• Uses
• Security issues
• Data replication technologies
• Overview
• How it works
• Uses
• Security issues
• Storage virtualization
• Overview
• How it works
• Uses
• Security issues
• Outsourcing companies
• A Word about Common Data Availability Failure Points
• Summary
6. Data Protection, Backup, and Recovery
• Framework for Protecting Data
• Networked attached secure disk
• Security of Hash and MAC
• Precomputing security with Hash and MAC
• User/administrator-to-system security
• Biometrics
• Tickets
• Tokens
• Data Protection by Viral Defense
• Backup Challenges
• Determining the primary purpose of the backup system
• Backup
• Restore
• Archive
• Backup window
• Integrity of backup
• Verification of backed-up data
• Indexing and cataloging
• Media life
• Redundancy in backups (on-site plus off-site copies)
• Data replication
• Business continuance plan
• Guidelines for contingency plans
• Choosing a secure backup strategy
• Backup device hardware
• Secure backup connection methods
• Backup device placement
• Backup software
• File selection methods
• Full backup
• Incremental backup
• Differential backup
• Derivatives (synthetic full)
• Failure recovery backup
• HSM
• Leveraging clone and snapshot technologies for backups
• Open file and database agents
• Verification/notification options
• No swapping of tapes or other media if possible
• Media availability
• Choosing a secure backup solution
• Data Recovery
• Disaster recovery
• Organizing data
• Single loss expectancy
• Annualized loss expectancy
• Using recovery packets for fault and failure mitigation
• Loss mitigation
• Practical example
• Rollback planning
• Secure recovery methods
• Restore problem scenario 1
• Restore problem scenario 2
• Restore problem scenario 3
• Restore problem scenario 4
• Restore problem scenario 5
• Testing the restoration plan
• Proper disposal of data
• Tape media
• Magnetic diskette media
• Optical media
• Magnetic disk media (hard drives)
• Summary
7. Selecting a Secure Storage Solution
• The Approach
• Infrastructure Needs Analysis
1. Applications
2. Protocols
3. Topology map
4. Network analysis
5. Wide area network analysis
6. Network availability and performance
7. Network reliability and utilization
8. Business strategies
9. Network healthiness
• Infrastructure Selection Guidelines
• Protocol design guidelines
• Workstation client design guidelines for NetWare
• Internetwork Packet Exchange
• IPX encapsulation types
• Service Advertisement Protocol
• Sequenced Packet Exchange
• AppleTalk
• TCP/IP Transport and Network layers
• TCP
• Sequencing and windowing
• Initialization constraints
• Topology design guidelines
• Ethernet design cabling, and adaptors
• Congestion problems
• Benefits and guidelines of Fast Ethernet
• Benefits and guidelines of Gigabit Ethernet
• Scalability constraints
• Routing protocol guidelines
• Key Requirements of a Scalable Network
• Reliability and availability
• Responsiveness
• Efficiency
• Adaptability
• Accessibility and security
• Tackling the Most Common LAN Problems
• TCP/IP problems and troubleshooting techniques
• Using router diagnostic commands
• Diagnostic commands
• Ping
• Traceroute or tracert
• Additional techniques and suggestions
• Local connectivity issues
• General IP troubleshooting suggestions
• Troubleshooting suggestions
• Check for configuration problems
• Check for local connectivity
• Ruling out duplicate IP addresses
• Troubleshooting physical connectivity problems
• Rule out a configuration problem
• Check cable connections
• Check the configuration
• Check the network interface
• Troubleshooting IP connectivity and routing problems
• What's next?
• Storage Solution Component Matrix
• Environment
• Capacity
• Need/use and hardware platform
• Operating systems
• Summary
8. Designing and Implementing a Sound Data (NAS/SAN) Security Program
• Designing the Plan
• Common storage security steps
• Step 1: Classification categories
• Step 2: Combine data classifications
• Step 3: Categorize the data
• Step 4: Define legal obligations for data
• Step 5: Work out from center
• Step 6: Define encryption strategy
• Step 7: Define a connection/technology strategy
• Step 8: Separate/segment storage use
• Step 9: Define configuration identity management
• Step 10: Protocol selection
• Step 11: Device firewalls
• Step 12: Choose operating system access
• Step 13: Access control
• The Take-Grant model
• The Bell-LaPadula model
• Step 14: Select an appropriate secure backup
• Step 15: Create a comprehensive security checklist
• Step 16: Enterprise security plan
• Step 17: Intrusion detection
• Step 18: Incident response planning
• Step 19: Training
• Step 20: Design review
• Step 21: Testing
• Implementing the Plan
• NAS case study
• Step 1: Classify the data
• Step 2: Combine data classifications
• Step 3: Categorize the data
• Step 4: Define legal obligations for data
• Step 5: Work out from center
• Step 6: Define encryption strategy
• Step 7: Define a connection/technology strategy
• Step 8: Separate/segment storage use
• Step 9: Define configuration identity management
• Step 10: Protocol selection
• Step 11: Device firewalls
• Step 12: Choose operating system access
• Step 13: Access control
• Step 14: Select an appropriate secure backup
• Step 15: Create a comprehensive security checklist
• Step 16: Enterprise security plan
• Step 17: Intrusion detection
• Step 18: Incident response planning
• Step 19: Training
• Step 20: Design review
• Step 21: Testing
• SAN case study
• Step 1: Classification categories
• Step 2: Combine data classifications
• Step 3: Categorize the data
• Step 4: Define legal obligations for data
• Step 5: Work out from center
• Step 6: Define encryption strategy
• Step 7: Define a connection/technology strategy
• Step 8: Separate/segment storage use
• Step 9: Define configuration identity management
• Step 10: Protocol selection
• Step 11: Device firewalls
• Step 12: Choose operating system access
• Step 13: Access control
• Step 14: Select an appropriate secure backup
• Step 15: Create a comprehensive security checklist
• Step 16: Enterprise security plan
• Step 17: Intrusion detection
• Step 18: Incident response planning
• Step 19: Training
• Step 20: Design review
• Step 21: Testing
• Answers
• iSCSI case study
• Step 1: Classify the data
• Step 2: Combine data classifications
• Step 3: Categorize the data
• Step 4: Define legal obligations for data
• Step 5: Work out from center
• Step 6: Define encryption strategy
• Step 7: Define a connection/technology strategy
• Step 8: Separate/segment storage use
• Step 9: Define configuration identity management
• Step 10: Protocol selection
• Step 11: Device firewalls
• Step 12: Choose operating system access
• Step 13: Access control
• Step 14: Select an appropriate secure backup
• Step 15: Create a comprehensive security checklist
• Step 16: Enterprise security plan
• Step 17: Intrusion detection
• Step 18: Incident response planning
• Step 19: Training
• Step 20: Design review
• Step 21: Testing
• Final notes on SAN security
• Summary
9. Testing and Monitoring
• Building a Testing System
• Quick Sun Solaris configuration
• Configuration Assistant
• Drivers
• Boot Parameters screen
• Partitioning
• Preinstallation
• Web Start
• Installing the O/S
• Installation completion
• Quick Red Hat Linux configuration
• Welcome
• Language selection
• Keyboard configuration
• Mouse configuration
• Install options
• Disk partitioning
• Network configuration
• Language support
• Time zone
• Account configuration
• Authentication
• Package selection
• X configuration
• Installation
• Monitor configuration
• Installation completion
• Quick Apple Mac OS X/Jaguar configuration
• Welcome screen
• License agreement
• Installing the kernel
• Upgrading to OS X option (optional)
• Welcome screen
• Installing kernel updates
• Installing Developer Tools
• Downloading the software
• Terms and conditions
• Sign-up form
• Account profile
• The software
• Quick auditing software configuration
• Installing Nmap
• Installing Nessus
• Manual installation
• Automatic installation
• Configuring Nessus Security Scanner
• Starting the server daemon
• Additional notes for Linux and Solaris users
• Using Your Testing System
• Plugins
• Scan options
• Target configuration
• Reporting
• Auditing the most common vulnerabilities to storage networks
• Host systems
• WAN links
• Local segment and zones
• Management points
• Simple Network Management Protocol
• Archives
• Other general storage-related insecurities
• Firewalls and Intrusion Detection System Software
• Network monitors
• Custom detection with TigerGuard IDS
• Forms
• Modules
• What's Next
• Summary

• What's on the WebSite
• Matrices
• Advanced Custom Auditing
• TigerGuard IDS Software and Other Devices
• Other IDS devices and services
• Useful Resources
• Access Control and Management
• Encryption
• Firewalling
• Intrusion Detection Systems, Software, and Services
• Magazines and News
• Search Engines
• Storage Network Software
• Virus Control
• White Papers

A very good book that lives up to its promise. It even forewarns you that you will need to have some minimum of experience and knowledge, before trying their recommendations. Refreshingly written, about a subject that could have been extremely boring. Recommended reading.