HP StorageWorks sets the bar for iSCSI SAN server security
Our testing of iSCSI SAN servers show they all handle basic functions as advertised. But we had to dig deeper into other enterprise features offered — such as security, high availability, and expandability -- to find bigger differentiations between the products.
We looked for the same level of security management and secure design in iSCSI storage systems as we would for any other critical network component. But we were sorely disappointed.
Don't Miss!Download the latest Network World Executive Guide - Executive Guide: Data Center Decisions
Something as simple as having a strict separation between management and data planes would be basic to these products, we thought, but less than half of the products tested – D-Link's DSN-3200-10, HP's StorageWorks 2012i, NetApp's FAS2050, NexSan's SATABeast and StoneSly's Storage Concentrator – have the ability to completely separate data and management.
How about encrypted management traffic? Most products supported that, although with some, enabling SSL was optional while with others it was very difficult to enable at all. Kano's NetCOR 7500 and Nexsan's SATABeast simply don't support SSL. The SATABeast was even more frightening: it runs, by default, without any username or password required for management.
And in another security faux pas, we found many products listening on Telnet ports that couldn't be disabled.
Our general conclusion is that the storage industry somehow thinks that because its products are sitting inside the corporate firewall that they're safe. They should rethink that point very carefully.
We did run into a few occasional security high points, though, such as delegated levels of system management offered in the Compellent StorageCenter and the NetApp FAS2050. But the only product in our test that easily met basic requirements for control security — a separate control plane, ability to enable/disable management services and encrypted management — was the HP StorageWorks 2012i. Next up was the NetApp FAS2050, which had many of the same features, but made them so difficult to use, that many managing this system would not bother to use them correctly. For example, controlling SSL and Secure Shell access — something HP facilitated with two check boxes within its Network Management GUI screen — takes NetApp 20 pages of documentation to describe.
On the data security side, we — thankfully — had a better experience in spite of the fact that the iSCSI protocol is a particularly dangerous one for most enterprises because of its "discovery" mechanism. This mechanism is a way for an iSCSI initiator to discover all of the virtual disks that an iSCSI target is advertising. Discovery makes it easy for an inattentive administrator to accidentally — or purposefully — attach a server to a virtual disk that they shouldn't, potentially causing data corruption or information leakage. An iSCSI storage system must have a clear security model that makes it easy for the storage administrator to unambiguously apply controls on which systems can connect to which virtual disks.