New Security Requirements for IP Management Ports in Storage Networks Announced by the SNIA SSIF
New best practices aim to lower threat levels of networked storage
PHOENIX, AZ (April 7, 2004) – The Storage Networking Industry Association (SNIA) Storage Security Industry Forum (SSIF) today announced new best practices for securing IP management ports in storage networks for end users.
Developed in cooperation with the SANS Institute, the “Minimum Security Requirements and Best Practices for IP Management Ports in Storage Networks” technical note outlines critical features end users should request from their storage network suppliers to ensure the products purchased are designed to minimize security vulnerabilities and threats from common IP network sources. These vulnerabilities and threats include the hacking or hijacking of IP ports, unauthorized access, operating system vulnerabilities, viruses and spoofing, among others.
“As storage area networks scale in size and reach, end users unknowingly open up their data center to more vulnerabilities and threats than they may have fully understood to date,” stated Mike Alvarado, chair, SNIA SSIF. “Many end users have used separate data center management networks that are not connected to the corporate network, which has been a reasonable solution. What has changed is that this separation has become less effective as more storage networks and devices are directly connected to global data networks.
To address this issue, the SSIF has generated a technical note which applies current best practices from the IP security arena to storage networking devices for the purpose of improving infrastructure security.”
Specific recommendations for user requirements include:
Require RFQs to describe how storage products are hardened to remove vulnerabilities from IP-based threats.
Ask vendors to provide a statement regarding if and when their products will comply with industry security recommendations.
Ask the vendor about their certification process to validate that their products do not have IP security vulnerabilities.
The new technical note also includes recommendations for testing methodology for both vendors who are designing and testing new products, and independent third-party companies with expertise in IP port testing and product certification.
To access the new SNIA SSIF technical note, visit http://www.snia.org/ssif.
About the SNIA SSIF
Formed in July 2002 in response to member and end user requests, the SSIF is a customer- and market-focused vendor consortium dedicated to increasing the availability of robust storage security solutions. The Forum will fulfill its mission by working closely with end users and vendors to identify the best practices on how to build secure storage networks and promote these standards-based solutions throughout the industry. For more information, visit the SNIA SSIF Web site at http://www.snia.org/ssif.
About the SNIA
The Storage Networking Industry Association (SNIA) is a not-for-profit organization, made up of more than 300 companies and individuals spanning virtually the entire storage industry. SNIA members share a common goal, to advance the adoption of storage networks as complete and trusted solutions. To this end, the SNIA is uniquely committed to delivering standards, education and services that will propel open storage networking solutions into the broader market. For information, visit the SNIA Web site at http://www.snia.org.