SAN Storage in a DMZ. Oh boy.
In our shop the need arose for the internet-facing infrastructure to be renewed.
So we also planned on serving SAN storage to those servers.
The internet-facing infrastructure requires the highest possible security considerations, like it does in all shops. I almost instantly started thinking about the security aspects of my SAN on the DMZ servers.
What if someone was able to hack into one of those DMZ servers? What would he be able to do?
Could he further hack into our shop through the SAN? I almost certainly know that he would have to be better than Neo in order to do so! But I don't have the illusion that it can't be done.
We have port zoning in place, and all the N_ports are zoned separately. So no N_port can see another N_port.
We run almost all security features available in the SAN, without telling you which ones. The storage systems all do WWPN-based LUN mapping. One would tend to think it is pretty safe. But what can an uninvited guest actually do? Can he submit SCSI commands into a SAN in order to gain access to LUNs he shouldn't have access to? Can he do anything in order to compromise a SAN, regardless of the type of SAN or storage one runs in their shop?
These are questions I don't have answers to. I can only kind of guesstimate that the chance it happens is small. But still...
So I formally sent these questions to our SAN and storage vendors, just to see what their formal statements were...
Guess what. No one has replied yet. It almost seems like they have no idea either.
If anyone else has any thoughts on this matter, please let me know. I am very curious. I've opened a topic in the forum to discuss this subject.