Storage threats

There are many different types of storage that can be used by VMware vSphere; however, for the purposes of this brief explanation of storage threats, we will focus on storage area networks (SAN) and network-attached storage (NAS). From a protocol perspective, Fibre Channel and Internet Small Computer System Interface (iSCSI) will be briefly reviewed in the context of which threats and potential vulnerabilities they bring to the risk equation.

In the past, there was a clear delineation between SAN storage and NAS, but in recent years, high-performing devices have become much more popular for small- and medium-sized businesses. Likewise, most enterprises that historically used Fiber Channel exclusively now tend to have some iSCSI in their storage environment. Both protocols are inherently insecure on their own. In the case of Fiber Channel, sending information in clear text would seem to be the major risk; however, this is mitigated largely due to the physical characteristics of the fiber that the data passes over. That's not to say that Fiber Channel can't be exploited, but the nature of its closed-loop system makes it a lower risk.

iSCSI, on the other hand, uses the same RJ-45 network cables and physical switches that the normal IP traffic utilizes within the network. Without a proper process for securing iSCSI, traffic is very vulnerable to attack and exploit. It's crucial to isolate iSCSI traffic in order to separate switches or by VLAN. Additionally, the use of Challenge Handshake Authentication Protocol (CHAP) authentication will ensure that only approved iSCSI endpoints can communicate with the storage system.