S 2.357 Setting up an administration network for storage systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The administration and monitoring of resources such as SAN or NAS components on which high security requirements are placed must be implemented appropriately. The design of a separate LAN used solely for administrative purposes is often the clearest, most effective, and most economical way to meet these requirements. The PCs stationed in this administration network are used solely to administer the critical components.
In general, only secure protocols (ssh instead of telnet, https instead of http) should be used for administration in this network. However, the logical, or even physical, separation of this administration network from the production network makes the use of insecure protocols tolerable, in particular SNMP version 1, which is still almost unavoidable in many production environments.
Conception/planning
- A very simple design of such a network can begin by putting a separate switch into operation.
- All clients of the administrators are connected to the administration network through their own network connection.
- All servers and systems with high security requirements (active network components, storage systems) are equipped with an additional network connection and are thus connected to the administration network.
- Whenever possible, administration access to the operating system and application software on the servers should be bound exclusively to the server's address in the administration network.
Private addresses (as described in RFC 1918) should be used in the administration network. Such addresses are not routed through "official" networks, which means that a connection to an official network, if such a connection should become necessary, always requires NAT (Network Address Translation) and additional safeguards implemented by a firewall.
In the administration network, the time should be synchronised on all IT components using an NTP server. This makes assessing logs easier and allows incidents affecting several components to be correlated across those components.
The resources available for the complete installation of a storage system must be determined. This includes both the personnel resources necessary to create and implement a concept and to operate the network, and the financial resources required to accomplish this.
The results must be documented accordingly.
It must also be examined whether additional monitoring measures need to be implemented in the administration network. For example, the use of a network IDS (intrusion detection system) additionally allows the network to be monitored for unauthorised activities.
Likewise, a central logging instance could be established in such a network so that this instance, operating as a central log server, manages the log data from all servers and storage systems. It must be noted that such special measures may need to be coordinated with the staff or works council.
If the design of the administration network is complex, then module S 4.1 Heterogeneous networks should be consulted for the design and testing.
Implementation
It must first be examined how a production network and the servers and other devices stationed in it (active network components, storage systems) can be extended by adding an administration network.
You must first go through the safeguards S 2.139 Survey of the existing network environment and S 2.140 Analysis of the existing network environment. After that, the network communication requirements placed on the administration network to be installed must be determined, and the protection requirements of the new network must be defined.
The protection requirements of the administration network are to be derived from the existing IT procedures to be administered over this network.
Operation
When test operations are initiated, a test of the security precautions must be performed; its results become the basis of the operational documentation for this network. Typical questions to be answered by such a test include:
- Is the administration network completely separated from the production network?
- Are secure services (secure shell, https) used wherever possible? Have the insecure versions of these services (telnet, http) been disabled on the devices administered?
- Is it documented and easy to determine where the use of insecure services is unavoidable?
- Have all default IDs and passwords on the PCs, servers, active network components etc. been changed?
Productive operations can be started after that.
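As an added illustration that is not part of the safeguard text, the following Python script runs the test questions above (separation, secure services, documented exceptions, changed defaults, plus the RFC 1918 and NTP requirements from the planning section) over a constructed device inventory; the address plan, NTP server, inventory fields and service names are assumptions.

```python
import ipaddress

# RFC 1918 private address space, as required for the administration network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Insecure services named in the safeguard and their secure replacements.
INSECURE = {"telnet": "ssh", "http": "https", "snmpv1": "snmpv3"}
ADMIN_NET = ipaddress.ip_network("10.250.0.0/24")  # assumed administration network
ADMIN_NTP = "10.250.0.1"                            # assumed NTP server in that network

# Constructed inventory (assumed format): which management services each device
# exposes and on which address, its time source, and its documented exceptions.
INVENTORY = [
    {"name": "san-switch-1", "ntp": "10.250.0.1", "defaults_changed": True,
     "listeners": [("ssh", "10.250.0.10"), ("https", "10.250.0.10"), ("snmpv1", "10.250.0.10")],
     "documented_exceptions": {"snmpv1"}},   # SNMPv1 tolerated because it is documented
    {"name": "nas-head-2", "ntp": "pool.ntp.org", "defaults_changed": False,
     "listeners": [("ssh", "10.250.0.11"), ("https", "192.0.2.11"), ("telnet", "10.250.0.11")],
     "documented_exceptions": set()},
]


def audit_device(dev):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    for service, addr in dev["listeners"]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918):
            findings.append(f"{service} on {addr}: not a private (RFC 1918) address")
        if ip not in ADMIN_NET:
            findings.append(f"{service} on {addr}: management service reachable "
                            "outside the administration network")
        if service in INSECURE and service not in dev["documented_exceptions"]:
            findings.append(f"{service} enabled without documented exception; "
                            f"use {INSECURE[service]} instead")
    if dev["ntp"] != ADMIN_NTP:
        findings.append(f"time source {dev['ntp']} is not the administration network NTP server")
    if not dev["defaults_changed"]:
        findings.append("default IDs/passwords have not been changed")
    return findings


def audit(inventory):
    """Map each device name to its findings, for the test documentation."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```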
Disposal
If PCs or other hardware are removed from the network or just taken off the network for a while for repairs, then it must be ensured that no internal information (passwords, log files, internal documents etc.) is stored on the hardware.
Contingency planning
A contingency plan must be available so that the operation of the productive network is guaranteed even when the administration network fails.
Review questions:
- Does the administration and monitoring of the storage system meet the security requirements of the storage system?
- Is a synchronised time ensured for all components of the administration network?
- Are the security precautions tested during the test operations of the administration network and are the test and the results documented?
- Is a contingency plan available so that the productive network can still be operated if the administration network fails?