With ransomware and other threats increasingly targeting NAS appliances, it is more important than ever to make sure that your NAS devices are configured in a way that adheres to established security best practices. This article outlines some of the most important things that you should be doing to secure NAS appliances.
Take a hard (and hard-wired) look at authentication.
The first thing you need to do to secure NAS devices is take a hard look at your system for handling passwords and authentication. At the very least, any privileged accounts that are built into the appliance should be renamed (if possible), and the default password should be changed to something much stronger.
If users, processes or applications need direct access to data that is stored on a NAS appliance, consider using an external directory service to handle the authentication process rather than relying solely on the authentication engine that is built into the NAS appliance. An external directory service is likely to be more secure than any type of authentication engine built directly into an appliance because vendors who produce enterprise-grade directory service software frequently release patches to address newly discovered security vulnerabilities. Appliance vendors also release patches, of course, but far less frequently. Additionally, a software-based directory service can often be configured at a far more granular level than an authentication engine that is integrated into an appliance.
There is one other approach that is sometimes used for handling authentication and access control to secure NAS devices. While this approach has the potential to dramatically strengthen security, issues such as operational requirements, hardware limitations and costs may prevent its use: Rather than allowing a storage appliance to be directly accessible over a network, consider hard-wiring the appliance to a network file server instead. In my own organization, for example, my storage appliances are connected directly to Windows servers rather than being attached to network switches.
With this approach to secure NAS devices, the file server acts as a gatekeeper for the storage appliance. Since the appliance is not connected directly to the network, it is not as easily discoverable to hackers, and attacks that are designed specifically to target NAS appliances will generally fail because those attacks have no way of directly accessing the appliance.
In addition, placing a storage appliance behind a file server makes it easier to secure the communications going to and from the appliance. Since all communication is going across a dedicated connection using one specific protocol, it becomes very easy to block any other protocols that might be used.
Make accommodations for firmware updates.
As previously mentioned, NAS vendors do periodically release firmware updates, so it is important to make sure you have a system in place for determining when new firmware updates have been released, testing those updates and applying them in a timely manner.
If your organization has adopted the practice of connecting storage appliances directly to file servers rather than linking them to network switches, then you will need to have an architecture in place that will allow you to temporarily link the appliances to an isolated management network whenever firmware updates or other types of maintenance are required. This link can and should be disconnected whenever it is not in use.
Disable unused services.
Another important thing to do to secure NAS devices is to disable any unused services or features that are built into the appliance. This helps to reduce the appliance’s attack surface. For example, some NAS appliances can function as streaming media servers or can be set up to provide remote file access through a built-in Web server. If you don’t need one or both of those features, turn them off.
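One way to confirm that unused services really are off is to check which TCP ports the appliance still answers on and compare them with the short list you actually need. The script below is an added example, not part of the original article or any vendor's tooling; the port-to-service table lists common defaults and is an assumption, as are the sample scan result and the placeholder address.

```python
import socket

# Common default TCP ports for services found on NAS appliances (assumption:
# your appliance may use different ports; check the vendor documentation).
KNOWN_SERVICES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP (web UI / remote file access)",
    443: "HTTPS (web UI / remote file access)", 445: "SMB", 548: "AFP",
    873: "rsync", 2049: "NFS", 3260: "iSCSI", 8200: "DLNA media server",
}

def probe(host, ports, timeout=0.5):
    """Return the set of TCP ports on host that accept a connection."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:  # refused, filtered or timed out: treat as closed
            pass
    return open_ports

def audit(open_ports, required):
    """Compare listening ports with the ports the deployment requires."""
    open_ports, required = set(open_ports), set(required)
    return {
        # Listening and needed: nothing to do.
        "expected": sorted(open_ports & required),
        # Listening but not needed: candidates to switch off on the appliance.
        "disable": [(p, KNOWN_SERVICES.get(p, "unknown service"))
                    for p in sorted(open_ports - required)],
        # Needed but not listening: a misconfiguration or a wrong allowlist.
        "missing": sorted(required - open_ports),
    }

if __name__ == "__main__":
    # Constructed scan result: an appliance that should only serve SMB but
    # still has its web server and media server enabled.
    observed = {80, 443, 445, 8200}
    report = audit(observed, required={445})
    for port, name in report["disable"]:
        print(f"port {port} ({name}) is listening but not required: disable it")
    for port in report["missing"]:
        print(f"port {port} is required but not listening")
    # Live check of your own appliance (192.0.2.10 is a placeholder address):
    # report = audit(probe("192.0.2.10", KNOWN_SERVICES), required={445})
```

Run it again after each firmware update, since an update can re-enable a service that was previously turned off.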
Take advantage of built-in security features.
Finally, be sure to take advantage of any security features that are built into your storage appliance. As a best practice, you should use any available security mechanism, even if it seems unnecessary.
Earlier, I mentioned that some NAS appliances can be directly attached to a file server, thus preventing them from being generally accessible over the network. In my organization, for example, NAS appliances are connected to Windows servers using a pair of 10 Gb Ethernet connections. These connections go directly from the server to the storage appliance, and are not connected to a network switch. Even so, I still make use of the firewall that is built into the NAS appliance. It might not be necessary to use a firewall on a dedicated connection, but there is no harm in leaving it enabled, and it may serve as an extra line of defense in the event that my network ever suffers a serious attack.
Likewise, my NAS devices are configured with strong passwords and are configured to block traffic flowing from any unauthorized IP addresses, even though there is little chance that the appliances will ever be connected to anything other than the file servers to which they are attached.
These are just some of the more important things that you can do to secure NAS appliances. There may be other options depending on the make and model of the appliance that you are using. For example, higher-end appliances sometimes include mechanisms for creating immutable snapshots, blocking denial-of-service attacks, or detecting and blocking ransomware.