CISSP · Question #755
By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
The correct answer is B. opportunity to sniff network traffic exists.. Running SAN storage communications over TCP/IP (iSCSI) introduces standard network-layer security risks, most notably the ability to passively intercept unencrypted storage traffic.
Question
By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
Options
- Aconfidentiality of the traffic is protected.
- Bopportunity to sniff network traffic exists.
- Copportunity for device identity spoofing is eliminated.
- Dstorage devices are protected against availability attacks.
How the community answered
(45 responses)- A4% (2)
- B84% (38)
- C9% (4)
- D2% (1)
Why each option
Running SAN storage communications over TCP/IP (iSCSI) introduces standard network-layer security risks, most notably the ability to passively intercept unencrypted storage traffic.
Running storage communications over TCP/IP does not inherently protect confidentiality; without additional encryption mechanisms like IPsec, the traffic is transmitted in cleartext and is vulnerable to interception.
When SAN traffic travels over standard TCP/IP networks using protocols like iSCSI, it is subject to the same passive interception risks as any other IP-based traffic. Without encryption (such as IPsec or TLS), an attacker with access to the network path can use a packet sniffer to capture raw storage I/O data, including sensitive file contents and credentials, because the traffic is not inherently confidential at the transport layer.
TCP/IP-based SANs are actually more susceptible to identity spoofing attacks (such as iSCSI initiator name spoofing) compared to Fibre Channel SANs that use WWN zoning, so the opportunity for spoofing is not eliminated.
Placing storage communications on TCP/IP networks exposes storage devices to network-based availability attacks such as Denial of Service (DoS), meaning availability protection is not provided and may in fact be reduced compared to isolated SAN fabrics.
Concept tested: IP-based SAN security risks and vulnerabilities
Source: https://csrc.nist.gov/publications/detail/sp/800-209/final
Topics
Community Discussion
No community discussion yet for this question.