Wanted to do something different, kind of like a repository of useful tips I’ve acquired along the way and put them all in one distilled location.
Below are some pointers around storage:
- Use Hardware RAID when posssible
- Use Out-of-Band storage switches whenever possible
- Make use of CHAP for security
- Shutdown all unused ports
- Control storage with Active/Active uplinks from the storage array into your upstream storage switch but then configured the uplinks into your hypervisors to use them in a flipped manner with each having the active uplink being inverse with the standby link; this way if the primary and secondary storage switch ever goes offline storage never loses data
- Use SSD Caching whenever possible
- For iSCSI use a separate vLAN for iSCSI traffic
- For iSCSI don’t forget to set the uplink ports to a MTU of 9000
- Bouncing off 5 above, ensure multiple paths ot storage and to upstream servers/hypervisors
- Enable AES-256 encryption at-rest whenever possible
- Ensure Complex and long passwords, 20+ character long; usually best to use 6 completely random words with a number and special character
- Use 2FA on storage appliance logins, whenever possible
- Change management to always use HTTPS.
- Change HTTP and HTTP port from the default to an extremely high port
- Ensure storage arrays are hardened as best as possible from factory defaults
- Ensure storage arrays have redundant power
- Ensure power supplies are phased across two different UPS’s whenever possible
- Place clear scotch tape on all drive bay latches to ensure drives haven’t been tampered
- Ensure storage arrays and FC/iSCSI switches are locked at all times in a server cage
- Make use of Tiered storage if possible
- Ensure Storage arrays are patched, but also ensure patched levels work with upstream servers and/or hypervisor current versioning before upgrading firmware; plan for firmware rollbacks in the event of LUN presentation issues
- Take note that iSCSI uses port 3260 by default
- Take note of your IQN name of your LUN’s
- Use 10G when possible for ISCSI, 1G will work for most server loads, but 10G or higher is recommended as of 2/16/20
- Use RAID 10, 50 for virtualization storage arrays
- Use RAID 60 if your using your storage array for Backups only
- Don’t ever use RAID 0 in a storage array, also avoid RAID 5 and RAID 6
- For FC ensure you make use of Soft/Hard Zoning; quickly, this means that you present desired storage arrays Host Bus Adapter (HBA) to be presented to specific servers HBA based on the WWN (World Wide Name) that you want each of them to see. Imagine for a second you place your hand on your left eye, you can only see stuff out of your right eye (pretend); this is kind of how zoning works. Your basically just presenting the storage array you want specific hosts/servers to see. Soft zoning basically places WWN’s in a “soft” security group “zone” without assigning them to a specific switch port, meanwhile Hard zoning is set on the FC switch with “hard” mappings of the WWN to a dedicated security group switch port “zone” hard-coded to specific ports on the FC switch. Zoning in many ways works just like a vLAN does for ports. Zoning can be used by iSCSI (vLAN-based) as-well as FC.
- For FC ensure you make use of LUN Masking; quickly this is slightly different than Zoning, (recap) as Zoning is meant for control from the WWN on the HBA of the storage arrays, thru the FC switch, and into the WWN of the HBA of server/host; LUN Masking is controlled on the storage array itself. Using the same concept of Zoning you can go deeper. LUN Masking allows you to “mask” LUN’s in the storage array to specific WWN’s and allows only those WWN’s to see the masked LUN.
- Please for the love of god, don’t place a management tap from a production network into a Out-of-Band storage fabric. In the event of a network breach you want to ensure storage is isolated from the rest of the network.