This page provides the security best practices for using using Proxmox with FlashArray over NVMe-TCP.
Network Isolation
Best Practices:
- Never route storage traffic through the management network.
- Use dedicated VLANs or physical networks for storage.
- Do not use the default gateway on storage interfaces.
- Implement firewall rules to restrict storage network access.
Access Control
# Storage array configuration (example)
# - Register only authorized host NQNs
# - Use CHAP authentication if supported
# - Implement IP-based ACLs on storage array
# Verify host NQN is registered
cat /etc/nvme/hostnqn
# Example: nqn.2014-08.org.nvmexpress:uuid:12345678-1234-1234-1234-123456789abc
Access Control Checklist:
- Only register authorized host NQNs on the storage array.
- Isolate the storage network isolated from public networks.
- Implement firewall rules to restrict access to storage ports.
- Perform a regular audit of authorized hosts.
Security Monitoring
# Monitor for unauthorized connection attempts
journalctl -u nvmf-autoconnect -f
# Check active connections
nvme list-subsys
# Audit network connections
ss -tn | grep :4420