Security Best Practices for Using Proxmox with FlashArray over NVMe-TCP

Proxmox

Audience
Public
Source Type
Documentation

This page provides the security best practices for using using Proxmox with FlashArray over NVMe-TCP.

Network Isolation

Best Practices:

  • Never route storage traffic through the management network.
  • Use dedicated VLANs or physical networks for storage.
  • Do not use the default gateway on storage interfaces.
  • Implement firewall rules to restrict storage network access.

Access Control

# Storage array configuration (example)
# - Register only authorized host NQNs
# - Use CHAP authentication if supported
# - Implement IP-based ACLs on storage array

# Verify host NQN is registered
cat /etc/nvme/hostnqn
# Example: nqn.2014-08.org.nvmexpress:uuid:12345678-1234-1234-1234-123456789abc

Access Control Checklist:

  • Only register authorized host NQNs on the storage array.
  • Isolate the storage network isolated from public networks.
  • Implement firewall rules to restrict access to storage ports.
  • Perform a regular audit of authorized hosts.

Security Monitoring

# Monitor for unauthorized connection attempts
journalctl -u nvmf-autoconnect -f

# Check active connections
nvme list-subsys

# Audit network connections
ss -tn | grep :4420