Fibre Channel security.


Until recently, storage area networks have largely served departmental storage needs. With no outgoing pipes and limited LAN connections, these SANs were secure by default. Now companies are increasingly consolidating their departmental SANs into large centralized storage networks. However, as centralized SANs become more popular, they are more at risk for security breaches, both from humans and from the nature of SANs' any-to-any connectivity. Brandon Hoff, strategic marketing manager for security at McData, commented on consolidation, "To do this we're punching holes in the data center. We're also putting more information using more ports." Security threats against Fibre Channel can be loosely divided into two camps: machine-based and human.

Protecting the SAN Against Itself

The very capacity that makes SANs ideal for storage networking--the ability to make any-to-any connections--makes it possible for application servers to see all storage devices on the SAN at the same time, and even to blithely overwrite each other on the same disks. This is generally considered a bad thing, so storage administrators must protect against this all-seeing problem by zoning and LUN masking.

Zoning:

* Provides barriers between devices that use different operating systems. Windows NT, for example, grabs every bit of storage it sees unless it's been zone-restricted.

* Protects confidential data by enabling access rights for specific user groups.

* Segments groups of devices from other devices in the fabric. This allows storage administrators to carry out installations, testing, and upgrades on segmented devices without impacting other zones.

Fabric switches provide hardware- or software-based zoning by segregating nodes by several different categories, including address, physical port or name. This leaves zone members with any-to-any connectivity, while leaving non-members in the dark. Hardware-based zoning includes hard zoning, which links ports on the fabric, and soft zoning, which uses the WWN (World Wide Name) of the fabric-connected Fibre Channel devices. (FalconStor asserts that port zoning is easier to implement but not as flexible as WWN zoning, since with hard zoning storage administrators must reconfigure a zone whenever a SAN Fibre Channel device changes its switch port.) Soft zoning can follow a Fibre Channel device when it is moved between ports. Software-based zoning may use the switch-based Simple Name Server (SNS), which defines zone members using the World Wide Node Name and World Wide Port Name. In this case, when a host accesses the SAN to request available storage devices, the SNS will return only those devices the host is allowed in the zoning table.

Port-type controls ensure that switches automatically sense a connection type when receiving an enabling command. This procedure distinguishes between a generic switch port (G-port), a fabric port (F-port), or an E-port, where two switches are connected. A port-type configuration allows the storage administrator to restrict a switch to a particular kind of port, which protects storage ports from inadvertent or malicious misuse--for example, attempting to change a network topology by connecting two G-ports to make an E-port. Port-type controls would disable the commands unless they were accompanied by stringent authentication protocols.

Zoning also protects storage networks from failure during new equipment deployment and testing. Administrators can secure the network by using switches to segment it into zones such as management traffic or testing segments. This ability is particularly helpful to system integrators because it allows them to lock down their customer's fabric against inadvertent changes when installing new network components. It is then a simpler and safer matter to grant access to the integrator installing and testing new equipment on a working SAN.

LUN masking adds a further level of protection against errant hosts attempting to bypass the SNS. LUN masking controls access to individual storage devices on the SAN at the component level; LUN masking could make a host turn a blind eye to a subset of disks on a single array, or to specific tape drives in a tape library. Like zoning, LUN masking can use both hardware- and software-based approaches, working through hardware devices like routers and controllers, or through code residing on hosts. Since LUN masking is labor-intensive, it is most appropriate for smaller SANs.
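The two layers described above, zoning at the fabric name server and LUN masking at the array, can be modelled end to end. The following Python is an added example written for this page, not any switch or array vendor's code; the WWNs, port numbers, LUN numbers and the Fabric/Array classes are constructed for illustration. It shows what a host gets back from the SNS under a WWN (soft) zone versus a port (hard) zone, that only the WWN zone survives re-cabling the host to a different port, and that an array's mask can still hide LUNs from a host that zoning let through.

```python
"""Toy model of two SAN access-control layers: fabric zoning (what the
name server reveals to a host) and array-side LUN masking (which LUNs an
array exposes to a host that reaches it). Constructed example; not any
vendor's implementation. WWNs, ports and LUN numbers are made up."""
from dataclasses import dataclass, field


@dataclass
class Device:
    wwn: str    # World Wide Name of the device's port
    port: int   # switch port it is currently cabled to
    kind: str   # "host" or "storage"


@dataclass
class Fabric:
    devices: dict = field(default_factory=dict)     # wwn -> Device
    wwn_zones: list = field(default_factory=list)   # soft zones: sets of WWNs
    port_zones: list = field(default_factory=list)  # hard zones: sets of ports

    def connect(self, dev):
        self.devices[dev.wwn] = dev

    def move(self, wwn, new_port):
        """Re-cable a device to a different switch port."""
        self.devices[wwn].port = new_port

    def sns_query(self, host_wwn):
        """Simple Name Server: return only storage WWNs that share a zone
        with the requesting host. A WWN zone follows the device across
        ports; a port zone is tied to the physical port."""
        host = self.devices[host_wwn]
        visible = set()
        for zone in self.wwn_zones:
            if host_wwn in zone:
                visible |= {w for w in zone if w != host_wwn}
        for zone in self.port_zones:
            if host.port in zone:
                visible |= {d.wwn for d in self.devices.values()
                            if d.port in zone and d.wwn != host_wwn}
        return sorted(w for w in visible if self.devices[w].kind == "storage")


class Array:
    """Storage array with a LUN-masking table: host WWN -> allowed LUNs."""
    def __init__(self, wwn, luns):
        self.wwn, self.luns, self.masks = wwn, set(luns), {}

    def mask(self, host_wwn, luns):
        self.masks[host_wwn] = set(luns)

    def report_luns(self, host_wwn):
        # A host with no mask entry sees nothing, even if zoning reached the array.
        return sorted(self.luns & self.masks.get(host_wwn, set()))


def visible_luns(fabric, arrays, host_wwn):
    """Combine both layers: a LUN is visible only if zoning reveals the
    array AND the array's mask grants that LUN to this host."""
    reachable = fabric.sns_query(host_wwn)
    return {a.wwn: a.report_luns(host_wwn) for a in arrays if a.wwn in reachable}


def build_demo():
    """Constructed fabric: one NT host in a WWN zone with a disk array,
    one UNIX host in a port zone with a tape drive."""
    fab = Fabric()
    nt = Device("10:00:00:00:00:00:00:a1", 1, "host")
    unix = Device("10:00:00:00:00:00:00:b2", 2, "host")
    arr = Device("50:00:00:00:00:00:00:c3", 3, "storage")
    tape = Device("50:00:00:00:00:00:00:d4", 4, "storage")
    for d in (nt, unix, arr, tape):
        fab.connect(d)
    fab.wwn_zones.append({nt.wwn, arr.wwn})   # soft zone by WWN
    fab.port_zones.append({2, 4})             # hard zone by switch port
    array = Array(arr.wwn, luns=[0, 1, 2, 3])
    array.mask(nt.wwn, [0, 1])                # NT host may use LUNs 0-1 only
    return fab, [array], nt.wwn, unix.wwn, tape.wwn


if __name__ == "__main__":
    fab, arrays, nt, unix, tape = build_demo()
    print(visible_luns(fab, arrays, nt))   # array reachable, LUNs 0 and 1 only
    fab.move(nt, 7)                         # re-cable NT host: WWN zone follows it
    print(fab.sns_query(nt))
    fab.move(unix, 8)                       # re-cable UNIX host: port zone does not
    print(fab.sns_query(unix))
```

The port-zone loss after `move()` is the FalconStor point quoted above: with hard zoning the administrator has to edit the zone whenever a device changes switch port, whereas the WWN zone keeps working. The `Array.report_luns` default of an empty set is the behaviour a practitioner wants from masking: an unlisted host sees no LUNs rather than all of them.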

Human Threats

When a human being presents a threat, most people immediately picture shadowy outlaw hackers. However, company employees present much greater threats than outsiders--many a SAN has been damaged by inexperienced storage administrators, and the FBI claims that 75 percent of losses from security breaches are from internal sources. In spite of real security threats from ignorance or malice, Fibre Channel security against external attacks is not as mature as messaging network security. Hoff said, "Security for storage networks is new because most people, three or five years ago, didn't know about them. New networks are hard to hack because you don't know how." As more people find out how to hack into storage networks, they publicize vulnerabilities over the Internet and other hackers attempt to exploit that knowledge. Storage administrators may not even have known about the original intrusion because the hacker left no traces, but suddenly the network is suffering thousands of attempts.

According to Hoff, the good news is that 90 percent of security hacks can be solved with correct security measures. For example, McData's SANtegrity Authentication uses the open-protocol DH Challenge Handshake Authentication Protocol (CHAP) to enable updated storage networking security features. The Fibre Channel Security Protocol standards group (Fibre Channel-SP) had recommended CHAP as the security standard in Fibre Channel storage networks, and the IETF has mandated it for iSCSI gateways. Authentication protocols are important for Fibre Channel security because the fabric depends heavily on name-based servers. Service requests reach each type of server using ANSI-specified client interfaces. Authentication schemes can use ANSI (American National Standards Institute) standards to define access control. For example, CT authentication is based on client interfaces that include security headers in the request. If a request lacks the security header--for example, a spoofing attack with an authentic login but no accompanying header--it will be denied.
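The challenge-handshake idea behind the CHAP recommendation can be shown with both sides of the exchange in code. This Python is an added example for this page, not McData's SANtegrity or the FC-SP DH-CHAP wire format: the Diffie-Hellman augmentation and FC-SP message framing are omitted, and SHA-256 stands in for the hash the standard names. The Switch and Node classes, WWNs and secrets are constructed. It demonstrates the three properties that matter: a node holding the shared secret logs in, a node that knows only the victim's login name (WWN) is refused, and a captured response cannot be replayed against a fresh challenge.

```python
"""Simplified CHAP challenge-response between a Fibre Channel node (the
claimant) and a fabric switch (the authenticator). Constructed example;
DH augmentation and FC-SP framing omitted, SHA-256 used in place of the
standard's hash. WWNs and secrets are made up."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP response: hash over identifier || shared secret || challenge."""
    return hashlib.sha256(bytes([ident]) + secret + challenge).digest()


class Switch:
    """Authenticator: holds one shared secret per node WWN."""
    def __init__(self, secrets):
        self.secrets = secrets   # wwn -> secret bytes
        self.pending = {}        # wwn -> (ident, challenge) awaiting a reply
        self.ident = 0

    def challenge(self, wwn):
        # Message 1: a fresh random challenge per login attempt, so an old
        # response is useless against the next attempt.
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)
        self.pending[wwn] = (self.ident, chal)
        return self.ident, chal

    def verify(self, wwn, ident, response):
        # Message 2 check: unknown WWN or no outstanding challenge -> refuse.
        if wwn not in self.secrets or wwn not in self.pending:
            return False
        exp_ident, chal = self.pending.pop(wwn)   # one-shot: consumed on use
        if ident != exp_ident:
            return False
        expected = chap_response(ident, self.secrets[wwn], chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Node:
    def __init__(self, wwn, secret):
        self.wwn, self.secret = wwn, secret

    def login(self, switch):
        ident, chal = switch.challenge(self.wwn)      # receive challenge
        resp = chap_response(ident, self.secret, chal)
        return switch.verify(self.wwn, ident, resp)   # send response


def run_exchanges():
    """Genuine login, spoofed login (right WWN, wrong secret), and replay."""
    real_secret = b"constructed-secret-1"
    switch = Switch({"10:00:00:00:00:00:00:a1": real_secret})
    genuine = Node("10:00:00:00:00:00:00:a1", real_secret)
    spoofer = Node("10:00:00:00:00:00:00:a1", b"guess")   # knows login, not secret
    results = {"genuine": genuine.login(switch), "spoofed": spoofer.login(switch)}
    # Replay: a response captured from one exchange presented to a new challenge.
    ident, chal = switch.challenge(genuine.wwn)
    captured = chap_response(ident, real_secret, chal)
    switch.verify(genuine.wwn, ident, captured)      # the original, valid use
    ident2, _ = switch.challenge(genuine.wwn)
    results["replayed"] = switch.verify(genuine.wwn, ident2, captured)
    return results


if __name__ == "__main__":
    print(run_exchanges())   # genuine True, spoofed False, replayed False
```

The `pending.pop` and the per-attempt random challenge are what make a stolen login name insufficient on its own: the attacker described in the next section who "uses a legitimate login" still has to produce a response over a challenge they have never seen, which requires the secret.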

Most hacker attacks consist of the following procedures: denial-of-service (DoS), man-in-the-middle, spoofing and hijacking. DoS attacks prevent authorized users from getting to their data, and can include such activities as issuing repeated login requests, destroying or degrading network paths by changing fabric topology, and overloading resource maps. Hackers also use man-in-the-middle attacks to present an address as an existing legitimate switch. As soon as data starts to flow to the "switch," the attacker can read, download or change the forwarded data. He then sends the data on to the real switch. Spoofing uses a legitimate login to request services and data from the storage network. Hackers can gain access to logins through previous unauthorized entry, through automated login search functions, or through old-fashioned user laziness--many network administrators never change their login and freely share it. Hijacking is a version of spoofing where the hacker can commandeer and control an existing authentic session.
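Two of the patterns above leave traces a storage administrator can look for in switch logs: a flood of repeated fabric login requests (the DoS variant), and a legitimate login name turning up on a switch port where that device has never been cabled (a sign the login is being spoofed). The following Python is an added detection example for this page, not a vendor tool; the log line format, WWNs, inventory table and thresholds are constructed and would need to be adapted to a real switch's syslog output.

```python
"""Detection over constructed switch log lines for two patterns described
above: a burst of repeated fabric logins (DoS) and a known WWN logging in
from an unexpected switch port (possible spoofing). Added example; the
log format, WWNs and thresholds are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<timestamp> FLOGI port=<n> wwn=<wwn> result=<ok|reject>"
LOG_RE = re.compile(r"^(\S+) FLOGI port=(\d+) wwn=(\S+) result=(\w+)$")

# Constructed sample: one host hammering logins, one login from the wrong port.
SAMPLE_LOG = """\
2003-03-01T10:00:00 FLOGI port=1 wwn=10:00:00:00:00:00:00:a1 result=ok
2003-03-01T10:00:01 FLOGI port=2 wwn=10:00:00:00:00:00:00:b2 result=ok
2003-03-01T10:00:02 FLOGI port=5 wwn=10:00:00:00:00:00:00:c3 result=reject
2003-03-01T10:00:02 FLOGI port=5 wwn=10:00:00:00:00:00:00:c3 result=reject
2003-03-01T10:00:03 FLOGI port=5 wwn=10:00:00:00:00:00:00:c3 result=reject
2003-03-01T10:00:03 FLOGI port=5 wwn=10:00:00:00:00:00:00:c3 result=reject
2003-03-01T10:00:04 FLOGI port=5 wwn=10:00:00:00:00:00:00:c3 result=reject
2003-03-01T10:00:30 FLOGI port=9 wwn=10:00:00:00:00:00:00:a1 result=ok
"""

# Registered switch port per WWN, as an inventory or zoning database would
# hold it (constructed).
EXPECTED_PORT = {"10:00:00:00:00:00:00:a1": 1, "10:00:00:00:00:00:00:b2": 2}


def parse(line):
    """Return (timestamp, port, wwn, result) or None for an unrecognised line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, port, wwn, result = m.groups()
    return datetime.fromisoformat(ts), int(port), wwn, result


def detect(log_text, burst=4, window_s=10):
    """Return a list of (rule, wwn, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # wwn -> login timestamps inside the window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, port, wwn, result = rec
        # Rule 1: more than `burst` logins from one WWN within `window_s` seconds.
        q = recent[wwn]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) == burst + 1:   # fire once, when the threshold is first crossed
            alerts.append(("login_burst", wwn,
                           f"{len(q)} logins in {window_s}s on port {port}"))
        # Rule 2: a registered WWN appears on a port other than its inventory port.
        exp = EXPECTED_PORT.get(wwn)
        if exp is not None and port != exp:
            alerts.append(("port_mismatch", wwn, f"seen on port {port}, expected {exp}"))
    return alerts


if __name__ == "__main__":
    for rule, wwn, detail in detect(SAMPLE_LOG):
        print(rule, wwn, detail)
```

Rule 2 only works if the inventory table is kept current, which ties back to the zoning discussion earlier: a fabric that relies on WWN zoning still benefits from recording which port each WWN is expected on, because a legitimate WWN appearing elsewhere is exactly the case the zoning table alone will not flag.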

Attackers can launch any of the above attacks on different storage network configurations, including server or storage array to network connections, switch to switch, switch to storage array, or management interface. Hitachi Data Systems (HDS) defines a medium risk as an attack confined to individual switches or storage devices and a high risk as one potentially compromising an entire zone or SAN. Hitachi ranks the risk to various storage configurations:

* Server or Storage Array to Storage Network Connection. A hacker uses a network connection to attach to a SAN server or array and directly downloads sensitive data. He can also hijack legal addresses and collect data by spoofing or issuing denial-of-service attacks by flooding the network with login requests or jamming a switch.

* Switch to Switch. Operating on the physical network, or from a remote management interface, the attacker uses an illegal switch to make changes to fabric topologies. This results in mangled paths and subsequent DoS attacks.

* Server to Storage Array. An attacker sets up a private link that allows a server to send to a storage device not in its zone, possibly overwriting protected data on zoned devices. Attackers can also introduce viruses into a server to damage its communication with its available arrays, and can also issue DoS attacks using this route.

* Management Interface. This type of attack is high risk because it is potentially devastating to a zone or an entire SAN. According to HDS, management interface attacks can disrupt network connections, add illegal accounts, copy data to an illegal recipient, and--worst of all--destroy data. An attacker who has gained access to a SAN can install illegal management interfaces unless there is a strong authentication requirement installed.

Security developers are attempting to meet a variety of security threats against complex storage area networks. At the same time, most of them report high user frustration with lengthy and complicated security procedures, so much of new security development focuses on increasing comprehensive security against intrusion, as well as providing SAN management tools to simplify zoning in large SANs. The approaches range from open initiatives and security/SAN management from companies such as McData, to security tools specific to secondary systems from companies such as NeoScale. The most promising among them aim to provide more comprehensive and simplified security tools for Fibre Channel networks.
Hitachi Data Systems' risk ranking by storage configuration:

Configuration                                   Risk
Server or Storage Array to Network Connection   Medium risk
Switch to Switch                                Medium risk
Server to Storage Array                         Medium risk
Management interface                            High risk


www.falconstor.com

www.hds.com

www.mcdata.com

www.neoscale.com
COPYRIGHT 2003 West World Productions, Inc.
Article Details
Author: Chudnow, Christine Taylor
Publication: Computer Technology Review
Date: Mar 1, 2003
Words: 1561