Storage area network security: the human factor.
Then everything changed.
Consolidation. IP SANs. NAS. Remote connections. Multiple ports. Any-to-any connectivity. All of these evolutions meant that storage networks were becoming more and more vulnerable to attack and more at risk for security breaches.
With Malice Aforethought
The growth in IP-based SANs has made online storage more vulnerable to the same attacks that IP networks have fought for years. In 2005, the FBI surveyed more than 2000 private and public organizations to get some idea of the scope of cyber-crime. A whopping 90% of the surveyed companies reported that they had suffered attacks that year and had scrambled to increase computer security. Computer viruses and worms ranked the highest for sheer number of attacks, followed by DoS (denial of service) attacks. All three can be devastating to IP-based storage networks. Take distributed denial-of-service (DDoS) and distributed reflection denial-of-service (DRDoS) attacks, which flood IP networks with bogus traffic, usurping bandwidth and overtaxing web servers to prevent legitimate traffic from getting through. Hosting providers, eCommerce companies, financial institutions, broadband Internet operators, government--any enterprise using IP-based services including IP SANs--are vulnerable to this type of attack.
Even well-protected Fibre Channel SANs are vulnerable to the most omnipresent human threat out there--employees. When a human being presents a threat, most people immediately picture shadowy outlaw hackers. However, company employees present much greater threats than outsiders. Many a SAN has been damaged by inexperienced or overtired storage administrators, and the FBI claims that 75% of losses from security breaches are from internal sources. Whether the threat arises from ignorance or malice, Fibre Channel networks are vulnerable to the insider, and a malicious or mistaken staffer or consultant can open the network to external intrusion.
Fortunately, even inside attacks can be foiled with the proper security approaches. Authentication protocols are key in this respect, especially because Fibre Channel depends heavily on name servers. Authentication schemes use ANSI standards to define access control to each server using ANSI-specified client interfaces. If a service request lacks the security header--for example, a spoofing attack with an authentic login but no accompanying header--it will be denied. Authentication took longer to develop in the Fibre Channel SAN world than in the IP network because SAN administrators assumed that authentication had already taken place at the network perimeter, and possibly at the database and application levels. This bad security habit opened up the Fibre Channel SAN to unacceptable levels of risk. Authentication protocols for Fibre Channel are becoming more common, including Fibre Channel Authentication Protocol (FCAP), DH-CHAP (Diffie-Hellman CHAP), and Fibre Channel Security Protocol (FC-SP).
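As an added illustration of the challenge-response login this paragraph describes (example code, not the article's or any vendor's), here is a simplified DH-CHAP-style check in Python: a switch issues a challenge plus a Diffie-Hellman value, the HBA answers with a response bound to its shared secret, and a login that carries a known name but no valid response is denied. The toy prime, the SHA-256 response construction, the dict-based messages, the WWN and the secret are all assumptions; the real FC-SP DH-CHAP wire format and DH groups differ.

```python
"""Simplified DH-CHAP-style login check between an HBA (initiator) and a switch.
Toy parameters and message layout are assumptions for illustration only."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime; production uses standardized large DH groups
G = 3
KEYLEN = (P.bit_length() + 7) // 8

# Constructed secret table held by the switch: initiator WWN -> shared CHAP secret
SWITCH_SECRETS = {"10:00:00:00:c9:aa:bb:cc": b"constructed-hba-secret"}

def chap_response(secret, challenge, shared_key, tid):
    """Bind the static secret to this challenge and this DH key, so a captured
    reply is useless against any later challenge (assumed construction)."""
    h = hashlib.sha256()
    h.update(tid.to_bytes(4, "big"))
    h.update(secret)
    h.update(challenge)
    h.update(shared_key.to_bytes(KEYLEN, "big"))
    return h.digest()

def switch_challenge():
    """Switch side: fresh transaction id, random challenge and DH key pair."""
    priv = secrets.randbelow(P - 3) + 2
    return {"tid": secrets.randbits(32), "challenge": secrets.token_bytes(16),
            "priv": priv, "pub": pow(G, priv, P)}

def initiator_reply(wwn, secret, msg):
    """Initiator side: finish the DH exchange and answer the challenge."""
    priv = secrets.randbelow(P - 3) + 2
    shared = pow(msg["pub"], priv, P)
    return {"wwn": wwn, "pub": pow(G, priv, P),
            "response": chap_response(secret, msg["challenge"], shared, msg["tid"])}

def switch_verify(state, reply):
    """Deny a login that names a known WWN but lacks a valid response (spoofing),
    reuses an old reply against a new challenge (replay) or sends a degenerate DH value."""
    secret = SWITCH_SECRETS.get(reply.get("wwn"))
    pub, response = reply.get("pub"), reply.get("response")
    if secret is None or not isinstance(response, bytes) or not isinstance(pub, int):
        return False
    if not 2 <= pub <= P - 2:  # 0, 1 and p-1 would force a predictable shared key
        return False
    shared = pow(pub, state["priv"], P)
    expected = chap_response(secret, state["challenge"], shared, state["tid"])
    return hmac.compare_digest(expected, response)
```

The check is one-way for brevity; a full exchange would have the HBA verify the switch the same way, which is what the article means by testing both user and system identities.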
Perimeter-based security measures and protocols work against hackers, whose attacks largely consist of denial-of-service, man-in-the-middle, spoofing and hijacking. DoS attacks prevent authorized users from getting to their data, and can include such activities as issuing repeated login requests, destroying or degrading network paths by changing fabric topology, and overloading resource maps. Hackers also use man-in-the-middle attacks to present an address as an existing legitimate switch. As soon as data starts to flow to the "switch," the attacker can read, download or change the forwarded data. He then sends the data on to the real switch. Spoofing uses a legitimate login to request services and data from the storage network. Hackers can gain access to logins through previous unauthorized entry, through automated login search functions, or through old-fashioned user laziness--even many network administrators never change their login or freely share it. Hijacking is a version of spoofing where the hacker can commandeer and control an existing authentic session.
According to Hitachi Data Systems, attackers can launch any of the above attacks on different storage network configurations, including server or storage array to network connections, switch to switch, switch to storage array, or management interfaces.
* Server or Storage Array to Storage Network Connection. A hacker uses a network connection to attach to a SAN server or array and directly downloads sensitive data. He can also hijack legal addresses and collect data by spoofing or issuing denial-of-service attacks by flooding the network with login requests or jamming a switch.
* Switch to Switch. Operating on the physical network, or from a remote management interface, the attacker uses an illegal (unauthorized) switch to make changes to fabric topologies. This results in mangled paths and subsequent DoS attacks.
* Server to Storage Array. An attacker sets up a private link that allows a server to send to a storage device not in its zone, possibly overwriting protected data on zoned devices. Attackers can also introduce viruses into a server to damage its communication with its available arrays, and can also issue DoS attacks using this route.
* Management Interface. This type of attack is high risk because it is potentially devastating to a zone or an entire SAN. According to HDS, management interface attacks can disrupt network connections, add illegal accounts, copy data to an illegal recipient, and--worst of all--destroy data. An attacker who has gained access to a SAN can install illegal management interfaces unless there is a strong authentication requirement installed.
Security developers have come a long way with Fibre Channel SAN security in the last few years. They are focusing new security development around increasing comprehensive security against intrusion as well as simplifying procedures to cut down on internal storage management mistakes.
Mitigating Internal Threats
Malicious insider threats typically involve disgruntled employees or contractors. These people have legitimate access and privileges to storage systems and can wreak havoc if not stopped. According to Brocade, companies can foil inside attacks and errors by building security-conscious networks, including dividing responsibilities between administrators, auditing and tracking network changes, separating secure storage areas, and training employees to be security compliant.
It's important to divide responsibilities between administrators so no one individual can do serious damage to the entire storage network. Even though most storage administrators wouldn't dream of deliberately damaging their networks, human error is an extremely common cause of SAN disruptions. Incomplete knowledge and training, lack of operational procedures, ignoring procedures, fatigue--all of these factors play their parts in threats to the SAN. To allay internal threats, develop solid operational procedures, audit for compliance, carefully assign administrator privileges, and do not trust any one person with immediate authority over the entire SAN.
Even in this day of rapid consolidation, it's a good idea to physically separate highly sensitive networks. It's not necessary to split the networks geographically, although you can. Isolating SAN fabrics with switches is a good way to accomplish separation within a single physical data center while still being able to share resources as needed. Less secure but still useful approaches include zoning, partitioning, and other methods to protect SAN domains against deliberate attacks and errors such as accidental overwriting.
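An added example (not from the article or any vendor) of the two storage-layer access controls the article relies on, zoning in the fabric and LUN mapping on the array, evaluated together for a single I/O, plus an audit check for the change-tracking the article recommends: it reports which paths a proposed zone change would newly open and which zones would mix two initiators, the situation behind the accidental-overwrite risk. All WWNs, zones and LUN masks are constructed.

```python
"""Toy model of fabric zoning plus array LUN masking, and an audit of zone changes.
Example code with constructed WWNs; not a vendor's implementation."""

# Constructed zone set: zone name -> member WWNs (an HBA and the array port it may use)
ZONES = {
    "zone_erp_db": {"10:00:00:00:c9:11:11:11", "50:06:01:60:aa:aa:aa:01"},
    "zone_web":    {"10:00:00:00:c9:22:22:22", "50:06:01:60:aa:aa:aa:02"},
}
# Constructed LUN masks: array target port -> LUN -> initiators allowed to see it
LUN_MASKS = {
    "50:06:01:60:aa:aa:aa:01": {0: {"10:00:00:00:c9:11:11:11"}},
    "50:06:01:60:aa:aa:aa:02": {0: {"10:00:00:00:c9:22:22:22"}},
}

def zoned_together(zones, a, b):
    """Fabric layer: two WWNs can exchange frames only if some zone holds both."""
    return any(a in members and b in members for members in zones.values())

def authorize_io(initiator, target, lun, zones=ZONES, masks=LUN_MASKS):
    """Both layers must permit the path; the reason is returned for the audit trail."""
    if not zoned_together(zones, initiator, target):
        return False, "not zoned together"
    if initiator not in masks.get(target, {}).get(lun, set()):
        return False, "LUN masked"
    return True, "allowed"

def reachable_paths(zones, masks):
    """Every (initiator, target, lun) an I/O could actually reach under a configuration."""
    return {(i, t, lun) for t, luns in masks.items()
            for lun, inits in luns.items() for i in inits
            if zoned_together(zones, i, t)}

def audit_zone_change(old_zones, new_zones, masks):
    """Paths a proposed zone change newly opens, and zones that would hold more than
    one initiator (a WWN that is not an array target port)."""
    opened = sorted(reachable_paths(new_zones, masks) - reachable_paths(old_zones, masks))
    targets = set(masks)
    mixed = sorted(name for name, members in new_zones.items()
                   if len(members - targets) > 1)
    return opened, mixed
```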
It's also important to audit for compliance with security measures. This helps the corporation to protect against attack and to track activities and individuals who might attempt to launch an attack. (Or who are simply not well trained enough for their responsibilities.) In fact, compliance auditing is an excellent component to building a security-conscious corporate culture. When a corporation builds systems, audits, and training around security, employees will a) learn to manage security better, and b) avoid doing deliberate damage since they'll be caught. Since the majority of employee-caused damage is sheer human error, training and attention will mitigate most storage security meltdowns.
Christine Taylor is a freelance writer and journalist.
Table: The Three Components of Securing Storage (NeoScale)
Authentication: Authentication procedures test and accept/reject user and system identities. New storage-specific standards and protocols such as Diffie-Hellman CHAP are emerging for the storage infrastructure. In the past, storage administrators depended on outside authentication from the IP network and file/application levels, but this is no longer adequate to protect storage networks from attack.
Access control: Access control limits the ability of the user or system to access data. Within the storage infrastructure, which servers can access which data is controlled by zoning and LUN mapping. Access control protects not only against malicious attacks but also against accidental overwriting caused by a server's operating system.
Encryption: Encryption scrambles data to prevent unauthorized persons from reading it. Two primary components make up the encryption process: the encryption algorithm and the key. Encryption is particularly important for data in transit, whether digital or physical.
Publication: Computer Technology Review
Date: Sep 1, 2006