Storage area network security: the human factor.
SANs used to be exclusively defined as Fibre Channel storage area networks. These SANs were largely insulated from outside attack with no Internet-bound pipes, limited network connections, and small-scale workgroup deployments. Under these protected conditions, security was not a huge issue.
Then everything changed.
Consolidation. IP SANs. NAS. Remote connections. Multiple ports. Any-to-any connectivity. All of these evolutions meant that storage networks were becoming more and more vulnerable to attack and more at risk for security breaches.
With Malice Aforethought
The growth in IP-based SANs has made online storage more vulnerable to the same attacks that IP networks have fought for years. In 2005, the FBI surveyed more than 2000 private and public organizations to get some idea of the scope of cyber-crime. A whopping 90% of the surveyed companies reported that they had suffered attacks that year and had scrambled to increase computer security. Computer viruses and worms ranked the highest for sheer number of attacks, followed by DoS (denial of service) attacks. All three can be devastating to IP-based storage networks. Take distributed denial-of-service (DDoS) and distributed reflection denial-of-service (DRDoS) attacks, which flood IP networks with bogus traffic, usurping bandwidth and overtaxing web servers to prevent legitimate traffic from getting through. Hosting providers, eCommerce companies, financial institutions, broadband Internet operators, government--any enterprise using IP-based services including IP SANs--are vulnerable to this type of attack.
Even well protected Fibre Channel SANs are vulnerable to the most omnipresent human threat out there--employees. When a human being presents a threat, most people immediately picture shadowy outlaw hackers. However, company employees present much greater threats than outsiders. Many a SAN has been damaged by inexperienced or overtired storage administrators, and the FBI claims that 75% of losses from security breaches are from internal sources. Whether the threat arises from ignorance or from malice, Fibre Channel networks are vulnerable to the insider. And a malicious or mistaken staffer or consultant can open the network to external intrusion.
Fortunately, even inside attacks can be foiled with the proper security approaches. Authentication protocols are key in this respect, especially because Fibre Channel depends heavily on name-based servers. Authentication schemes use ANSI standards to define access control to each server using ANSI-specified client interfaces. If a service request lacks the security header--for example, a spoofing attack with an authentic login but no accompanying header--it will be denied. Authentication has taken longer to develop in the Fibre Channel SAN world than in the IP network, with SAN administrators assuming that authentication already took place at the network perimeter, and possibly at the database and application levels. However, this bad security habit opened up the Fibre Channel SAN to unacceptable levels of risk. Authentication protocols for Fibre Channel are becoming more common, including Fibre Channel Authentication Protocol (FCAP), DH-CHAP (Diffie-Hellman CHAP), and Fibre Channel Security Protocol (FC-SP).
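To show what the DH-CHAP mutual authentication named above adds over a bare login, here is an added educational model of the exchange; it is not code from the article, from any vendor, or from the FC-SP standard, and the toy DH parameters, the SHA-256 hash and the class and method names are assumptions.

```python
import hashlib
import secrets

# Toy 127-bit Mersenne prime and generator, for demonstration only (assumption):
# FC-SP DH-CHAP defines its own DH groups and hash functions; SHA-256 and the
# message layout here are editorial simplifications, not the wire format.
P = (1 << 127) - 1
G = 5

def _response(challenge: bytes, secret: bytes, dh_shared: int) -> bytes:
    # R = H(challenge || CHAP secret || g^xy mod p): the reply proves the secret
    # and is bound to this session's DH value, so a captured reply cannot be replayed.
    return hashlib.sha256(challenge + secret + dh_shared.to_bytes(16, "big")).digest()

class Responder:
    """Switch side: a table of CHAP secrets keyed by the initiator's node name (WWPN)."""
    def __init__(self, own_secret: bytes, peer_secrets: dict):
        self.own_secret, self.peer_secrets = own_secret, peer_secrets
    def challenge(self):
        self.x = secrets.randbelow(P - 2) + 1
        self.c1 = secrets.token_bytes(16)
        return self.c1, pow(G, self.x, P)             # DHCHAP_Challenge: C1, g^x
    def reply(self, peer_name: str, r1: bytes, c2: bytes, gy: int):
        shared = pow(gy, self.x, P)
        secret = self.peer_secrets.get(peer_name)
        if secret is None or not secrets.compare_digest(r1, _response(self.c1, secret, shared)):
            return None                                # reject: unknown name or wrong secret
        return _response(c2, self.own_secret, shared)  # success message carries R2

class Initiator:
    """Host HBA side: knows its own secret and the secret expected from the switch."""
    def __init__(self, name: str, own_secret: bytes, switch_secret: bytes):
        self.name, self.own_secret, self.switch_secret = name, own_secret, switch_secret
    def answer(self, c1: bytes, gx: int):
        self.y = secrets.randbelow(P - 2) + 1
        self.shared = pow(gx, self.y, P)
        self.c2 = secrets.token_bytes(16)              # counter-challenge for mutual auth
        return _response(c1, self.own_secret, self.shared), self.c2, pow(G, self.y, P)
    def verify(self, r2) -> bool:
        return r2 is not None and secrets.compare_digest(
            r2, _response(self.c2, self.switch_secret, self.shared))

def run_dhchap(initiator: Initiator, responder: Responder) -> bool:
    """Drive the four-message exchange; True only when both sides authenticate."""
    c1, gx = responder.challenge()
    r1, c2, gy = initiator.answer(c1, gx)
    return initiator.verify(responder.reply(initiator.name, r1, c2, gy))
```

A host with the wrong secret, an unknown node name, or a switch that cannot prove its own secret all end in a failed exchange, which is the check a spoofed login alone never has to pass.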
Perimeter-based security measures and protocols work against hackers, whose attacks largely consist of denial-of-service, man-in-the-middle, spoofing and hijacking. DoS attacks prevent authorized users from getting to their data, and can include such activities as issuing repeated login requests, destroying or degrading network paths by changing fabric topology, and overloading resource maps. Hackers also use man-in-the-middle attacks to present an address as an existing legitimate switch. As soon as data starts to flow to the "switch," the attacker can read, download or change the forwarded data. He then sends the data on to the real switch. Spoofing uses a legitimate login to request services and data from the storage network. Hackers can gain access to logins through previous unauthorized entry, through automated login search functions, or through old-fashioned user laziness--even many network administrators never change their login or freely share it. Hijacking is a version of spoofing where the hacker can commandeer and control an existing authentic session.
According to Hitachi Data Systems, attackers can launch any of the above attacks on different storage network configurations, including server or storage array to network connections, switch to switch, switch to storage array, or management interfaces.
* Server or Storage Array to Storage Network Connection. A hacker uses a network connection to attach to a SAN server or array and directly downloads sensitive data. He can also hijack legal addresses and collect data by spoofing or issuing denial-of-service attacks by flooding the network with login requests or jamming a switch.
* Switch to Switch. Operating on the physical network, or from a remote management interface, the attacker introduces an illegal switch in order to "make changes to" fabric topologies. This results in mangled paths and subsequent DoS attacks.
* Server to Storage Array. An attacker sets up a private link that allows a server to send to a storage device not in its zone, possibly overwriting protected data on zoned devices. Attackers can also introduce viruses into a server to damage its communication with its available arrays, and can also issue DoS attacks using this route.
* Management Interface. This type of attack is high risk because it is potentially devastating to a zone or an entire SAN. According to HDS, management interface attacks can disrupt network connections, add illegal accounts, copy data to an illegal recipient, and--worst of all--destroy data. An attacker who has gained access to a SAN can install illegal management interfaces unless there is a strong authentication requirement installed.
Security developers have come a long way with Fibre Channel SAN security in the last few years. They are focusing new development on more comprehensive protection against intrusion, as well as on simplifying procedures to cut down on internal storage management mistakes.
Mitigating Internal Threats
Malicious insider threats typically involve disgruntled employees or contractors. These people have legitimate access and privileges to storage systems and can wreak havoc if not stopped. According to Brocade, companies can foil inside attacks and errors by building security-conscious networks, including dividing responsibilities between administrators, auditing and tracking network changes, separating secure storage areas, and training employees to be security compliant.
It's important to divide responsibilities between administrators so no one individual can do serious damage to the entire storage network. Even though most storage administrators wouldn't dream of deliberately damaging their networks, human error is an extremely common cause of SAN disruptions. Incomplete knowledge and training, lack of operational procedures, ignoring procedures, fatigue--all of these factors play their parts in threats to the SAN. To allay internal threats, develop solid operational procedures, audit for compliance, carefully assign administrator privileges, and do not trust any one person with immediate authority over the entire SAN.
Even in this day of rapid consolidation, it's a good idea to physically separate highly sensitive networks. It's not necessary to split the networks geographically, although you can. Isolating SAN fabrics with switches is a good way to accomplish separation within a single physical data center while still being able to share resources as needed. Less secure but still useful approaches include zoning, partitioning, and other methods to protect SAN domains against deliberate attacks and errors such as accidental overwriting.
It's also important to audit for compliance with security measures. This helps the corporation to protect against attack and to track activities and individuals who might attempt to launch an attack. (Or who are simply not well trained enough for their responsibilities.) In fact, compliance auditing is an excellent component to building a security-conscious corporate culture. When a corporation builds systems, audits, and training around security, employees will a) learn to manage security better, and b) avoid doing deliberate damage since they'll be caught. Since the majority of employee-caused damage is sheer human error, training and attention will mitigate most storage security meltdowns.
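As an added illustration of the two controls just described, dividing administrator responsibilities and auditing network changes, here is a small audit check over constructed switch log lines; it is not from the article or from any switch vendor, and the log layout, action names and the failed-login threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed switch audit lines (layout assumed for illustration; real Fibre
# Channel switches each have their own syslog format): timestamp, switch, class, key=value pairs.
SAMPLE_LOG = """\
2006-03-01T09:00:01 sw1 AUDIT user=alice action=zone_modify zone=db_zone
2006-03-01T09:00:07 sw1 AUDIT user=alice action=cfg_enable cfg=prod_cfg
2006-03-01T09:05:00 sw1 AUDIT user=bob action=zone_modify zone=web_zone
2006-03-01T09:06:10 sw1 AUDIT user=carol action=cfg_enable cfg=prod_cfg
2006-03-01T09:10:00 sw1 AUTH user=svc_backup action=login result=fail
2006-03-01T09:10:01 sw1 AUTH user=svc_backup action=login result=fail
2006-03-01T09:10:02 sw1 AUTH user=svc_backup action=login result=fail
2006-03-01T09:15:00 sw1 AUTH user=bob action=login result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<switch>\S+) (?P<cls>\S+) (?P<kv>.*)$")
FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value

def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields.update(ts=m["ts"], switch=m["switch"], cls=m["cls"])
    return fields

def audit(log_text: str) -> list:
    """Findings: one account both editing zoning and activating the configuration
    (no separation of duties), and accounts with repeated failed logins."""
    actions = defaultdict(set)   # user -> set of change actions performed
    failures = Counter()         # user -> failed login count
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        if ev["cls"] == "AUDIT":
            actions[ev["user"]].add(ev["action"])
        elif ev["cls"] == "AUTH" and ev.get("result") == "fail":
            failures[ev["user"]] += 1
    findings = []
    for user, acts in sorted(actions.items()):
        if {"zone_modify", "cfg_enable"} <= acts:
            findings.append(f"SoD: {user} both modified zoning and enabled the config")
    for user, n in sorted(failures.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"Repeated failed logins: {user} ({n})")
    return findings
```

In the sample, bob edits a zone and carol activates the configuration, which passes, while alice doing both is flagged; the failed-login count covers the repeated login requests the article lists under DoS.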
Christine Taylor is a freelance writer and journalist.
Table: The Three Components of Securing Storage (NeoScale)

Authentication: Authentication procedures test and accept/reject user and system identities. New storage-specific standards and protocols such as Diffie-Hellman CHAP are emerging for the storage infrastructure. In the past, storage administrators depended on outside authentication from the IP network and file/application levels, but this is no longer adequate to protect storage networks from attack.

Access control: Access control limits the ability of a user or system to access data. Within the storage infrastructure, which servers may access which data is controlled by zoning and LUN mapping. Access control protects not only against malicious attacks but also against accidental overwriting caused by a server's operating system.

Encryption: Encryption scrambles data to prevent unauthorized persons from reading it. Two primary components make up the encryption process: the encryption algorithm and the key. Encryption is particularly important for data in transit, whether digital or physical.