Fibre Channel security.
Protecting the SAN Against Itself
The very capacities that make SANs ideal for storage networking--the ability to make any-to-any connections--make it possible for application servers to see all storage devices on the SAN at the same time, and even to blithely overwrite each other on the same disks. This is generally considered a bad thing, so storage administrators must protect against this all-seeing problem by zoning and LUN masking. Zoning serves three purposes:
* Provides barriers between devices that use different operating systems. Windows NT, for example, grabs every bit of storage it sees unless it's been zone-restricted.
* Protects confidential data by enabling access rights for specific user groups.
* Segments groups of devices from other devices in the fabric. This allows storage administrators to carry out installations, testing, and upgrades on segmented devices without impacting other zones.
Fabric switches provide hardware- or software-based zoning by segregating nodes by several different categories, including address, physical port or name. This leaves zone members with any-to-any connectivity, while leaving non-members in the dark. Hardware-based zoning includes hard zoning, which links ports on the fabric, and soft zoning, which uses the WWN (World Wide Name) of the fabric-connected Fibre Channel devices. (FalconStor asserts that port zoning is easier to implement but not as flexible as WWN zoning, since with hard zoning storage administrators must reconfigure a zone whenever a SAN Fibre Channel device changes its switch port.) Soft zoning can follow a Fibre Channel device when it is moved between ports. Software-based zoning may use the switch-based Simple Name Server (SNS), which defines zone members using the World Wide Node Name and World Wide Port Name. In this case, when a host accesses the SAN to request available storage devices, the SNS will return only those devices the host is allowed in the zoning table.
Port-type controls ensure that switches automatically sense a connection type when receiving an enabling command. This procedure distinguishes between a generic switch port (G-port), a fabric port (F-port), and an E-port, where two switches are connected. A port-type configuration allows the storage administrator to restrict a switch to a particular kind of port, which protects storage ports from inadvertent or malicious misuse--for example, attempting to change a network topology by connecting two G-ports to make an E-port. Port-type controls would disable such commands unless they were accompanied by stringent authentication protocols.
Zoning also protects storage networks from failure during new equipment deployment and testing. Administrators can secure the network by using switches to segment it into zones such as management traffic or testing segments. This ability is particularly helpful to system integrators because it allows them to lock down their customer's fabric against inadvertent changes when installing new network components. It is then a simpler and safer matter to grant access to the integrator installing and testing new equipment on a working SAN.
LUN masking adds a further level of protection against errant hosts attempting to bypass the SNS. LUN masking controls access to individual storage devices on the SAN at the component level; LUN masking could make a host turn a blind eye to a subset of disks on a single array, or to specific tape drives in a tape library. Like zoning, LUN masking can use both hardware- and software-based approaches, working through hardware devices like routers and controllers, or through code residing on hosts. Since LUN masking is labor-intensive, it is most appropriate for smaller SANs.
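The two controls described above (an SNS that answers a host's device query from the zoning table, and LUN masking enforced on the array itself) can be modelled in a few lines. This is an added illustration, not code from the article or from any vendor named in it; all WWPNs, zone names and LUN numbers are constructed sample values.

```python
from typing import Dict, Set, Tuple

# Zoning table: zone name -> member WWPNs (constructed sample values).
ZONES: Dict[str, Set[str]] = {
    "zone_nt_db": {"10:00:00:00:c9:11:11:11", "50:06:01:60:aa:aa:aa:aa"},
    "zone_unix_fs": {"10:00:00:00:c9:22:22:22", "50:06:01:60:aa:aa:aa:aa",
                     "50:06:01:60:bb:bb:bb:bb"},
    "zone_tape": {"10:00:00:00:c9:22:22:22", "50:05:07:63:00:00:00:01"},
}

# Array/library-side LUN masks: (target WWPN, host WWPN) -> LUNs exposed.
# A host with no entry for a target is masked out of that target entirely.
LUN_MASK: Dict[Tuple[str, str], Set[int]] = {
    ("50:06:01:60:aa:aa:aa:aa", "10:00:00:00:c9:11:11:11"): {0, 1},
    ("50:06:01:60:aa:aa:aa:aa", "10:00:00:00:c9:22:22:22"): {2, 3},
    ("50:05:07:63:00:00:00:01", "10:00:00:00:c9:22:22:22"): {0},
}


def sns_query(host_wwpn: str, zones: Dict[str, Set[str]]) -> Set[str]:
    """Soft zoning as the SNS applies it: a host is told only about
    members of zones it shares; a host in no zone learns nothing."""
    visible: Set[str] = set()
    for members in zones.values():
        if host_wwpn in members:
            visible |= members - {host_wwpn}
    return visible


def report_luns(target_wwpn: str, host_wwpn: str,
                mask: Dict[Tuple[str, str], Set[int]]) -> Set[int]:
    """Target-side LUN masking: enforced on the array itself, so it still
    holds for a host that skips the SNS and addresses the target directly."""
    return set(mask.get((target_wwpn, host_wwpn), set()))


def visible_storage(host_wwpn: str) -> Dict[str, Set[int]]:
    """Both controls together: zoning decides which targets the host can
    discover, masking decides which LUNs on each of them it may use."""
    return {target: report_luns(target, host_wwpn, LUN_MASK)
            for target in sns_query(host_wwpn, ZONES)}


if __name__ == "__main__":
    for host in ("10:00:00:00:c9:11:11:11", "10:00:00:00:c9:22:22:22",
                 "10:00:00:00:c9:99:99:99"):  # the last host is in no zone
        print(host, "->", visible_storage(host))
```

The second host is zoned to three targets but masked out of one of them, and the unzoned host gets nothing from the SNS and nothing from the array even when it bypasses the SNS.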
When a human being presents a threat, most people immediately picture shadowy outlaw hackers. However, company employees present much greater threats than outsiders--many a SAN has been damaged by inexperienced storage administrators, and the FBI claims that 75 percent of losses from security breaches come from internal sources. In spite of real security threats from ignorance or malice, Fibre Channel security against external attacks is not as mature as messaging network security. Hoff said, "Security for storage networks is new because most people, three or five years ago, didn't know about them. New networks are hard to hack because you don't know how." As more people find out how to hack into storage networks, they publicize vulnerabilities over the Internet and other hackers attempt to exploit that knowledge. Storage administrators may not have even known about the original intrusion because the hacker left no traces, but suddenly the network is suffering thousands of attempts.
According to Hoff, the good news is that 90 percent of security hacks can be solved with correct security measures. For example, McData's SANtegrity Authentication uses the open DH Challenge Handshake Authentication Protocol (CHAP) to enable updated storage networking security features. The Fibre Channel Security Protocol standards group (Fibre Channel-SP) has recommended CHAP for the security standard in Fibre Channel storage networks, and the IETF has mandated it for iSCSI gateways. Authentication protocols are important for Fibre Channel security because the fabric depends heavily on name-based servers. Service requests reach each type of server using ANSI-specified client interfaces. Authentication schemes can use ANSI standards to define access control. For example, CT authentication is based on client interfaces that include security headers in the request. If a request lacks the security header--for example, a spoofing attack with an authentic login but no accompanying header--it will be denied.
Most hacker attacks fall into the following categories: denial-of-service (DoS), man-in-the-middle, spoofing and hijacking. DoS attacks prevent authorized users from getting to their data, and can include such activities as issuing repeated login requests, destroying or degrading network paths by changing fabric topology, and overloading resource maps. Hackers also use man-in-the-middle attacks to present an address as an existing legitimate switch. As soon as data starts to flow to the "switch," the attacker can read, download or change the forwarded data. He then sends the data on to the real switch. Spoofing uses a legitimate login to request services and data from the storage network. Hackers can gain access to logins through previous unauthorized entry, through automated login search functions, or through old-fashioned user laziness--even many network administrators never change their login and freely share it. Hijacking is a version of spoofing where the hacker can commandeer and control an existing authentic session.
Attackers can launch any of the above attacks on different storage network configurations, including server or storage array to network connections, switch to switch, switch to storage array, or management interface. Hitachi Data Systems defines a medium risk as an attack confined to individual switches or storage devices and a high risk as potentially compromising an entire zone or SAN. Hitachi ranks the risk to various storage configurations:
* Server or Storage Array to Storage Network Connection. A hacker uses a network connection to attach to a SAN server or array and directly downloads sensitive data. He can also hijack legal addresses and collect data by spoofing or issuing denial-of-service attacks by flooding the network with login requests or jamming a switch.
* Switch to Switch. Operating on the physical network, or from a remote management interface, the attacker uses an illegal switch to make changes to fabric topologies. This results in mangled paths and subsequent DoS attacks.
* Server to Storage Array. An attacker sets up a private link that allows a server to send to a storage device not in its zone, possibly overwriting protected data on zoned devices. Attackers can also introduce viruses into a server to damage its communication with its available arrays, and can also issue DoS attacks using this route.
* Management Interface. This type of attack is high risk because it is potentially devastating to a zone or an entire SAN. According to HDS, management interface attacks can disrupt network connections, add illegal accounts, copy data to an illegal recipient, and--worst of all--destroy data. An attacker who has gained access to a SAN can install illegal management interfaces unless there is a strong authentication requirement installed.
Security developers are attempting to meet a variety of security threats against complex storage area networks. At the same time, most of them report high user frustration with lengthy and complicated security procedures, so much of new security development focuses on increasing comprehensive security against intrusion, as well as providing SAN management tools to simplify zoning in large SANs. The approaches range from open initiatives and security/SAN management from companies such as McData, to security tools specific to secondary systems from companies such as NeoScale. The most promising among them aim to provide more comprehensive and simplified security tools for Fibre Channel networks.
Hitachi Data Systems risk ranking by storage configuration:
Server or Storage Array to Network Connection: Medium risk
Switch to Switch: Medium risk
Server to Storage Array: Medium risk
Management Interface: High risk
Author: Chudnow, Christine Taylor
Publication: Computer Technology Review
Date: Mar 1, 2003