Fibre Channel Security


Most FC security mechanisms are defined in the Fibre Channel Security Protocols (FC-SP) specification. The FC-SP model is largely based on the IPsec model. The FC-SP specification defines the following security services:

  • Device authentication

  • Device authorization

  • Connectionless data integrity

  • Data confidentiality

  • Cryptographic key management

  • Security policy definition and distribution

Multiple authentication protocols are supported, including Diffie-Hellman CHAP (DH-CHAP), the Fibre Channel Authentication Protocol (FCAP), and the Fibre Channel Password Authentication Protocol (FCPAP). DH-CHAP uses shared secrets. FCAP leverages a public key infrastructure (PKI). FCPAP is based on SRP (Secure Remote Password). The authorization service enables the following policies:

  • Binding restrictions to control which devices (N_Ports, B_Ports, and so on) may join a fabric, and to which switch(es) a given device may connect

  • Binding restrictions to control which switches may join a fabric and which switch pairs may form an ISL

  • Management access restrictions to control which IP hosts may manage a fabric and which IP protocols may be used by management hosts

The authentication and binding procedures are based on Worldwide Names (WWN). The optional ESP_Header defined in the Fibre Channel Framing and Signaling (FC-FS) specification series provides the data integrity and confidentiality services. Key management is facilitated by an FC-specific variant of IKE.
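The DH-CHAP exchange described above, as an added illustration that is not code from the book and does not reproduce the FC-SP message encoding. It keeps the two ingredients the passage names: a CHAP challenge/response keyed by a pre-shared secret, and a Diffie-Hellman exchange whose fresh shared key is folded into the response, so an observer of the exchange obtains neither the secret nor a response it could replay. The WWNs, the secret and the choice of DH group (RFC 2409 group 2) are constructed for the example.

```python
"""DH-CHAP-style mutual authentication between two FC ports (added illustration).

Not the FC-SP wire format: the response is HMAC(secret, responder WWN || challenge
|| DH shared key), which binds it to the pre-shared secret, to a fresh challenge and
to an ephemeral DH key at the same time.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2); a constructed choice for this example,
# not a statement of which groups FC-SP mandates.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = (P.bit_length() + 7) // 8


def chap_response(secret: bytes, responder_wwn: str, challenge: bytes, dh_key: int) -> bytes:
    """Response = HMAC-SHA256(secret, responder WWN || challenge || DH shared key)."""
    material = responder_wwn.encode() + challenge + dh_key.to_bytes(KEY_LEN, "big")
    return hmac.new(secret, material, hashlib.sha256).digest()


class Port:
    """One FC port; secrets_db maps peer WWN -> shared secret (constructed values)."""

    def __init__(self, wwn: str, secrets_db: dict):
        self.wwn = wwn
        self.secrets_db = secrets_db
        self.priv = secrets.randbelow(P - 2) + 1   # ephemeral DH exponent, 1..P-2
        self.pub = pow(G, self.priv, P)
        self.my_challenge = None
        self.dh_key = None

    def challenge(self):
        """Emit a fresh random challenge together with this port's DH public value."""
        self.my_challenge = secrets.token_bytes(16)
        return self.my_challenge, self.pub

    def reply(self, peer_wwn: str, peer_challenge: bytes, peer_pub: int) -> bytes:
        """Derive the DH key from the peer's public value and answer its challenge."""
        self.dh_key = pow(peer_pub, self.priv, P)
        return chap_response(self.secrets_db[peer_wwn], self.wwn, peer_challenge, self.dh_key)

    def verify(self, peer_wwn: str, peer_response: bytes) -> bool:
        """Recompute the expected response from our copy of the secret; constant-time compare."""
        expected = chap_response(self.secrets_db[peer_wwn], peer_wwn, self.my_challenge, self.dh_key)
        return hmac.compare_digest(expected, peer_response)


def authenticate(initiator: Port, responder: Port):
    """Run the exchange; returns (responder accepted initiator, initiator accepted responder)."""
    # responder -> initiator: challenge C1 plus the responder's DH public value
    c1, pub_r = responder.challenge()
    # initiator -> responder: response R1, its own DH public value, and challenge C2 (mutual auth)
    r1 = initiator.reply(responder.wwn, c1, pub_r)
    c2, pub_i = initiator.challenge()
    # responder derives the same DH key, checks R1, and only on success answers C2 with R2
    r2 = responder.reply(initiator.wwn, c2, pub_i)
    if not responder.verify(initiator.wwn, r1):
        return False, False
    return True, initiator.verify(responder.wwn, r2)


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    host = Port("21:00:00:e0:8b:00:00:01", {"20:00:00:05:30:00:aa:bb": shared})
    switch = Port("20:00:00:05:30:00:aa:bb", {"21:00:00:e0:8b:00:00:01": shared})
    print(authenticate(host, switch))   # (True, True)
```

Both sides hold the same secret, so either can verify the other; a port configured with a different secret for its peer fails in both directions. The DH key is what lifts this above plain CHAP: if the DH step were omitted (FC-SP also allows a NULL DH group, in which case the scheme degenerates to plain CHAP), the response would depend only on the secret and the challenge.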

Perhaps the best-known FC security mechanism is the FC zoning service, which is defined in the Fibre Channel Generic Services (FC-GS) specification series. FC zoning restricts which device pairs may communicate. FC zoning traditionally operates in two modes: soft zoning and hard zoning. Soft zoning is a merit system in which certain WWNs are masked during the discovery process: the Fibre Channel Name Server (FCNS) provides each host with a list of the targets that the host is permitted to access, derived from WWN-based policies defined in the Fibre Channel Zone Server (FCZS), but no enforcement mechanism prevents a host from accessing any target. By contrast, hard zoning enforces communication policies that have traditionally been based on switch ports (not WWNs). The line between soft and hard zoning is beginning to blur because newer FC switches support hard zoning based on WWNs.
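The soft-versus-hard distinction above, modelled in Python as an added example (not from the book). The Name Server reply is filtered by zone membership in both modes; only the hard-zoning path checks frames in the data path. Zone members are WWNs, so the hard-zoning branch models the WWN-based hard zoning the passage says newer switches support. The zone set, device table and WWNs are constructed sample values.

```python
"""Soft zoning versus hard zoning, modelled in Python (added example, not from the book)."""
from itertools import combinations

# Constructed active zone set: each zone lists the WWNs permitted to communicate with one another.
ACTIVE_ZONESET = {
    "zone_dbhost_array1": {"21:00:00:e0:8b:00:00:01", "50:06:01:60:00:00:00:01"},
    "zone_backup_array2": {"21:00:00:e0:8b:00:00:02", "50:06:01:60:00:00:00:02"},
}

# Constructed Name Server registrations: WWN -> role the device registered.
FABRIC_DEVICES = {
    "21:00:00:e0:8b:00:00:01": "initiator",
    "21:00:00:e0:8b:00:00:02": "initiator",
    "50:06:01:60:00:00:00:01": "target",
    "50:06:01:60:00:00:00:02": "target",
    "50:06:01:60:00:00:00:03": "target",   # a member of no zone
}


def permitted_pairs(zoneset):
    """Flatten the zone set into the unordered WWN pairs allowed to talk."""
    pairs = set()
    for members in zoneset.values():
        for a, b in combinations(sorted(members), 2):
            pairs.add(frozenset((a, b)))
    return pairs


def name_server_query(requester, zoneset, devices):
    """Discovery reply: the Name Server lists only the targets zoned with the requester."""
    allowed = permitted_pairs(zoneset)
    return sorted(wwn for wwn, role in devices.items()
                  if role == "target" and frozenset((requester, wwn)) in allowed)


def fabric_forwards(frames, zoneset, mode):
    """Decide, per (source WWN, destination WWN) frame, whether the fabric forwards it.

    soft: discovery was filtered, but the data path applies no check, so a frame
          addressed to a target the requester was not shown is still forwarded.
    hard: every frame is checked against the zone set and dropped if the pair is not zoned.
    """
    if mode not in ("soft", "hard"):
        raise ValueError("mode must be 'soft' or 'hard'")
    allowed = permitted_pairs(zoneset)
    return [mode == "soft" or frozenset((src, dst)) in allowed for src, dst in frames]


if __name__ == "__main__":
    host = "21:00:00:e0:8b:00:00:01"
    print(name_server_query(host, ACTIVE_ZONESET, FABRIC_DEVICES))
    frames = [(host, "50:06:01:60:00:00:00:01"), (host, "50:06:01:60:00:00:00:02")]
    print(fabric_forwards(frames, ACTIVE_ZONESET, "soft"))   # [True, True]
    print(fabric_forwards(frames, ACTIVE_ZONESET, "hard"))   # [True, False]
```

The second frame in the usage section is the case the passage is about: the host was never shown the second target, yet a soft-zoned fabric forwards the frame, while hard zoning drops it. When auditing a fabric, the question to ask is therefore whether the zone set is enforced in the data path, not only in Name Server replies.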

Virtual Fabrics (VF) can also be used as security mechanisms. By enforcing traffic isolation policies along VF boundaries, FC switches protect the devices in each VF from the devices in other VFs. VF boundaries can also isolate management access in FC switches that support VF-aware RBAC.

Modern storage arrays commonly support another security mechanism called Logical Unit Number (LUN) masking. LUN masking hides certain LUNs from initiators when the storage array responds to the SCSI REPORT LUNS command. Note that LUN masking was developed to ensure data integrity, and the security benefits are inherent side effects. FC switches produced by Cisco Systems support enforcement of LUN masking policies via the FC zoning mechanism (called LUN zoning).
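LUN masking as an array applies it to REPORT LUNS, written as an added example that is not code from the book. The parameter data follows the SPC layout (a 4-byte LUN LIST LENGTH, 4 reserved bytes, then 8-byte LUN entries in peripheral device addressing), so the initiator-side parser reads back exactly what the array built. The initiator WWNs, LUN numbers and masking table are constructed; consulting the masking table on every command rather than only on REPORT LUNS is this example's design choice, not a claim about any particular array.

```python
"""LUN masking on a storage array, modelled in Python (added example, not from the book)."""
import struct

# Constructed masking table: initiator WWN -> LUNs that initiator may see and use.
LUN_MASKS = {
    "21:00:00:e0:8b:00:00:01": {0, 1, 2},
    "21:00:00:e0:8b:00:00:02": {0, 3},
}
ALL_LUNS = {0, 1, 2, 3, 4}   # LUN 4 is provisioned but masked from every initiator


def encode_lun(lun: int) -> bytes:
    """8-byte LUN field, peripheral device addressing: byte 0 = method/bus 0, byte 1 = LUN."""
    if not 0 <= lun < 256:
        raise ValueError("single-level peripheral addressing covers LUNs 0-255 only")
    return bytes([0x00, lun]) + bytes(6)


def visible_luns(initiator_wwn: str) -> list:
    """LUNs in this initiator's view; an initiator with no entry sees nothing."""
    return sorted(LUN_MASKS.get(initiator_wwn, set()) & ALL_LUNS)


def report_luns(initiator_wwn: str) -> bytes:
    """Parameter data the array returns to REPORT LUNS from the given initiator."""
    body = b"".join(encode_lun(lun) for lun in visible_luns(initiator_wwn))
    # LUN LIST LENGTH (big-endian, bytes of LUN entries) followed by 4 reserved bytes
    return struct.pack(">I4x", len(body)) + body


def parse_report_luns(data: bytes) -> list:
    """Initiator-side parser for the parameter data produced above."""
    (length,) = struct.unpack(">I", data[:4])
    entries = data[8:8 + length]
    luns = []
    for i in range(0, len(entries), 8):
        entry = entries[i:i + 8]
        if entry[0] != 0x00 or any(entry[2:]):
            raise ValueError("only peripheral device addressing is handled here")
        luns.append(entry[1])
    return luns


def handle_io(initiator_wwn: str, lun: int) -> str:
    """Status for an I/O command to a LUN: a masked LUN is reported as not existing."""
    if lun in visible_luns(initiator_wwn):
        return "GOOD"
    return "CHECK CONDITION (ILLEGAL REQUEST, LOGICAL UNIT NOT SUPPORTED)"


if __name__ == "__main__":
    for wwn in LUN_MASKS:
        print(wwn, parse_report_luns(report_luns(wwn)))
    print(handle_io("21:00:00:e0:8b:00:00:02", 1))
```

Because the mask is keyed by initiator WWN, its protection is only as strong as the authentication of that WWN, which is why the DH-CHAP and binding mechanisms earlier on this page matter even where masking is configured; the Cisco LUN zoning the passage mentions moves the same per-LUN policy into the fabric's zoning enforcement.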




Storage Networking Protocol Fundamentals
Storage Networking Protocol Fundamentals (Vol 2)
ISBN: 1587051605
Year: 2007
Pages: 196
Authors: James Long
