Conceptual Underpinnings of Storage Network Security


Security can mean many things to many people. In the world of data communications, security is concerned primarily with the protection of in-flight data (as opposed to data-at-rest) and device access. Many services are required to provide a complete security solution. The major services related to in-flight data include the following:

  • Data origin authentication is the service that verifies that each message actually originated from the source claimed in the header.

  • Data integrity is the service that detects modifications made to data while in flight. Data integrity can be implemented as connectionless or connection-oriented.

  • Anti-replay protection is the service that detects the arrival of duplicate packets within a given window of packets or a bounded timeframe.

  • Data confidentiality is the service that prevents exposure of application data to unauthorized parties while the data is in flight.

  • Traffic flow confidentiality is the service that prevents exposure of communication parameters (such as original source and destination addresses) to unauthorized parties.
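As an added illustration of the anti-replay service described above (not code from the book), the following Python sketch implements the sliding-window duplicate detector of the kind used by IPsec ESP and AH; the 64-packet window size and the sample sequence-number stream are assumptions.

```python
"""Sliding-window anti-replay check of the kind used by IPsec ESP and AH.

Added example, not code from the book: it assumes each packet carries a
monotonically increasing sequence number and that the receiver keeps a
bitmap of the most recent `size` sequence numbers it has accepted.
"""


class ReplayWindow:
    def __init__(self, size=64):  # 64-packet window is an assumed value
        self.size = size
        self.highest = None       # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was accepted

    def accept(self, seq):
        """Return True if seq is new and inside the window, else False."""
        if self.highest is None:             # first packet opens the window
            self.highest, self.bitmap = seq, 1
            return True
        if seq > self.highest:               # slide the window to the right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1              # every older entry falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:              # left of the window: too old, drop
            return False
        if self.bitmap & (1 << offset):      # already accepted: replayed, drop
            return False
        self.bitmap |= 1 << offset           # late but new: accept and record
        return True


def filter_stream(seqs, size=64):
    """Run a stream of sequence numbers through one window; list (seq, accepted)."""
    w = ReplayWindow(size)
    return [(s, w.accept(s)) for s in seqs]


# Constructed sample: in order, a replay of 3, a late-but-new 4, a jump to 100,
# then a packet (30) that is older than the whole window after the jump.
SAMPLE = [1, 2, 3, 3, 5, 4, 100, 30]
```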

In many computing environments, multiple administrators are granted access to production systems for the purpose of management. Additionally, management responsibilities are sometimes divided among different teams or departments in large organizations. To facilitate shared management responsibilities in a scalable manner with minimal complexity, the concept of Role Based Access Control (RBAC) was introduced in 1992. RBAC simplifies multi-access security administration in large-scale environments. Consequently, RBAC has emerged as the preferred solution for multi-access security control. The RBAC model was standardized by ANSI INCITS in 2004 via the 359-2004 standard. The 359-2004 standard defines the RBAC reference model and provides the RBAC functional specification. The RBAC reference model is composed of five basic elements: users, roles, permissions, operations, and objects. The RBAC functional specification defines the requisite features of an RBAC implementation. In 2005, ANSI INCITS formed the Cyber Security (CS1) subcommittee to continue work on RBAC and other security initiatives. Although the reference model and functional specification defined in the 359-2004 standard are broadly applicable to many environments, various organizations outside of ANSI are working on RBAC standards for specific environments that have specialized requirements. Today, most information technology vendors support RBAC in their products.
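The five-element reference model just described can be made concrete in a few lines. The following Python example is added here and is neither the book's nor the standard's code; the role, user and object names are constructed to resemble a storage-switch deployment.

```python
"""Core RBAC built from the five elements of the ANSI INCITS 359-2004
reference model: users, roles, permissions, operations and objects.

Added example, not the book's or the standard's code; the sample
deployment (roles, users, objects) is constructed for illustration.
"""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> {role}
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}

    # administrative functions, named after AssignUser/GrantPermission in the standard
    def assign_user(self, user, role):
        self.user_roles[user].add(role)

    def deassign_user(self, user, role):
        self.user_roles[user].discard(role)

    def grant_permission(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def revoke_permission(self, role, operation, obj):
        self.role_perms[role].discard((operation, obj))

    # review and decision functions
    def effective_permissions(self, user):
        """Union of the permissions of every role assigned to the user."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def check_access(self, user, operation, obj):
        """Access flows only through roles; users never hold permissions directly."""
        return (operation, obj) in self.effective_permissions(user)


def build_sample():
    """Constructed deployment: two roles shared by three administrators."""
    rbac = Rbac()
    for op, obj in [("show", "zoneset"), ("show", "interface"), ("show", "vsan")]:
        rbac.grant_permission("network-operator", op, obj)
    rbac.grant_permission("zone-admin", "show", "zoneset")
    rbac.grant_permission("zone-admin", "modify", "zoneset")
    rbac.assign_user("alice", "zone-admin")
    rbac.assign_user("bob", "network-operator")
    rbac.assign_user("carol", "network-operator")
    rbac.assign_user("carol", "zone-admin")
    return rbac
```

Revoking one permission from a role changes the access of every user holding that role at once, which is the scalability point the text makes.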

RBAC is complemented by a set of technologies called authentication, authorization, and accounting (AAA). AAA is implemented as a client/server model in which all security information is centrally stored and managed on an AAA server. The devices under management act as clients to the AAA server by relaying user credentials and access requests to the AAA server. The AAA server replies authoritatively to the managed devices. The user is granted or denied access based on the AAA server's reply. The traditional alternative is to create, store, and manage user identification and password information on each managed device (a distributed model). The AAA model requires significantly less administration than the distributed model. AAA is also inherently more secure because the central database can be protected by physical security measures that are not practical to implement in most distributed environments. Consequently, AAA is currently deployed in most large organizations. Many AAA products are available as software-only solutions that run on every major operating system. As its name suggests, AAA provides three services. The authentication service verifies the identity of each user or device. The authorization service dynamically grants access to network and compute resources based on a preconfigured access list associated with the user's credentials. This enables granular control of who can do what rather than granting each authenticated user full access to all resources. Authorization is handled transparently, so the user experience is not tedious. The accounting service logs actions taken by users and devices. Some AAA servers also support the syslog protocol and integrate syslog messages into the accounting log for consolidated logging. The accounting service can log various data including the user's ID, the source IP address, protocol numbers, TCP and UDP port numbers, time and date of access, the commands executed and services accessed, the result of each attempt (permitted or denied), and the location of access. The accounting service enables many applications such as customer billing, suspicious activity tracing, utilization trending, and root cause analysis.

Storage Networking Protocol Fundamentals (Vol 2)
ISBN: 1587051605
Year: 2007
Pages: 196
Authors: James Long