Fibre Channel SAN Security


Like so many terms in the networking industry, "Storage Area Network" (SAN) boasts a bevy of definitions. Semantics aside, whatever form of SAN you construct must be secure enough to avoid the risk of losing or compromising critical data.

Here, "SAN" refers to a network of devices (typically storage devices and servers) that communicate using a serial SCSI protocol such as Fibre Channel or iSCSI. This article focuses on Fibre Channel-based SAN security.

In their brief history, Fibre Channel SANs have been perceived by many as inherently secure compared to more traditional storage technologies. This is partially due to the fact that SANs are dedicated networks typically devoted to enabling communication between storage devices and computers. This has contributed to the Fibre Channel SAN's image of being less vulnerable to security breaches on the enterprise network. In addition, Fibre Channel SANs are based on optical fiber, which is more resistant to sniffing than copper cabling. And many would argue that traditional Fibre Channel SANs that aren't linked to the Internet are less likely to be compromised than IP-based (read: Internet-connected) networked storage systems.

But as Fibre Channel SANs become larger and more complex, ensuring the security of the data they contain becomes more difficult. The more devices, servers, data, and users become intertwined, the greater the possibility of a security glitch. In addition, there are relatively few standards pertaining to the security of Fibre Channel SANs. (For more information on this topic, see Resources.)

Members Only

The primary problem is the potential for unauthorized access. For example, while a hacker may not have a direct line into a Fibre Channel SAN, he or she might be able to compromise a server that has access to that SAN, perhaps by gaining administrator rights to the system. From this standpoint, the SAN inherits the security problems of every server attached to it. Once the SAN is compromised, an unauthorized user from, for example, the engineering department might obtain access to sensitive information in the form of HR, accounting, or marketing department files that he or she has no rights to view. A worse scenario is one in which the user is able to alter that data, or decides to copy competitive corporate data and sell it to the highest bidder.

A less likely, but certainly possible, development would be a Denial of Service (DoS) attack that bombards the SAN with so many requests that it effectively goes out of commission. To accomplish such a feat, the hacker would need fairly sophisticated capabilities, including the ability to write detailed device driver code. There simply aren't that many individuals with this level of skill now, but, as with death and taxes, it's only a matter of time.

For these reasons, the SAN must be designed so that only authorized users or systems can access storage resources. Ensuring proper execution of access rights and authorization procedures is critical to protecting the Fibre Channel SAN.

Lines Of Defense

There are many layers of security within a SAN. Firewalls, Intrusion Detection Systems (IDSs), and other basic security mechanisms on the network serve as the first line of defense. An additional layer of security lies in the OS software, which should (among other things) help secure servers attached to the SAN. But these are far from bulletproof; security must be implemented at much deeper, more granular levels within the SAN to make the storage network as airtight as possible.

Although it's far from a panacea, well designed and properly used storage management software can go a long way toward ensuring Fibre Channel SAN security. Unfortunately, the management interface itself can pose a security risk: If an unauthorized user with ill intent were to breach the system, he or she could use the management interface to manipulate a number of variables, and could then reassign storage resources, redefine policies, or otherwise compromise the security and integrity of the data on the SAN.

Because of the amount of damage that could occur if an unauthorized user were to gain control of the management software, access rights to such software should be carefully controlled through mechanisms such as strictly enforced use of user IDs and passwords (preferably encrypted) for login. Using Secure Sockets Layer (SSL) or comparable encryption methods for communication across the network is also helpful.

Divide And Conquer

One of the primary ways to help ensure Fibre Channel SAN security is to segment, or partition, storage resources so that only authorized users or departments can view them. You can start by separating sensitive information from less critical data on the SAN.

There are more granular methods of partitioning storage resources as well. Zoning is one way to limit the visibility of storage resources to specific users or departments. Zoning can be implemented in a variety of ways, one of which is switch zoning. This approach is divided into two subcategories: hard zoning and soft zoning. A zone can be relatively small, or it can encompass multiple switches in a SAN fabric. Servers and storage systems can be members of multiple zones, depending on the configuration.

In hard (or port) zoning, zones are defined on the basis of the Fibre Channel switch's ports. These zones typically include components such as servers, storage devices, subsystems, and Host Bus Adapters (HBAs). In this case, the zones are based on the physical port attachment of the devices to the switch. Members of individual zones are only allowed to communicate with other systems within the same zone (see figure).

Zoned Out. In Fibre Channel SANs, one way to partition storage resources for additional security is through zoning. Switch zoning involves dividing systems such as servers, storage devices, subsystems, and host bus adapters into groups, or zones. These zones can be based on switch port connectivity (hard zoning), or the switch can read incoming frames to ensure that source and destination addresses are within the same zone (soft zoning).

As the name implies, hard zoning occurs within the switch's hardware (specifically, within its circuitry), which reads the destination address of each frame entering the switch to determine which output port it should be sent to. The switch holds a table of which ports are allowed to communicate with each other. If a port tries to communicate with a port in a different zone, the frames from the unauthorized port are dropped, and no communication can occur.

Because it's enforced in hardware, hard zoning is more secure than its software-based counterpart. It also doesn't have the performance hit that soft zoning entails (more on this later). However, hard zoning is less flexible than soft zoning. Because the zone assignment stays with the port rather than with the device, keeping track of configuration changes is more difficult. If a device is moved from one port to another, the network manager or administrator must reconfigure the zone assignment, which can result in a significant amount of overhead. This approach can be particularly cumbersome in dynamic environments in which frequent configuration changes are required.

Soft zoning is based on World Wide Names (WWNs). A WWN is a 64-bit identifier that the manufacturer assigns to each Fibre Channel port or node, so zone membership follows the device rather than the switch port it happens to be plugged into. Note that Fibre Channel frames themselves carry 24-bit port addresses (the S_ID and D_ID fields) rather than WWNs; the switch learns which WWN sits behind which address when the device logs into the fabric, and uses that mapping to check that the source and destination of an incoming frame belong to a common zone. If they don't, the switch discards the offending frame.

A major benefit of soft zoning is flexibility. If a device needs to be moved from one switch port to another, its current zone membership(s) isn't altered. This can save a lot of administrative time in SANs that have frequent configuration changes involving devices such as servers and storage subsystems.

But while soft zoning is more flexible, it's also less secure than hard zoning. A WWN is an identifier, not a credential: on many HBAs it can be changed in software, so an attacker who has gained administrator rights on a server attached to the fabric can make that server's HBA present the WWN of a host that belongs to an off-limits zone and be admitted to it. Port zoning is immune to this particular trick, because membership is tied to the physical cable rather than to a value the host supplies. Another downside is that soft zoning can introduce latency and thus impair a Fibre Channel switch's throughput.
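The trade-off described in the last few paragraphs is easiest to see on a concrete switch configuration. The Python below is an added example, not code from the original article or from any switch vendor: it models one switch with both a port-zone table and a WWN-zone table, then runs the same three frames through each. Every WWN, port number and host name in it is made up, and the WWN-zoning check is simplified to the comparison the article describes (both WWNs in a common zone).

```python
"""Zoning enforcement modelled in Python: port-based (hard) zoning versus
WWN-based (soft) zoning on a single switch.

Added example, not code from the original article or from any switch
vendor. Every WWN, port number and host name below is made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Constructed WWNs for four fabric members (fictitious values).
HR_SERVER = "10:00:00:00:c9:11:11:01"
HR_ARRAY = "50:06:01:60:aa:aa:00:01"
ENG_SERVER = "10:00:00:00:c9:22:22:02"
ENG_ARRAY = "50:06:01:60:bb:bb:00:02"


@dataclass(frozen=True)
class Frame:
    """A Fibre Channel frame reduced to the fields that zoning inspects."""
    ingress_port: int  # physical switch port the frame arrived on
    egress_port: int   # switch port it must leave on to reach the target
    src_wwn: str       # WWN the sending HBA presented at fabric login
    dst_wwn: str       # WWN of the intended target


class ZonedSwitch:
    """One switch holding a port-zone table and a WWN-zone table."""

    def __init__(self) -> None:
        self.port_zones: Dict[str, Set[int]] = {}
        self.wwn_zones: Dict[str, Set[str]] = {}

    def add_port_zone(self, name: str, ports: Iterable[int]) -> None:
        self.port_zones[name] = set(ports)

    def add_wwn_zone(self, name: str, wwns: Iterable[str]) -> None:
        self.wwn_zones[name] = set(wwns)

    def allowed_by_port_zoning(self, f: Frame) -> bool:
        """Hard zoning: both physical ports must share at least one zone."""
        return any(f.ingress_port in z and f.egress_port in z
                   for z in self.port_zones.values())

    def allowed_by_wwn_zoning(self, f: Frame) -> bool:
        """Soft zoning: both WWNs must share at least one zone. The switch
        trusts the WWN the HBA presented at login; nothing checks the port."""
        return any(f.src_wwn in z and f.dst_wwn in z
                   for z in self.wwn_zones.values())


def build_switch() -> ZonedSwitch:
    """Constructed topology: HR server on port 1, HR array on port 2,
    engineering server on port 3, engineering array on port 4."""
    sw = ZonedSwitch()
    sw.add_port_zone("hr_zone", [1, 2])
    sw.add_port_zone("eng_zone", [3, 4])
    sw.add_wwn_zone("hr_zone", [HR_SERVER, HR_ARRAY])
    sw.add_wwn_zone("eng_zone", [ENG_SERVER, ENG_ARRAY])
    return sw


def check(f: Frame) -> Tuple[bool, bool]:
    """Return (allowed under port zoning, allowed under WWN zoning)."""
    sw = build_switch()
    return sw.allowed_by_port_zoning(f), sw.allowed_by_wwn_zoning(f)


def legitimate_hr_io() -> Tuple[bool, bool]:
    """HR server (port 1) reads its own array (port 2): both modes allow it."""
    return check(Frame(1, 2, HR_SERVER, HR_ARRAY))


def hr_server_moved_to_port_5() -> Tuple[bool, bool]:
    """Cable moved without updating the zone tables. Port zoning blocks the HR
    server until an administrator re-zones port 5; WWN zoning still allows it."""
    return check(Frame(5, 2, HR_SERVER, HR_ARRAY))


def eng_host_spoofs_hr_wwn() -> Tuple[bool, bool]:
    """Attacker with admin rights on the engineering server (port 3) reprograms
    its HBA to present HR_SERVER's WWN and targets the HR array. Port zoning
    blocks it (port 3 is not in hr_zone); WWN zoning is fooled."""
    return check(Frame(3, 2, HR_SERVER, HR_ARRAY))


if __name__ == "__main__":
    cases = [("legitimate HR I/O", legitimate_hr_io),
             ("HR server moved to port 5", hr_server_moved_to_port_5),
             ("engineering host spoofing HR WWN", eng_host_spoofs_hr_wwn)]
    for name, fn in cases:
        hard, soft = fn()
        print(f"{name:36s} port zoning: {hard!s:5s}  WWN zoning: {soft}")
```

The second and third cases are the two sides of the same coin: the property that lets a moved server keep working under WWN zoning (membership travels with the identifier the host presents) is exactly what lets a host that lies about its identifier walk into a zone it was never given.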

It's Only Logical

Another SAN security mechanism is Logical Unit Number (LUN) masking. This technique accomplishes a similar goal to zoning, but in a different way. To understand this process, you must know that an initiator (typically a server or workstation) begins a transaction with a target (typically a storage device such as a tape or disk array) by issuing an I/O command. A logical unit within the SCSI-based target executes the I/O commands, and a LUN is the SCSI identifier for that logical unit within the target. In Fibre Channel SANs, the decision of which LUNs a given server may use is keyed on the WWN of the server's HBA. A LUN typically represents a unit of storage such as a disk volume or a tape drive.

In LUN masking, LUNs are assigned to host servers; the server can see only the LUNs that have been assigned to it. If multiple servers or departments are accessing a single storage device, LUN masking enables the network manager or administrator to limit the visibility of these servers or departments to a specific LUN (or LUNs) to help ensure security.

LUN masking can be implemented at various locations within the SAN, including storage arrays, bridges and routers, and HBAs.

When LUN masking is implemented in an HBA, software on the server and firmware in the HBA limit which LUNs the host presents to its operating system. The HBA device driver can be configured to restrict visibility to specific LUNs. One characteristic of this technique is that its boundaries are essentially limited to the server in which the HBA resides: the masking table lives on that server, so anyone with administrator rights there (including an intruder who has obtained them) can alter it. Host-based masking therefore protects against configuration mistakes rather than against a compromised server.

LUN masking can also be implemented in a RAID subsystem, typically by the disk controller(s) that orchestrate the operation of a set of disk drives. In this scenario, the RAID subsystem controller maintains a table of initiator addresses. The table indicates which initiators are allowed to issue commands to specific LUNs; any LUN not listed for a given initiator is masked so that the initiator can neither see it nor address it. This form of masking covers every LUN behind the subsystem in which the mapping is executed, and because the enforcement point is outside the servers' control, it holds even when one of those servers has been compromised.

If a RAID subsystem doesn't support LUN masking, you can implement this functionality via a bridge or router placed between the servers and the storage devices and subsystems. In this case, you can configure the system so that only specific servers are allowed to see certain LUNs.
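To make the difference between the enforcement points concrete, the Python below models LUN masking in the two places described above: in the storage subsystem (or an intervening router), where the masking table is keyed on the initiator's WWPN, and in the HBA driver, where the table lives on the host. It is an added example, not code from the original article or from any array vendor; the WWPNs and the LUN layout are made up, and the SCSI status returned for a masked LUN is the standard ILLEGAL REQUEST / LOGICAL UNIT NOT SUPPORTED sense code.

```python
"""LUN masking modelled in Python at the two places the article describes:
in the storage (RAID) subsystem and in the host's HBA driver.

Added example, not code from the original article or any array vendor.
WWPNs and LUN layouts are made up; the sense codes are the standard SCSI
ILLEGAL REQUEST (0x05) / LOGICAL UNIT NOT SUPPORTED (ASC 0x25) values.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed initiator WWPNs (fictitious).
HR_SERVER = "10:00:00:00:c9:11:11:01"
ENG_SERVER = "10:00:00:00:c9:22:22:02"

GOOD = ("GOOD", None)
LU_NOT_SUPPORTED = ("CHECK CONDITION", (0x05, 0x25, 0x00))  # key, ASC, ASCQ


class ArrayPort:
    """A front-end port on a RAID subsystem holding the masking table:
    initiator WWPN -> set of LUNs that initiator may see and address."""

    def __init__(self, luns: Iterable[int]) -> None:
        self.luns: Set[int] = set(luns)
        self.mask: Dict[str, Set[int]] = {}

    def expose(self, initiator: str, luns: Iterable[int]) -> None:
        wanted = set(luns)
        unknown = wanted - self.luns
        if unknown:
            raise ValueError(f"no such LUNs behind this port: {sorted(unknown)}")
        self.mask.setdefault(initiator, set()).update(wanted)

    def report_luns(self, initiator: str) -> List[int]:
        """Answer to REPORT LUNS: only the LUNs masked in for this initiator.
        An initiator with no entry sees nothing at all."""
        return sorted(self.mask.get(initiator, set()))

    def command(self, initiator: str, lun: int):
        """Status returned for an I/O command addressed directly to `lun`."""
        if lun in self.mask.get(initiator, set()):
            return GOOD
        return LU_NOT_SUPPORTED


class HbaDriverMask:
    """Host-side masking: the HBA driver drops LUNs the administrator has not
    listed before the OS ever sees them. The table lives on the server, so a
    user with administrator rights there can edit it."""

    def __init__(self, allowed: Iterable[int]) -> None:
        self.allowed: Set[int] = set(allowed)

    def visible(self, reported: Iterable[int]) -> List[int]:
        return sorted(lun for lun in reported if lun in self.allowed)


def build_array() -> ArrayPort:
    """Constructed layout: LUNs 0 and 1 hold HR data, LUNs 2 and 3 engineering data."""
    port = ArrayPort(luns=[0, 1, 2, 3])
    port.expose(HR_SERVER, [0, 1])
    port.expose(ENG_SERVER, [2, 3])
    return port


def array_side_views() -> Tuple[List[int], List[int], List[int]]:
    """What each initiator sees; an unregistered WWPN sees nothing."""
    port = build_array()
    return (port.report_luns(HR_SERVER),
            port.report_luns(ENG_SERVER),
            port.report_luns("10:00:00:00:c9:ff:ff:ff"))


def eng_server_probes_hr_lun():
    """Engineering server addresses LUN 0 directly, ignoring REPORT LUNS.
    Array-side masking still rejects the command."""
    return build_array().command(ENG_SERVER, 0)


def host_side_mask_after_compromise() -> Tuple[List[int], List[int]]:
    """Array exposes all four LUNs to the engineering server and relies on the
    HBA driver to hide HR's LUNs. Returns (view before, view after) an attacker
    with admin rights on that server widens the driver's table."""
    port = ArrayPort(luns=[0, 1, 2, 3])
    port.expose(ENG_SERVER, [0, 1, 2, 3])
    reported = port.report_luns(ENG_SERVER)
    before = HbaDriverMask([2, 3]).visible(reported)
    after = HbaDriverMask([0, 1, 2, 3]).visible(reported)  # edited on the host
    return before, after


if __name__ == "__main__":
    print("array-side views (HR, engineering, unknown):", array_side_views())
    print("engineering server probing HR LUN 0:", eng_server_probes_hr_lun())
    print("host-side mask before/after compromise:", host_side_mask_after_compromise())
```

The `eng_server_probes_hr_lun` case matters because hiding a LUN from REPORT LUNS is not the same as refusing commands to it; a masking implementation must do both, since an initiator can address any LUN number it likes. The last case shows why the article's observation about HBA-based masking being bounded by the server is a security statement and not just a deployment detail.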

A Moving Target?

The techniques described in this tutorial represent the primary means of securing a Fibre Channel SAN, but there are additional approaches (see Resources). It's important to keep in mind that none of the security measures described here are bulletproof. Whenever possible, multiple techniques should be used to obtain the highest level of security achievable for a SAN given the characteristics of the network, availability requirements, the level of flexibility needed, and so on.

The security of Fibre Channel SANs will continue to evolve out of necessity. Vendors are working on storage processors that encrypt and compress data on storage networks, and on storage security appliances that can perform authentication and encryption and access data across Fibre Channel SANs at wire speed. But regardless of the possibilities such devices might hold, nothing obviates the need to observe the less exciting but time-tested security practices for Fibre Channel SANs.

Resources

For a free white paper titled "SANs Heighten Storage Security Requirements," by James Bannister and Dennis Martin of the Evaluator Group, go to www.evaluatorgroup.com.

Information on Fibre Channel technologies and standards can be found at the Fibre Channel Industry Association (www.fibrechannel.com), the Storage Networking Industry Association (SNIA, www.snia.org), and Technical Committee T11 (www.t11.org/index.htm), the INCITS committee responsible for the Fibre Channel standards.

This tutorial, number 170, by Elizabeth Clark, was originally published in the September 2002 issue of Network Magazine.



Network Tutorial
Lan Tutorial With Glossary of Terms: A Complete Introduction to Local Area Networks (Lan Networking Library)
ISBN: 0879303794
Year: 2003
Pages: 193