There are many hurdles for the system architect who is trying to craft a secure storage system. Foremost of these is a lack of support for security in the products and protocols used to build enterprise storage systems. Fortunately, there are several strategies that can be used to enhance security for storage systems that do not cost very much to implement. As is always the case with system security, none of these practices can guarantee that an intruder won't damage data in a storage system. These strategies will, however, set obstacles in the path of the malicious and the unwitting.

Separate Networks for Management

One of the best vectors for the malicious or curious is the management interface of a storage system device. Management interfaces must be kept on completely separate networks to ensure that there is no path to the device from anywhere on the main LAN or, especially, the Internet. It is very convenient for a storage administrator to have access from a standard desktop computer to the devices he manages. Unfortunately, this desktop access provides an opportunity for others to see and perhaps even access the devices' management features. At best, this provides an intruder with valuable intelligence. A more likely scenario is that the network connection is used as the basis for an attack. The best defense is to have management interfaces on completely separate networks. This network should also be accessible only from a dedicated workstation. A workstation that has access to both the main network and the management network may itself be used as a platform for an attack on the storage system.

IP storage poses a bit of a problem for similar reasons. If the storage devices are accessible from the main network, they may be exposed to attacks from computers on that network. Unlike the management interfaces, though, hosts need to access the IP storage devices. They in turn must be accessible by other hosts, such as desktop computers.
The best solution is to have a separate IP network for the storage system that only the hosts can access. Hosts should be double-homed (having two Ethernet cards attached to separate networks), and a firewall should be placed between the hosts and the IP storage devices.

Hard Zoning in FC Networks

To begin with, all Fibre Channel SANs should use zoning in some form. It is surprising how often a SAN is put into place without it. That is because there is no default zoning in Fibre Channel. Fibre Channel networks believe all hosts to be trusted and, hence, work under a Default ALLOW posture. Zoning doesn't truly change this, because any host not in a zone has access to any nonzoned resource, but it is better than nothing.

Hard zoning is preferred to soft zoning. Soft zoning is susceptible to WWN spoofing and similar host attacks because it is based on the host bus adapter and not the Fibre Channel switch. With soft zoning, hosts don't "see" the resources outside their zone but could still access them given the proper tools. Thus, the hosts themselves represent a vector that can be used to attack the system. On the other hand, hard zoning is based on the switch port. This makes it more difficult for the host to be used for an attack by overcoming zoning restrictions. It also is impervious to WWN spoofing.

Tip: All ports should be zoned, even unused ports. A zone should be established that contains no resources at all, and empty switch ports must be assigned to that zone. This way, even if someone plugs a host into the switch port, it will remain isolated from the other hosts and resources on the SAN.
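The zoning rules above (port-based members rather than WWN members, every port in a zone, unused ports in an empty isolation zone) can be checked mechanically against a switch's zoning configuration. The following audit is an added example, not code from the book or from any switch vendor: the Zone/port representation is a constructed simplification of a zoning export, and the zone names DB_ZONE, WEB_ZONE and ISOLATED, the device names and the WWN are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    ports: set = field(default_factory=set)  # switch-port members (hard zoning)
    wwns: set = field(default_factory=set)   # WWN members (soft zoning)

def audit_zoning(port_count, attached, zones, isolation_zone="ISOLATED"):
    """Return findings that violate the hard-zoning rules.
    attached: {port_number: device_name} for ports with something plugged in."""
    findings = []
    by_port = {}  # port -> set of zone names it belongs to
    for z in zones:
        if z.wwns:  # WWN members are tied to the HBA, not the switch port
            findings.append(f"zone {z.name}: WWN members {sorted(z.wwns)} (soft zoning)")
        for p in z.ports:
            by_port.setdefault(p, set()).add(z.name)
    if isolation_zone not in {z.name for z in zones}:
        findings.append(f"isolation zone {isolation_zone} is not defined")
    for p in range(port_count):
        names = by_port.get(p, set())
        if not names:  # an unzoned port falls under Fibre Channel's default ALLOW
            findings.append(f"port {p}: not in any zone")
        elif p in attached and isolation_zone in names:
            findings.append(f"port {p} ({attached[p]}): live device in isolation zone")
        elif p not in attached and names != {isolation_zone}:
            findings.append(f"port {p}: unused but zoned with {sorted(names)}")
    return findings

# Constructed sample: a 10-port switch on which ports 4-7 are meant to be empty.
ZONES = [
    Zone("DB_ZONE", ports={0, 1, 8}),                               # db hosts + array port
    Zone("WEB_ZONE", ports={9}, wwns={"10:00:00:00:c9:aa:bb:cc"}),  # mixed: has a soft member
    Zone("ISOLATED", ports={4, 5, 6, 7}),                           # empty zone for spare ports
]
ATTACHED = {0: "db01", 1: "db02", 2: "web01", 6: "lab-host", 8: "array-A", 9: "array-B"}

if __name__ == "__main__":
    for finding in audit_zoning(10, ATTACHED, ZONES):
        print(finding)
```

Run against the sample, the audit reports the WWN member in WEB_ZONE, the unzoned ports 2 and 3, and the host that someone plugged into port 6 of the isolation zone.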
Strong Application and Host Security

It's hard for intruders to do damage to the storage system if they can't get to it in the first place. Strong host security is as much a part of storage system security as it is of server security. Specifically:
Host security is the "moat" that an attacker needs to cross to get to the storage "keep." It needs to be full of monsters ready to eat intruders.

SAN System Management Software

As discussed previously, rogue computers on the SAN are an excellent way for an insider to make mischief with a SAN. This is especially true for Fibre Channel networks, where it is very difficult to get to the network from outside the SAN. Proper SAN management helps detect some of the changes that would indicate that an attack has happened; is in progress; or, better yet, is about to happen. Most SAN management software is capable of discovering hosts (via the host bus adapter) and devices as they enter the network. Unexpected hosts may indicate that an attacker has penetrated the system. Good SAN management software can also note changes in device settings and storage provisioning, and even sudden upswings in network usage to a particular port. All of these, if not expected, may indicate an attack in progress or one about to commence. Finally, SAN management software will usually allow system settings and states to be saved. This feature will allow storage administrators to recover more quickly from attacks if they are successful.

Secure SAN Switch Operating Systems

Some SAN switch vendors offer a version of the switch operating system that includes special security features. Some examples of what a secure switch operating system might include are
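The three detections the SAN management passage describes (an HBA that was never seen before, a changed device or provisioning setting, and a sudden upswing in traffic on one port) reduce to comparing a saved discovery snapshot with the current one. This is an added example, not code from the book or from any SAN management product: the snapshot layout, the port names, WWNs and setting names are constructed, and the 3x spike threshold is an assumed tuning value.

```python
import json

def diff_snapshots(baseline, current, spike_factor=3.0):
    """Compare two SAN discovery snapshots and return a list of alerts.
    Snapshot layout (constructed for this example):
      {"hosts": {port: hba_wwn}, "settings": {name: value}, "port_mbps": {port: float}}"""
    alerts = []
    known_wwns = set(baseline["hosts"].values())
    for port, wwn in current["hosts"].items():
        if wwn not in known_wwns:  # HBA never discovered before: possible rogue host
            alerts.append(f"unexpected host {wwn} on port {port}")
        elif baseline["hosts"].get(port) != wwn:
            alerts.append(f"host {wwn} moved to port {port}")
    for name, value in current["settings"].items():
        old = baseline["settings"].get(name)
        if old != value:  # device setting or provisioning change to review
            alerts.append(f"setting {name} changed: {old!r} -> {value!r}")
    for port, mbps in current["port_mbps"].items():
        base = baseline["port_mbps"].get(port, 0.0)
        if base and mbps > base * spike_factor:  # sudden upswing on one port
            alerts.append(f"port {port}: {mbps} Mb/s vs baseline {base} Mb/s")
    return alerts

def save_snapshot(snapshot, path):
    """Persist a known-good state so it can be restored after an incident."""
    with open(path, "w") as fh:
        json.dump(snapshot, fh, indent=2)

# Constructed sample snapshots: p3 carries a new HBA, telnet was switched on,
# and p2 is suddenly pushing four times its usual traffic.
BASELINE = {
    "hosts": {"p1": "10:00:00:00:c9:00:00:01", "p2": "10:00:00:00:c9:00:00:02"},
    "settings": {"zoning_mode": "hard", "telnet": "off"},
    "port_mbps": {"p1": 80.0, "p2": 120.0, "p8": 200.0},
}
CURRENT = {
    "hosts": {"p1": "10:00:00:00:c9:00:00:01", "p2": "10:00:00:00:c9:00:00:02",
              "p3": "10:00:00:00:c9:00:00:77"},
    "settings": {"zoning_mode": "hard", "telnet": "on"},
    "port_mbps": {"p1": 80.0, "p2": 500.0, "p8": 210.0},
}

if __name__ == "__main__":
    for alert in diff_snapshots(BASELINE, CURRENT):
        print(alert)
```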
Security features can also be found in some storage servers. Although most storage servers focus on basic SAN services, such as virtualization, some have also begun to implement security features lacking in switches. Access controls and inline encryption are two examples of security features included in some storage servers. When purchasing a SAN switch or storage server, it is important to consider whether the device supports these features. If security is a major concern, the extra money that these options will cost is worth it.

Manage IP Connections

IP SANs, iSCSI in particular, often use multiple IP connections for the same data stream to get the bandwidth necessary for storage applications. This represents a risk, because it can hide potentially harmful traffic from IDS and firewall devices. In fact, it is better to disallow this capability at the firewall and not rely on it for storage applications.

It is also better not to perform block-level storage over a public network. This represents an opportunity for intruders to get at storage resources that were previously hidden. Using a VPN helps, in that the data is encrypted, but even encrypted data can carry a malicious payload. No one can look at the traffic, but it may still be dangerous. File-level data is different, because many IDS and firewall programs understand CIFS and NFS and are capable of creating the proper security environment for them. In this case, stick to the use of common protocols supported by security devices. It is not safe to use proprietary solutions.

Use LUN Locking in Addition to LUN Masking

LUN masking only hides the storage device from the hosts; it is still accessible. LUN locking, on the other hand, actually disallows hosts from accessing specific LUNs unless they have permission to do so. LUN locking is a function of the storage device and should be taken into account when purchasing disk arrays and tape libraries.
Having LUN locking in place does not mean that LUN masking should not be used. By masking the LUN, the attacker is initially denied valuable information about the storage system and will have to work for it. Together, LUN masking and LUN locking are much more powerful than each is alone.

Use Encryption

It must be assumed that, despite best efforts, an intruder will penetrate the defense of a storage system. At this point, one might also assume that the intruder will be able to steal lots of important information before doing whatever other mischief she has in mind. Maybe not. If the data that the attacker gains access to is encrypted, it may not be safe from damage but will not be usable by the attacker. The side benefit of having the data encrypted is that encryption makes it less likely that professional hackers will break in. They won't waste their time stealing data that can't be used or sold. It's like robbing an empty house.

A Storage Security Checklist

When designing storage systems or buying storage products, system security must be part of the equation. Table 6-1 is a checklist of security practices that should be part of your overall storage system planning.