Section 24.10. Storage Security

Although the details of storage security are really beyond the scope of this book, it is important to understand that security is a very important part of data protection. This section gives you an overview of the vulnerabilities in storage systems.

24.10.1. Plain-Text Communication

In a storage network, we refer to communications within the network, such as a host requesting data from a storage device, as in-band. Historically, all of this communication has been in plain text. If someone can view in-band traffic, she might be able to read data she's not supposed to, or to learn something that might assist in an attack. We refer to communications outside the network, such as someone managing a storage device via its IP management port, as out-of-band. If someone can view out-of-band management information, they could take control of the storage network and give themselves access to information, or conduct denial-of-service (DoS) attacks.

The key to solving both of these problems is encryption. For out-of-band communication, more and more storage vendors are supporting secure communication protocols, such as ssh or https, on their management ports. For in-band support, there are host-based encryption systems and hardware encryption appliances. Only host-based encryption can encrypt data from the point of departure, but encryption software has typically been very CPU-intensive, slowing down the transfer of data by as much as 50 percent. The other in-band choice is an encryption appliance that can go in the storage network and encrypt data as it's stored on the device, preventing readability even if a hacker is able to gain physical access.

24.10.2. Poor Authentication and Authorization Systems

Unix's NFS and Windows' CIFS allow the sharing of files between multiple servers. This is collectively referred to as network-attached storage, or NAS. A major challenge with NFS and CIFS is their simple host-based authentication mechanisms. If your IP address resolves to the appropriate hostname, you are given access to the shared directory. In addition, much of the authentication exchange is also sent in plain text, telling a hacker exactly which addresses he needs to spoof. A hacker could easily spoof the appropriate IP address and be given access to the wrong information.
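The following Python script is an added example, not code from the book: it parses a constructed /etc/exports file and flags every export that relies only on the client's address for authentication, which is the weakness just described. The `sec=` flavors (sys, krb5, krb5i, krb5p) and `no_root_squash` are real exportfs options; the paths and hostnames in the sample are made up.

```python
# Constructed sample /etc/exports (not from the book): address-based exports
# next to a Kerberos-protected one, so the audit has something to flag.
SAMPLE_EXPORTS = """\
# shared data, readable by anyone who can reach the server
/srv/data      *(rw,no_root_squash)
/srv/backups   backup.example.com(rw,sync)
/srv/home      10.0.0.0/24(rw,sec=krb5p) admin.example.com(ro,sec=krb5i)
/srv/pub       *.example.com(ro)
"""

def parse_exports(text):
    """Yield (path, client, [options]) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        for spec in specs:
            client, _, opts = spec.partition("(")  # "host(opt,opt)" or bare "host"
            options = [o for o in opts.rstrip(")").split(",") if o]
            yield path, client, options

def audit_exports(text):
    """Return (path, client, reason) findings for exports trusting the address only."""
    findings = []
    for path, client, opts in parse_exports(text):
        sec = [o for o in opts if o.startswith("sec=")]
        # No sec= means AUTH_SYS: the server believes whatever uid the client
        # sends, and the client is identified purely by its address or hostname.
        # krb5 makes the client prove who it is; krb5i/krb5p also add integrity
        # and privacy to traffic that is otherwise plain text on the wire.
        flavors = sec[0][len("sec="):].split(":") if sec else ["sys"]
        if all(f in ("sys", "none") for f in flavors):
            findings.append((path, client, "address-based authentication only (sec=sys)"))
        if client in ("*", "") or client.startswith("*."):
            findings.append((path, client, "wildcard client"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:22} {reason}")
```

Run it against a real exports file with `audit_exports(open("/etc/exports").read())`; the /srv/home export produces no findings because both of its clients require Kerberos.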

Fibre Channel SANs have authentication and authorization issues as well. Two very insecure, but very common, practices are the use of World Wide Name-based (WWN-based) zoning and soft zoning. (A zone is the Fibre Channel equivalent of a VLAN, with some differences.) Let's first take a look at the authentication issue, then we'll look at the authorization issue.

The authentication issue with Fibre Channel is the common use of WWN-based zones, where zone membership is determined by a host's WWN, which is equivalent to a MAC address. The problem with using WWNs for authentication is that they are easily spoofed. The ability to change the WWN is built right into the driver.

A much more secure, albeit slightly harder to manage, authentication method would be to specify zone membership using the switch port a given host is plugged into. Port binding, a recent advancement in Fibre Channel switches, can also improve WWN-based authentication. Using this authentication method, a WWN is bound to a particular port and is granted access only if it is seen at that port.

There are also authorization problems in Fibre Channel SANs, especially when using soft zoning. With soft zoning, you won't be able to query the name server to get members of a zone if you're not in that zone, but you can still communicate with a device if you have its WWN, which is relatively easy to determine. The opposite of soft zoning is hard zoning. With hard zoning, only members of a zone can access the devices in that zone.

Many people believe that soft zoning and WWN-based zoning are the same, and that hard zoning and port zoning are the same. This comes from the long-standing practice of offering them together. Nonetheless, they are two very different concepts. WWN-based and port-based zoning specify zone membership. Hard zoning and soft zoning specify whether or not zone membership is required to communicate with a member of a zone.


While the solution of using only hard zoning seems simple, it hasn't been that easy. Historically, soft zoning went hand in hand with WWN-based authentication, and many people use WWN-based authentication to make changes more easily. Today's switches are beginning to let you independently choose which authentication and zoning methods you want to use. The most secure combination, of course, would be hard zoning with port-binding-based authentication.
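The Python model below is an added example, not from the book. It evaluates the four membership/enforcement combinations discussed above, plus port binding, for a constructed fabric, showing which configurations still admit an initiator that presents another host's WWN from a different switch port. The WWNs, port numbers and zone name are made up.

```python
from collections import namedtuple

# membership: "wwn" or "port" (what identifies a zone member)
# enforcement: "soft" or "hard" (is membership required to exchange frames?)
# port_binding: accept a WWN only at the switch port it is bound to
SwitchConfig = namedtuple("SwitchConfig", "membership enforcement port_binding", defaults=[False])

# Constructed fabric (made up): one storage port and one legitimate host in zone
# "prod", listed by WWN and by switch port so either membership rule can apply.
STORAGE = ("50:00:00:00:00:00:00:05", 5)          # (WWN, switch port)
HOST = ("21:00:00:00:00:00:00:01", 1)
ZONES = {"prod": {"wwn": {STORAGE[0], HOST[0]}, "port": {STORAGE[1], HOST[1]}}}
BINDINGS = {STORAGE[0]: STORAGE[1], HOST[0]: HOST[1]}   # port-binding table

def member_id(cfg, wwn, port):
    """Identifier the switch zones on, or None if the fabric login is refused."""
    if cfg.port_binding and BINDINGS.get(wwn) != port:
        return None                 # WWN showed up at a port it is not bound to
    return wwn if cfg.membership == "wwn" else port

def name_server(cfg, wwn, port):
    """What the name server reveals to this initiator: only its own zone mates."""
    me = member_id(cfg, wwn, port)
    if me is None:
        return set()
    zone_mates = {m for z in ZONES.values() if me in z[cfg.membership]
                  for m in z[cfg.membership]}
    return zone_mates - {me}

def can_access(cfg, wwn, port, target, knows_target_wwn=False):
    """Can an initiator at (wwn, port) exchange frames with target under cfg?"""
    me, tgt = member_id(cfg, wwn, port), member_id(cfg, *target)
    if me is None:
        return False
    in_zone = tgt in name_server(cfg, wwn, port)
    if cfg.enforcement == "hard":
        return in_zone              # switch drops frames between non-members
    # Soft zoning only filters the name-server listing; frames still reach any
    # device whose WWN the initiator already knows.
    return in_zone or knows_target_wwn

CONFIGS = {
    "wwn/soft": SwitchConfig("wwn", "soft"), "wwn/hard": SwitchConfig("wwn", "hard"),
    "wwn/hard+binding": SwitchConfig("wwn", "hard", port_binding=True),
    "port/soft": SwitchConfig("port", "soft"), "port/hard": SwitchConfig("port", "hard"),
    "port/hard+binding": SwitchConfig("port", "hard", port_binding=True),
}

def outcomes(wwn, port):
    """Access to STORAGE for an initiator presenting wwn at port, per config."""
    return {name: can_access(cfg, wwn, port, STORAGE, knows_target_wwn=True)
            for name, cfg in CONFIGS.items()}
```

`outcomes(HOST[0], 2)` models a foreign WWN at port 2: only the port-based hard zone and the port-bound configurations deny it, matching the text's conclusion that hard zoning with port binding is the most secure combination.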

24.10.3. Backup Flaws

Backup systems' most obvious security flaw is the plain-text backup tape. There are many new encryption options for protecting this media. They include host-based filesystem and application encryption, encryption in the backup software, and a number of appliances that sit in the hardware data path and encrypt the data as it is written to tape. (Some of these appliances are now available inside the tape library or tape drive.) These hardware appliances are the most expensive, but they are much easier to implement and maintain than the other options. In addition to encrypting at line speed and providing superior key management, they also support compression. Since encrypted data can't be compressed, some have a compression chip that compresses the data before it's encrypted. This gives these appliances a major advantage over the other solutions, such as application encryption and backup encryption, because their encrypted data is not compressed by the tape drive.
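As an added example (not code from the book), the Python script below measures the point made about compression: the same constructed backup stream is written to "tape" once with compression ahead of the cipher, as an appliance with a compression chip does, and once encrypted first with the tape drive's compression attempted afterwards. The SHA-256 counter-mode keystream is an illustrative stand-in for the appliance's real cipher, chosen only so the script runs without extra libraries.

```python
import hashlib
import zlib

# Constructed key, nonce and payload for the illustration only.
KEY = b"example-key-not-a-real-secret"
NONCE = b"tape-0001"
# Backup streams are highly repetitive; this catalog-style text compresses well.
SAMPLE_BACKUP = b"2006-04-01 client host01 /var/log/messages 4096 bytes OK\n" * 400

def keystream(length, key=KEY, nonce=NONCE):
    """Counter-mode keystream from SHA-256. Stands in for the appliance's cipher
    to show how ciphertext behaves under compression; not a vetted design."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor_crypt(data):
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data))))

def tape_write(data, compress_first):
    """Bytes that land on tape. compress_first=True models an appliance whose
    compression chip runs ahead of its cipher; False models application-level
    encryption whose output the tape drive then tries to compress."""
    if compress_first:
        return xor_crypt(zlib.compress(data))
    return zlib.compress(xor_crypt(data))

def restore(tape_bytes, compress_first):
    """Reverse tape_write in the matching order."""
    if compress_first:
        return zlib.decompress(xor_crypt(tape_bytes))
    return xor_crypt(zlib.decompress(tape_bytes))

def tape_ratio(data, compress_first):
    """Tape bytes per plaintext byte; about 1.0 means compression gained nothing."""
    return len(tape_write(data, compress_first)) / len(data)

if __name__ == "__main__":
    print("compress then encrypt:", round(tape_ratio(SAMPLE_BACKUP, True), 3))
    print("encrypt then compress:", round(tape_ratio(SAMPLE_BACKUP, False), 3))
```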

The next security issue with backup systems is that they have typically used hostname-based authentication to authenticate the backup server and client to each other. A hacker with a spoofed IP address could exploit this vulnerability in several ways. First, she could create a rogue backup client and ask the server to restore data for the real client, thus stealing the information. A rogue client could also populate the backup server with bogus versions of backed-up files. A malicious hacker could also create a rogue backup server and back up any client that the server is authorized to back up. This, of course, would be a perfect way to steal or corrupt all kinds of data. Some backup products, including some of the open-source products discussed in this book, have addressed this serious vulnerability with additional levels of authentication beyond the hostname. Unfortunately, the added complexity of such authentication systems has made them less than attractive to backup administrators.

Most backup systems have taken an "all or nothing" approach to administrative authorization. This means that someone can do everything or nothing at all within the backup system. For example, by giving a new administrator the ability to eject tapes from the library, you also give them the ability to delete or change every backup policy, delete all backup history, and overwrite every tape you own with garbage. This presents the possibility of a novice administrator pushing the wrong button, accidentally erasing all the tapes in your tape library. A healthcare company actually had that happen a few years ago. Some backup software products have begun resolving this problem by introducing role-based administration, so you can give each person only the capabilities he needs to do his job.

The introduction of role-based administration in backup software, along with other new functionality to secure stored data, shows that storage vendors are waking up to the importance of security. If your products don't support this kind of secure functionality, put pressure on your vendors so they understand it's critical for the safety of your most precious data.

Backup & Recovery: Inexpensive Backup Solutions for Open Systems
ISBN: 0596102461
Year: 2006
Pages: 237