Implementing SAN Security Techniques

With the ever-increasing importance of data storage in enterprise environments, we must also be concerned about securing this data—as it resides on the disk and when it is in transit on the network. This section explores a number of technologies you can use to secure your SAN environment to better protect your valuable data.

Using LUN Masking to Defend Against Attacks

A Logical Unit Number (LUN) is an address for an individual disk drive and, by extension, the disk device itself. The SCSI protocol uses the term LUN as a way to differentiate the individual disk drives that comprise a common SCSI target device, such as a SCSI disk array.

To defend against attacks, LUN masking may be employed. In this authorization process, a LUN is made available to some hosts and unavailable to other hosts. Generally, this technique of LUN masking is implemented at the host bus adapter (HBA) level. Unfortunately, when LUN masking is implemented at this level, it is vulnerable to any attack that compromises the HBA.

The security benefits of LUN masking are limited, because with many HBAs it is possible for an attacker to forge source addresses. For this reason, LUN masking is implemented mainly as a way to protect against malfunctioning servers corrupting disks belonging to other servers.

An example of where LUN masking might be useful is in the case of Windows servers attached to a SAN. In some instances these corrupt non-Windows volumes by attempting to write Windows volume labels to them. In these cases, hiding the LUNs of the non-Windows volumes from the Windows server can prevent this behavior. With the LUNs masked, the Windows server is unaware of the non-Windows volumes and thereby makes no attempt to write Windows volume labels to them. In today's implementations, LUNs are typically not individual disk drives but rather virtual partitions (or volumes) within a RAID array.

Examining SAN Zoning Strategies

It is not uncommon for a SAN to contain a number of different storage devices. In these instances, for security purposes, one device should not necessarily be allowed to interact with all other devices in the SAN. To prevent this behavior, Fibre Channel zoning may be employed. Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets. Figure 8-4 shows an example of Fibre Channel zoning.

Figure 8-4 Fibre Channel Fabric Zoning

Examining Soft and Hard Zoning

Although both zoning and LUN masking have the same objectives, zoning is implemented on fabric switches, and LUN masking is performed on endpoint devices. Because zoning is enforced at the switch level rather than on the individual endpoints, it may also be a more secure measure than LUN masking. The Cisco MDS 9100 series fabric switch, shown in Figure 8-5, represents a cost-effective, intelligent SAN solution that allows for the implementation of zoning.

Figure 8-5 Cisco MDS 9100 Series Fabric Switch (Cisco MDS 9124)

The two main zoning methods are hard zoning and soft zoning. With soft zoning, you restrict only the fabric name services. In other words, soft zoning shows a device only an allowed subset of devices. So, with soft zoning in place, when a server looks at the fabric's content, it sees only the devices it is allowed to see. However, this does not prevent a server from attempting to contact other devices directly by their addresses.

Compared to soft zoning, hard zoning truly restricts communication across a fabric by using access control lists (ACLs) that are applied by the switch port ASIC to every Fibre Channel frame that is switched. This approach is more secure than soft zoning and is more commonly used. Whether you choose to apply hard or soft zoning, be aware that these security measures apply only to the switched fabric topology.

Understanding World Wide Names

Fibre Channel networks use 64-bit addresses known as World Wide Names (WWN) to uniquely identify each element in a Fibre Channel network. These WWNs may be used in zoning to assign security permissions.

Figure 8-6 shows a Cisco MDS 9100 series switch with a sample WWN assigned.

Figure 8-6 World Wide Name (Cisco MDS 9124 with sample WWN 16:8A:EE:31:9D:54:8C:FF)

Name servers in the switches may also be used to either allow or block access to particular WWNs in the fabric. However, using WWNs for security purposes is inadvisable. WWNs are inherently insecure because a device's WWN is a user-configurable parameter. Using WWNs for zoning is susceptible to unauthorized access, because the zone can be bypassed through an attacker spoofing the WWN of an authorized HBA.

Defining Virtual SANs

In addition to traditional SANs, you may create a virtual storage-area network (VSAN). VSANs were originally invented by Cisco, but they are now an ANSI standard. Figure 8-7 shows the construction of a VSAN.

Figure 8-7 Constructing VSANs (Cisco MDS 9000 Family with VSAN Service): physical SAN islands are virtualized onto a common SAN infrastructure.

A VSAN is created from a collection of ports that are part of a set of connected Fibre Channel switches. These ports together form a virtual fabric. Ports within a single switch can be partitioned to form multiple VSANs if you like. Conversely, you can use multiple switches together and join any number of their ports to form a single VSAN. If this sounds familiar, VSANs when put together in this manner strongly resemble VLANs. Like VLANs, all traffic is tagged as it crosses interswitch links with the VSAN ID. Another commonality with VLANs is that through the construction of VSANs we can add a layer of security at the port level.

Combining VSANs and Zones

Combining VSANs and zones is an effective means of providing security control for your VSAN. To combine these complementary protocols, you first must associate the physical ports with a VSAN. This step is quite similar to associating switch ports with VLANs. Next you need to logically divide the VSANs into zones. With these actions complete, you can effectively provide a security control for your VSAN. Figure 8-8 shows how VSANs work with zones.

Figure 8-8 Relating VSANs to Zones
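The soft/hard zoning distinction described earlier and the two-step procedure above (ports to VSANs, then zones within each VSAN) can be modelled in a few lines. This is an added Python example, not configuration or code from the text or from Cisco; the port names, WWNs, VSAN numbers and zone memberships are constructed sample values.

```python
# Constructed sample fabric for this example, not a configuration from the text.
# Step 1 (VSAN): each physical switch port is assigned to exactly one VSAN.
PORT_VSAN = {"fc1/1": 10, "fc1/2": 10, "fc1/3": 10, "fc1/4": 20, "fc1/5": 20}
# WWN of the device logged in on each port (constructed sample values).
PORT_WWN = {
    "fc1/1": "21:00:00:00:00:00:00:01",  # host A
    "fc1/2": "21:00:00:00:00:00:00:02",  # host B
    "fc1/3": "50:00:00:00:00:00:00:03",  # disk array
    "fc1/4": "21:00:00:00:00:00:00:04",  # host C
    "fc1/5": "50:00:00:00:00:00:00:05",  # tape library
}
# Step 2 (zones): inside each VSAN, zones are defined as sets of WWNs.
ZONES = {
    10: [{"21:00:00:00:00:00:00:01", "50:00:00:00:00:00:00:03"},   # A <-> array
         {"21:00:00:00:00:00:00:02", "50:00:00:00:00:00:00:03"}],  # B <-> array
    20: [{"21:00:00:00:00:00:00:04", "50:00:00:00:00:00:00:05"}],  # C <-> tape
}

def same_zone(vsan, wwn_a, wwn_b):
    """True if the two WWNs share at least one zone within the VSAN."""
    return any(wwn_a in z and wwn_b in z for z in ZONES.get(vsan, []))

def name_server_view(port):
    """Soft zoning: the subset of WWNs the fabric name server reveals to the
    device on `port`, i.e. devices in the same VSAN that share a zone with it."""
    vsan, me = PORT_VSAN[port], PORT_WWN[port]
    return {w for p, w in PORT_WWN.items()
            if p != port and PORT_VSAN[p] == vsan and same_zone(vsan, me, w)}

def frame_permitted(src_port, dst_port, hard_zoning=True):
    """Per-frame forwarding decision at the switch. The VSAN boundary is
    always enforced; the zone ACL is applied to every frame only under hard
    zoning. Under soft zoning a frame addressed to a device that was merely
    hidden from the name server is still forwarded."""
    if PORT_VSAN[src_port] != PORT_VSAN[dst_port]:
        return False
    if not hard_zoning:
        return True
    return same_zone(PORT_VSAN[src_port], PORT_WWN[src_port], PORT_WWN[dst_port])
```

Host A on fc1/1 sees only the array in its name-server view, yet with hard zoning off a frame from A to host B is still switched; with hard zoning on, the ACL drops it, and traffic never crosses from VSAN 10 to VSAN 20 in either mode.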

Identifying Port Authentication Protocols

You need to be aware of two primary port authentication protocols when working with VSANs:

■ Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP)

■ Challenge Handshake Authentication Protocol (CHAP)

Understanding DHCHAP

DHCHAP may be used to authenticate devices connecting to a Fibre Channel switch. By using Fibre Channel authentication, you allow only trusted devices to be added to a fabric. This prevents unauthorized devices from accessing the Fibre Channel switch.

DHCHAP supports both switch-to-switch and host-to-switch authentication. It's a mandatory password-based, key-exchange authentication protocol. Before any authentication may be performed, DHCHAP negotiates hash algorithms and Diffie-Hellman (DH) groups. In addition, it supports Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)-based authentication.

CHAP in Securing SAN Devices

CHAP is the mandatory protocol for iSCSI, as chosen by the Internet Engineering Task Force (IETF). CHAP has been around for quite some time and is based on shared secrets. DHCHAP extends CHAP with a DH exchange, which both strengthens the authentication and provides an agreed-upon secret key. The goal of DHCHAP is to be a simple, easy-to-implement protocol.
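As an added example (not from the original text, and not the FC-SP wire format), the following Python sketch models the DHCHAP exchange just described: a CHAP challenge/response over a shared password, with a Diffie-Hellman value folded into each response so that both ports finish with an agreed secret. The DH group is a constructed toy group, and the hash name is taken from the MD5/SHA-1 pair mentioned above.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (2**127 - 1 is prime); real DHCHAP negotiates
# standardised groups of 1024 bits and larger during the exchange.
P = (1 << 127) - 1
G = 2

def response(hash_name, challenge, secret, shared):
    # CHAP-style response with the DH value mixed in: H(C || K || g^xy mod p)
    data = challenge + secret + shared.to_bytes(16, "big")
    return hashlib.new(hash_name, data).digest()

class Port:
    """One Fibre Channel port (switch or HBA) configured with the password."""
    def __init__(self, secret, hash_name="sha1"):
        self.secret, self.hash_name = secret, hash_name
        self.priv = secrets.randbelow(P - 3) + 2      # DH private exponent x
        self.pub = pow(G, self.priv, P)               # g^x mod p

    def challenge(self):
        """Send a fresh nonce and our DH public value."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce, self.pub

    def reply(self, peer_nonce, peer_pub):
        """Responder: derive the DH secret, answer C1, and issue C2."""
        self.shared = pow(peer_pub, self.priv, P)
        r1 = response(self.hash_name, peer_nonce, self.secret, self.shared)
        c2, gy = self.challenge()
        return r1, c2, gy

    def verify_and_reply(self, r1, peer_nonce, peer_pub):
        """Initiator: check R1 against our C1; answer C2 only if it matches."""
        self.shared = pow(peer_pub, self.priv, P)
        expected = response(self.hash_name, self.nonce, self.secret, self.shared)
        if not hmac.compare_digest(r1, expected):
            return None
        return response(self.hash_name, peer_nonce, self.secret, self.shared)

    def verify(self, r2):
        """Responder: check R2 against our C2."""
        expected = response(self.hash_name, self.nonce, self.secret, self.shared)
        return hmac.compare_digest(r2, expected)

def dhchap(initiator, responder):
    """Run the mutual exchange; True only when both sides authenticate."""
    c1, gx = initiator.challenge()
    r1, c2, gy = responder.reply(c1, gx)
    r2 = initiator.verify_and_reply(r1, c2, gy)
    return r2 is not None and responder.verify(r2)
```

A password mismatch on either side fails the exchange, and after a successful run both ports hold the same `shared` value, the agreed-upon key that plain CHAP does not provide.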

Working with Fibre Channel Authentication Protocol

If your organization needs a stronger means of securing the SAN than the password-based mechanism used in CHAP, Fibre Channel Authentication Protocol (FCAP) is available. FCAP, shown in Figure 8-9, was born from Switch Link Authentication Protocol (SLAP), the first authentication protocol proposed for Fibre Channel. With changes over time, this protocol was generalized and renamed FCAP. This optional authentication mechanism may be employed between any two devices or entities on a Fibre Channel network. It uses certificates or optional keys to provide a stronger level of security.

Figure 8-9 Fibre Channel Authentication Protocol: Application of FCAP

• FCAP is an optional authentication mechanism.

• Works with certificates or optional keys.

FCAP relies on an underlying public key infrastructure (PKI) to provide enterprise-class security. By using PKI, often present in more security-conscious organizations, as a foundational element, along with a certificate-based protocol, FCAP provides numerous advantages. Central among these are strong authentication and management data integrity. For some organizations, the complexities associated with a PKI can be daunting. This is the only significant argument against FCAP.

Understanding Fibre Channel Password Authentication Protocol

Fibre Channel Password Authentication Protocol (FCPAP) is an optional password-based authentication key-exchange protocol. It may be used in Fibre Channel networks to provide mutual authentication between Fibre Channel ports. FCPAP, which is based on passwords, was proposed as an alternative to FCAP. It has its roots in another protocol called Secure Remote Password (SRP).

As compared to FCAP, FCPAP does not require a PKI to operate. This was one of the main drivers behind its proposal. Although FCPAP does not require PKI, complexities are still associated with managing the passwords and other aspects of FCPAP.

Assuring Data Confidentiality in SANs

SANs provide an effective way for organizations to meet the ever-expanding need to store data. Because organizations store everything from social security records to client records to proprietary information on SANs, it is extremely important that this storage medium be secure and that the data be secure while in transit. This section examines the benefits of incorporating Encapsulating Security Payload (ESP) in your SAN solution. As an Internet standard, ESP can provide both encryption and authentication to further secure an organization's crucial data. We will also discuss the use of Fibre Channel Security Protocol (FC-SP) to provide both host-to-switch and switch-to-switch authentication to further secure enterprise-wide fabrics.

Incorporating Encapsulating Security Payload (ESP)

SANs are designed to provide fast access and expandable storage for your data needs. However, that access must also be secure. ESP represents a means of providing this security. ESP is an Internet standard that allows IP packets to be authenticated and encrypted.

ESP is a common security standard in many IP networks, but it also has been adapted for use in Fibre Channel networks. In fact, the IETF iSCSI proposal specifies ESP link authentication and optional encryption. ESP over Fibre Channel provides a means of protecting data in transit throughout the Fibre Channel network. Although ESP over Fibre Channel is an effective means to secure data while it is in transit, it does not address the need to secure data while it is stored on the Fibre Channel network.

Providing Security with Fibre Channel Security Protocol

FC-SP is designed to overcome the security challenges for enterprise-wide fabrics by providing switch-to-switch and host-to-switch authentication. FC-SP is a project of Technical Committee T11 of the International Committee for Information Technology Standards (INCITS). It focuses on protecting data in transit throughout the Fibre Channel network. Much like ESP, FC-SP does not address the security of data stored on the Fibre Channel network.

FC-SP is a security framework that includes a number of protocols to enhance Fibre Channel security in several areas. For instance, FC-SP addresses the authentication of Fibre Channel devices. It also provides cryptographically secure key exchange and cryptographically secure communication between Fibre Channel devices.
