Data Storage, Data Backup and Storage Virtualization - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Data Storage, Data Backup and Storage Virtualization


How Secure is Your SAN?



 By: David Morgenstern
2003-07-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Data Storage, Data Backup and Storage Virtualization story.


Rate This Article:
Poor Best
Many storage professionals are taking for granted the security of their Fibre Channel storage area networks. However, Storage Supersite Editor David Morgenstern warns that this blind-eye approach may not be equal to today's security needs.



Some managers are taking a rather what-me-worry approach to the security of their storage area networks, according to security experts. That attitude could perhaps be excused, when enterprise storage was tucked away deep inside the corporate network and protected by the arcane architecture of storage networks. Now that storage resources are closer to the surface, however, managers may want to get serious about SAN security.

That will be part of the pitch from storage security consultant Himanshu Dwivedi at this weeks Black Hat USA 2003 conference in Las Vegas. The managing security architect for @stake Inc. will detail the concerns a briefing dubbed: Security Issues with Fibre Channel Storage Networks.

"Less than one of the major indices of security are met in Fibre Channel: theres no authentication, only weak authorization and no encryption," Dwivedi said. "In many ways, a Fibre Channel attack is easier and can get to data a lot more quickly. Now, thats interesting."

In his presentation, Dwivedi will point out the core security problems in Fibre Channel SAN architecture. The protocol simply wasnt designed with security in mind, he said. Consequently, Fibre Channel suffers an inherent weaknesses of frames that make sessions susceptible to hijacking, and the limited authentication available from worldwide naming, which is currently used when zoning a network.

Resource Library:
During an interesting (and alarming) discussion about the issue last week, Dwivedi reminded me that when soft-zoning a SAN or masking LUNs (logical unit numbers), most security controls fall back on the worldwide naming for HBAs and devices. However, those names can easily be changed by the user.

"Spoofing the name is actually a feature of the device driver," he said, pointing out that many vendors provide a tool to customize the name. "Its surprisingly easy to gain access to data you shouldnt, in fact, its a lot easier to use the [FC] fabric than the IP access."

Among other recommendations to boost SAN security, Dwivedi said storage managers should segment SANs using so-called hard zoning instead of soft zoning; to avoid relying upon worldwide names to authenticate nodes; and to beware of exposing Fibre Channel frames to untrusted networks.

Certainly, the discussion surrounding storage security isnt new and Dwivedi pointed to products from Decru Inc. and NeoScale Systems Inc. as well as SSH Communications Security Corp.s QuickSec encryption toolkit for iSCSI developers.

At the same time, data stored on SANs has become more exposed. In the past, Fibre Channel technology was used for backup and dynamic file servers perhaps 4 to 5 levels deep inside an internal network. Nowadays, managers are leveraging their investment, making greater use of their SAN.

"Storage area networks are getting to the perimeter of the network, only one or two levels down," Dwivedi said. "If a file server or a Web server is compromised, thats an attack vector to the SAN. And its common in storage area networks to have several hundred machines with [both] FC and IP connections."

Still, many SAN integrators and customers have taken a wait-and-see approach to SAN security.

"Whether its storage or wireless, people dont believe all the [security] issues up front," Dwivedi said. "A lot of storage professionals think that all the attackers in the world are outside on the Internet, and theyre protected with their VPN, firewalls and encryption, so theres no way attackers can get into the storage area network. Sometimes that can be true, but mostly not."

This complacency has been enabled by the fact that most attackers dont have an understanding of Fibre Channel SAN architecture as well as by the high cost of HBAs. Still, Dwivedi warned that such "security by obscurity doesnt scale in an enterprise architecture."

Instead of being complacent about this lack of education on the part of everyday hackers, storage managers should view this situation as a grace period, letting us get a handle on the security problem. In fact, if you look hard enough, you can find similar quiet times before the widespread understanding of any security vector, including application-side buffer overruns, Internet worm attacks or IP spoofing. In each case, the industry delayed action, underestimating the diligence or perspicacity of the opposition.

Is there a security problem with SANs or not? Are you satisfied with the current state of your SAN security? Let me know what you think!

David Morgenstern is a longtime reporter of the storage industry as well as a veteran of the dotcom boom in the storage-rich fields of professional content creation and digital video.

More from David Morgenstern:



  Reader Comments: How Secure is Your SAN?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Data Storage, Data Backup and Storage Virtualization Articles          >>> More By David Morgenstern
 


x}is㶲*Qމg5ER%uƶ|,LU(S$IyI^r_7nZhdrxjl@74Aș3!9)ٝ0Oo-zIj|ݻPAeFAUM7 JԶO7RM3i /4w7wGlJ{'AT{j" xL5 ΚMH]ٚ7'x2)X $8kzZ'jZ$l(P8 w(ZB; ?*B4m$oqT}:XQ=2rН3ݟXBT Kt/"(?c&s?9;|'Ț_h@Q5w0NK <[8 #5nCUVekF֠}lui!l 1!osݿ!HͤNޤ@d jId::`YTi 1܉\Ї@ڮSVPf̲;o tG oc}uק&[! !$f >v?& QI'6q_F^_3'@8:)|E[5'0m_k|tfs< s~3 CoZe؄j% =y7`JaCzJ&5\_-׉E>7 ؗY͢Aeʆ}sʾVWR\W╻]`[BUzEÝ|c4:~)UUe=,GA GnGkp[I^׵Sq={'r9;{'׼ ;A;YHL~#/@DJ V,MD&-ԁNVP? uΑjQ2[F-_ Kj%ɥ~hY̞o fVҘ 'UUXA[~6t.˫nCӣnlL,!V4*V]?c[ˠjq}Ҿ~^{}rһ"ΧqٝF4pgs Z_Zr\? z?lrK,.iTW%3eLCxY$Y.r{&:CJ ݖEL_*D\KŗG)LY4C! ,2ɌcPu t:C;|sƊNmҔ& )B:%u(5Hr Q@a)#8?S%i8@r5XSl \OFo4'M3XE U >hi,A[T}N}W%M 1F|r+E KH@!}F!8N0Apl/\d~]LãQwWڲ9Q[% kK\M흚"#-+}י4O:ǫN/{~:PqJ"0"- ]evbckꛛZϏRa^TU G&-d`q86acBݤc}nE=aAgIy|FMk>ktI=XC#ʠ:ڴ;\VS4!&- 'pbdx: }# 0f4mLH"AЂMtT8n]`2Z9ܹ ([ hk= `Dy+wMGHb1(=զA{Tg,zC {k6G~[>l0szQN\Qo@m2)%%E24.'H(AH 9[h ]99z|?#!bRN[ T6ݞH:s'PT+esMX)gQY,p[/)Pf%5{~4 cbB|#'&Xr`Y \d+|i)lb 6؛ri:|:ioBg< 08Bdp=[IZ&1C IK,tt?;\ύ!7!q"-%`|fX4Кs=RA\^XPL[Nm)tsf9`ZƔWjP~A-QM;luV<ۢfA8 u k2ZE'6`FTTMZ|!||=Ꭴm[4@W*|zS.z8؍8r!O5kb$`CO ]|:'}=r=Cۮ!r N>+]hp$HhS+}aQu5kaAa ŵAb=?x ҫC~y,gK+Igyaؓ.ZL|r [Qz{=cTf le8l0X:Ŀuosj1&?NՊRRiO9&"_Gƅ Kd^ `O`Tc׶ݻ|̠:L'QZ^-B-g\npb Z*LgAqA04L\y5/ +?wV0\nSOКa+;ЂqNl*IH qNIQ)kMxg9oLI3 iȐ0ցq_HE"}[kppLU.)L0:Jj +,X8:T#;4f6tW߀bIu?I BM!RBs]}=1 2`{t&RZUU+òZP+7cUFQX5`Cw<ꗧ!7~g2-sgeH): g-%㓏.Vp)#Z$ c`ײ. _AX{kOhR9A} l#d; $$MUpnp{E@=F&: pJE Mkm z@zzN{Բ':ӌ0ZLfemB(D(p)~)h? UK*~iϻjoR68F2( #s]QB-Pj O5c Қ9k+4C |3MdhH[+XȎ/ͯ6> s}&nfG{mxC`vfD++13R8Wqom؋W#Cf˴W6i&01"45" ~>tU*`x,4J,BfĜAYo]b+o95=1۠~}R5F70p#=ܓe &sZcd{ WϝiqHYf:al#<6@ea ʋzhBs-v4>eʊt0FyX!6 kq0n"8wDAۭCߊ> P5uRQX\u@VI^A ұg /@C׳@.l̼QXCGVUeH4yģT3# y $6-.wEZЋֶ E5bbbϦ\#2OR(KY,aZp9ЃNIC#,A,B |&nR X'W:Z;L$節e 2(-RV%%f!vI#G.ɢ6A(™)dIH59l)`P(S=T@mZ +ia/ dw!]: PG" cZ,nAYb @Ns/4ڎVõ]2MdX$U gMٸUJӴ%I? O} *Q-ˤӧG׆!oy!3." WP)߱~놺9)xT-kZl[ԪwB!iq]C0 IZW+{) ,%~w9@` |ZUjr22DBZNBq<:N)ItS^1%wXL] tKM$DDOC~Ui&gX&J*6şc1Ήˏ{{=LM_BP` &Ѧ0pmOOt@MEw%]w4{һH'qCrֽH^'K֓!R% p!DN*:f3ڌ6NJ,!zqaxKiWf@ ڝ+N,XKS!}>#mP5õhL٦;+^+[Z\f·߅B!bNgvczȖVBL0B_XH!)$ze*KC>$YZg_{w jEާPZIR"9oũ-xOӆO\(]ax!um q%ӝr*n SAٸEO[ ,4mfSs SѤAgJȄfye5a5R!MLCYOC/ $a;kB6\xs giMO6mn3jto6DrF߳`m\&( q0"E HY)o8-yB>Blb%hղoeW!X>=lj9l01$zB)-!䴨tc~MbԽcsc;QlwR;2x;yZ1?ݾpneyr0jw;t=z;Ojw]Q3L;ݘ~h='s o.hcm:;@TBP$w"B+NQD$=,`*h 5nW8Kot!HG.z:tH09~%H@2onuhCk7yEO>O4D]{'NE Tz7ngm,da}?H+Fis(\O4gvdLg!I )Vz5w7`ʜ9%/+xsr/'C(o9P2tIK Js`ȾqC7׷b8wB!|] {~W]ߣPIݣ뻻~=mҊ(r]ZD ܎qw5U{II5)xu<-r`RTozH^8ڈڽ]cg[D:*t'x||nƄ?m?C4ȥN=t7w6BfX AV1a+ }kMH!q` @(4T8xl?|nwcLRx666y) h4RV`.lf8W ֍N 6V8eQFD5|} rx|Svz7_7c\PF< w *ƒK0K(p!$~8=3q D xQx7e\ڊ]aKn~ Vv/wXh45dnVԌӂljPS Lt4/tc4W, ]ލ㔯h`aġN(vv6>d:p|k"aTSa̎2OA0 CjĦxśEsx:,'1TC(n״3/P*etnMxAǪȨi@-!rw ucL~*gGMٗAÙ?8 h:wrAL66p'vU0CE S.bZratp' aq0?>9+Qx ;-7fd9sNH"*ad dݦ~83I*+s-Lez5%z\3^cfqE;G({=2Y* ؗH oP7_weVNovu2@TtV3TLj,U嬟,mi9FD bGf~3xstZx/t%MQ eEWdbBhwp.FJ8P<@It! =}22՟+qwo%Uٻ^XF )^,ȗ@Jn *a踠uH"E؁TU+Fk~6R|U F{ۿ=MItM"OQ,}ї/ҹ~?ЛmSh7}%T.״'#91$1H=:I8Jp[4V~);K,ݑn3) IdI0~ ھRݯOb$O%1vK9 {qdExz&n{5 R8P<p#(@GKn]H=L%},UeY$m^Wj9E%b q|(4(qSJ%2[Xrk0cLAHzOI+W$vz$ 6 UPދ$hnȬ)^|GMzCUc&uu_Q-J"$HdL0_J(>aŗT,/kg\;,DU<<<<_\=Ήz s^Yd#.,/*!&<,(Ugy@N,}W70M65'T2&3Pnn\uCJ^Ř_:cz#!Z 6'fHK#&@ z%C@7$s~a--LvR`Gp+"3\>|O'>ez C|5_ ԆtZ~ex ˝7z-T{4Cv[=N x$'Bgz-P|Rkpم8"Gy}04Z~j>&9q Vϼ4!Hb $.Q_ Ij> iZ= pJs7%K=QPzpO7Bx#D$ȸ@@5Yօ[7:5BYQז N4raqpy /}ZpY$֞Infi4F&sُp3'Fΐ௅nX{+$ʽOg->-bWldb$@]_ٹt> =gs? >zxX2bv9k `GCߑ?@G/Zm~CRO⺢t@P?»"˖1ueXZC8ܰJ7o8gkH0ג rDLht?\]}aE1p4*pgj9U Kd M 2@: xE ? W>nrS-i`IkBx lx DxmDRRicyx 19ӈ)iY{S{9KqEÿ/ Ĭԁ DjcT:C ]N"@ g o#!)u7SI,G/xa 3 s``EPf00a|Ln?gaظO^F@ 3+f)u n9 :jeOLg>򽉑{:yؽ s)aR;:[Q@<P 4'/#7,Xzoj Bp),f,՚RD&u]Cu]j%@]À YU^&"_[Ӕ\ BI] / (HZ W{}KCHIPu0՝fh]^}&'+"'W<_u/9`oW[u|ܻ|ҽ\^u/&hL晾xQ(X7OGYFuavʜT{͈Ks!Yx9Kxu, /Eyx&0<< L*a^e5DM@+:[ -xec n_u}-[I ;YWG>;ȱkHw r:X)` FQg bc9HShF&5+:r<)r_rʯj}q (Sރ^N9R`}ypCI~CG([hvחwۅfS3݋r7~Ng( m<ϙsyy|y~?99<>ρ>sy"gSN)S~909{s?09׃rˑ?=/r qCeW@?W9Ӈs߇s?_P>'(W3OO9rsڿΡ=>k]T(RhK "S^9,.NrX v;n;+ja5v`g11y^i,)mĤj$lG[wzhLS,fi_cErd9'U ZCQ8ۈ83ϖ=-g5zwC0wOx ; rug+6b?teW .@r"/T3l}] 5ӌO=n9 r bFוF|(pIei/ 1S\ǐ*u~)L nb[>/I>=K}v`"'Sg ?Fπxv.G$lM0 `?94vsL9r H\}L.I5""HH "s{B|%{j9Sn.48rCShx#`AsN[Q=$V*׽d$36'{_ԴI~𫰯-"~J1j+#/r ƨz<RĠ#)b$V3v,=GIkg_5 B3q< Y8T"?6aJm& smqo »L3CY,> V_$v}%B+*π 8H2G$!᳜c9"3>("nty9=|^[zQؗ@1aG'Q5R^v ȥI񿄗zH,刔SAQV+yJ>? T@| %{\6DDRw}B0yNmv89DEPމx37'e-s0ŬBSh<)Ob'[nG\k<>ai$x)fZձMw O 7g}L޴CHPVWݜO Xo|8j.h6AF|'K 9D/7ag} r@c]Lآ\nPTjӟfBPvlRP`OՙَSw>E}2\Hxkyf#%3+~`[t%(5x.[vGLWe؋(| _b[0~X+mKbA<\n2?>%i3Z~@ }( of4`y%K@, qS`p#1tVBR(ctA U1?cm'nFQXƺi#¶u4meѩ&oߩn^SQa[O_<.tc b,ۙF ya1 g'{y{~k#'>fgsx>Y}#s!?²LjHmf^^kti( aa vXc-hw͹!wS׆)񳇹0ϕòD1F(g,1f& wAx& =`#hxj"nh1 Ld'k%I }fBGnԌaB:cv L$FG8 S^߳b+/A,xr&r*]xWI"cXMb0x@t&W.rWbE`?|Ykh YIb λgxH%D}Sw= aFK'O(Uƥ.}:8XQ|;]%`gd /=jxxі6EKB];Y B*Cwj񮞝?`*XE#lMc01B4gr09c֎VMM.3a-dcN_ l9O,