Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Storage

    How Secure is Your SAN?

    By
    David Morgenstern
    -
    July 28, 2003
    Share
    Facebook
    Twitter
    Linkedin

      Some managers are taking a rather what-me-worry approach to the security of their storage area networks, according to security experts. That attitude could perhaps be excused, when enterprise storage was tucked away deep inside the corporate network and protected by the arcane architecture of storage networks. Now that storage resources are closer to the surface, however, managers may want to get serious about SAN security.

      That will be part of the pitch from storage security consultant Himanshu Dwivedi at this weeks Black Hat USA 2003 conference in Las Vegas. The managing security architect for @stake Inc. will detail the concerns a briefing dubbed: Security Issues with Fibre Channel Storage Networks.

      “Less than one of the major indices of security are met in Fibre Channel: theres no authentication, only weak authorization and no encryption,” Dwivedi said. “In many ways, a Fibre Channel attack is easier and can get to data a lot more quickly. Now, thats interesting.”

      In his presentation, Dwivedi will point out the core security problems in Fibre Channel SAN architecture. The protocol simply wasnt designed with security in mind, he said. Consequently, Fibre Channel suffers an inherent weaknesses of frames that make sessions susceptible to hijacking, and the limited authentication available from worldwide naming, which is currently used when zoning a network.

      During an interesting (and alarming) discussion about the issue last week, Dwivedi reminded me that when soft-zoning a SAN or masking LUNs (logical unit numbers), most security controls fall back on the worldwide naming for HBAs and devices. However, those names can easily be changed by the user.

      “Spoofing the name is actually a feature of the device driver,” he said, pointing out that many vendors provide a tool to customize the name. “Its surprisingly easy to gain access to data you shouldnt, in fact, its a lot easier to use the [FC] fabric than the IP access.”

      Among other recommendations to boost SAN security, Dwivedi said storage managers should segment SANs using so-called hard zoning instead of soft zoning; to avoid relying upon worldwide names to authenticate nodes; and to beware of exposing Fibre Channel frames to untrusted networks.

      Certainly, the discussion surrounding storage security isnt new and Dwivedi pointed to products from Decru Inc. and NeoScale Systems Inc. as well as SSH Communications Security Corp.s QuickSec encryption toolkit for iSCSI developers.

      At the same time, data stored on SANs has become more exposed. In the past, Fibre Channel technology was used for backup and dynamic file servers perhaps 4 to 5 levels deep inside an internal network. Nowadays, managers are leveraging their investment, making greater use of their SAN.

      “Storage area networks are getting to the perimeter of the network, only one or two levels down,” Dwivedi said. “If a file server or a Web server is compromised, thats an attack vector to the SAN. And its common in storage area networks to have several hundred machines with [both] FC and IP connections.”

      Still, many SAN integrators and customers have taken a wait-and-see approach to SAN security.

      “Whether its storage or wireless, people dont believe all the [security] issues up front,” Dwivedi said. “A lot of storage professionals think that all the attackers in the world are outside on the Internet, and theyre protected with their VPN, firewalls and encryption, so theres no way attackers can get into the storage area network. Sometimes that can be true, but mostly not.”

      This complacency has been enabled by the fact that most attackers dont have an understanding of Fibre Channel SAN architecture as well as by the high cost of HBAs. Still, Dwivedi warned that such “security by obscurity doesnt scale in an enterprise architecture.”

      Instead of being complacent about this lack of education on the part of everyday hackers, storage managers should view this situation as a grace period, letting us get a handle on the security problem. In fact, if you look hard enough, you can find similar quiet times before the widespread understanding of any security vector, including application-side buffer overruns, Internet worm attacks or IP spoofing. In each case, the industry delayed action, underestimating the diligence or perspicacity of the opposition.

      Is there a security problem with SANs or not? Are you satisfied with the current state of your SAN security? Let me know what you think!

      David Morgenstern is a longtime reporter of the storage industry as well as a veteran of the dotcom boom in the storage-rich fields of professional content creation and digital video.

      More from David Morgenstern:

      David Morgenstern
      David Morgenstern is Executive Editor/Special Projects of eWEEK. Previously, he served as the news editor of Ziff Davis Internet and editor for Ziff Davis' Storage Supersite.In 'the days,' he was an award-winning editor with the heralded MacWEEK newsweekly as well as eMediaweekly, a trade publication for managers of professional digital content creation.David has also worked on the vendor side of the industry, including companies offering professional displays and color-calibration technology, and Internet video.He can be reached here.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×