
Securing Your SAN

Introduction to security

The most important thing in running an IT business is protecting its information from
malicious attackers who want to use it for personal purposes or with evil intent.
These attackers may be insiders within the organization, hackers, or competitors.
Most people think that the IT security team is responsible for protecting the data
or information, but it is the responsibility of every individual in an organization.
The responsibility of the security team is not only protecting data from outsiders but
also making everyone in the organization aware of what is expected from their side. The
basic objectives of security are:

• Reliability
• Confidentiality
• Integrity
• Authentication
• Availability
• Access control.

Now we will discuss each of these objectives.

Reliability
Reliability refers to making sure that anytime you access your data, it is what you
had ended up with after the last modification. Reliability is an implicit requirement
of any security policy.

Confidentiality
Confidentiality deals with preventing the disclosure of information to unauthorized
persons. This information may be business secrets or any copyrighted material. We
can achieve this by using an encryption/decryption algorithm that can be understood
only by the intended senders and recipients.

Integrity
Integrity deals with verifying whether the data is the same on both the sending and
receiving ends. Integrity ensures that data is not corrupted. This maintains the
uniformity of the data on both sides. Integrity can be achieved by adding some extra
information to the original that represents the actual data.

Authentication
Authentication is validating the sender and receiver. This helps both sender and
receiver to trust each other. Authentication can be done by using digital signatures,
passwords, etc.

Availability
It is very important for any organization to have its data available anytime and
anywhere to an authorized user. Downtime is very costly for an organization
and may drive the business into losses. Applying patches and preventing hackers from
snooping on the network can ensure availability.

Access control
Access control refers to making sure that people are exposed only to the information
they are supposed to access. Making the right kind of information accessible only to
the right person is a major aim of security.

A good security solution should protect all the objectives. A good security solution
needs proper planning, and this plan is called a security policy.

What is a security policy?

A security policy defines the procedures, guidelines and practices for
configuring and managing security in an organization. Every organization should
have a security policy, and it should be implemented by higher-level officials. The
higher the level of security we aim for, the more investment is needed to implement
it. Hence an analysis is needed before formulating a security policy. Qualitative
risk assessment and cost benefit analysis are the most important types of analysis.

Qualitative Risk Assessment

Because of the uncertainty associated with risks in the IT business, it is not easy
to calculate the risk level. Several techniques have been developed for estimating it,
such as multiplying the threat frequency by the risk associated with it. All the risks
are considered, such as those to assets, information, etc., while calculating the
overall risk.

Cost benefit analysis

Cost benefit analysis gives an estimate of the monetary losses if the data is lost.
It is used for calculating a break-even point. The break-even point is
the point at which the security implementation investment and the monetary losses
are the same. In this analysis risk is not taken into consideration. For example, it is
not a wise decision to implement security costing 10000 bucks for information worth
1000 bucks.

This analysis acts as a baseline for creating a security policy. Formulation of the
security policy needs higher officials from all the departments and domain experts.

The following steps are to be followed while creating security policies:

1. Determining the need for the policy.
2. Discussing with department heads and determining what is to be protected,
such as assets, clientele lists, etc.
3. Reviewing government rules and regulations so that the policy can protect the
organization if any discrepancies occur, and modifying it accordingly.
4. Creating a policy satisfying the above three steps.
5. Reviewing the policy with higher officials and modifying the policy if any
changes are needed.
6. Approving the policy and training all the associates.
7. Reviewing the policy quarterly or half-yearly and modifying it if
needed.

[Figure: Flow of events for formulating security policy. Determine the need for
policy; discuss with workgroups; check for legal issues (modify if needed);
formulate policy; higher officials' approval/review (modify if needed);
implementation; review/update every three or six months and modify if needed.]

Security in SAN

The concept of centralized data storage running on a dedicated high-speed
back-end network that can be accessed by the servers connected to it is called a
Storage Area Network (SAN). According to SAN theory, any host on the network can
access any of the data in the network, but from a security point of view this is a
threat. For example, imagine a scenario where a hacker compromises a server: he can
then access all the data on the network, and in some circumstances even modify it,
which is not desirable in an enterprise storage environment. Most of the SANs
deployed today run on FCP (Fibre Channel Protocol). FCP was designed with speed as
the primary factor; as a result it lacks authentication. Authentication is the most
important factor in security when we talk about networked storage, so we need a good
security policy that can at least compensate for the lack of authentication in the
Fibre Channel protocol. Before formulating a security policy we need to find out the
loopholes, vulnerabilities and types of attacks that are possible.

Some of the possible attacks against SAN are

• Spoofing the ports.
• Spoofing the FC-AL.
• DoS (Denial of Service) attack.

So we need to have a security policy, which can address all these problems. First of
all we need to define the security needs by identifying the domains. These domains
typically define different categories of communications that must be protected by the
in a storage area network. These domains include:

• Administrator-to-security management domain: Between administrators
and their management applications.
• Host-to-switch domain: Between host servers, Host Bus Adapters (HBAs),
and the connected switches.
• Security management-to-fabric domain: Between management
applications and the switch fabric.
• Switch-to-switch domain: Between interconnected switches.

Administrator-to-Security Management Domain

Administrator access controls work in conjunction with security management
functions. Because security management impacts the security policy and
configuration of the entire SAN fabric, administrator-level fabric password access
provides primary control over security configurations.

Host-to-Switch Domain

In host-to-switch communications, individual device ports are bound to a set of one
or more switch ports using access control lists (ACLs). Device ports are specified by
worldwide name (WWN) and typically represent HBAs.

Security Management-to-Fabric Domain

A security management function should encrypt appropriate data elements with the
switch's public key. The switch then decrypts the data element with its private key.

Switch-to-Switch Domain

The switches should enforce the security policy in secure switch-to-switch
communications. By using digital certificates and ACLs, the security management
function initializes switches. Switches exchange these credentials during mutual
authentication, prior to establishing any communications. This practice ensures that
only authenticated and authorized switches can join as members of the SAN fabric or
a specific fabric zone. Furthermore, this authentication process prevents an
unauthorized switch from attaching to the fabric through a port.

The common methodologies used to provide security in SAN are

• Zoning
• LUN masking
• Binding ports with servers.

Zoning

Zoning is the logical separation and isolation of fabric-connected devices into
logical groups. These devices may include servers, switches, and storage
disk arrays. Only the members of a zone can access the devices in that zone. The
figure below describes zoning. Only the members of Zone A (Server A, Server B
and disk1) can access the members of Zone A; a member of Zone B cannot
access members of Zone A unless it is also a member of Zone A.

[Figure: Zoning. Server A, Server B, Server C and Server D connect through a SAN
switch to Storage Disks 1, 2 and 3, grouped into Zone A and Zone B.]

There are two types of zoning:

• Soft Zoning
• Hard Zoning

Soft Zoning

Soft zoning uses the WWN (World Wide Name) of the nodes connected to the fabric.
WWNs are in hexadecimal format. A WWN may look like 12:12:23:34:1a:ab:e3:27.
The WWN uniquely identifies a device connected to the SAN. If the WWN of
a node is assigned to a particular zone, then all the ports associated with that node
are also in the same zone.

Hard Zoning

Hard zoning uses port numbers instead of the WWNs used in soft zoning. Assigning a
port number to a particular zone does not place the other ports associated with that
port in the zone, so we need to configure each and every port, which helps in
improving security. Though hard zoning is hard to configure in dynamic
environments, it is the one that can improve security.

LUN Masking

LUN masking, or address masking, is a method of assigning a LUN to be exclusively
accessed by particular hosts. By using LUN masking it is possible to assign a single
LUN to a single host. This allocation of a LUN to a host is made by hiding the rest of
the LUNs in the network. LUN masking doesn't use any special connection; it just hides
the other devices. It is like an unlisted phone number, which is very hard to guess. In
the figure below, LUN addresses 2, 5 and 8 are blocked (hidden) and only LUN address 11
is visible to the host I/O controller.

[Figure: LUN masking. At the server's host I/O controller, Address 2, Address 5 and
Address 8 are blocked and Address 11 is visible.]

LUN masking can be implemented in three places:

1. Storage disk arrays
2. Servers
3. SAN.

LUN masking in storage

LUN masking in storage is implemented by configuring the RAID controller. This method
removes the job of configuring the hosts independently. It is attractive
because the masking is done at the storage level, and servers or hosts cannot see the
hidden LUNs. One more advantage is that there is no need to configure the
servers. It is suitable for an environment with a large number of servers.

LUN masking in servers

LUN masking in servers is very easy to implement. To implement it, servers are
configured to ignore all the LUNs that are not assigned to them. The problem with
implementing masking at the server level is that the server actually sees all the
LUNs and merely ignores those not assigned to it. This is not what we want in a well
secured environment.

LUN masking in SAN

We can implement LUN masking in the SAN in many ways, such as using special devices
or configuring switches.

There are many devices available that perform the function of LUN masking. Such a
device sits between the SAN and the storage devices. This is very attractive because it
is independent of hosts, servers and storage devices. It also provides interoperability
among vendors. The problem with this method is that it needs an extra host to manage
the device.

The other method is configuring the switch itself using a lookup table. Research
is still going on into this method because of memory constraints on FC switches. Some
vendors are planning to release switches that support LUN masking.

Binding ports with servers

It is a method of defining which servers will access which ports; for example, Windows
servers will access port 1 to port 5, etc. This provides a way to separate
heterogeneous servers and maintain them very easily.

These are the common methods available today to improve security in a SAN
environment. Based on the organization's requirements, we need to decide which
method is to be used and in what way. Hard zoning along with LUN masking in the SAN
and port binding gives a higher level of security.
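
The layered effect of these methods, as an added example that is not part of the original paper: a small Python model that follows the paper's definitions (soft zoning keyed by WWN, hard zoning keyed by switch port) and reports which layer rejects a login. The WWNs, port numbers, table names and the `decide` function are constructed for illustration and do not correspond to any vendor's configuration.

```python
# Constructed model of zoning, port binding and LUN masking as layered checks.
# Every WWN, port number and LUN below is a made-up sample value.
from dataclasses import dataclass

SERVER_A = "10:00:00:00:c9:aa:aa:01"
SERVER_B = "10:00:00:00:c9:aa:aa:02"
DISK1 = "50:06:01:60:bb:bb:00:01"
DISK1_PORT = 8

SOFT_ZONES = {"zoneA": {SERVER_A, SERVER_B, DISK1}}   # membership by WWN
HARD_ZONES = {"zoneA": {1, 2, DISK1_PORT}}            # membership by switch port
PORT_BINDING = {SERVER_A: {1}, SERVER_B: {2}}         # WWN -> permitted ports
LUN_MASK = {SERVER_A: {11}, SERVER_B: set()}          # WWN -> visible LUNs

@dataclass(frozen=True)
class Login:
    wwn: str          # WWN the device claims at login (a claim, not proof)
    switch_port: int  # physical switch port the device is cabled to

def soft_zone_ok(wwn, target_wwn):
    return any(wwn in m and target_wwn in m for m in SOFT_ZONES.values())

def hard_zone_ok(port, target_port):
    return any(port in m and target_port in m for m in HARD_ZONES.values())

def decide(login, lun, hard=True):
    """Return (allowed, reason); reason names the first layer that denied."""
    if hard:
        # Port-based layers: these depend on where the device is plugged in.
        if not hard_zone_ok(login.switch_port, DISK1_PORT):
            return False, "hard zoning"
        if login.switch_port not in PORT_BINDING.get(login.wwn, set()):
            return False, "port binding"
    elif not soft_zone_ok(login.wwn, DISK1):
        # WWN-only layer: trusts whatever WWN the device presents.
        return False, "soft zoning"
    if lun not in LUN_MASK.get(login.wwn, set()):
        return False, "LUN masking"
    return True, "allowed"

if __name__ == "__main__":
    cases = [(Login(SERVER_A, 1), 11, True),   # legitimate host, assigned LUN
             (Login(SERVER_A, 5), 11, False),  # claimed WWN, WWN-only checks
             (Login(SERVER_A, 5), 11, True),   # same login, port not in zone
             (Login(SERVER_A, 2), 11, True),   # zoned port, wrong binding
             (Login(SERVER_A, 1), 5, True)]    # legitimate host, hidden LUN
    for login, lun, hard in cases:
        print(login.switch_port, lun, "hard" if hard else "soft", decide(login, lun, hard))
```

With only WWN-keyed controls, a login that presents Server A's WWN from an unzoned port is accepted; the port-keyed layers reject the same login, which is why the paper recommends combining them.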

When SAN emerged as a new networked storage technology, no one thought of its
security, but due to increasing security concerns many people are now working on
it. As a result, many protocols and products have been developed; some of them are FCAP
(Fibre Channel Authentication Protocol), FCPAP (Fibre Channel Password
Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol).
Management software that can improve security is also available. New kinds of
switches are also being developed to improve security, which can support LUN
zoning as well.

Conclusion

A SAN is used in an organization where data needs to be highly available, reliable and
serviceable. Implementing a SAN addresses these needs, but we also need to
protect the SAN from various attackers such as hackers, competitors, etc., and keep our
data secure in the SAN environment. To secure a SAN we need to formulate a security
policy that matches all the organization's requirements, is implemented by higher
officials, and creates awareness among associates in the organization. This security
policy should be reviewed quarterly or half-yearly and modified as needed to meet
the organization's requirements.

Glossary

1. ACL – Access Control List
2. CHAP – Challenge Handshake Authentication Protocol
3. DoS – Denial of Service
4. FCAP – Fibre Channel Authentication Protocol
5. FCP – Fibre Channel Protocol
6. FCPAP – Fibre Channel Password Authentication Protocol
7. IP – Internet Protocol
8. LAN – Local Area Network
9. LUN – Logical Unit Number
10. SAN – Storage Area Network
11. SCSI – Small Computer System Interface
12. SNIA – Storage Networking Industry Association
13. WWN – World Wide Name
