Securing Your SAN
Introduction to security
The most important task for any IT business is to protect its information from
malicious attackers who want to use it for personal gain or with evil intent.
These attackers may be insiders within the organization, external hackers, or competitors.
Most people think that the IT security team is responsible for protecting the data,
but it is the responsibility of every individual in the organization.
The security team is responsible not only for protecting data from outsiders but
also for making everyone in the organization aware of what is expected of them. The
basic objectives of security are:
• Reliability
• Confidentiality
• Integrity
• Authentication
• Availability
• Access control.
Reliability
Reliability means making sure that whenever you access your data, it is exactly what you
ended up with after the last modification. Reliability is an implicit requirement of
any security policy.
Confidentiality
Confidentiality deals with preventing the disclosure of information to unauthorized
persons. This information may be business secrets or copyrighted material. It is
achieved by using an encryption/decryption algorithm so that the data can be understood
only by the intended senders and recipients.
Integrity
Integrity deals with verifying whether the data is the same at both the sending and
receiving ends, which ensures that the data has not been corrupted and keeps it
uniform on both sides. Integrity is achieved by adding some extra information to the
original that represents the actual data.
Authentication
Authentication validates the identity of the sender and the receiver, so that both
can trust each other. Authentication can be done using digital signatures,
passwords, etc.
Availability
It is very important for any organization to have its data available anytime and
anywhere to authorized users. Downtime is very costly for an organization
and may drive the business into losses. Applying patches and preventing hackers from
peeping into the network help ensure availability.
Access control
Access control refers to making sure that people are exposed only to the information
they are supposed to access. Making the right information accessible to the
right person only is a major aim of security.
A good security solution should protect all of these objectives. A good security solution
needs proper planning, and this plan is called a security policy.
Because of the uncertainty associated with risks in the IT business, it is not easy
to calculate the risk level. Several techniques have been developed to estimate it, such as
multiplying the threat frequency by the risk associated with it. All risks, such as
those to assets and information, are considered when calculating the overall
risk.
Cost-benefit analysis gives an estimate of the monetary loss if the data is lost, and
is therefore used to calculate a break-even point: the point at which the investment in
the security implementation and the monetary loss it prevents are the same. Risk is not
taken into consideration in this analysis. For example, it is not a wise decision to
spend 10000 bucks on security for information worth 1000 bucks.
This analysis acts as a baseline for creating a security policy. Formulating the
security policy requires higher officials from all departments together with domain experts.
[Figure: security policy lifecycle. Determine the need for a policy; check for legal issues (modify if needed); formulate the policy (modify if needed); approval/review by higher officials; implementation; review/update every three or six months and modify if needed.]
Security in SAN
• Administrator-to-security management domain: Between administrators
and their management applications.
• Host-to-switch domain: Between host servers, Host Bus Adapters (HBAs),
and the connected switches.
• Security management-to-fabric domain: Between management
applications and the switch fabric.
• Switch-to-switch domain: Between interconnected switches.
Host-to-Switch Domain
In host-to-switch communications, individual device ports are bound to a set of one or
more switch ports using access control lists (ACLs). Device ports are identified by
worldwide name (WWN), which typically represents an HBA.
A security management function should encrypt the appropriate data elements with the
switch's public key; the switch then decrypts the data elements with its private key.
Switch-to-Switch Domain
• Zoning
• LUN masking
Zoning
Zoning is the method of logically separating and isolating the devices connected to the
fabric into logical groups. These devices may include servers, switches, and storage
disk arrays. Only the members of a zone can access the devices in that zone. The
figure below illustrates zoning: the members of zone A (Server A, Server B
and disk1) can access only the members of zone A, and a member of zone B cannot
access the members of zone A unless it is also a member of zone A.
[Figure: zoning. Server A, Server B, Server C and Server D attached to a SAN switch, partitioned into Zone A and Zone B.]
Zoning
• Soft Zoning
• Hard Zoning
Soft Zoning
Soft zoning uses the WWN (World Wide Name) of the nodes connected to the fabric.
WWNs are written in hexadecimal; a WWN may look like 12:12:23:34:1a:ab:e3:27.
The WWN uniquely identifies a device connected to the SAN. If the WWN of
a node is assigned to a particular zone, then all the ports associated with that node
are also in the same zone.
Hard Zoning
Hard zoning uses switch port numbers instead of the WWNs used in soft zoning. If a port
number is assigned to a particular zone, the other ports associated with that node are
not automatically in that zone, so each and every port has to be configured
individually, which improves security. Although hard zoning is hard to configure in
dynamic environments, it is the option that improves security.
LUN Masking
[Figure: LUN masking at the server's host I/O controller. Of the LUN addresses presented by the storage, addresses 2, 5 and 8 are blocked and address 11 is visible to the server.]
LUN masking in the server is very easy to implement: the server is configured to
ignore all the LUNs that are not assigned to it. The problem with implementing it at
the server level is that the server actually sees all the LUNs and merely ignores the
ones not assigned to it. This is not what we want in a well-secured environment.
LUN masking in SAN
LUN masking can be implemented in the SAN in many ways, such as using special devices
or configuring the switches.
There are many devices available that perform LUN masking. Such a device sits between
the SAN and the storage devices. This is very attractive because it is independent of
hosts, servers and storage devices, and it also provides interoperability among
vendors. The problem with this method is that it needs an extra host to manage
the device.
The other method is configuring the switch itself using a lookup table. Research is
still going on this method because of memory constraints on FC switches. Some vendors
are planning to release switches that support LUN masking.
Port binding is a method of defining which servers will access which ports, for example
a Windows server will access port 1 to port 5. This provides a way to separate
heterogeneous servers and maintain them very easily.
These are the common methods available today to improve security in a SAN
environment. Based on the organization's requirements, we need to decide which
method to use and in what way. Hard zoning together with LUN masking in the SAN
and port binding gives a higher level of security.
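As an added example that is not part of the original paper, the following Python models the three layers just listed, port binding, zoning (soft by WWN, hard by switch port) and LUN masking, and shows that an I/O request has to clear every one of them. The `Fabric` class, the WWNs, port numbers and LUN numbers are all constructed for illustration.

```python
# Added example (not from the paper): the layered SAN access controls it recommends,
# port binding, zoning (soft or hard) and LUN masking, each of which an I/O must pass.
from dataclasses import dataclass, field

def parse_wwn(text: str) -> bytes:
    """Normalise a colon-separated 8-byte WWN such as '12:12:23:34:1a:ab:e3:27'."""
    parts = text.replace(" ", "").lower().split(":")
    if len(parts) != 8 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed WWN: {text!r}")
    return bytes(int(p, 16) for p in parts)

@dataclass
class Fabric:
    bindings: dict[int, bytes] = field(default_factory=dict)         # switch port -> bound WWN
    soft_zones: dict[str, set[bytes]] = field(default_factory=dict)  # zone -> member WWNs
    hard_zones: dict[str, set[int]] = field(default_factory=dict)    # zone -> member ports
    lun_masks: dict[tuple[bytes, int], set[bytes]] = field(default_factory=dict)  # (target, LUN) -> initiators

    def check(self, port: int, initiator: bytes, tport: int, target: bytes, lun: int):
        """Return (allowed, reason) for I/O from `initiator` on switch `port` to `target`/`lun`."""
        # Layer 1: port binding. A WWN that logs in on a port it is not bound to is
        # refused before zoning is even consulted.
        if self.bindings.get(port) != initiator:
            return False, "port binding: WWN is not bound to this switch port"
        # Layer 2: zoning. Soft zones match on WWN, hard zones on switch port number.
        in_soft = any(initiator in m and target in m for m in self.soft_zones.values())
        in_hard = any(port in m and tport in m for m in self.hard_zones.values())
        if not (in_soft or in_hard):
            return False, "zoning: initiator and target share no zone"
        # Layer 3: LUN masking at the storage side. Being zoned to the array is not
        # enough; the individual LUN must be presented to this initiator.
        if initiator not in self.lun_masks.get((target, lun), set()):
            return False, f"LUN masking: LUN {lun} is not presented to this initiator"
        return True, "allowed"

# Constructed sample fabric: Server A (port 1) and disk1 (port 10) share hard zone A,
# Server C (port 3) reaches disk1 through soft zone B, and each server gets one LUN.
SERVER_A = parse_wwn("12:12:23:34:1a:ab:e3:27")
SERVER_C = parse_wwn("10:00:00:00:c9:00:00:0c")
DISK1 = parse_wwn("50:06:01:60:00:00:00:01")
FABRIC = Fabric(
    bindings={1: SERVER_A, 3: SERVER_C, 10: DISK1},
    soft_zones={"zone_B": {SERVER_C, DISK1}},
    hard_zones={"zone_A": {1, 10}},
    lun_masks={(DISK1, 0): {SERVER_A}, (DISK1, 1): {SERVER_C}},
)

if __name__ == "__main__":
    print(FABRIC.check(1, SERVER_A, 10, DISK1, 0))  # (True, 'allowed')
    print(FABRIC.check(1, SERVER_A, 10, DISK1, 1))  # zoned, but LUN 1 is masked to Server C
```

The second call shows why zoning alone is not enough: Server A is correctly zoned to disk1, yet LUN 1 stays hidden because the array presents it only to Server C.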
Conclusion
A SAN is used in organizations where data needs to be highly available, reliable and
serviceable. Implementing a SAN addresses these needs, but we also need to
protect the SAN from various attackers such as hackers and competitors and keep our
data secure in the SAN environment. To secure the SAN we need to formulate a security
policy that matches all the organization's requirements, have it implemented by higher
officials, and create awareness among the associates in the organization. This security
policy should be reviewed quarterly or half-yearly and modified as needed to meet
the organization's requirements.
Glossary
• IP – Internet Protocol
• LAN – Local Area Network
• LUN – Logical Unit Number
• SAN – Storage Area Network
• SCSI – Small Computer System Interface
• SNIA – Storage Networking Industry Association
• WWN – World Wide Name