Implementing Security for SANs

BRKSAN-2892

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

2

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

1

Agenda
SAN Security Scope Cisco MDS9000 Security
SAN Management Security Fabric and Target Access Security Fabric Protocols Security IP Storage Security Security for Data at Rest: Storage Media Encryption

PCI DSS Compliance Considerations Recap and Conclusions

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

3

SAN Security Scope

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

4

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

2

Several Threats: Incomplete Solutions
SAN security is often overlooked as an area of concern but can have the most detrimental impact Application-level integrity and security is well addressed, but the back end network carrying data is generally not SAN extension solutions now push SANs outside the data center boundaries Not all compromises are intentional (many are accidental breaches), but they still have the same impact SAN security is only one part of complete DC solution:
Host access security—one time passwords, audit logs, VPNs Storage security—data-at-rest encryption, LUN security Datacenter physical security

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

5

SAN Security Scope
Fabric security augments overall application security
Host and disk security also required
6.Data Integrity and Secrecy 4.SAN Fabric Protocol Security

Six key areas of focus
SAN Management Access—Secure access to management services Fabric Access—Secure device access to fabric service Target Access—Secure access to targets and LUNs SAN Protocols—Secure switch-toswitch communication protocols IP Storage Access—Secure FCIP and iSCSI services Data Integrity and Secrecy— Encryption of data in transit and at rest
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Host

Cisco MDS 9000 Family

Target

2.Fabric Access Security

3.Target Access Security 1.SAN Management Security
iSCSI

5.IP Storage Security (iSCSI/FCIP)

6

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

3

SAN Management Security

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

7

SAN Management Potential Threats
Three main areas of vulnerability:
1. Disruption of switch processing
CPU hogging from unnecessary queries Denial-of-service attacks

Result: Switch can’t react to fabric events 2. Compromised fabric stability
Altered/lost switch configurations Removal of other security services Disabled switches/ISLs/device ports

Result: Loss of service, unplanned down time 3. Compromised data integrity and secrecy
Altered target (and LUN) visibility Altered zoning configuration

Out-of-band Ethernet Management Connection

Result: LUN corruption, data corruption, data theft or loss
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Accidental or Intentional Harmful Management Activity 8

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

4

SAN Management Security
Securing access to all management facilities on the Cisco MDS 9000 Family
Must secure console sessions Must secure GUI application access Must secure API access (SMI-S) Must also secure file transfer to/from switch
SAN Management Security Infrastructure
Management Network
Integrated RFC 2625 IP-over-FC provides redundant IP connectivity for security services over in-band FC link

RAD RADIUS server for user authentication

TAC+ TACACS+ server for user authentication

Out-of-band Ethernet Management Connection

Equally important to enable audit mechanisms
Integrated RADIUS for user accounting and switch scope assignment Integrated SYSLOG for switch event accounting Integrated SNMP traps for access denial accounting Network time protocol (NTP) support to synchronize clocks, log entry time stamps
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

SNMP

SNMP Polling server using SNMPv3

NTP NTP server for time/date synchronization

Cisco Fabric Manager using SNMPv3

MDS 9000 SAN OS CLI using SSH/SFTP
switch> config t switch(config)> analyzer on switch(config)> exit switch>

9

Roles-Based Access Control (RBAC)
Partitioning management capabilities in the Cisco MDS 9000 Family
Different roles for different user profiles (sys admin, network admin, super admin) Common roles across CLI access and Cisco Fabric Manager access
Roles-Based Access Control Details
Sample Roles Management Network
RADIUS server can be used to centralize user accounts and assign roles Role #1 – ‘super’ admin
Zoning FSPF VSANs FCID Policy iSCSI FCIP Zoning FSPF VSANs FCID Policy iSCSI FCIP Zoning FSPF VSANs FCID Policy iSCSI FCIP full full full full full full VSAN-2 VSAN-2 no VSAN-2 view-only view-only view-only view-only view-only view-only full full

RAD

Role #2 – dept. admin

Integrated Roles-Based-Access-Control
Assign subsets of full command set to roles Users are then assigned to roles May have a maximum of 64 unique roles Roles include IP storage features (iSCSI/FCIP) Commands not visible if not part of assigned role

Roles are populated into switches. Different roles can exist in different switches as required

Role #3 – network admin

VSAN-based RBAC
Roles can be assigned to specific VSAN(s) only Enables administrator-per-VSAN model Reduce infrastructure costs through consolidation using VSANs and still delegate fabric ‘island’ administration
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

VSANEnabled Fabric

1

2

Bill – SAN admin Role #1 All switches (full fabric admin) Sally – Storage admin Role #1 Switch 1,2 only (assigns storage only)

3

4

5

6 Fred – Email admin Role #2 Switch 3,4 only (VSAN-2 – email app)

VSAN 1

VSAN 2

10

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

5

Flexible RADIUS and TACACS+ Services
Used for AAA (Authentication, Authorization, and Accounting) services
Limit management access to a subset of switches MDS 9000 supports up to five HA server definitions
RADIUS and TACACS+ Deployments
Datacenter routers and switches Dial/VPN servers for remote access System console terminal servers

RADIUS—Remote Authentication Dial In User Service (IETF RFC-2865 standard)
Initially used for dial-in networks—now greatly expanded to a variety of uses System user account centralized authentication Network device user account AAA services Dial-in/VPN service AAA services iSCSI host authentication

AD Microsoft Active Directory

RAD Redundant Server

NMS

Network management stations

RAD Windows 2000 IAS Server (RADIUS)

Authentication calls and accounting records are sent to centralized RADIUS or TACACS+ servers

LDAP Server

TAC+ Linux TACACS+ Server
DB

TACACS+—Terminal Access Controller Access Control System (based on RFC-1492)
Widely used and supported by Cisco Freely available from Cisco—similar to RADIUS
BRKSAN-2892 14698_05_2008_X1

Cisco MDS 9000 Family Switches

Database Server (Oracle, mySQL, etc)

RBAC role membership info is authorized by RADIUS/TACACS+ servers

Roles are populated into MDS 9000 switches

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

11

Sample Radius Accounting Record
Example snapshot of a Microsoft IAS RADIUS record generated during an MDS 9509 CLI session ‘Start/stop’ records are recorded by default, ‘accounting’ records of actual commands are enabled on the MDS 9000 as an option Similar record generated by TACACS+
NAS-IP-Address User-Name Record-Date Record-Time Service-Name Computer-Name NAS-Identifier NAS-Port-Type NAS-Port Service-Type Calling-Station-Id Client-IP-Address Client-Vendor Client-Friendly-Name SAM-Account-Name Fully-Qualified-Name Authentication-Type Class Packet-Type Reason-Code : 172.19.48.87 : net-adm-1 : 10/3/2007 Decoded Microsoft IAS : 11:51:08 Radius accounting record : IAS using Microsoft’s : IBM305S1 ‘iasparse.exe’ support tool : login (part of Windows 2000/2003 : Virtual distribution) : 3001 : Authenticate-Only : sjc-1.cisco.com : 172.19.48.87 : CISCO : core3 : IBM305S1\net-adm-1 : IBM305S1\net-adm-1 : PAP : 311 1 172.19.48.54 10/3/2007 18:44:03 1 : Access-Request : The operation completed successfully.

Full RADIUS Accounting Record

172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,32,login,61,5,5,3001,6,8,31,sjc-1.cisco.com,4108,172.19.48.87,4116, 9,4128,core3,4129,IBM305S1\net-adm-1,4130,IBM305S1\net-adm-1,4127,1,25,311 1 172.19.48.54 10/3/2007 18:44:03 1,4136,1,4142,0 172.19.48.87,net-adm-1,10/3/2007,11:51:08,…,shell:roles=network-admin,MDS Policy,172.19.48.87,core3,IBM305S1\net-adm-1,… 172.19.48.87,net-adm-1,10/3/2007,11:51:34,…,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1,… 172.19.48.87,net-adm-1,10/3/2007,11:51:56,…,accounting:accountinginfo=vsan:4001 values updated loadbalancing:src-id/dst-id/oxid,… 172.19.48.87,net-adm-1,10/3/2007,11:52:02,…,accounting:accountinginfo=Interface fc3/1 state updated to down,… 172.19.48.87,net-adm-1,10/3/2007,11:52:05,…,accounting:accountinginfo=Interface fc3/1 state updated to up,… 172.19.48.87,net-adm-1,10/3/2007,11:52:16,…,accounting:accountinginfo=vsan:4001 deleted,… Some of these records have been 172.19.48.87,net-adm-1,10/3/2007,11:52:20,…,accounting:accountinginfo=vsan:4000 deleted,… shortened to fit them on this slide ‘…’ 172.19.48.87,net-adm-1,10/3/2007,11:52:23,…,accounting:accountinginfo=shell terminated,…
BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

12

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

6

Configuration Consistency Analysis
Important to keep consistent configurations across all switches
Especially important for security configurations: RADIUS/TACACS+, Remote SYSLOG, NTP, SNMP communities, Authentication and Roles
Administrator compares policy reference config to all switches in fabric

MDS 9000 Family configurations can be extracted from switches as a flat text file
Allows for easy and regular archiving

Policy Reference Switch

Cisco Fabric Manager provides “Fabric Configuration Analysis” tool
Checks all switch configurations against policy switch or file Can take corrective action to fix configurations Also has ‘zone merge analysis’ tool to validate zone merge validity

Fabric Configuration Analysis Part of Cisco Fabric Manager

Review Results and Take Corrective Actions Define Analysis Rules

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

13

SAN Management Recommendations
1. Use RBAC to grant adequate privilege to SAN administrators
Example: Not every administrator needs capability to disable modules Reserve select functions to fewer ‘super-admin’ RBAC role: VSAN definition, firmware upgrades, roles definition, RADIUS and SSH configuration

2. Use RADIUS or TACACS+ for centralized user account administration
Ensures consistent and timely removal of users if required Use RADIUS accounting feature for audit log of configuration events

3. Use all secure forms of management protocols—disable others
SSH, SFTP, SCP, SNMPv3, SSL for SMI-S support Disable Telnet, FTP, TFTP, SNMPv1,v2

4. Enable NTP across all switches for consistent time stamping of events 5. Log and archive everything
Enable centralized SYSLOG Take regular copies of MDS 9000 configurations (can use CiscoWorks RME) Turn on Cisco MDS 9000 “Call Home” feature to alert of anomalies
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

14

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

7

Fabric and Target Access Security

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

15

Fabric and Target Access Potential Threats
Three main areas of vulnerability:
Compromised application data
Unauthorized access to targets and LUNs High potential for data corruption, loss, or theft

Result: Unplanned down time, costly data loss Compromised LUN integrity
LUN corruption due to unintentional OS mount Accidental formatting of LUN—loss of data

Unauthorized Fabric Service

Unauthorized Target Access

Result: Unplanned down time, costly data loss Compromised application performance
Unauthorized I/O potentially causing congestion Injected fabric events causing disruption; i.e. rogue HBA hammering fabric controller

Result: Unplanned down time, poor I/O performance
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

16

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

8

Fabric Access Security: Port Modes
Port mode security—Allow edge ports to form F_Ports or FL_Ports only, i.e. no ISL/EISL
Cisco MDS 9000 Family supports an Fx_Port mode which allows F_Port or FL_Port only Limit users who can change port mode via Roles-Based Access Control assignments
Port Mode and VSAN-based Security

Management Network ‘E_Port’ mode

IP access lists (ACL) based on source and destination IP addresses, TCP/UDP ports, and TCP connection flags
‘Auto’ mode Any port type

VSAN-based security—only allow access to devices within attached VSAN
Strict isolation based on fabric service partitioning and explicit frame tagging Independent name server table per VSAN Independent active zoneset per VSAN Part of ANSI T11 ‘Fabric Expansion’ study group
VSAN 1 VSAN 2 Both

‘Fx_Port’ mode F,FL Only ‘Fx_Port’ mode

‘F_Port’ mode F Only ‘E_Port’ or ‘Auto’ mode

EISLs carrying multiple VSANs

Disk array connected to multiple VSANs

Management port access security
Provides IP access control lists (ACLs) for management traffic (SNMP, SSH, Telnet, etc.)
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

One active VSAN only

Unique services per VSAN

17

Fabric Access Security
Cisco MDS Access Security Technology
Grant selective access to fabric based on device identity Failure results in link-level login failure Prevents FC frame S_ID spoofing through hardware frame filtering

Supports device-to-switch (port security) and switch-toswitch (fabric binding) Uses grouping of attributes to define binding configuration
WWN or Port_ID – port identifier on switch (i.e. fc1/2) Multiple ‘groups’ are created and activated as a ‘group set’ to enforce desired policy

Auto-learning mode to ease initial configuration

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

18

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

9

Fabric Access Security: Fabric Binding
Used to allow ISL establishment Attributes to define binding configuration:
fWWN—Fabric WWN of switch port sWWN—Switch WWN Port_ID—Port identifier on switch (i.e. fc1/2)
sw-1
fWWN-2 Port_ID-2 pWWN-1 sWWN-1 nWWN-1 fWWN-5 Port_ID-5 fWWN-6 Port_ID-6 pWWN-4 fWWN-3 Port_ID-3 fWWN-4 Port_ID-4 nWWN-2 fWWN-1 Port_ID-1 pWWN-3

Bind sw-2 to sw-1 ISL

Security Group – sw-1 sWWN-2

pWWN-2

sw-2
sWWN-2

Bind sw-2 to sw-1/port 5 ISL

Security Group – sw-1 sWWN-2 Port_ID-5 or fWWN-5

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

19

Fabric Access Security: Port Security
Used to allow device-to-switch login Attributes to define binding configuration
pWWN—Port WWN of attaching device nWWN—Node WWN of attaching device fWWN—Fabric WWN of switch port Port_ID—Port identifier on switch (i.e. fc1/2)
Security Group – sw-1 pWWN-1 or nWWN-1
fWWN-2 Port_ID-2

Bind host to sw-1 (any port)

sw-1
fWWN-1 Port_ID-1 pWWN-3 sWWN-1 fWWN-5 Port_ID-5 nWWN-1 fWWN-6 Port_ID-6 pWWN-4 fWWN-3 Port_ID-3 fWWN-4 Port_ID-4 nWWN-2

Bind host, disk to sw-1 (any port)

Security Group – sw-1 pWWN-1 or nWWN-1 pWWN-3 or nWWN-2

pWWN-1

Bind host to sw-1 /port 2

Security Group – sw-1 pWWN-1 or nWWN-1 Port_ID-2 or fWWN-2

pWWN-2

Bind host HBA-1 to sw-1/port 2

Security Group – sw-1 pWWN-1 Port_ID-2 or fWWN-2

sw-2
sWWN-2

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

20

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

10

Fabric Access Security: Authentication
Device authentication provides stronger means of ensuring device identity
WWNs can be spoofed by simple means
Fibre Channel Fabric Authentication
Management Network
RADIUS and TACACS+ servers can be used to hold DH-CHAP user accounts and passwords for centralized authentication

RAD RADIUS server for user authentication Out-of-band Ethernet Management Connection TAC+

ANSI T11 FC-SP Security Protocols working group
Cisco was the prime contributor

TACACS+ server for user authentication

DH-CHAP provides authentication mechanism
Switch-to-switch authentication Device-to-switch authentication (when adopting HBA supporting DH-CHAP)
New switch wanting to join the fabric

HAP DH-C
AP - CH DH

New host wanting to join the fabric

DH-CHAP

FCIP Network

Equipped with HBA supporting DH-CHAP (Emulex, Qlogic)

New switches wanting to join the fabric over FCIP

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

21

FC-SP DH-CHAP Authentication Protocol
Authentication Initiator (N)
AUTH_Negotiate / T_ID=Q (NameN, DH-CHAP, hash=MD5orSHA1, DiffieHelmanGroupID=2or3)

Authentication Responder (M)

DHCHAP_Challenge / T_ID=Q (NameM, hash=MD5, DiffieHelmanGroupID=2, challenge C1, g^x mod p)

DHCHAP_Reply / T_ID=Q (NameM, response R1, g^y mod p, challenge C2)

DHCHAP_Success / T_ID=Q (response R2)

DHCHAP_Success / T_ID=Q

BRKSAN-2892 14698_05_2008_X1

Note: common DH key is g^xy mod p
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

22

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

11

Fabric Access Recommendations
Use IP ACLs on management interfaces to block unused services
Enable logging of denied attempts—block denial-of-service attacks

Hard-fix switch port administrative modes to assigned port function
Lock (E)ISL ports to only be (T)E_Ports—set to ‘E_Port’ mode Lock access ports to only be F(L)_Ports—set to ‘Fx_Port’ mode

Use VSANs to isolate departments
Provides security AND availability benefits RBAC management control per VSAN allows individual admin assignment

Use port security features everywhere
Bind devices to switch as a minimum level of security Bind devices to a port as an optimal configuration Consider binding to line card in case of port failure Bind switches together at ISL ports—bind to specific port, not just switch

Use FC-SP authentication for switch-to-switch fabric access
Use device-to-switch when available
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

23

Target Access Security: Zoning
Zoning is prime mechanism for securing access to SAN targets (disk and tape) Two prime types of zoning:
Soft Zoning (sw-based name server filtering) Communication still possible if FC_ID known Hard Zoning (hw-enforced frame filtering) Absolute requirement for true security Also involves name server filtering Can filter on various attributes Switch Port_IDs—vendor-specific Device nWWN/pWWNs—standards-based Advanced zoning features offered by Cisco
zone-1 pWWN-1 pWWN-3 Simple Name Server
pWWN-1 pWWN-2 pWWN-3 pWWN-4 FCID-1 FCID-2 FCID-3 FCID-4

IP access lists (ACL) based on source and destination IP addresses, TCP/UDP ports, and TCP connection flags

Zoning
Each device connected to the switch registers with the name server and queries it to find potential targets

fWWN-1 Port_ID-1

fWWN-3 Port_ID-3 pWWN-3 fWWN-4 Port_ID-4 pWWN-4

1 1

pWWN-1 fWWN-2 Port_ID-2

2 2

pWWN-2

zoneset-A (active) zone-2 pWWN-2 pWWN-3 zone-3 Port_ID-1 Port-ID-4 Frame Filtering Device Visibility
pWWN-3 FCID-3

Name Server and Frame Filtering Device Visibility
pWWN-3 pWWN-4 FCID-3 FCID-4

Zoning is very complementary to VSANs
One active zoneset per VSAN Multiple configured zonesets per VSAN Non-disruptive zoneset activation to other VSANs
BRKSAN-2892 14698_05_2008_X1

1 1

Name server visibility restricted based on active zone definitions

2 2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

24

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

12

Cisco MDS 9000 Family Zoning Services
All zoning services offered by Cisco are implemented in hardware
No dependence on whether using mix of WWNs and Port_IDs in a zone—all hardware based WWN-based zoning implemented in software with hardware reinforcement (i.e. no name server only zoning) WWNs are translated to FCIDs to be frame-filtered
1 Hardware-Based Zoning Details
fWWN-1 Port_ID-1 fWWN-3 Port_ID-3 pWWN-3 fWWN-4 Port_ID-4 pWWN-4

1

pWWN-1 fWWN-2 Port_ID-2

Dedicated high speed port ‘filters’ called ternary CAMs (TCAMs) filter each frame in hardware and reside in front of each port
Support up to 20,000 programmable entries consisting of zones and zone members Very deep frame filtering for new innovative features Wire-rate filtering performance—no impact regardless of number of zones or zone entries Optimized programming during zoneset activation— incremental zoneset updates

2

2
pWWN-2 FCID-2

WWNs translated to FCIDs to filter

TCAM hardware frame filtering

Zone_A (active)

New
To add new host to Zone_A and activate, an additional TCAM entry is simply programmed at the relevant ports – no disruption to existing active zones

NEW

RSCNs contained within zones in given VSAN Selective Default Zone behavior—default is deny
Per VSAN setting
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

25

Cisco Advanced Zoning Services
Cisco has introduced two new zoning capabilities in the MDS 9000 Family: LUN Zoning is the ability to zone an initiator with a subset of LUNs offered by a target
Host discovers all LUNs but can only login to those LUNs part of the zone Inaccessible LUNs are busied-out by the switch at the ingress port Provides powerful solution combined with array-based LUN security to add fabric enforcement Accidental LUN exposure prevented by fabric
report_LUNs 10 LUNs available report_size LUN_1 LUN_1 is 50GB report_size LUN_3 LUN_3 is unavailable Read-only zoning restricts ‘write’ commands from being sent to zoned targets Media Master Server Zone_A (active)

Advanced Zoning
LUN zoning allows control of access to specific LUNs based on zone assignment

Zone_A (active)

1 2
pWWN-2

pWWN-1

X X X

X X X X X

Read-Only Zoning leverage the hardwarebased frame processing of the MDS 9000 Family
Filters FC4-Command frames based on whether the command is a read or write command Useful for systems that only need read access to a volume such as multimedia servers Especially useful for media servers that need high speed access to rich content for broadcast—block level bypasses NAS service
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Streaming NEW Server

Zone_B (read-only) (active)

26

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

13

Target Access Recommendations
Use zoning services to isolate where required
Port or WWN-based, all hardware enforced Use read-only zones for read-only targets Use LUN zoning as extra reinforcement Set default-zone policies to ‘deny’
Learn the FCID and gain access Isn’t soft zoning good enough?

Suggested to only allow zoning configuration from one or two switches to minimize access
Use RBAC to create two roles, only one allowing zoning configuration Install ‘permit’ role on two switches, ‘deny’ role on remainder Or, use RADIUS or TACACS+ to assign roles based on particular switch, more flexible

Occupy the port and gain access

Ok, add portbased zoning

Spoof the WWN and gain access

Ok, add WWN-based zoning

Use WWN-based zoning for convenience and use port-security features to harden switch access
Works well for interop with non-Cisco switches Port-based zoning in ‘native mode’ interoperability in SANOS v1.2
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

*Better* Must spoof and occupy to gain access

Ok, add portsecurity

*Best* Need full authentication to gain access

Ok, add DHCHAP 27

Fabric Protocols Security

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

28

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

14

Fabric Protocols Potential Threats
Three main areas of vulnerability:
1. Compromised fabric stability
Injection of disruptive fabric events Creation of traffic ‘black-hole’
Rogue Switch

Result: Unplanned down time, fabric instability 2. Compromised data security
Injection of harmful zone reconfiguration data Open access to fabric targets
Fabric Control Protocol Integrity

Result: Unplanned down time, costly data loss 3. Compromised application performance
Unauthorized I/O potentially causing congestion Numerous disruptive topology changes

Result: Unplanned down time, poor I/O performance
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

29

SAN Fabric Protocols Security
Very important to secure the fabric control protocols to ensure fabric stability
Securing access to control protocol configuration via Cisco RBAC is first step Enable port-security for switch binding Using FC-SP for switch-to-switch authentication is next critical step to block rogue ISLs
5 5 Port Channeling for HA and performance 3 3 3 4 4 4 6 6

Fabric Protocols Security
Dept ‘A’ Dept ‘B’

VSAN Trunk Bundles

1 7

2 8 Cisco MDS 9216

Plug-n-play fabric protocol configuration is convenient—however, static configuration is more secure
Configure static principle switch Enable static domain IDs Enable static FCIDs *optional but recommended* Great benefit for HP/UX and AIX environments Enable RCF-reject, especially on long-haul links Enable RSCN-suppression where necessary
Statically assigned domain_IDs, one per active VSAN minimizes potential for disruptive RCF ‘RCF-reject configured to protect against remote initiated fabric rebuild

Cisco MDS 9500 Multilayer Director

VSAN Trunks over optical DWDM or CWDM Network Statically assigned principle switch per VSAN

1 1

2 2

Enterprise Tape VSAN

Use VSANs to divide and manage individual fabric configuration and resiliency
BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

30

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

15

Certificate Infrastructure
MDS can relay upon the IKE (Internet Key Exchange) infrastructure to exchange asymmetric keys
Asymmetric key are used to initialize protocols like IPSec and SSH

MDS can enroll with a CA (Certificate Authority, trust point) to obtain an identity certificate The identity certificate contains the local MDS public key encrypted with the CA private key (RSA format) Only one certificate per CA, but MDS can enroll with multiple CAs The default key label is the switch fully qualified name The local MDS can trust multiple CAs
It can communicate with a remote peer that uses a certificate provided by a different CA, where the local MDS is not enrolled The key pair is different for each CA certificate

As a good practice relay upon the IKE infrastructure to establish a secure and trusted relationship between all the network elements and management nodes
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

31

Key Management Based on Certificates
Without certificate each switch must be configured with the symmetric key for each other switch
Keys

Keys

Keys

Keys

CA

Without certificates the CA will distribute the public keys used for secure key exchange

Keys

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

32

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

16

IP Storage Security

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

33

IP Storage Security
iSCSI leverages many of the security features inherent in Ethernet and IP
Ethernet Access Control Lists (ACLs) ↔ FC zones Ethernet VLANs ↔ FC VSANs Ethernet 802.1x port security ↔ FC port security iSCSI authentication ↔ FC DH-CHAP authentication
RADIUS server used to centralize iSCSI accounts
pWWN1

IP Storage Security

iQN2 is mapped to an allocated pWWN and registered in the fabric iQN1 = pWWN1/ nWWN1

iSCSI

iSCSI

RAD
Cisco Catalyst® 6500 Multilayer LAN Switches

RAD

iSCSI offers LUN masking/mapping capability as part of gateway function FCIP security leverages many IP security features in Cisco IOS®-based routers
IPSec VPN connections through public carriers High speed encryption services in specialized HW Can also be run through a firewall

iSCSI Login registering iQN using CHAP authentication

IP ACLs 802.1X Auth. Ethernet VLANs

iQN1 iSCSI

iSCSI

FCIP Tunnels over IPSEC Network

iSCSI qualified names are defined within iSCSI client

FCIP tunnel is a virtual ISL—Can leverage FC-based FC-SP switch-toswitch authentication
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

34

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

17

Security for Data at Rest: Storage Media Encryption

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

35

Cisco SME Overview
Application Server
Name: XYZ SSN: 1234567890 Amount: $123,456 Status: Gold

Encrypts storage media (data at rest)
Strong, IEEE compliant AES-256 encryption

Key Management Center
Encrypt IP

Integrated as transparent fabric service

Supports tape devices and VTLs Compresses tape data Offers secure key management Allows offline media recovery Built upon FIPS-140-2 level-3 system architecture

Name: XYZ @!$%!%!%!%%^& SSN: 1234567890 *&^%$#&%$#$%*!^ Amount: $123,456 @*%$*^^^^%$@*) Status: Gold %#*@(*$%%%%#@

Tape Library

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

36

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

18

Cisco SME-Enabled Platforms

MDS 9222i MDS 9000 Family Systems MDS 9216A MDS 9216i

MDS 9506

MDS 9509

MDS 9513

MDS 9000 Modules 18/4-Port Multiprotocol Services Module (MPS) Mgmt. OS
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved.

Cisco Fabric Manager w/Key Management Center Cisco MDS 9000 Family SAN-OS
Cisco Public

37

Transparent Fabric Service
Application Servers

Integrates seamlessly with existing Cisco MDS fabrics Non-disruptive deployment
No appliances to insert in data path No SAN re-wiring or re-configuration

MPS-18/4

MPS-18/4

Redirects traffic flows after enabling encryption Highly scaleable performance Load balances automatically Reliable, highly available service

Tape Library

Routes traffic to another MPS when one fails

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

38

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

19

Wizard-Based Provisioning

Management integrated in Fabric Manager (Web Client)
Resources management Key management Media management
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

39

SME Key Management
Cisco Key Management Center

Complete key lifecycle management
Archives, recovers, distributes, and shreds media keys

Application Servers

Accommodates single and multiple site environments

Transports keys and management traffic securely (SSH, HTTPS)
MPS-18/4 MPS-18/4 Fabric ’A’ MPS-18/4 MPS-18/4 Fabric ’B’

Key catalog based on a standard database or on third party Key Manager Integrates with Cisco FM server
No additional software to install Intuitive provisioning and management with Cisco FM Web client

Tape Libraries

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

40

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

20

Media Encryption Key Hierarchy
Master Key resides in Smart cards
Master Key Quorum (M out of N) of smartcards required to recover a Master Key Recovery Shares accomplish secret sharing

Cisco Key Management Center
Tape Key

Keys reside in clear-text only within crypto boundary on switch module
Tape Volume Group Key

Unique key per tape, or per tape volume group Media keys wrapped by Master Key before storage or transport to Cisco Key Management Center Option to store tape keys on tape media

Tape Key
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

41

SME Media and Keys Management Options
Key mode:
Individual Key Mode: To achieve maximum security, each individual tape is assigned its own unique key Shared Key Mode: To simplify key management procedures and reduce to a minimum the size of the key database, SME uses the same key for all tape volumes belonging to the same group

Volume group (group of physical tapes) mode:
Manual grouping: Volumes are manually identified on the basis of the cartridge bar code Auto grouping: Volumes are assigned automatically to a group by the backup application

Tape compression in the SME interface enabled or disabled
Compression should be performed before encryption, since the compression ratio for encrypted data is usually very low

Tape recycle controls how the media key used for a tape cartridge is managed when the specific tape is re-labeled.
One or more copies (clones) of the original tape may have been generated outside the Cisco SME environment, to have redundant physical copies of the data in different locations If a tape is recycled, when labeling occurs, a new media key is generated and the previous media key is purged from the Cisco KMC database; all copies of the original tape are virtually shredded If a tape is not recycled, a new media key is generated for the tape, but the old media key will be left in the Cisco KMC database, the copies of the original tape will still be readable
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

42

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

21

Encryption Meta-Data Storage on Tape
Provides option to store media keys on tape
Media keys (Tape Volume Key) are encrypted with the Volume Group Key for protection These media keys are not stored in KMC, increasing scalability with large numbers of tape volumes Simplifies export of tapes to remote site No need to export media keys routinely Only need to export wrap key once

SME creates unique tape header to store SME-related information

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

43

Effect of Media Key Options on Key Management
Group Shared Key
Shared Key across a Group of Tapes Pros
The catalog dimension is contained. A single key allows decoding all tapes in the group, very practical in case a single backup spans more tapes, or to share a group of tapes with a third party.

Cons

Less secure. If the single common Tape Volume Key is compromised, all the tapes in the group can be accessed. Key export is required only when a new tape volume group is created, either manually or by the auto grouping Only a tape group The key catalog size remains constant

Recovery Procedure Virtual Shredding Implications Tape Recycling

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

44

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

22

Effect of Media Key Options on Key Management
Unique Key per Tape
Unique Key per Tape Media Key stored in catalog Pros More secure. Each tape can be managed or transferred to a third party independently. If a Tape Volume Key is compromised, only the given tape may be accessed. If a Tape Volume Group Key is compromised, the hacker still need to access the catalog to access the data Media Key stored on tape The catalog dimension is contained. A single key allows decoding all tapes in the group, very practical in case a single backup spans more tapes, or to share a group of tapes with a third party. The tapes in a group use different media keys, solution cryptographically more secure than using the same key for many tapes.

Cons

The catalog contains an entry for each tape, so it could be very large.

If a Tape Volume Group Key is compromised, the hacker can decrypt the Tape Volume Key and the data of all tapes in the group. Key export is required only when a new tape volume group is created, either manually or by the auto grouping Only a tape group The key catalog size remains constant

Recovery Procedure

Key export is required only when a tape volume is labeled Can be at the individual tape level The key catalog contains a new entry every time a tape is re-labeled, unless the recycle option is selected
Cisco Public

Virtual Shredding Implications Tape Recycling

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

45

Secure System Architecture
Hardware and software architecture designed to meet FIPS140-2 Level-3 certification requirements Tamper-proof: Attempts to tamper with system destroys the sensitive information Strong, standard AES-256 modes of encryption Smart cards available for master key protection Critical security parameters and media keys never leave system un-encrypted Role-based access control (RBAC) secures management
Enforces SME specific roles AAA server support allows centralized user authentication and accounting (auditing)

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

46

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

23

Roles and Identities
SME Administrator
Responsible for provisioning SME Per-VSAN role-based access control limits management scope SAN administrator may assume this role too

SME Recovery Officer
Responsible for any recovery function requiring a Master Key Quorum of Recovery Officers needed to perform recovery procedures (default is two out of five) Security operations (SecOp) staff may assume this role

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

47

Master Key Management
Smart cards

Advanced

Level of Security

Smart cards with Recovery Shares for each Master Key where M of N Recovery Officers are required to recover a Master Key

Standard
Smart Cards with all Master Keys No Recovery Shares

Basic
• USB Drive with all Master Keys • A file with all Master Keys • Master keys encrypted with a password • Regular backup & archive.

Simplicity
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

48

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

24

Cisco SME Review
Solution for and tape and VTL
Supports existing storage devices Simplifies provisioning and integrates key management

Integrates transparently into SAN fabric, which simplifies deployment and eliminates down-time
No need to rewire SAN Eliminates appliances, extra cables, and wasted switch ports

Reliable and scalable solution
Cisco MDS directors provide highly available platform, Encryption can be added and enabled

non-disruptively

Virtual SAN support
Encryption services available for all VSANs Full RBAC with AAA servers and VSAN-based access control

Integrates management with Cisco FM Server
No additional management software needed, FM Server License not required Unifies user rights and credentials management FM Web Client supports provisioning and key management
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

49

PCI DSS Compliance Considerations

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

50

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

25

PCI (Payment Card Industry): Data Security Standard (DSS)
PCI DSS are applicable if a Primary Account Number is stored, processed or transmitted The security requirements apply to all system components, including servers, networks or application, that are part of or connected to the cardholder data environment Adequate network segmentation can reduce the scope of the cardholder data environment The following requirement are excepted from the PCI DSS v1.1, released in September 2006

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

51

Build and Maintain a Secure Network
Requirement 1: Use a firewall to protect cardholder data Cisco MDS9000 SAN:
Storage protocols are likely used in internal network zone only Use SNMPv3 and ssh for management Create a protected internal IP network for iSCSI Segment the SAN using Virtual SANs

Requirement 2: Do not use vendor-supplied default password Cisco MDS9000 SAN:
SANOS can enforce the use of passwords compliant to PCI

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

52

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

26

Protect Cardholder Data
Requirement 3: Protect stored cardholder data Cisco MDS9000 SAN:
Deploy SME to protect data at rest Store the Keys in the Cisco Key Management Server or in a secure third party Key Manager as RSA KM VSANs provide additional segmentation and abstraction to implement the Appendix-B compensating control if needed

Requirement 4: Encrypt data across public networks Cisco MDS9000 SAN:
Use FCIP over IPSec tunnels for SAN extension

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

53

Maintain a Vulnerability Management Program
Requirement 5: Anti-virus Cisco MDS9000 SAN:
Not applicable to SANOS

Requirement 6: Develop and maintain secure systems and applications Cisco MDS9000 SAN:
Use a test VSAN to validate any new configuration before production SANOS have been developed with secure coding guidelines and tested against common vulnerability

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

54

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

27

Implement Strong Access Control Measures: 1
Requirement 7: Restrict access by business need-to-know Cisco MDS9000 SAN:
The security features as VSANs, advanced zoning, fabric binding, port security, FC-SP authentication and RBAC with SNMPv3 and ssh make MDS9000 the ideal platform to enforce the restricted access RBAC in particular, if used in conjunction with VSANs, is especially designed to support a tight partitioning of the physical infrastructure

Requirement 8: Assign a unique ID to each user Cisco MDS9000 SAN:
Create an individual account for each administrator with strong password Authentication can be performed using the external AAA server of choice (e.g. TACAS+), to implement the desired policy of user authentication an password management
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

55

Implement Strong Access Control Measures: 2
Requirement 9: Restrict physical access to cardholder data Cisco MDS9000 SAN:
Media can be encrypted using SME, that provides tools to transfer the key information to share data with a partner, secure the data transferred via courier SME can instantaneously “cryptographically shred” the data without destroying the physical media, that may be recycled

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

56

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

28

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data Cisco MDS9000 SAN:
Fabric Manager Server provides continuous monitor of the SAN, it allows to establish criteria and thresholds to generate real time alarm and call home Syslog offers detailed entries, it may be redirected to a log server to consolidate monitoring the IT infrastructure Note that the log never contains application data

Requirement 11: Regularly test security systems and processes Cisco MDS9000 SAN:
Fabric Manager Server provides the configuration and topology information needed to design, schedule and execute such a test

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

57

Maintain an Information Security Policy
Requirement 12: Policy that address information security for employees and contractors Cisco MDS9000 SAN:
SANOS can automatically disconnect unused management sessions RBAC allows a clear responsibility assignment for administrators Detailed logging supports a detailed audit

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

58

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

29

Conclusions

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

59

SAN Security Review
SAN Security Scope Cisco MDS9000 Security
SAN Management Security (Secure Protocols, RBAC, log) Fabric and Target Access Security (Fabric Binding, Port Security, Authentication) Fabric Protocols Security (VSAN, hardening) IP Storage Security (authentication, secure transport) Identity based on certificate

Security for Data at Rest: Storage Media Encryption
Architecture, Key management Configuration options

PCI DSS Compliance: Requirement analysis
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

60

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

30

Conclusions
As SANs continue to grow and expand out of the data center, security becomes increasingly a concern Cisco offers a comprehensive set of security features in the MDS 9000 Family
No impact on switch performance Data path features are all hardware-based Address management, access, data in flight and data at rest

All security features are securely managed through Cisco’s Fabric Manager The adoption of the Cisco MDS 9000 Family security feature is a step forward in achieving compliance to applicable regulations
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

61

Other Relevant Sessions and Useful Links
Sessions relevant to SAN security
Cisco Fabric Manager BRKSAN-???? SME Configuration and Troubleshooting BRKSAN-????

White Papers relevant to SAN security
Cisco MDS 9000 SAN Security
http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps4358/prod_white_ paper0900aecd80281e21_ns513_Networking_Solutions_White_Paper.html

SME Key Management
http://www.cisco.com/ToBeDefined

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

62

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

31

Q and A

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

63

Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press® Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store
BRKSAN-2892 14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

64

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

32

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily Receive 20 Passport points for each session evaluation you complete Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008 Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

65

BRKSAN-2892 14698_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

66

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

33

Sign up to vote on this title
UsefulNot useful