SAN Security

Uma Shankar (PRN 8020541052), Vaibhav Mishra (PRN 8020541053), Vineet Garg (PRN 8020541054), Vishal Ganjoo (PRN 8020541055), Vivek Deshpande (PRN 8020541056)

What is SAN
• A "SAN" (Storage Area Network) is a complete storage network. A SAN is a complete architecture that groups together the following elements: A fibre channel broadband network or SCSI Dedicated interconnection equipment (switches, bridges, etc.) Network storage elements (hard drives)

1. 2. 3.

Difference b/n DAS, NAS & SAN

SAN Simplified Diagram

What it looks like


• Some of the most common attacks against SAN are
– Spoofing the ports.
– Spoofing the FC-AL.
– DoS (Denial of Service) attack.

First of all we need to define the security needs by identifying the domains. These domains define the different categories of communication that must be protected in a storage area network. They include:
• Administrator-to-security management domain: between administrators and their management applications.
• Host-to-switch domain: between host servers, Host Bus Adapters (HBAs), and the connected switches.
• Security management-to-fabric domain: between management applications and the switch fabric.
• Switch-to-switch domain: between interconnected switches.

• Administrator-to-Security Management Domain
Administrator access controls work in conjunction with security management functions. Because security management impacts the security policy and configuration of the entire SAN fabric, administrator-level fabric password access provides the primary control over security configurations.
• Host-to-Switch Domain
Individual device ports are bound to a set of one or more switch ports using access control lists (ACLs) in host-to-switch communications. Device ports are specified by worldwide name (WWN), which typically represents an HBA.

• Security Management-to-Fabric Domain
A security management function should encrypt appropriate data elements with the switch's public key. The switch then decrypts the data element with its private key.
• Switch-to-Switch Domain
The switches should enforce the security policy in secure switch-to-switch communications. Using digital certificates and ACLs, the security management function initializes switches. Switches exchange these credentials during mutual authentication, prior to establishing any communications. This practice ensures that only authenticated and authorized switches can join as members of the SAN fabric or a specific fabric zone. Furthermore, this authentication process prevents an unauthorized switch from attaching to the fabric through a port.

• The common methodologies used to provide security in SAN are
– Zoning
– LUN masking
– Binding ports with servers.

• Zoning is the method of logical separation and isolation of the fabric. Only the members of a zone can access the devices in that zone.
• Zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and simplify management. If a SAN contains several storage devices, each system connected to the SAN should not be allowed to interact with all of them. Zoning applies only to the switched fabric topology (FC-SW); it does not exist in simpler Fibre Channel topologies.
• Zoning is sometimes confused with LUN masking, because it serves the same goals. LUN masking, however, works on Fibre Channel level 4 (i.e. on the SCSI level), while zoning works on level 2. This allows zoning to be implemented on switches, whereas LUN masking is performed on endpoint devices: host adapters or disk array controllers.



• There are two types of zoning:
– Soft Zoning
– Hard Zoning
• Soft Zoning
Soft zoning uses the WWN (World Wide Name) of the nodes connected to the fabric. WWNs are in hexadecimal format; a WWN may look like 12:12:23:34:1a:ab:e3:27. This WWN uniquely identifies a device connected to the SAN. If the WWN of a node is assigned to a particular zone, then all the ports associated with that node are also in the same zone.
• Hard Zoning
Hard zoning uses switch port numbers instead of WWNs. If a port number is assigned to a particular zone, the other ports associated with that node are not automatically in that zone, so each and every port has to be configured individually, which helps improve security. Though hard zoning is hard to configure for dynamic environments, it is the one that can improve security.

LUN Masking, or address masking, is a method of assigning a LUN to be exclusively accessed by a particular host. By using LUN masking it is possible to assign a single LUN to a single host. This allocation of a LUN to a host is made by hiding the rest of the LUNs in the network. LUN masking doesn't use any special connection; it just hides the other devices. It is like an unlisted phone number, which is very hard to guess. In the figure below, LUN addresses 2, 5 and 8 are blocked (hidden) and only LUN address 11 is visible to the host I/O controller.



Binding ports with servers
• It's a method of defining which servers will access which ports (for example, a Windows server will access port 1 to port 5). This provides a way to separate heterogeneous servers and maintain them very easily.
• Hard zoning along with LUN masking and port binding gives a higher level of security in a SAN.
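As an added example (not from the slides or any vendor), the following Python model evaluates one host-to-LUN path through the three controls described above: zoning (WWN-based soft zones or port-based hard zones), switch port binding, and LUN masking on the array. All WWNs, switch port numbers and LUN ids are constructed; the LUN numbers follow the figure (2, 5, 8 hidden, 11 visible). It also shows why the slides rate hard zoning plus binding higher: a node that presents the host's WWN from a different switch port passes a WWN-only zone but is stopped by the port-based controls.

```python
from dataclasses import dataclass, field

HEX = set("0123456789abcdef")

def normalize_wwn(wwn: str) -> str:
    """Canonicalise a WWN such as '12:12:23:34:1a:ab: e3: 27' (8 colon-separated bytes)."""
    parts = [p.strip().lower() for p in wwn.split(":")]
    if len(parts) != 8 or not all(len(p) == 2 and set(p) <= HEX for p in parts):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return ":".join(parts)

@dataclass
class Fabric:
    """One switched fabric plus the array's LUN masks. All identifiers are constructed."""
    soft_zones: dict = field(default_factory=dict)    # zone name -> {member WWNs}
    hard_zones: dict = field(default_factory=dict)    # zone name -> {member switch ports}
    port_binding: dict = field(default_factory=dict)  # switch port -> WWN allowed to log in (ACL)
    lun_masks: dict = field(default_factory=dict)     # target WWN -> {initiator WWN: {visible LUNs}}

    def can_access(self, init_wwn, init_port, tgt_wwn, tgt_port, lun):
        """Evaluate one I/O path; every configured layer must pass (defence in depth)."""
        init_wwn, tgt_wwn = normalize_wwn(init_wwn), normalize_wwn(tgt_wwn)
        bound = self.port_binding.get(init_port)
        if bound is not None and bound != init_wwn:
            return False, "port binding: this WWN is not bound to switch port %d" % init_port
        in_soft = any({init_wwn, tgt_wwn} <= z for z in self.soft_zones.values())
        in_hard = any({init_port, tgt_port} <= z for z in self.hard_zones.values())
        if not (in_soft or in_hard):
            return False, "zoning: initiator and target share no zone"
        if lun not in self.lun_masks.get(tgt_wwn, {}).get(init_wwn, set()):
            return False, "LUN masking: LUN %d is hidden from this initiator" % lun
        return True, "allowed"

HOST = "10:00:00:00:c9:aa:bb:01"   # constructed HBA WWN, plugged into switch port 1
ARRAY = "50:06:01:60:44:60:12:34"  # constructed array target WWN, on switch port 9
MASKS = {ARRAY: {HOST: {11}}}      # LUNs 2, 5, 8 hidden; only LUN 11 exposed to HOST

def soft_zoned_fabric():
    """WWN (soft) zoning only: the zone follows the WWN, wherever it appears."""
    return Fabric(soft_zones={"z_host_array": {HOST, ARRAY}}, lun_masks=MASKS)

def hardened_fabric():
    """Port (hard) zoning plus port binding: the zone and the WWN are tied to physical ports."""
    return Fabric(hard_zones={"z_host_array": {1, 9}}, port_binding={1: HOST, 9: ARRAY}, lun_masks=MASKS)

if __name__ == "__main__":
    for name, fab in (("soft zoning only", soft_zoned_fabric()), ("hard zoning + binding", hardened_fabric())):
        print(name)
        print("  host on port 1 -> LUN 11:", fab.can_access(HOST, 1, ARRAY, 9, 11))
        print("  host on port 1 -> LUN 5: ", fab.can_access(HOST, 1, ARRAY, 9, 5))
        print("  host WWN seen on port 3 -> LUN 11:", fab.can_access(HOST, 3, ARRAY, 9, 11))
```

The last line of each run is the one that differs: the soft-zoned fabric admits the WWN from any port, while the hardened fabric denies it at the zoning step because port 3 is not a zone member.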

A SAN's Weak Points

A SAN Fabric Infra. with weak points

A secured SAN by Fabric OS Components

Secure Fabric OS Components

Switch using PKI Technology

Different Vendors of SAN security
• HDS (Hitachi Data Systems) – Hard Disks
• Brocade – Fabric Switches and OSs like Secure Fabric OS
• Cisco – Fabric Switches and OSs like SAN-OS 2.0
• Emulex – Fibre Channel HBAs (Host Bus Adapters)
• QLogic – Controller Chips, HBAs, Management Software, Switches, etc.
• IBM – SAN Management Software

Proprietary Hardware and Software of SAN Security

• Brocade 7500 Router series, Brocade SilkWorm 3800 Enterprise Fibre Channel Fabric Switch, Secure Fabric OS
• Cisco MDS 9000 Fabric Switches, SAN-OS 2.0
• QLogic 8Gb HBAs

– ACL – Access Control List
– CHAP – Challenge Handshake Authentication Protocol
– DoS – Denial of Service
– FCAP – Fibre Channel Authentication Protocol
– FCP – Fibre Channel Protocol
– FCPAP – Fibre Channel Password Authentication Protocol
– IP – Internet Protocol
– LAN – Local Area Network
– LUN – Logical Unit Number
– SAN – Storage Area Network
– SCSI – Small Computer System Interface
– SNIA – Storage Networking Industry Association
– WWN – World Wide Name
