The Basics of SAN Security, Part II
With the development of Fibre Channel technologies, SANs are becoming a viable and even preferred solution for data management in enterprise, mid-sized and smaller networks. As previously defined in Part I, SANs are simply a means of centralizing data to provide high performing and easy to manage data access. Therefore, while maintaining the ability to easily manage your data, an open system architecture is vital to having an effective, versatile and broad SAN, which will attach multiple components. In other words, managing a storage area network not only involves providing highly-available data access and optimal performance, it is essential that all data on the SAN be completely secure at all times.
Fibre Channel Security Management
Fibre Channel continues to grow as the architecture of choice for providing high-speed, robust, and scalable interconnects for SANs. The storage industry is witnessing a rapid increase in servers and storage considerations within SANs. As system administrators become more comfortable with the highly-available, consolidated data access that a SAN brings to their storage environment, SANs themselves are growing in complexity. As a result, security measures are required to ensure safe server and storage access and to guard against accidental reconfiguration that could compromise security.
In other words, driven by the storage administrator's security policies, security is a broad topic and one that evokes a myriad of solutions. Fibre Channel enables the separation of storage and server, unlike the small computer system interface (SCSI), where the interconnect scheme is confined to the servers' cabinetry. A host of new security challenges consists of the exposure of critical business data to increased distances, greater availability, heterogeneous implementations, automatic re-configuration, increased services and changes in strong model administration.
Fibre Channel is not a secure protocol by itself. Application servers will be able to see all devices on the SAN and could even write to the same physical disk without implementing certain security measures within a Fibre Channel SAN. As previously discussed in Part I, the two most common methods of providing security on a Fibre Channel SAN are zoning and LUN masking.
As you know, zoning is a function provided by fabric switches that allows segregation of a node by physical port, name or address. The zones are similar to virtual local area networks (VLANs) in data networking in the way they establish a "virtual SAN" within a SAN. Zoning works by inclusion. Zone members have any-to-any connectivity within the zone and non-members have none. Zoning can be implemented using either hardware or software.
As previously discussed in Part I, hardware zoning includes hard zoning, where zones are established by linking ports on the Fibre Channel fabric; and, soft zoning, where zones are established by using the World Wide Name (WWN) of the Fibre Channel devices connected to the Fibre Channel fabric. Zoning by ports is easier to implement, but less flexible than zoning by WWN. Hard zoning does not allow zones to overlap or "follow" a zone member that has its switch port changed. In other words, the zones need to be reconfigured whenever a Fibre Channel device in the SAN changes its switch port when hard zoning is used. When soft zoning is moved from one port to another, soft zoning can follow a Fibre Channel device.
Zoning can also be implemented through software (Simple Name Server (SNS)) that runs inside the fabric switch. By using the World Wide Node Name and the World Wide Port Name, software zoning allows members of the zone to be defined. When a specific host logs into the SAN and requests available storage devices, there is a potential security issue in using software zoning. The SNS will check the zoning table for all storage devices available for that host. And, the host will only see those devices that have been defined in the zoning table. Also, the host could make a direct connection to the storage device without asking the SNS for the information in the zoning table, in certain operating systems.
Many IT administrators use LUN Masking to limit access to storage devices to further protect the SAN. By filtering access to certain storage resources on the SAN, LUN Masking goes one step beyond zoning. Also, by utilizing a piece of code residing on each computer connected to the SAN, LUN Masking can be provided through hardware (i.e. intelligent bridges, routers, or storage controllers) or software. LUN Masking effectively masks off the LUNs that are not assigned to the application server (allowing only the assigned LUNs to appear to the application server's operating system), for each application server connected to the SAN,. The hardware connections to other LUNs still exist, but the LUN Masking makes those LUNs invisible. Managing paths by LUN Masking is a reasonable solution for small SANs, however, due to the extensive amount of configuration and maintenance involved, it is cumbersome for larger SANs.
Thus, with the preceding in mind, the Fibre Channel security areas to manage are:
- Authentication and authorization
- Configuration management
- SAN areas
Authentication and Authorization
Fibre Channel protocol provides a variety of services to clients. These services include simple name server (the Fibre Channel directory service), management server (for accessing topology information and controlling zones), alias server (for multicast support), time server (for acquiring time data), and a security key distribution server. Each of these servers is accessed through an ANSI specified client interface. By using any port on the switched Fibre Channel SAN, this access point is in band. As a result, in band access requires security that ensures authorization and authentication of client requests. A potential security breach can occur in an open SAN where a management application has unauthorized access to the fabric-zone services provided by the management server.
The ANSI standard defines a mechanism to ensure security, because these servers provide critical information about SAN resources and control SAN resources. Each server provides a client interface that includes a common security header in the request. This security technique is referred to as CT authentication. It is used to authenticate requests and responses between a server and a client (such as the communication between a management application and a director's management server). By using a secret key and transfers that signature to the fabric server, this security mechanism computes a signature. The fabric server validates and executes or rejects the request. This in band security technique ensures only trusted client requests that are executed in conjunction with the key distribution server that periodically distributes new secret keys, and a standard message digest for producing a unique signature,.
When additional SAN resources are required, a distinct benefit of switched SANs is the ability to adapt. System administrators connect storage or server ports to the director or switch, when additional storage or server access is needed. The director or switch in the SAN discovers the new ports, adds them to the name server, and signals when they are available to other servers in the SAN.
While this mechanism has undesired side effects in certain installations, it provides flexibility to add and remove SAN resources. The dynamic discovery of new devices has the potential to expose storage to unauthorized clients in storage service provider (SSP) environments, where the visibility of storage resources needs to be strictly controlled. This phenomenon can occur when service personnel inadvertently or accidentally connect two fabrics (i.e. interconnect to expansion ports (E_ports) on two different switches) or connect storage ports to the wrong director or switch. Directors and switches should provide configuration security methods via:
- Fabric membership authorization.
- Port-type controls.
- Switch port binding.
The preceding security methods span from complete secure authorization using switch port binding to simple security using port type configuration.
Access between server and storage ports must be addressed, once configuration security is ensured. As previously discussed in Part I, zoning is provided to restrict access between user-administered endpoints within the switched fabric. Zoning security is provided through:
- Hard zoning.
- HBA port binding.
- Simple name server (or soft zoning).
Fabric services are accessed in band via client interfaces to the management server. For purposes of topology discovery and zoning administration, the management server provides access to management clients.
SAN Security Benefits
The majority of today's SANs are designed to have multiple systems (whether heterogeneous or homogenous) sharing storage devices. By reducing both hardware and manpower resources required in a shared environment, corporations and government agencies can dramatically reduce Total-Cost-of-Ownership. Shared access does however have the potential to pose a few risks to data security. To protect sensitive data, many organizations require that a security barrier be put in place. This could range anywhere from an ASP that must guard against the risk of customers tampering with each other's data or to an enterprise that needs to ensure that HR and corporate financial data are not vulnerable to access on the intranet. Therefore, by defining node-to-node LUN access at the controller, the most effective means of guarding shared storage is to segment it into volumes and provide a security barrier.
Host-Based and Switch Based Mapping
While mapping at the Host level is theoretically possible, it is barely feasible and quite problematic, especially in a heterogeneous environment. Host based mapping uses filter drivers that restrict access to LUNs. This does not lend itself to a very versatile SAN. This can be a very cumbersome task, in addition to keeping up with a different filter driver for each separate operation system as well as upgrading it for new O/S renditions. Furthermore, multiple filters create difficulties in maintaining a common management framework and add multiple I/O layers to processing overhead. A more feasible means of partitioning a SAN is Switch Based Mapping, or "zoning." However, zoning is limited to a port-level mapping scheme. In order to mask LUNs in a shared storage device, a finer grain mapping scheme is needed.
Where possible, it is always desirable to have data management controlled by a hardware device as opposed to a software component. Rather than have storage devices maintain data availability, software layers result in higher CPU utilization and increase reliance on servers. Mapping logical disks to the SAN is a natural extension of RAID controllers. Since the controllers do the mapping, a RAID based mapping strategy does not impose overhead on nodes. In addition, since it eliminates a software component (which may be a potential security risk and hacked into), having the controller manage the masking feature is the most secure location for this function to take place. Also, since the controllers have to open every packet anyway in contrast with software components or additional hardware routers, I/O latency remains unchanged. By opening the packet to determine destination prior to sending the packet to the hardware RAID controller, these tools create an overhead layer. By using a controller, IT can allocate sensitive data to authorized users at the most secure, foundational level.
WWN Privileged Access
The controller's mapping table is a simple data structure that uniquely identifies users by their worldwide names (WWNs). IT simply selects which data it does and does not want each user to access when designing the SAN. Users are then granted access privileges to only the LUNs containing data, which they have been authorized via a mapping table. All other data is not only unavailable to the user it is invisible to the user. Essentially, what the user does not know exists will not even pose as a temptation. The mapping table operates under the following requirements:
- A locking protocol insures that simultaneous updates from different initiators to the table or to different copies of the table will not occur.
- Mirrored copies must be maintained in multiple devices to avoid losing the entire SAN should a failure occur.
- The mapping table is accessible only through the controller's management interface that provides a consistent view of all node-to-logical disk relationships.
The controller allows for enabling LUN Masking in Active/ Passive and Active/ Active Mode. If a controller fails while in Active/ Active mode, its partner emulates its loop address and services I/Os directed to both its native address and its failed partner's address. In the case of failover, this feature along with redundancy at the switch and HBA level, will ensure that there is no loss in data accessibility anywhere along the I/O path.
Finally, the ability to grow dynamically, is a vital characteristic of a healthy SAN. The controller can easily modify mapping to accommodate new WWNs, as nodes and new applications are added to the SAN. While remaining virtually transparent to users, IT can easily define and enforce storage access policies that are fully secure. The controller's LUN Masking capabilities allow organizations to more fully realize cost savings, while remaining true to the concept of server independent storage in the following areas:
- Bandwidth and capacity scaling.
- Centralized Storage Management.
- Flexible, Modular Storage Expansion.
- Increased Fault Tolerance.
- Shared Storage among different users groups.
Summary and Conclusions
Part II of this introduction to SAN security has centered around how the switched Fibre Channel infrastructure of a SAN must provide the tools to enforce security policies established by systems administrators. When planning and implementing SANs, security must be considered. Finally, in order to maintain the integrity of the fabric, the following security techniques have been developed:
- Configuration security methods can be employed to completely restrict devices within a fabric (switch port binding), restrict only switches (fabric membership authorization), or control the attachment of device types (port type configuration).
- Security must ensure only authorized access between SAN devices. Zoning provides a SAN access security technique using the name server (soft zoning), strict routing control (hard zoning), and HBA port binding.
- With the increased server functionality provided by switches and directors in a switched SAN, ANSI defined authentication and authorization techniques. These security methods control client's access to fabric services.
About the Author :John Vacca is an information technology consultant and author. Since 1982, John has authored 36 technical books including The Essential Guide To Storage Area Networks, published by Prentice Hall. John was the computer security official for NASA's space station program (Freedom) and the International Space Station Program, from 1988 until his early retirement from NASA in 1995. John can be reached at firstname.lastname@example.org.
See All Articles by Columnist John Vacca