Data Protection and Information Lifecycle Management

There are many hurdles for the system architect who is trying to craft a secure storage system. Foremost of these is a lack of support for security in the products and protocols used to build enterprise storage systems.

Fortunately, there are several strategies that can be used to enhance security for storage systems that do not cost very much to implement. As is always the case with system security, none of these practices can guarantee that an intruder won't damage data in a storage system. These strategies will, however, set obstacles in the path of the malicious and the unwitting.

Separate Networks for Management

One of the best vectors for the malicious or curious is the management interface of a storage system device. Management interfaces must be kept on completely separate networks to ensure that there is no path to the device from anywhere on the main LAN or, especially, the Internet.

It is very convenient for a storage administrator to have access from a standard desktop computer to the devices he manages. Unfortunately, this desktop access provides an opportunity for others to see and perhaps even access the devices' management features. At best, this provides an intruder with valuable intelligence. A more likely scenario is that the network connection is used as the basis for an attack.

The best defense is to have management interfaces on completely separate networks. This network should also be accessible only from a dedicated workstation. A workstation that has access to both the main network and the management network may itself be used as a platform for an attack on the storage system.

IP storage poses a bit of a problem for similar reasons. If the storage devices are accessible from the main network, they may be exposed to attacks from computers on that network. Unlike the management interfaces, though, hosts need to access the IP storage devices. They in turn must be accessible by other hosts, such as desktop computers.

The best solution is to have a separate IP network for the storage system that only the hosts can access. Hosts should be double homed (having two Ethernet cards attached to separate networks), and a firewall should be placed between the hosts and the IP storage devices.

Hard Zoning in FC Networks

To begin with, all Fibre Channel SANs should use zoning in some form. It is surprising how often a SAN is put into place without it. That is because there is no default zoning in Fibre Channel. Fibre Channel networks believe all hosts to be trusted and, hence, work under a Default ALLOW posture. Zoning doesn't truly change this, because any host not in a zone has access to any nonzoned resource, but it is better than nothing.

Hard zoning is preferred to soft zoning. Soft zoning is susceptible to WWN spoofing and similar host attacks because it is based on the host bus adapter and not the Fibre Channel switch. With soft zoning, hosts don't "see" the resources outside their zone but could still access them given the proper tools. Thus, the hosts themselves represent a vector that can be used to attack the system.

On the other hand, hard zoning is based on the switch port. This makes it more difficult for the host to be used for an attack by overcoming zoning restrictions. It also is impervious to WWN spoofing.

Tip

All ports should be zoned, even unused ports. A zone should be established that contains no resources at all, and empty switch ports must be assigned to that zone. This way, even if someone plugs a host into the switch port, it will remain isolated from the other hosts and resources on the SAN.
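The checks in this section (hard zoning rather than WWN-based soft zoning, every port zoned, unused ports parked in an empty quarantine zone) can be audited mechanically. The following is an added example, not code from the book or from any switch vendor; the zone representation and the 8-port configuration are constructed for illustration and do not match any real switch's export format.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """A zone as the audit sees it: port members (hard) and/or WWN members (soft)."""
    name: str
    ports: set = field(default_factory=set)  # switch port numbers (hard zoning)
    wwns: set = field(default_factory=set)   # WWN strings (soft zoning, flagged)

def audit_zoning(num_ports, zones, quarantine_zone, in_use_ports):
    """Return a list of findings; an empty list means the zoning follows the practices above."""
    findings = []
    membership = {}  # port -> set of zone names the port belongs to
    for z in zones:
        if z.wwns:
            # WWN membership is enforced at the HBA, not the switch, and is spoofable
            findings.append(f"{z.name}: WWN-based (soft) members; use port-based hard zoning")
        for p in z.ports:
            membership.setdefault(p, set()).add(z.name)
    for p in range(num_ports):
        zones_of_p = membership.get(p, set())
        if p in in_use_ports:
            if not zones_of_p:
                findings.append(f"port {p}: in use but not in any zone")
            elif quarantine_zone in zones_of_p:
                # the quarantine zone must hold no resources at all
                findings.append(f"port {p}: in use but sits in the quarantine zone")
        else:
            if quarantine_zone not in zones_of_p:
                findings.append(f"port {p}: unused and not in the quarantine zone")
            elif zones_of_p - {quarantine_zone}:
                # an unused port that is also in a real zone gains access the moment a host is plugged in
                findings.append(f"port {p}: unused port also belongs to {sorted(zones_of_p - {quarantine_zone})}")
    return findings

# Constructed sample: hypothetical 8-port switch; ports 0, 1 (hosts), 2 (host), 4 (array) are cabled.
SAMPLE_ZONES = [
    Zone("app_zone", ports={0, 1, 4}),
    Zone("backup_zone", wwns={"10:00:00:00:c9:aa:bb:cc"}),  # soft zone, should be flagged
    Zone("quarantine", ports={1, 5, 6}),                     # port 1 is in use; 3 and 7 are missing
]
SAMPLE_IN_USE = {0, 1, 2, 4}

if __name__ == "__main__":
    for finding in audit_zoning(8, SAMPLE_ZONES, "quarantine", SAMPLE_IN_USE):
        print(finding)
```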

Virtual Fabrics

So-called intelligent storage switches implement a new feature called virtual fabrics. Virtual fabrics provide a higher degree of isolation than zoning does.

Each host is assigned to a virtual fabric in much the same way that Ethernet hosts can be isolated within a VLAN. What is most important is that each virtual fabric has its own set of fabric services. This differs from zoning, in which major fabric services such as the Simple Name Server and the zoning service itself are shared by all nodes in the entire fabric. If an intruder can find a way to circumvent or disrupt these services, she may cause damage to the entire SAN.

With a virtual fabric, damage would be confined to the virtual fabric that is accessible from the port used for the attack. Even if an attacker can overcome a switch's hard zoning, damage would be isolated to the nodes in that virtual fabric.

Strong Application and Host Security

It's hard for intruders to do damage to the storage system if they can't get to it in the first place. Strong host security is as much a part of storage system security as it is of server security. Specifically:

  • Tight access control is a must. Limit user access to the host, especially processes running on their own, such as UNIX daemons.

  • Place strict restrictions on which users can run storage utilities. Any storage utility that does not have to be on the host should be removed.

  • Restrict the ability for a program to be loaded over the network. This will make it difficult for intruders to place utilities on the host that directly access the storage resources via SCSI commands.

  • Use two-factor authentication for all hosts. Although terribly inconvenient, two-factor authentication, especially when one of the factors relies on a physical object such as a swipe card, makes it very difficult for a remote process to use the host as a vector for an attack on the storage system.

Host security is the "moat" that an attacker needs to cross to get to the storage "keep." It needs to be full of monsters ready to eat intruders.

SAN System Management Software

As discussed previously, rogue computers on the SAN are an excellent way for an insider to make mischief with a SAN. This is especially true for Fibre Channel networks, where it is very difficult to get to the network from outside the SAN.

Proper SAN management helps detect some of the changes that would indicate that an attack has happened; is in progress; or, better yet, is about to happen. Most SAN management software is capable of discovering hosts (via the host bus adapter) and devices as they enter the network. Unexpected hosts may indicate that an attacker has penetrated the system. Good SAN management software can also note changes in device settings and storage provisioning, and even sudden upswings in network usage to a particular port. All of these, if not expected, may indicate an attack in progress or one about to commence.
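The detection logic this paragraph describes, comparing a saved fabric state against the current one, is shown below as an added example; it is not code from the book or from any SAN management product. The snapshot layout, the approved-HBA inventory, the WWN values and the threshold of a threefold traffic increase are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Constructed view of what SAN management software discovers on one pass."""
    hosts: dict      # switch port -> WWN of the HBA logged in on that port
    lun_map: dict    # (array, lun) -> frozenset of WWNs provisioned to that LUN
    port_mbps: dict  # switch port -> average throughput observed on the port

def compare_snapshots(baseline, current, approved_hbas, spike_factor=3.0):
    """Return (kind, detail...) tuples for changes that warrant an administrator's attention."""
    alerts = []
    baseline_port = {wwn: port for port, wwn in baseline.hosts.items()}
    for port, wwn in current.hosts.items():
        if wwn not in approved_hbas:
            # an HBA nobody inventoried: a rogue computer or a replaced card
            alerts.append(("unknown_host", port, wwn))
        elif wwn in baseline_port and baseline_port[wwn] != port:
            # a known WWN showing up on a different port than before (assumption: worth a look)
            alerts.append(("host_moved", port, wwn))
    for key, allowed in current.lun_map.items():
        before = baseline.lun_map.get(key)
        if before is not None and allowed != before:
            alerts.append(("provisioning_change", key, allowed - before, before - allowed))
    for port, mbps in current.port_mbps.items():
        base = baseline.port_mbps.get(port, 0.0)
        if base > 0 and mbps >= spike_factor * base:
            alerts.append(("traffic_spike", port, mbps))
    return alerts

# Constructed sample data (fictitious WWNs); not taken from any real fabric.
APPROVED = {"10:00:00:00:c9:00:00:0a": "db-srv-01", "10:00:00:00:c9:00:00:0b": "app-srv-02"}
BASELINE = Snapshot(
    hosts={0: "10:00:00:00:c9:00:00:0a", 1: "10:00:00:00:c9:00:00:0b"},
    lun_map={("arr1", 0): frozenset({"10:00:00:00:c9:00:00:0a"}),
             ("arr1", 1): frozenset({"10:00:00:00:c9:00:00:0b"})},
    port_mbps={0: 100.0, 1: 80.0})
CURRENT = Snapshot(
    hosts={0: "10:00:00:00:c9:00:00:0a", 1: "10:00:00:00:c9:00:00:0c", 2: "10:00:00:00:c9:00:00:0b"},
    lun_map={("arr1", 0): frozenset({"10:00:00:00:c9:00:00:0a", "10:00:00:00:c9:00:00:0c"}),
             ("arr1", 1): frozenset({"10:00:00:00:c9:00:00:0b"})},
    port_mbps={0: 420.0, 1: 70.0, 2: 90.0})

if __name__ == "__main__":
    for alert in compare_snapshots(BASELINE, CURRENT, APPROVED):
        print(alert)
```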

Finally, SAN management software will usually allow system settings and states to be saved. This feature will allow storage administrators to recover more quickly from attacks if they are successful.

Secure SAN Switch Operating Systems

Some SAN switch vendors offer a version of the switch operating system that includes special security features. Some examples of what a secure switch operating system might include are

  • Virtual fabrics. Virtual fabrics provide higher levels of isolation, especially of fabric services.

  • Access control for the management port. Certain secure operating systems allow access control lists to be set for the management port. This limits which hosts can be allowed to manage the switch.

  • Policy-driven management. Some switches allow for the setting of policies that restrict what switch functions can be used by which users or hosts. This limits the damage that an intruder or poorly skilled technician can do.

  • Port-level access control. Some secure fabrics implement policy-driven access controls at a port level tied to a WWN. This helps defeat WWN spoofing, because the WWN is bound to a particular port. This is stronger protection than zoning.

Security features can also be found in some storage servers. Although most storage servers focus on basic SAN services, such as virtualization, some have also begun to implement security features lacking in switches. Access controls and inline encryption are two examples of security features included in some storage servers.

When purchasing a SAN switch or storage server, it is important to consider whether the device supports these features. If security is a major concern, the extra money that these options will cost is worth it.

Manage IP Connections

IP SANs, iSCSI in particular, often use multiple IP connections for the same data stream to get the bandwidth necessary for storage applications. This represents a risk, because it can hide potentially harmful traffic from IDS and firewall devices. In fact, it is better to disallow this capability at the firewall and not rely on it for storage applications.

It is also better not to perform block-level storage over a public network. This represents an opportunity for intruders to get at storage resources that were previously hidden. Using VPN helps, in that the data is encrypted, but even encrypted data can carry a malicious payload. No one can look at the traffic, but it may still be dangerous.

File-level data is different, because many IDS and firewall programs understand CIFS and NFS and are capable of creating the proper security environment for them. In this case, stick to the use of common protocols supported by security devices. It is not safe to use proprietary solutions.

Use LUN Locking in Addition to LUN Masking

LUN masking only hides the storage device from the hosts; it is still accessible. LUN locking, on the other hand, actually disallows hosts from accessing specific LUNs unless they have permission to do so. LUN locking is a function of the storage device and should be taken into account when purchasing disk arrays and tape libraries.

Having LUN locking in place does not mean that LUN masking should not be used. By masking the LUN, the attacker is initially denied valuable information about the storage system and will have to work for it. Together, LUN masking and LUN locking are much more powerful than each is alone.

Use Encryption

It must be assumed that, despite best efforts, an intruder will penetrate the defense of a storage system. At this point, one might also assume that the intruder will be able to steal lots of important information before doing whatever other mischief she has in mind.

Maybe not. If the data that the attacker gains access to is encrypted, it may not be safe from damage but will not be usable by the attacker. The side benefit of having the data encrypted is that encryption makes it less likely that professional hackers will break in. They won't waste their time stealing data that can't be used or sold. It's like robbing an empty house.

A Storage Security Checklist

When designing storage systems or buying storage products, system security must be part of the equation. Table 6-1 is a checklist of security practices that should be part of your overall storage system planning.

Table 6-1. A Sample Storage Security Checklist

Best Practice

  • Management network separate from LAN and SAN

  • Hard zoning employed (Fibre Channel)

  • All ports zoned, even unused ones (Fibre Channel)

  • Access control in place on hosts

  • Access control in place on management ports

  • Access controls in place on SAN switch ports (Fibre Channel)

  • Restricted use of storage utilities to trusted administrators

  • Programs cannot be loaded over the network to hosts

  • Two-factor authentication in place for hosts

  • Two-factor authentication for management ports

  • SAN switches have secure operating systems (Fibre Channel)

  • Switches support virtual fabrics (Fibre Channel)

  • Devices support policy-based management

  • Single connections for each iSCSI data stream

  • VPN for iSCSI traffic

  • Use common protocols for file traffic

  • LUN locking and LUN masking employed

  • Data at rest encrypted (disk and tape)

  • Data in motion encrypted