Fibre Channel security

Computer Technology Review, March, 2003 by Christine Taylor Chudnow

Until recently, storage area networks have largely served departmental storage needs. With no outgoing pipes and limited LAN connections, these SANs were secure by default. Now companies are increasingly consolidating their departmental SANs into large centralized storage networks, and as centralized SANs become more popular, they are more at risk of security breaches, both from humans and from the nature of SANs' any-to-any connectivity. Brandon Hoff, strategic marketing manager for security at McData, commented on consolidation, "To do this we're punching holes in the data center. We're also putting more information using more ports." Security threats against Fibre Channel can be loosely divided into two camps: machine-based and human.

Protecting the SAN Against Itself

The very capacity that makes SANs ideal for storage networking--the ability to make any-to-any connections--also makes it possible for application servers to see all storage devices on the SAN at the same time, and even to blithely overwrite each other on the same disks. This is generally considered a bad thing, so storage administrators must protect against this all-seeing problem with zoning and LUN masking.

Zoning:

* Provides barriers between devices that use different operating systems. Windows NT, for example, grabs every bit of storage it sees unless it's been zone-restricted.

* Protects confidential data by enabling access rights for specific user groups.

* Segments groups of devices from other devices in the fabric. This allows storage administrators to carry out installations, testing, and upgrades on segmented devices without impacting other zones.

Fabric switches provide hardware- or software-based zoning by segregating nodes by several different categories, including address, physical port or name. This leaves zone members with any-to-any connectivity among themselves, while leaving non-members in the dark. Hardware-based zoning includes hard zoning, which links ports on the fabric, and soft zoning, which uses the WWN (World Wide Name) of the fabric-connected Fibre Channel devices. (FalconStor asserts that port zoning is easier to implement but not as flexible as WWN zoning, since with hard zoning storage administrators must reconfigure a zone whenever a SAN Fibre Channel device changes its switch port.) Soft zoning can follow a Fibre Channel device when it is moved between ports. Software-based zoning may use the switch-based Simple Name Server (SNS), which defines zone members using the World Wide Node Name and World Wide Port Name. In this case, when a host accesses the SAN to request available storage devices, the SNS returns only those devices the host is allowed to see according to the zoning table.

Port-type controls ensure that switches automatically sense a connection type when receiving an enabling command. This procedure distinguishes between a generic switch port (G-port), a fabric port (F-port), and an E-port, where two switches are connected. A port-type configuration allows the storage administrator to restrict a switch to a particular kind of port, which protects storage ports from inadvertent or malicious misuse--for example, an attempt to change the network topology by connecting two G-ports to form an E-port. Port-type controls would disable such commands unless they were accompanied by stringent authentication protocols.

Zoning also protects storage networks from failure during new equipment deployment and testing. Administrators can secure the network by using switches to segment it into zones such as management traffic or testing segments. This ability is particularly helpful to system integrators because it allows them to lock down their customer's fabric against inadvertent changes when installing new network components. It is then a simpler and safer matter to grant access to the integrator installing and testing new equipment on a working SAN.

LUN masking adds a further level of protection against errant hosts attempting to bypass the SNS. LUN masking controls access to individual storage devices on the SAN at the component level; LUN masking could make a host turn a blind eye to a subset of disks on a single array, or to specific tape drives in a tape library. Like zoning, LUN masking can use both hardware- and software-based approaches, working through hardware devices like routers and controllers, or through code residing on hosts. Since LUN masking is labor-intensive, it is most appropriate for smaller SANs.
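To make the two mechanisms above concrete (the Simple Name Server answering only with zone members, soft zones following a WWN when a device changes switch port, hard zones not following it, and LUN masking hiding a subset of an array's LUNs from a host), here is a small model in Python. It is an added illustration, not code from the article or from any switch vendor; all zone names, WWNs, port numbers and LUN ids are constructed.

```python
# Constructed toy model of fabric zoning and LUN masking; not vendor code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:
    name: str
    wwn: str          # World Wide Port Name (constructed value)
    switch_port: int  # physical port on the fabric switch

@dataclass
class Fabric:
    nodes: dict = field(default_factory=dict)       # name -> Node
    wwn_zones: dict = field(default_factory=dict)   # zone -> set of WWNs (soft zoning)
    port_zones: dict = field(default_factory=dict)  # zone -> set of switch ports (hard zoning)
    lun_masks: dict = field(default_factory=dict)   # (array name, host WWN) -> allowed LUN ids

    def zones_for(self, node):
        """Zones a node belongs to: soft zones match its WWN, hard zones match its port."""
        soft = {z for z, members in self.wwn_zones.items() if node.wwn in members}
        hard = {z for z, members in self.port_zones.items() if node.switch_port in members}
        return soft | hard

    def sns_query(self, requester_name):
        """Simple Name Server answer: only devices that share a zone with the requester."""
        req = self.nodes[requester_name]
        mine = self.zones_for(req)
        return sorted(n.name for n in self.nodes.values()
                      if n is not req and self.zones_for(n) & mine)

    def move_port(self, name, new_port):
        """Re-cable a device to another switch port; soft zones follow it, hard zones do not."""
        old = self.nodes[name]
        self.nodes[name] = Node(old.name, old.wwn, new_port)

    def visible_luns(self, array_name, host_name, all_luns):
        """LUN masking: a host sees only the LUNs unmasked for its WWN on that array."""
        allowed = self.lun_masks.get((array_name, self.nodes[host_name].wwn), set())
        return sorted(set(all_luns) & allowed)

def build_fabric():
    """Two hosts, one disk array and one tape library on a single switch (constructed)."""
    f = Fabric()
    for n in [Node("nt_host", "10:00:00:00:c9:00:00:01", 1),
              Node("unix_host", "10:00:00:00:c9:00:00:02", 2),
              Node("array", "50:06:01:60:00:00:00:0a", 3),
              Node("tape", "50:05:07:63:00:00:00:0b", 4)]:
        f.nodes[n.name] = n
    f.wwn_zones["unix_disk"] = {f.nodes["unix_host"].wwn, f.nodes["array"].wwn}  # soft zone
    f.port_zones["nt_tape"] = {1, 4}                                             # hard zone
    f.lun_masks[("array", f.nodes["unix_host"].wwn)] = {0, 1}  # unix_host sees LUNs 0 and 1 only
    return f
```

Moving `nt_host` to a different port drops it out of its hard zone, while `unix_host` keeps seeing the array after a move because its soft zone is keyed on the WWN.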

Human Threats

When a human being presents a threat, most people immediately picture shadowy outlaw hackers. However, company employees present much greater threats than outsiders--many a SAN has been damaged by inexperienced storage administrators, and the FBI claims that 75 percent of losses from security breaches come from internal sources. In spite of real security threats from ignorance or malice, Fibre Channel security against external attacks is not as mature as messaging network security. Hoff said, "Security for storage networks is new because most people, three or five years ago, didn't know about them. New networks are hard to hack because you don't know how." As more people find out how to hack into storage networks, they publicize vulnerabilities over the Internet and other hackers attempt to exploit that knowledge. Storage administrators may not even have known about the original intrusion because the hacker left no traces, but suddenly the network is suffering thousands of attempts.

 
