Not making security part of your storage strategy can be a costly and time-consuming oversight.
By Dennis Martin
In 2001, the Computer Security Institute (CSI) conducted its annual "Computer Crime and Security Survey," which found that 85% of the 538 respondents polled detected a security breach within their system. A primary impact from these intrusions comes from monetary loss, which 65% of the respondents experienced. Only 186 of the respondents were willing and able to quantify those financial losses, which amounted to more than $370 million. Alarmingly, of those who experienced intrusions and financial loss, 95% have firewalls and 61% have intrusion detection systems.
Although the data provided by this report is interesting, most computer security breaches go unreported. The actual losses are certainly higher than this report indicates.
What is security?
Security is the management of risk. Risk is characterized as the necessity for information to be readily available, versus the exposure that availability generates in the form of theft, destruction, or alteration of that information.
A primary factor in the number of intrusions, despite preventive measures, is the continuing sophistication of attacks and the availability of automated tools that perform them. In the 1970s and early 1980s, network intrusions were perpetrated by those with the technical savvy to reverse-engineer the system from afar. The techniques employed ranged from basic password guessing to exploiting undocumented features of the system.
As the Internet took shape and the technologies employed to transmit information became more complex, the techniques used to infiltrate those systems also became more devious and began to include attacks such as IP spoofing and session hijacking. Of more concern is the proliferation of automated tools on the Internet, which makes it possible for individuals who would otherwise lack the technical ability to perform an attack to download tools and carry out a sophisticated attack.
Common security mistakes
The primary mistake with any security solution is to assign security management responsibilities to inadequately trained staff and not provide the necessary time or training for professional skill development. Other common mistakes made by management include the failure to appreciate the value of a company's reputation (or the loss thereof in a security breach or disaster) or the failure to appreciate the value of data stored on computer systems. Other mistakes include the reliance on the individual technologies (e.g., firewalls, encryption, SSL, and IDS) without an overall security strategy, focusing on short-term security "fixes" without long-term follow-up, or totally ignoring the problem.
Another common mistake is failing to adequately consider the sources of attacks. Proposing security solutions without first defining the type of attacker and the resources at their disposal leads to ambiguous security tasks that cannot achieve the desired goal. Attack patterns, types, available resources, and technical aptitude vary with the source of the attack, which may be anyone from low-level intruders (or joy riders), who break into a system for the perceived enjoyment and challenge of it, to well-funded and trained perpetrators of terrorism and industrial and international espionage, who have more malicious intent. Further, when you provide data storage and migration, an additional intruder type surfaces: one that seeks to use your bandwidth and storage for the replication and distribution of pirated software.
Ultimately, when you are considering a storage solution, keep in mind that not making security part of your storage strategy can be a costly and time-consuming oversight.
Steps to achieving good security
It is a common analogy to equate the strength of a company's security to the strength of each component that makes up the security solution: a chain is only as strong as its weakest link. However, some chains have several weak links, compounding the problem. The initial step in forming a solution is to clearly define and understand the key processes and assets of your business. The assets range from the key concepts of the mission statement, to the legal department's evaluation of potential liabilities, to the marketing department's assessment of security failures and their potential effects on stock price and company reputation. The processes range from day-to-day IT activities to employees' network usage and activities, including login rights and permissions.
Once these assets are defined, evaluate the cost of these assets if they are lost or damaged. If a key asset is the storage of patient information, for example, and that information is stolen, the cost is great. The cost, in that case, is not limited only to the restoration of the database and fines imposed by the federal government, but also to the loss of trust in the company by its users.
A firm commitment to a security strategy goes a long way toward achieving good security practices. Enforce the rules with the appropriate tools and manpower, and conduct regular audits and reviews of the security measures in place. As the technologies, resources, and assets change what the security practices govern, so must the security practices change.
Even after taking realistic steps to protect assets, including asset definition, resource management (login control), and enforcement of a security strategy, your solution will still not be 100% intruder-proof. In reality, information and storage security cannot be 100% secure. Because many components of your system are third-party software, you must rely on their security. When those components are combined, you encounter the emergent properties of networked systems, whose behavior can be unpredictable. You can, however, build a well-managed system that makes attempted breaches too expensive and time-consuming to conduct.
General IT security issues
Information storage poses security considerations that exist beyond those for your IT solutions. These facets directly address the access, integrity, availability, and confidentiality of the data. Who has access to the data, and is that access limited or uninhibited? Is the data intact or corrupted, and is the availability clear, slow, or blocked? Has there been damage to the data, was that damage inadvertent or malicious, and has the confidentiality of the data been compromised or was it maintained?
Asking these questions, along with addressing the differences in storage network security, examining the security measures currently in place, and questioning what risks are acceptable, will lead to the beginning of the Security Model. This model will help define the expectations of security for your storage network and act as requirements for both the implementation of security measures and a barometer by which your security is measured.
In addition to the scrutiny placed upon digital security, physical security must also be addressed and maintained. Environmental issues such as battery backups from an uninterruptible power supply (UPS), temperature control, fire detection and suppression systems, and the waterproofing of electrical systems must also be considered. Other items to consider include the physical structure and layout of things such as raised floors and false ceilings: Do they span into areas outside of your control? Ensure all entrances have adequate and consistent security; it is not good to have strong security on the main entrance but weak security on a fire exit or roof access.
Additional scrutiny should be placed on personnel issues regarding the identification procedures for access to secure areas. It is not uncommon to find good digital security but weak physical security where an unwanted system intruder may be able to easily gain physical access to computers. Secure identification of personnel, including badge usage and monitored access to sensitive areas, is necessary. Another consideration is the use of good hiring and screening procedures for prospective employees as well as maintaining communication with current employees so that the appropriate staff is aware of any potential security risks of current employees. Employee morale should be considered, especially if your company is conducting layoffs.
Storage networking security risks
Traditionally, information storage was architected with one access point, such as an IDE or SCSI interface between the storage device and host computer, and to reach the storage device a user had to log in to that host with a user ID and password. In today's networked infrastructure, storage is deployed in complex topologies with a multitude of interface points. Users can access data from multiple hosts, other storage devices, switches, LAN/WAN, VPN, etc. This complex networked topology poses security risks specific to storage networks.
These attacks can be discussed in their two primary forms: an intruder attempts to gain unauthorized access, or he/she attempts to deny other users or systems from accessing the storage network. Both internal and external users of the system can perpetrate these attacks.
Unauthorized access attacks can result from either non-system users attempting to gain access to the system or users who have already successfully obtained low-level system rights but may be attempting to elevate their current privileges on the system. The goals of these attacks will vary from attempting to gain access to unauthorized information to destroying or altering information on the system.
The second primary attack type is to deny system services to either legitimate users or other systems on the network. These attacks, called a Denial of Service (DoS), can originate from a single system or from multiple systems in the form of a Distributed Denial of Service Attack (DDoS). The primary goal of these attack types is to overload a target system so that it will not be able to respond to legitimate access requests.
Security technology solutions
The technical solutions currently available address many components of the primary attack types. These solutions, when coupled with education and a firm commitment to security, will help mitigate the risk involved in running SANs.
Storage security perimeters
Storage network security is achieved by making secure perimeters around information and systems. This provides a multi-tiered defense against intrusion and will facilitate the administration and management of the individual technologies. Since security will only be as strong as the weakest link, all perimeter technologies must be configured properly. From a storage perspective, there are three perimeters that must be addressed.
The outer perimeter comprises firewalls, intrusion detection systems (IDS), and other components of the network security framework. The internal network security framework may employ various firewall technologies such as packet filters, stateful packet inspection, proxy, or adaptive/dynamic proxy.
The middle perimeter consists of operating system security settings for host computers:
- For mainframes: properly configuring RACF, ACF2, etc.;
- For Unix systems: properly protecting "root" or other "super-user" accounts and protecting files using appropriate "rwx" permissions;
- For Windows NT and Windows 2000 systems: setting appropriate domain security policies and protecting files with good ACLs;
- For Unix and Windows 2000 systems: understanding and deploying Kerberos security;
- For all systems: keeping current with all operating system fixes, patches, and service packs; and
- For various application programs: applying security-related patches.
The inner perimeter, also referred to as the storage fabric, consists of SAN management software, switch zoning and other fabric security settings, and LUN masking. The security settings of the internal storage area take place here.
SAN management software
SAN management software should at least require a User ID and password for its use. Administrative software that does not need a User ID and password is a clear security risk. Some packages encrypt the User ID and/or password for improved security. Some solutions have multiple levels of privileges, such as an administrator level with full privileges and a "read-only" level for those with lesser privilege. Expect additional kinds of privileges to be available in the future from various vendors.
Some solutions use secure communications such as Secure Socket Layer (SSL) between software components when communication over a network is required. The database used to store SAN component information may also provide some security settings. Some solutions use application programming interfaces (APIs) to communicate with SAN components so that the user has one interface to learn. Launching separate SAN component tools would require additional security.
Fabric security: switch zoning
Switch zoning creates logical groupings of devices within the SAN. It provides a secure environment by segmenting the fabric into zones (comprising host computers, switches, and storage devices) whose members only interface with other members of their zone. These zones can be "soft," whereby a server is only given information about the ports in its zone, or they can be "hard," whereby access is strictly limited to destinations within the zone based on a routing table in the switch. Soft zoning can be circumvented if the server can obtain information about devices outside of its zone through other methods. Access management can be enforced within specific zones, facilitating the seamless integration of security management and information access.
The security features of the switch include trust relationships, Access Control Lists (ACLs), communication security, and port binding and controls. These features should be taken into account when developing the environment and for deployment/maintenance of the switch.
Some SAN switches support trust relationships, called trusted switches, which are similar to "trusted servers" in network security. They manage the security of zones and other switch configuration items. Only authorized or trusted connections are permitted to make configuration changes.
ACLs describe which users can modify the status of various resources. "Users" in this case can be World Wide Names (WWNs), device ports, or IP addresses. ACLs often employ the use of security certificates or tokens.
Finally, some SAN switches support port binding that restricts communication of specific devices to specific predefined switch ports. This can prevent unauthorized devices from being added to specific ports. A less restrictive variation of port binding forces specific switch ports to operate in the E_Port, F_Port, or G_Port modes only, limiting specific ports to certain types of devices.
Fabric security: LUN masking
LUN masking assigns logical unit numbers to specific host servers, and the host server is allowed to see only the LUNs assigned to it. LUNs not assigned to a specific host server are said to be "masked" from that host. LUN masking prevents hosts from "stepping on" each other's data. Years ago, mainframes mastered the concept of multiple hosts simultaneously sharing storage devices. However, allowing different Unix and/or Windows NT/2000 hosts simultaneous read/write access to the same LUN creates many problems today.
In large SCSI disk arrays, LUNs are typically assigned to a specific SCSI port on that disk array. In the Fibre Channel environment, LUNs are assigned to a specific WWN of a device.
LUN masking should not be confused with true security authentication but should be used in addition to switch zoning and other server-based security measures to ensure a secure environment. It can be accomplished in one or more of the following areas of the storage architecture: storage array controllers, switches and routers, host bus adapters, or server device drivers.
Some SAN management software applications use APIs to directly manage LUN masking at the storage array. Other SAN management software applications do not provide this function directly but can launch a separate tool, usually provided by one or more hardware vendors, to accomplish LUN masking.
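The zoning and LUN-masking behaviour described in the two sections above, modelled as an added example that is not the article's own code: a soft-zoned fabric filters only what the name server reports, so a host that learns an array's WWN some other way still has its frames delivered, and masking at the array is then the control that decides what it sees; hard zoning enforces the zone in the switch's routing. The `Fabric` and `StorageArray` classes are hypothetical helpers, and all WWNs and LUN numbers are constructed sample values.

```python
from dataclasses import dataclass
# Constructed sample WWNs: two host HBAs and one array port.
HOST_A = "10:00:00:00:c9:aa:aa:aa"
HOST_B = "10:00:00:00:c9:bb:bb:bb"
ARRAY = "50:06:01:60:00:00:00:01"

@dataclass
class Fabric:
    zones: dict  # zone name -> set of member WWNs
    mode: str    # "soft": name-server filtering only; "hard": enforced in routing

    def same_zone(self, src, dst):
        return any(src in m and dst in m for m in self.zones.values())

    def name_server_query(self, src):
        # WWNs the fabric name server reports to src; filtered in both modes.
        return {w for m in self.zones.values() if src in m for w in m if w != src}

    def deliver(self, src, dst):
        # Soft zoning forwards a frame to any WWN the sender already knows;
        # hard zoning drops frames between WWNs that share no zone.
        return self.same_zone(src, dst) if self.mode == "hard" else True

@dataclass
class StorageArray:
    wwn: str
    masking: dict  # host WWN -> set of LUNs presented (unmasked) to that host

    def report_luns(self, host_wwn):
        return set(self.masking.get(host_wwn, ()))

def visible_luns(fabric, array, host):
    # A host reaches a LUN only if the fabric delivers its frames to the array
    # port and the array presents that LUN to the host's WWN.
    if not fabric.deliver(host, array.wwn):
        return set()
    return array.report_luns(host)

def shared_luns(array):
    # LUNs presented to more than one host: the "stepping on each other" case.
    seen = {}
    for host, luns in array.masking.items():
        for lun in luns:
            seen.setdefault(lun, set()).add(host)
    return {lun for lun, hosts in seen.items() if len(hosts) > 1}

def demo():
    zones = {"zone_a": {HOST_A, ARRAY}}  # HOST_B shares no zone with ARRAY
    soft, hard = Fabric(zones, "soft"), Fabric(zones, "hard")
    masked = StorageArray(ARRAY, {HOST_A: {0, 1}})
    sloppy = StorageArray(ARRAY, {HOST_A: {0, 1}, HOST_B: {0, 1, 2}})
    # Assume HOST_B obtained ARRAY's WWN outside the name server (it is not told).
    return {
        "name_server_tells_b": ARRAY in soft.name_server_query(HOST_B),  # False
        "soft_zoning_only": visible_luns(soft, sloppy, HOST_B),           # {0, 1, 2}
        "soft_zoning_plus_masking": visible_luns(soft, masked, HOST_B),   # set()
        "hard_zoning_only": visible_luns(hard, sloppy, HOST_B),           # set()
        "luns_shared_between_hosts": shared_luns(sloppy),                 # {0, 1}
    }
```

The `shared_luns` check is the audit a storage administrator would run over the masking table to catch LUNs accidentally presented to more than one open-systems host.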
Device "phone-home" features
Many storage devices include "phone-home" features for diagnostic purposes by the manufacturer. Typically, connecting a modem and telephone line to the storage device enables these features. The security of this connection should be tested periodically.
Encryption
Encryption provides an added layer of security by converting data into a format that, by its very nature, is unreadable by those without the proper authorization or key. Various encryption algorithms may be employed to accomplish this. They may be symmetrical (secret key) or asymmetrical (public key). A symmetrical algorithm uses one key to encrypt and decrypt information. Examples include DES, Triple-DES, CAST, AES, and Blowfish. Conversely, asymmetrical algorithms use two keys, one public and one private. These include RSA, DSA, and ECDSA. Asymmetrical encryption generally uses a more complex algorithm than symmetrical encryption.
Communication between agents and primary servers should be protected with a secure communication protocol. Secure Socket Layer (SSL) for standard communications and Wired Equivalent Privacy (WEP) for wireless networks are available.
While encryption increases the difficulty for intruders, it also increases the cost for data owners. This cost is realized in CPU cycles to encrypt and decrypt the data or specialized encryption hardware that offloads the main CPU, as well as the increased storage space required by encrypted data.
SAN attacks
Storage networks can use different interfaces (Fibre Channel) and protocols (SCSI) from regular Ethernet TCP/IP LANs but sometimes have a LAN type of connection that can be used for management purposes. Care must be taken to change default passwords that are provided by the device or software manufacturer. Some storage device configuration settings may be updated by using "tftp" or "telnet." The danger of "tftp" is that no password is required, and default "telnet" passwords are dangerous until changed.
In order to attack a Fibre Channel storage network, attackers would have to write special I/O device drivers, which are completely different from Ethernet and TCP/IP tools. Currently, writing I/O device drivers requires more specialized knowledge than is commonly available today, but it may not be long before this kind of knowledge is used for malicious purposes.
Putting it all together
A firm commitment to understanding SAN security will prove to be a vital component for a successful larger information security strategy. The available security technologies, when implemented properly, will prove invaluable when securing a SAN. Coupled with a firm commitment to the continued education and development of those responsible for its maintenance, achieving realistic risk management is possible.
The security threats posed to storage networks are real, as malicious intruders, both internal and external, thrive on their victims' ignorance and apathy. As SAN technologies continue to develop and become more complex, so must the commitment to secure those networks.
Dennis Martin is an analyst for the Evaluator Group (www.evaluatorgroup.com), a Greenwood Village, CO-based industry analyst group that focuses exclusively on computer storage. Dennis covers storage management software and storage security issues and can be reached at email@example.com.