The Storage Security Industry Forum (the security forum in SNIA) recommends a five-step review for improved storage network security.
By Brandon Hoff
Most companies routinely assess their data security with overall security policy health checks, site surveys, and reviews of processes, systems, networks, and applications. Yet each of these activities rests on fundamental assumptions about where the data resides and how the data "behind the server" is secured.
Many companies are extending their security awareness, audits, practices, and policies to encompass the storage environment. There's no question that storage area networks (SANs) bring unparalleled benefits to organizations, but SANs can also introduce unmeasured and unmonitored security risks into applications and data-center services. Companies must go a step further: They must also implement a security program that adds incremental layers of security to storage networks to support a corporate-wide "defense-in-depth" security strategy.
Companies are focused on limiting vulnerabilities to their business by deploying an end-to-end solution that enables
- Improved application uptime—Any interruption in the flow of data can be disastrous, potentially costing a company customers, productivity, and money. Improved uptime is a key consideration of any security solution;
- Increased information compliance—Privacy, access, and data integrity are more important than ever because of new mandates such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), California's enactment of SB 1386, and Homeland Security Initiatives; and
- Increased system resilience to internal and external malicious attacks.
Almost half of storage administrators work closely with their IT security administrators, yet 77% of companies have no written plan for storage security, even though most have a documented strategy for overall IT security, according to an end-user survey conducted by McData Corp.
Finally, when you are selecting a storage network security solution, it is essential that the solution be flexible: It must allow a company to use only the security features that are adequate for their needs while disabling those features that are unnecessary. Superfluous features may be burdensome to manage and too complex to implement, or may create unwanted "vendor lock-in."
Standards for secure networks
Since a security strategy is only as good as its weakest link, interoperability is essential. Currently, there are two primary sets of standards for storage network security: FC-SP (Fibre Channel Security Protocol), which applies to FCP and FICON; and the IETF IP Storage (IPS) specifications, which cover iSCSI together with the iFCP and FCIP gateway protocols that carry Fibre Channel block traffic over IP networks.
Many other security attributes are covered by specifications such as FC-SW, FC-GS, FC-SB, and other standards either approved or in development. Another key development for security is the Storage Networking Industry Association's (SNIA's) Storage Management Initiative Specification (SMI-S) standard, which includes a variety of security attributes. (For more information about SMI-S, visit www.snia.org.)
From the ANSI T11 Threat Model for storage networks (see Figure 1), which rates viable threats from low to high, the following five-step methodology is a recommended strategy for implementing secure storage networks (see Figure 2):
Priority 1: Centralize and control management access
A security feature is only as strong as the management path that configures it, so each feature should be managed from a single point of control by an administrator with designated authority to do so. Techniques used to lock down the management network and interfaces include
- centralizing management of the storage network at a single point of control using a management standard such as SMI-S;
- IP membership lists for out-of-band management (proposed for the FC-SP standard), so that only designated management stations can reach a device's management interface;
- CT Authentication (FC-GS-3) for in-band management;
- SSH or SSL for Web and command-line device management, so that administrator credentials and configuration changes do not cross the network in the clear; and
- RADIUS (RFC 2865) for integration with centralized authentication and single-sign-on infrastructures.
Priority 2: Common authentication standard for all fabric devices
Authentication for multi-protocol storage networks is covered by two standards: iSCSI (RFC 3720), which applies to iSCSI initiators and iSCSI-to-FC gateways alike, and FC-SP. Both mandate CHAP (RFC 1994) for interoperability; in FC-SP the mandatory form is DH-CHAP with the NULL Diffie-Hellman option, which reduces to plain CHAP. Block-based IP storage access and Fibre Channel storage access therefore use the same type of authentication, a key end-user requirement, and a single authentication technique can be managed in a common way end-to-end. For servers, storage, and storage network appliances, FC-SP mandates DH-CHAP on Fibre Channel N_Ports; for iSCSI initiators, CHAP is the authentication method at an iSCSI-to-FC gateway. Authentication between switches/directors requires two-way (mutual) DH-CHAP, as FC-SP mandates for E_Ports.
Authentication gives each device a way to prove that it is the device it claims to be and, if authorized, that it belongs on the network. It requires that each server, storage device, storage network appliance, iSCSI gateway, switch, or director support the standards outlined above. One caveat applies to both protocols: a CHAP response is a hash over the shared secret and a challenge, so anyone who captures an exchange can test guessed secrets offline at leisure. Secrets must therefore be long and random, and the non-NULL Diffie-Hellman groups of DH-CHAP, which mix a fresh shared key into the response, exist precisely to remove this offline-guessing exposure.
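As an added illustration of the two exchanges (example code written for this edit, not SNIA's or McData's, and not an FC-SP-conformant implementation), the Python below models a CHAP exchange and a DH-CHAP-style exchange, then runs the same offline dictionary attack against what a passive eavesdropper would capture from each. The RFC 1994 response computation is exact; the hash and input ordering of the DH-CHAP response, and the choice of MODP group, are assumptions made for the demonstration, and the wordlist is constructed.

```python
import hashlib
import hmac
import os

# RFC 2409 MODP group 2 (1024-bit prime, generator 2). Used here as a
# stand-in for the MODP groups FC-SP defines; the group is an assumption
# of this example, not something the article specifies.
MODP_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_G = 2


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def dhchap_response(secret: bytes, challenge: bytes, shared_key: int) -> bytes:
    """DH-CHAP-style response with the Diffie-Hellman shared key K mixed in.

    Assumption: SHA-256 and this input ordering are a simplification, not the
    FC-SP wire encoding. What matters is that K is an input to the hash.
    """
    k = shared_key.to_bytes((shared_key.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(challenge + k + secret).digest()


def chap_exchange(secret: bytes):
    """Verifier challenges, peer answers, verifier checks.

    Returns (accepted, captured); captured is exactly what a passive
    eavesdropper on the link sees.
    """
    ident, challenge = 1, os.urandom(16)
    response = chap_response(ident, secret, challenge)   # peer side
    expected = chap_response(ident, secret, challenge)   # verifier side
    accepted = hmac.compare_digest(expected, response)
    return accepted, (ident, challenge, response)


def dhchap_exchange(secret: bytes):
    """Verifier sends challenge and g^x; peer replies with g^y and a response
    over K = g^(xy). The verifier derives the same K from g^y and its own x."""
    challenge = os.urandom(16)
    x = int.from_bytes(os.urandom(32), "big")            # verifier's ephemeral
    y = int.from_bytes(os.urandom(32), "big")            # peer's ephemeral
    gx, gy = pow(MODP_G, x, MODP_P), pow(MODP_G, y, MODP_P)
    response = dhchap_response(secret, challenge, pow(gx, y, MODP_P))  # peer
    expected = dhchap_response(secret, challenge, pow(gy, x, MODP_P))  # verifier
    accepted = hmac.compare_digest(expected, response)
    return accepted, (challenge, gx, gy, response)


# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = [b"password", b"password1", b"Secret123", b"changeme"]


def offline_guess_chap(captured, wordlist=WORDLIST):
    """Offline dictionary attack on a captured CHAP exchange: every guess is
    checked locally, so a weak secret is recovered without touching the fabric."""
    ident, challenge, response = captured
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def offline_guess_dhchap(captured, wordlist=WORDLIST):
    """Same attack against the DH variant. The eavesdropper sees g^x and g^y
    but not K, so it can only plug in wrong stand-ins; no guess ever verifies."""
    challenge, gx, gy, response = captured
    for guess in wordlist:
        for wrong_k in (0, gx, gy, (gx * gy) % MODP_P):
            if dhchap_response(guess, challenge, wrong_k) == response:
                return guess
    return None


if __name__ == "__main__":
    ok, cap = chap_exchange(b"password1")
    print("CHAP accepted:", ok, "| recovered offline:", offline_guess_chap(cap))
    ok, cap = dhchap_exchange(b"password1")
    print("DH-CHAP accepted:", ok, "| recovered offline:", offline_guess_dhchap(cap))
```

Two points follow from running it. First, DH-CHAP with the NULL group (the interoperability minimum) behaves like the CHAP half of this example, so secret quality is the only defence there. Second, the two-way DH-CHAP that FC-SP requires between E_Ports is simply this exchange run once in each direction, so both switches must hold each other's secrets, which is where the centralized management of Priority 1 earns its keep.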
Priority 3: Authorize and control devices joining the fabric
Once the devices have been authenticated, the next steps involve access controls, authorization, and binding for each device that participates on the fabric. These techniques either have been or are being defined in the form of policies, including fabric membership lists and switch connection controls. Device membership lists, as proposed for the FC-SP standard, identify what devices are allowed to be a part of the fabric. Switch membership lists (proposed for FC-SP) identify the switches that are allowed to be a part of the fabric.
Switch Connectivity Objects, also proposed for FC-SP, describe authorized topologies for the fabric. Fabric Binding, as a required security attribute in the FC-SB-3 specification, delivers a high-integrity fabric and controls the fabric topology and domain IDs that are used. These are in addition (and complementary) to software- and hardware-enforced zoning.
Authorization techniques that use World Wide Names (WWNs) have the added flexibility that they can be installed and used without upgrading server, storage-device, or appliance firmware. This non-disruptive quality has accelerated the adoption of fabric binding. The trade-off is that a WWN is an identifier, not a secret: a host can be configured to present another device's WWN, so membership lists and zones based on WWNs alone provide real protection only against devices that make no attempt at impersonation. Pairing them with the DH-CHAP authentication of Priority 2 closes that gap.
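An added example of how these policies compose, written for this revision of the article rather than taken from any standard or product: the device membership list, switch membership list, switch connectivity objects, and WWN zones are modelled as one policy object that also writes an audit trail for each decision. The WWNs, switch names, and zone names are constructed, and the `require_auth` flag is an assumption standing in for a switch's DH-CHAP policy; it is there to show what a spoofed WWN achieves with and without authentication.

```python
from dataclasses import dataclass, field

# Constructed WWNs and switch names for the demonstration; none are real devices.
HOST_A = "10:00:00:00:c9:aa:bb:01"
HOST_B = "10:00:00:00:c9:aa:bb:02"
ARRAY_1 = "50:06:01:60:10:20:30:40"
ROGUE = "10:00:00:00:c9:aa:bb:99"


@dataclass
class FabricPolicy:
    """Admission and connectivity policy for one fabric.

    device_members : Device Membership List, N_Port WWNs allowed to log in
    switch_members : Switch Membership List, switch WWNs allowed in the fabric
    connectivity   : Switch Connectivity Objects, which E_Port links are allowed
    zones          : WWN zones, which admitted members may communicate
    require_auth   : assumption: refuse membership-only admission when the
                     port has not completed DH-CHAP
    """
    device_members: set
    switch_members: set
    connectivity: dict
    zones: dict
    require_auth: bool = True
    audit: list = field(default_factory=list)

    def _record(self, event, **fields):
        """Append one audit entry (Priority 5) and return the decision."""
        entry = {"event": event, **fields}
        self.audit.append(entry)
        return entry["result"]

    def admit_device(self, wwn, switch, authenticated):
        """Fabric login admission for an N_Port claiming `wwn`."""
        if self.require_auth and not authenticated:
            return self._record("flogi", wwn=wwn, switch=switch, result="deny",
                                reason="DH-CHAP not completed")
        if wwn not in self.device_members:
            return self._record("flogi", wwn=wwn, switch=switch, result="deny",
                                reason="not in device membership list")
        return self._record("flogi", wwn=wwn, switch=switch, result="allow")

    def admit_switch(self, local, remote):
        """E_Port formation between two switches; a refused link is isolated."""
        if remote not in self.switch_members:
            return self._record("eport", local=local, remote=remote, result="isolate",
                                reason="not in switch membership list")
        if remote not in self.connectivity.get(local, set()):
            return self._record("eport", local=local, remote=remote, result="isolate",
                                reason="link not in switch connectivity object")
        return self._record("eport", local=local, remote=remote, result="join")

    def may_communicate(self, a, b):
        """Zoning: two admitted ports may talk only if some zone holds both."""
        return any(a in members and b in members for members in self.zones.values())


def build_demo_policy(require_auth=True):
    return FabricPolicy(
        device_members={HOST_A, HOST_B, ARRAY_1},
        switch_members={"sw1", "sw2"},
        connectivity={"sw1": {"sw2"}, "sw2": {"sw1"}},
        zones={"z_hostA_array1": {HOST_A, ARRAY_1},
               "z_hostB_array1": {HOST_B, ARRAY_1}},
        require_auth=require_auth,
    )


def spoofing_outcome():
    """Why Priority 2 matters: a host presenting an allowed WWN passes a
    WWN-only membership check, but not one that also demands authentication."""
    strict, lax = build_demo_policy(True), build_demo_policy(False)
    return (strict.admit_device(HOST_A, "sw1", authenticated=False),
            lax.admit_device(HOST_A, "sw1", authenticated=False))


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.admit_device(HOST_A, "sw1", authenticated=True))   # allow
    print(p.admit_device(ROGUE, "sw1", authenticated=True))    # deny
    print(p.admit_switch("sw1", "sw2"))                         # join
    print(p.admit_switch("sw1", "sw3"))                         # isolate
    print(p.may_communicate(HOST_A, ARRAY_1), p.may_communicate(HOST_A, HOST_B))
    print(spoofing_outcome())                                   # ('deny', 'allow')
    for entry in p.audit:
        print(entry)
```

The ordering inside `admit_device` is deliberate: authentication is checked before the membership list, so a spoofed WWN is rejected for the right reason and the audit entry says so. On a real switch the equivalent controls live in separate features (authentication policy, membership lists, binding, zoning), and the value of centralized management is keeping them consistent with one another.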
Priority 4: Encrypt the data
The encryption of block data (management data is discussed in Priority 1) can be applied both to data "at rest" and to data "in flight." Encryption for IP is well understood and commonly deployed: the IETF IP storage security specification (published as RFC 3723) requires IPsec support for iSCSI, iFCP, and FCIP. For Fibre Channel, FC-SP provides for an ESP header (modeled on ESP in IPsec) that may be used for confidentiality of frames in flight, but at the time of writing no approved standard covers encryption of Fibre Channel data either in flight or at rest. Encryption of data at rest is above all a key-management problem: keys must be generated, distributed, rotated, and retained for as long as the encrypted data must remain readable, and several products on the market today provide such key-management systems.
Priority 5: Auditing, logging, and forensics
The last piece of the security puzzle is to log, track, and report on what happened in the storage network. Especially with the new regulations, companies will need to be able to track and document any security breach and report it from a centralized point of control.
It is essential that a security solution be implemented end-to-end. Standards for security need to be open, interoperable, and easy to understand, learn, and administer. By implementing the security techniques covered in this article, companies should have a good foundation of security for their storage networks.
Brandon Hoff is a contributing member to the Storage Networking Industry Association (SNIA) Storage Security Industry Forum (SSIF). He is also senior manager of advanced development at McData.