Keeping your SAN under lock and key

By Jacob Farmer
Cambridge Computer Services

We are getting ready to deploy a storage area network (SAN) and we are wondering what kinds of security measures to take. Are SANs susceptible to hacking?

The good news is that SANs are assumed to be secure from hacking mainly because your average teenage hacker does not have access to Fibre Channel equipment to practice on. The bad news is that many SANs extend beyond the locked doors of the data center where physical security cannot always be ensured. Without physical security, your SAN is vulnerable to a variety of attacks.

Take an extreme example: Your SAN extends down the hall between two data centers. Your malefactor pops up a ceiling tile, finds the cables, snip, snip, crimp, crimp. SAN security is compromised. Similarly, if your SAN extends between buildings, someone could dig up your parking lot with a backhoe and splice into your cables. If someone wants your data badly enough, then these extremes are not that extreme at all. So, what can you do to prevent this type of breach? Many companies and government organizations encase fiber-optic cables in heavy concrete.

Think these examples are way out there? Maybe the following are more reasonable: What if you had a SAN connection that you extend into a collocation facility? Maybe you are mirroring data for disaster-recovery purposes or you are backing up to a remote site for instant off-site tape storage. In these cases, your only real security measure is encryption. Many vendors, particularly those that sell metropolitan fiber-optic network equipment, offer point-to-point encryption, but this type of encryption won't help you if someone has access to your rack in the collocation facility or if he/she steals your tapes or drive mirror.

If you are sending data off-site, you need special encryption devices that can differentiate Fibre Channel signaling commands and SCSI protocol commands from actual data. These devices allow seamless communication with off-the-shelf storage devices, while ensuring that any data that leaves the secure data center is encrypted. Whether someone goes to the extreme of digging up the parking lot or merely steals your tapes, your data is safe.

Switch zoning, LUN masking
As for machines in your data center, you still have to be smart about security. If someone breaches your physical security, he/she can do all kinds of damage. SAN security is typically made up of switch zoning and LUN masking. Both can be tampered with by anyone with physical access to your storage.

Switch zoning determines which machines can talk to each other, while LUN masking provides a more granular level of security, giving hosts access to specific storage partitions. Switch zoning can be implemented in two ways: at the port level in hardware or through the fabric name server in software.

On the whole, hardware port zoning is very secure, but security can be breached if cables are moved from one port to another. Name server zoning identifies host computers by the WWNs of host bus adapters (HBAs). (Similar to MAC addresses in Ethernet, WWNs are unique IDs encoded in the firmware of every Fibre Channel device.) Cables can be moved from port to port without compromising name server zoning; however, if someone removes an HBA and installs it in another computer, security will be compromised. Also, someone could fool the name server zoning, but that person would have to be pretty sophisticated. (If anyone knows of specific examples of SANs being hacked, please e-mail me.)

LUN masking can be implemented in software on the host, inside the fabric, in a SAN router, in a storage virtualizer, or on a disk array. The most vulnerable method is implementing it in software. All other forms are tied to the WWNs of the HBA and can be breached in many of the ways described above.

Words of wisdom
Be sure to secure the management consoles of your fabric switches and storage devices. Remember that a fabric made up of multiple switches is still administered from a single console, and if a malicious person has access to it, he/she could change the way your SAN is zoned.

If the rest of your SAN is designed well, this should not result in data loss or data theft, but it could result in a colossal denial of service. Someone playing around with zoning could instantaneously achieve the same result as pulling the plugs on all of your servers at once! Similarly, someone tinkering with your storage array could grant LUN access to unauthorized hosts. It would be easy to copy off all of the data undetected. It would be even easier to delete it all in an instant. The vendors are aware of these vulnerabilities and are offering increasingly sophisticated security models with secure authentication and multiple levels of administrative security.
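One way to notice the zoning or LUN-masking changes described above is to compare the current access lists against a known-good baseline. The following is an added example, not part of the original article: the dictionary layout, zone and LUN names, and WWNs are all constructed, and exporting the real configuration from a switch or array is assumed to happen elsewhere.

```python
import re

# Constructed sample data: zone or LUN name -> WWNs allowed to use it.
BASELINE = {
    "zones": {"zone_db": ["10:00:00:00:C9:2A:11:01", "50:06:01:60:3B:A0:00:10"],
              "zone_backup": ["10:00:00:00:c9:2a:11:02", "50:06:01:60:3b:a0:00:11"]},
    "lun_masks": {"array1/lun0": ["10:00:00:00:c9:2a:11:01"],
                  "array1/lun1": ["10:00:00:00:c9:2a:11:02"]},
}
CURRENT = {
    # zone_backup has disappeared; lun0 has gained an initiator.
    "zones": {"zone_db": ["10000000c92a1101", "50:06:01:60:3b:a0:00:10"]},
    "lun_masks": {"array1/lun0": ["10:00:00:00:c9:2a:11:01", "10:00:00:00:c9:2a:99:99"],
                  "array1/lun1": ["10:00:00:00:c9:2a:11:02"]},
}

def norm_wwn(wwn):
    """Canonicalise a WWN to 16 lowercase hex digits so notation is not reported as drift."""
    digits = re.sub(r"[:\-\s]", "", wwn).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"not a 64-bit WWN: {wwn!r}")
    return digits

def diff_acl(kind, baseline, current):
    """Return (kind, name, change, wwn) for every WWN added to or removed from an access list."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old = {norm_wwn(w) for w in baseline.get(name, [])}
        new = {norm_wwn(w) for w in current.get(name, [])}
        for w in sorted(new - old):   # new access: possible unauthorized host
            findings.append((kind, name, "added", w))
        for w in sorted(old - new):   # lost access: possible denial of service
            findings.append((kind, name, "removed", w))
    return findings

def audit(baseline, current):
    return (diff_acl("zone", baseline["zones"], current["zones"])
            + diff_acl("lun_mask", baseline["lun_masks"], current["lun_masks"]))

if __name__ == "__main__":
    for kind, name, change, wwn in audit(BASELINE, CURRENT):
        print(f"{kind:8} {name:12} {change:8} {wwn}")
```

An "added" entry on a LUN mask corresponds to the unauthorized-host case; "removed" zone members correspond to the denial-of-service case.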

In short, keep your SAN under lock and key. Limit management access to trained and trusted personnel. If you extend your SAN outside of the data center, use encryption. Finally, if a screen pops up that asks, "Are you sure?", you should be sure before clicking "yes."

Jacob Farmer is the CTO of Cambridge Computer Services, a storage technology integrator and training provider based in Boston, MA. His team is currently writing a book on SAN and NAS technologies to be published this summer. He can be reached at jacobf@cambridgecomputer.com.

This article was originally published on July 01, 2002