How to create solid policies for SAN security

By Arthur Scrimo

Many IT organizations are finally beginning to take a hard look at their data and network security models. One key area that is often overlooked is storage area network (SAN) security. In some cases, a company's critical information either flows through or is adjacent to its SAN environment, which is often the hub for business-critical data transactions.

For the most part, SAN security has been poorly addressed by SAN hardware and software vendors. That being the case, it is up to the IT organization to train or hire qualified security people for the SAN environment. A SAN security consultant may help to provide guidance on preventing unwanted access to critical networks.

Analysis from multiple angles

To identify all possible threats, security models must be analyzed from multiple angles, including physical, Fibre Channel network, storage, host, management network, and network administrator access.

Physical access

Physical access points are often overlooked when ensuring compliance with security models. SAN hardware should be located in a place that requires and monitors electronic access. Badges or biometric devices can help control access into the environment. Audit all accesses into the area on at least a monthly basis to ensure the appropriate people have the correct level of access. Video monitoring in parallel with electronic scanning devices can help to ensure a secure physical environment.

Fibre Channel network access

The next angle to address is network access to the SAN. The Fibre Channel specification does not provide a robust security model standard, although there is some information on standards related to Fibre Channel security at www.t11.org, www.fibrechannel.org, and www.snia.org.

Until Fibre Chan nel switch intero p erability becomes a reality, focus on what the vendor provides and implement as many of its security mechanisms as possible. Most switch vendors provide their own method for security and each method is specific to that vendor. It is important to make certain that switches are as secure as possible. Ensure that the default passwords on each switch are changed in compliance with the corporate security policy and that user- level access is maintained in accordance with the policy, too. In some cases, user and password information is not required to access a switch's internal configuration via FTP and TFTP, so be sure to double-check this.

Using zoning in a SAN environment minimizes potential security problems. "Hard," or port, zoning is the most secure method because it enforces zones at the hardware level. "Soft," or worldwide name (WWN), zoning is the most flexible approach, but is often susceptible to potential security threats such as WWN spoofing and rogue server access. Some other mixed zoning methods also provide levels of security to keep the correct ports or WWNs communicating with each other properly.

Most switch vendors provide the ability to specify the required port type or have the ability to disable a port to ensure authorized access. When a specific port is not being used it should be disabled to help protect against unauthorized access. Switch port binding can also be used to guarantee that the correct WWN is logging into the correct port.

Storage access

The repository for virtually all business-critical data is typically the least sophisticated from a security perspective. The practice of using LUN-level security helps to make sure that the proper host WWNs are accessing the proper storage units. LUN masking, as it is often called, also helps ensure that rogue server access is not permitted for a specific set of LUNs. LUN-level security in conjunction with port zoning will help provide the correct access level for each host.

The tape backup infrastructure is also susceptible to security problems. If Fibre Channel bridges are used to convert SCSI tape drives to Fibre Channel, it is critical to ensure that user and password information is in compliance with the corporate security model.

Host access

The hosts in the SAN environment are often the biggest targets for attackers, especially in an e-commerce application where external Web servers may have access to resources on the SAN. Host applications are often targeted to gain unauthorized access into the SAN. Even if the host is behind a network firewall, access may still be obtained either through external or internal sources. If attackers gain control of hosts, they have a wide range of options to steal, damage, or deny access to your data. Storage virtualization servers also suffer from the same security threats as application servers, so it is of equal importance to protect these assets from unauthorized access.

Ensure that host network ports are reconfigured from the defaults and opened only if needed. Use IPSec wherever possible for administrative accesses to further minimize risk. Make certain that the appropriate security patches have been installed on your hosts and that the proper user-level authentication methods are being utilized in accordance with the corporate security policy. Persistent bindings or LUN mapping at the host level can also provide an additional level of security.

Management network access

Management networks often provide the ability to monitor and manage the devices in the SAN. In most cases, this network is outside the path of the storage network and provides the framework for management applications.

In a Fibre Channel network, there are two primary ways to manage switches and other devices. The most common method is out-of-band management, which typically uses IP to communicate with the SAN devices. The second method is in-band management, which requires a Fibre Channel connection into the environment. This management network access can open up the potential for security violations. The out-of-band management network provides the connectivity to send and receive SNMP traffic for SAN monitoring applications. This network also provides the access for Fibre Channel and IP switch software and often is the same place where the storage device configuration applications perform their tasks.

It is common and advisable for this network to be protected behind a firewall and to use a private non-routable IP address range for your management network. The security model should also take into account dial-up and phone-home network services. It is a good idea to have the network audited not only internally, but also by a third-party security company to ensure that the security model functions as planned.

Network administrator access

SAN administrators are usually the weakest link in SAN environments. Complex SAN environments are rarely staffed with the appropriate number of qualified individuals. In most cases, the same people who implement the production environment are also responsible for the test environment. Unfortunately, administrators are usually busy stabilizing the SAN environment, and security gets put on the back burner. This is when the network is at its weakest and is most susceptible to intrusion.

Generally, those who wield the most power break the most rules. It is important to make sure that SAN administrators follow the organization's security models. Administrators should frequently change their passwords and use more-complex passwords than other end users. And the SAN environment and administrators should be frequently audited for compliance with the security model.

SANs are becoming an increasingly vital part of IT infrastructures. It is important to plan and comply with the corporate security model. If there is no security model, then work with your vendors and network security organizations to create a model that fulfills your requirements. Implementing a SAN security model is not an easy task, but it is better to go through the pain now than to wait until data has already been compromised. As the saying goes, "No administrator ever got a promotion for applying a security patch, but plenty have been fired for putting it off."

Arthur Scrimo is a senior SAN architect and a consultant with IBM Global Services (www-1.ibm.com/services/). He is also a Brocade Certified SAN Designer.

This article was originally published on September 01, 2002