The Basics of SAN Security, Part II Page 2
Authentication and Authorization
The Fibre Channel protocol provides a variety of services to clients. These services include the simple name server (the Fibre Channel directory service), the management server (for accessing topology information and controlling zones), the alias server (for multicast support), the time server (for acquiring time data), and a security key distribution server. Each of these servers is accessed through an ANSI-specified client interface. Because that interface can be reached from any port on the switched Fibre Channel SAN, the access is in band, and in band access requires security that authenticates client requests and checks that they are authorized. A potential security breach arises in an open SAN when a management application gains unauthorized access to the fabric zone services provided by the management server, since whoever controls zoning controls which hosts can see which storage.
Because these servers provide critical information about SAN resources and control those resources, the ANSI standard defines a mechanism to secure them. Each server's client interface includes a common security header in the request. This technique is referred to as CT authentication, and it is used to authenticate requests and responses between a server and a client (for example, between a management application and a director's management server). The client computes a signature over the request using a secret key and a standard message digest, and transfers that signature to the fabric server along with the request. The fabric server validates the signature and then executes or rejects the request. In conjunction with the key distribution server, which periodically distributes new secret keys, this in band technique ensures that only requests from trusted clients are executed.
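The exchange described above, modelled as an added example that is not code from the article or from any switch vendor. The real FC-GS CT authentication header and digest are not reproduced; the signature construction (HMAC-SHA256 over a key id, a per-key sequence number and the request payload) and the class and method names are assumptions chosen to show the mechanism: a client that holds the current secret key gets its requests executed, a forged or replayed request is rejected, and once the key distribution server rotates the key a client still using the old key is rejected too.

```python
"""Illustrative model of in-band CT authentication between a management
client and a fabric server.  Added example; the HMAC-SHA256 signature, the
sequence number and the names below are assumptions, not the FC-GS wire format.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class KeyDistributionServer:
    """Issues the shared secret key and periodically rotates it."""

    def __init__(self):
        self.key_id = 0
        self.key = secrets.token_bytes(32)

    def rotate(self):
        self.key_id += 1
        self.key = secrets.token_bytes(32)
        return self.key_id, self.key


@dataclass
class CTRequest:
    key_id: int
    seq: int
    payload: bytes      # e.g. a management server request such as b"GET_ZONE_SET"
    signature: bytes    # the "security header" carried with the request


def _digest(key: bytes, key_id: int, seq: int, payload: bytes) -> bytes:
    # Assumed construction: keyed digest over key id, sequence number and payload.
    msg = key_id.to_bytes(4, "big") + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class ManagementClient:
    def __init__(self, key_id: int, key: bytes):
        self.key_id, self.key, self.seq = key_id, key, 0

    def build(self, payload: bytes) -> CTRequest:
        self.seq += 1
        return CTRequest(self.key_id, self.seq, payload,
                         _digest(self.key, self.key_id, self.seq, payload))


class FabricServer:
    def __init__(self, key_id: int, key: bytes):
        self.install_key(key_id, key)

    def install_key(self, key_id: int, key: bytes):
        self.key_id, self.key = key_id, key
        self.last_seq = 0            # the sequence window starts over with each key

    def handle(self, req: CTRequest) -> str:
        if req.key_id != self.key_id:
            return "REJECT: stale key id"
        if req.seq <= self.last_seq:
            return "REJECT: replayed sequence number"
        expected = _digest(self.key, req.key_id, req.seq, req.payload)
        if not hmac.compare_digest(expected, req.signature):
            return "REJECT: bad signature"
        self.last_seq = req.seq
        return "ACCEPT: " + req.payload.decode()


def run_demo():
    """Constructed scenario: trusted client, forger, replay, then key rotation."""
    kds = KeyDistributionServer()
    server = FabricServer(kds.key_id, kds.key)
    admin = ManagementClient(kds.key_id, kds.key)
    results = []
    good = admin.build(b"GET_ZONE_SET")
    results.append(server.handle(good))                              # accepted
    # An attacker on the fabric reuses a captured signature on a different payload.
    forged = CTRequest(good.key_id, good.seq + 1, b"ACTIVATE_ZONE_SET", good.signature)
    results.append(server.handle(forged))                            # bad signature
    results.append(server.handle(good))                              # replay rejected
    key_id, key = kds.rotate()                                       # periodic key rotation
    server.install_key(key_id, key)
    results.append(server.handle(admin.build(b"GET_ZONE_SET")))      # old key rejected
    admin = ManagementClient(key_id, key)                            # client re-keyed
    results.append(server.handle(admin.build(b"GET_ZONE_SET")))      # accepted again
    return results
```

The sequence number is what makes each signature unique; without it a captured, correctly signed request could be resubmitted verbatim and the digest alone would not detect it.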
A distinct benefit of switched SANs is the ability to adapt when additional SAN resources are required. When additional storage or server access is needed, system administrators simply connect the new storage or server ports to the director or switch. The director or switch discovers the new ports, adds them to the name server, and signals to the other servers in the SAN that they are available.
While this mechanism provides flexibility in adding and removing SAN resources, it has undesired side effects in certain installations. In storage service provider (SSP) environments, where the visibility of storage resources must be strictly controlled, dynamic discovery of new devices has the potential to expose storage to unauthorized clients. This can occur when service personnel inadvertently connect two fabrics (for example, by interconnecting expansion ports (E_ports) on two different switches) or connect storage ports to the wrong director or switch. Directors and switches should therefore provide configuration security through:
- Fabric membership authorization.
- Port-type controls.
- Switch port binding.
These methods range from simple security, using port-type configuration, to complete secure authorization, using switch port binding.
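The three controls listed above, applied to the miscabling scenario in the paragraph before them, as an added example that is not code from the article or from any director or switch firmware. The configuration layout, the order in which the checks run and the WWNs are assumptions for illustration: a port locked to F_port refuses to form an inter-switch link, a bound port refuses a storage controller plugged into the wrong place, and an E_port only accepts a switch on the fabric membership list.

```python
"""Model of port-type controls, switch port binding and fabric membership
authorization on one switch.  Added example; names and WWNs are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass
class PortConfig:
    allowed_types: FrozenSet[str]        # subset of {"F_port", "E_port"}
    bound_wwn: Optional[str] = None      # switch port binding: only this WWN may log in here


@dataclass
class SwitchConfig:
    ports: Dict[int, PortConfig]
    fabric_members: FrozenSet[str]       # switch WWNs authorized to join this fabric
    name_server: Dict[str, int] = field(default_factory=dict)


@dataclass
class Login:
    port: int
    kind: str       # "FLOGI" from a server/storage N_port, "ELP" from another switch
    wwn: str


def admit(cfg: SwitchConfig, login: Login) -> str:
    """Decide whether a login arriving on a switch port is accepted."""
    port = cfg.ports.get(login.port)
    if port is None:
        return f"REJECT: port {login.port} does not exist"
    wanted = "E_port" if login.kind == "ELP" else "F_port"
    # Port-type control: a port locked to F_port never merges with another fabric.
    if wanted not in port.allowed_types:
        return f"REJECT: port {login.port} is not configured as an {wanted}"
    # Switch port binding: only the bound WWN may log in on this port.
    if port.bound_wwn is not None and port.bound_wwn != login.wwn:
        return f"REJECT: port {login.port} is bound to {port.bound_wwn}"
    # Fabric membership authorization: only listed switches may join the fabric.
    if wanted == "E_port" and login.wwn not in cfg.fabric_members:
        return f"REJECT: switch {login.wwn} is not an authorized fabric member"
    if wanted == "F_port":
        cfg.name_server[login.wwn] = login.port     # discovered and registered
        return f"ACCEPT: {login.wwn} registered on port {login.port}"
    return f"ACCEPT: inter-switch link to {login.wwn} on port {login.port}"


def run_demo():
    """Constructed scenarios; all WWNs are made up."""
    cfg = SwitchConfig(
        ports={
            1: PortConfig(frozenset({"F_port"}), bound_wwn="50:06:01:60:00:00:00:01"),  # storage A
            2: PortConfig(frozenset({"F_port"}), bound_wwn="50:06:01:60:00:00:00:02"),  # storage B
            3: PortConfig(frozenset({"F_port"})),                                       # host port
            4: PortConfig(frozenset({"E_port"})),                                       # ISL port
        },
        fabric_members=frozenset({"10:00:00:05:1e:00:00:aa"}),
    )
    return [
        admit(cfg, Login(1, "FLOGI", "50:06:01:60:00:00:00:01")),   # correct cable
        admit(cfg, Login(2, "FLOGI", "50:06:01:60:00:00:00:01")),   # storage A on B's port
        admit(cfg, Login(3, "ELP", "10:00:00:05:1e:00:00:bb")),     # switch cabled to a host port
        admit(cfg, Login(4, "ELP", "10:00:00:05:1e:00:00:bb")),     # foreign switch on the ISL port
        admit(cfg, Login(4, "ELP", "10:00:00:05:1e:00:00:aa")),     # authorized switch
    ]
```

Only a login that passes every check reaches the name server, which is the point: the name server is what makes a newly discovered port visible to the rest of the fabric.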
Once configuration security is ensured, access between server and storage ports must be addressed. As discussed in Part I, zoning restricts access between administrator-defined endpoints within the switched fabric. Zoning security is provided through:
- Hard zoning.
- HBA port binding.
- Simple name server (or soft zoning).
Fabric services are accessed in band via client interfaces to the management server, which provides management clients with access for topology discovery and zoning administration.
SAN Security Benefits
The majority of today's SANs are designed so that multiple systems, whether heterogeneous or homogeneous, share storage devices. By reducing both the hardware and the manpower required, a shared environment lets corporations and government agencies dramatically reduce total cost of ownership. Shared access does, however, pose risks to data security, so to protect sensitive data many organizations require that a security barrier be put in place. The need ranges from an ASP that must guard against customers tampering with each other's data to an enterprise that must ensure its HR and corporate financial data cannot be reached from elsewhere on the intranet. The most effective means of guarding shared storage is therefore to segment it into volumes and provide a security barrier by defining node-to-node LUN access at the controller.
Host-Based and Switch-Based Mapping
Mapping at the host level is theoretically possible, but it is barely feasible and quite problematic, especially in a heterogeneous environment. Host-based mapping uses filter drivers that restrict access to LUNs, which does not lend itself to a very versatile SAN: a different filter driver must be maintained for each operating system and upgraded for each new OS release, which is a cumbersome task. Furthermore, multiple filters make it difficult to maintain a common management framework and add multiple I/O layers of processing overhead. A more feasible means of partitioning a SAN is switch-based mapping, or "zoning." However, zoning is limited to a port-level mapping scheme. To mask LUNs in a shared storage device, a finer-grained mapping scheme is needed.
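The limitation just described, and the controller-level LUN access the previous section recommends, side by side in an added example that is not code from the article. The zone table, the masking table, the port numbers, WWNs and volume labels are constructed: two hosts are zoned to the same storage port, so port-level zoning alone lets each of them see every LUN on that port, while a node-to-LUN mask at the controller separates them; a third host outside the zone never reaches the storage port at all.

```python
"""Port-level zoning beside LUN masking at the storage controller.
Added example; the tables and identifiers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Fabric:
    zones: List[Set[int]]     # hard zoning: each zone is a set of switch port numbers

    def ports_may_talk(self, a: int, b: int) -> bool:
        return any(a in z and b in z for z in self.zones)


@dataclass
class StorageController:
    port: int
    luns: Dict[int, str]                                        # LUN number -> volume label
    masks: Dict[str, Set[int]] = field(default_factory=dict)    # initiator WWN -> permitted LUNs

    def report_luns(self, initiator_wwn: str) -> List[int]:
        if not self.masks:                 # masking not configured: everything is exposed
            return sorted(self.luns)
        return sorted(self.masks.get(initiator_wwn, set()))


@dataclass
class Host:
    name: str
    wwn: str
    port: int


def visible_luns(fabric: Fabric, ctl: StorageController, host: Host) -> List[int]:
    """What a host sees after the fabric's zone check and the controller's mask."""
    if not fabric.ports_may_talk(host.port, ctl.port):
        return []                          # zoning stops the host at the fabric
    return ctl.report_luns(host.wwn)


def run_demo() -> Dict[str, Dict[str, List[int]]]:
    hr = Host("hr", "21:00:00:e0:8b:00:00:01", port=1)
    fin = Host("finance", "21:00:00:e0:8b:00:00:02", port=2)
    dev = Host("dev", "21:00:00:e0:8b:00:00:03", port=3)
    fabric = Fabric(zones=[{1, 2, 10}])    # hr and finance zoned to storage port 10; dev is not
    ctl = StorageController(port=10, luns={0: "hr-payroll", 1: "fin-ledger", 2: "fin-archive"})

    hosts = [hr, fin, dev]
    zoning_only = {h.name: visible_luns(fabric, ctl, h) for h in hosts}
    ctl.masks = {hr.wwn: {0}, fin.wwn: {1, 2}}      # node-to-LUN access defined at the controller
    with_masking = {h.name: visible_luns(fabric, ctl, h) for h in hosts}
    return {"zoning_only": zoning_only, "zoning_plus_masking": with_masking}
```

Zoning answers "may this port talk to that port"; it has no notion of the LUNs behind the storage port, which is why the finer-grained mapping has to live at the controller.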