Securing Storage Networks
By GREG SCHULZ & DAVID O’LEARY
As storage networks grow larger
and become more pervasive, IT managers face two challenges: balancing
security needs to protect critical information resources and maintaining
the flexibility necessary to meet growth, scalability, and changing business
requirements. Increasing pressure within business verticals for regulatory
compliance plays into the security landscape, and manifests itself with
requirements for online data retention and secured storage of data elements.
This paper provides an understanding of various storage networking security
threats and how to protect against them.
Introduction
Storage area networks (SANs) provide a mechanism by which information
can be efficiently accessed and managed to support evolving business
solutions. With SANs, storage devices that were previously attached
to servers using secure dedicated interfaces can now be shared across
multiple servers. Ultimately, this effective utilization and management
of information and resources can reduce total cost of ownership (TCO)
and improve return on investment (ROI).
Traditionally, security for storage and storage interfaces has relied
on physical protection, trusted access to computer rooms and systems,
as well as reliance on application and file system access restrictions.
With storage now being accessed outside the “safe” confines
of the data center and being transmitted over open networking infrastructures,
providing security for storage and storage networking is becoming increasingly
critical.
Storage Networking Security Threats
There are numerous threats to storage networks, and they can occur in
various forms and arrive from different sources, both internal and external.
As a storage network extends farther from the relatively safe confines
of the data center, additional security threats (similar to those experienced
with traditional networking) can occur.
Potential threats include:
- Access by two or more servers to shared storage
- Different types of operating systems and servers accessing the same
storage and data
- Storage and data sharing and access, whether read only, read/write,
or delete
- Shared bandwidth and accessibility to data components within the
storage network infrastructure
- Shared access to management tools and interfaces
Additional security threats can include:
- Attacks on the physical network including cabling, switches, directors,
eavesdropping (sniffing) on inter-switch links (ISLs) and WAN/MAN
links
- Rogue switches, servers, and management tools (SNMP traps and alerts,
Telnet commands)
- Data transmission integrity
- Attacks on the storage devices and servers
- Denial of service attacks on servers and networks
- Unwanted authorized access to physical and logical volumes
- Unwanted access (read, write, delete) of files, volumes, logical
unit numbers (LUNs)
- Stolen storage devices
Securing the Storage Network
Securing a storage network involves not only managing the security of
the switch or fabric, but also properly securing access to the data
and where it is stored, the components, the transports, and the management
tools and interfaces.
Some items that should be addressed with a storage networking security
strategy, similar to the enterprise, include:
- Securing storage networking ports, devices, and transport
- Securing transmission and ISL interfaces
- Securing management tools and interfaces
- Securing storage resources and volumes
- Access control and policies
A good security plan should be practical and executable with respect
to the applicable threats while supporting and enabling your business.
Work done to secure the enterprise connected storage infrastructure
should be performed within the guidelines of the overall security program
and business objectives of the company. These objectives should be directly
correlated to the level of risk associated with meeting these goals.
Similar to the advances in flexibility that LANs enabled in the 1980s,
storage networks are now an enabling technology, allowing businesses
greater flexibility to manage the lifecycle of their critical data and information.
With this enhanced flexibility come increased security threats and
concerns. A simple, extreme and secure model is to have a server with
direct attached disk storage and tape in a secure room with restricted
access with no outside network access (as seen in some popular movies
like “Mission Impossible” and “Charlie’s Angels”).
There are applications and environments that may need this level of
security. However, this article focuses on more traditional environments
that need slightly less protection and restricted access. Networking
and remote access bring flexibility while exposing information resources
and data to security threats that must be balanced between data protection
and business productivity.
Traditionally, storage has been accessed via secure or semi-secure interfaces
usually over short distances. Network interfaces can span distances
of more than 100 km and beyond by using storage over metropolitan area
networks (MAN), wide area networks (WAN), and channel extension technology.
As storage networking converges with enterprise infrastructures and
enables storage and information resources to be accessed over longer
distances, it becomes more susceptible to threats and thus requires
more protection. Understanding the “data path” and implementing
security in a tiered approach along that path is the key to success.
The following list is a subset of some basic, best practice actions
and activities that can be taken to secure your storage-networking environment.
Some Best Practice Security Actions:
- Classify information resources and authorize access to them
- Authenticate and track access to your data
- Encrypt and protect data within guidelines
- Monitor and audit activity surrounding data access and movement
- Restrict physical access to data storage hardware and appliances
- Layer security solutions as they are being applied as part of the
overall solution
Special Security Consideration for Servers
Securing storage and storage networking resources starts (or ends) at
the server. At the server level, basic security starts with proper security
of the individual file systems, directories, files, logical and physical
volumes, and access to other storage resources. Patch management and
updates are a vital part of a maintenance program. Keeping servers up-to-date
can mitigate vulnerabilities that could otherwise compromise the data
lifecycle.
Access to storage management tools, such as volume managers that provide
a layer of abstraction (i.e., virtualization) should be restricted to
those with appropriate responsibility and the capability to make configuration
and provisioning changes. Access to tools that affect storage resource
availability, whether they are path managers for HBAs, volume managers,
file systems, backup, mirroring, or storage configuration tools, should be
safeguarded as well.
One of the first methods for providing LUN or volume mapping and masking
was to use what is now generally referred to as “persistent binding.”
This involves configuring software and files on a host server to determine
what devices will be seen and accessed from a particular server. This
approach complements storage mapping and fabric-based zoning for servers
that control who configures the system and its parameters. Risks with
this approach include the fact that whoever can gain access to a server
can control what volumes or devices are accessed. This is why a tiered
approach to security, where the storage device is the last line of defense,
is necessary.
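The tiered check described above can be run as an audit. The following is an added example, not code from the original article: it compares each host's persistent binding against fabric zoning and array-side LUN masking and reports LUNs that only the host's own configuration is hiding. The data layout, host names, and WWPNs are constructed for illustration.

```python
from typing import NamedTuple

class Exposure(NamedTuple):
    host: str
    array_port: str
    lun: int
    reason: str

def audit_tiers(hba_wwpn, bindings, zones, masking):
    """List LUNs a host could reach if someone edited its local binding.

    hba_wwpn: host -> initiator WWPN
    bindings: host -> set of (array_port, lun) in the host's persistent binding
    zones:    list of WWPN sets that the fabric lets talk to each other
    masking:  array_port -> {lun: set of allowed initiator WWPNs, or None
              when the array applies no masking to that LUN}
    """
    findings = []
    for host, wwpn in hba_wwpn.items():
        bound = bindings.get(host, set())
        for port, luns in masking.items():
            if not any(wwpn in z and port in z for z in zones):
                continue  # fabric zoning already blocks this path
            for lun, allowed in luns.items():
                if (port, lun) in bound:
                    continue  # intended access
                if allowed is None:
                    reason = "array does not mask this LUN"
                elif wwpn in allowed:
                    reason = "array masking is wider than host binding"
                else:
                    continue  # array refuses this initiator
                findings.append(Exposure(host, port, lun, reason))
    return sorted(findings, key=lambda f: (f.host, f.array_port, f.lun))

# Constructed sample inventory (hypothetical hosts and WWPNs).
PORT = "50:06:01:60:00:00:00:0a"
HBAS = {"db01": "10:00:00:00:c9:00:00:01", "web01": "10:00:00:00:c9:00:00:02",
        "test01": "10:00:00:00:c9:00:00:03"}
ZONES = [{HBAS["db01"], PORT}, {HBAS["web01"], PORT}]  # test01 is not zoned
MASKING = {PORT: {0: {HBAS["db01"]}, 1: {HBAS["web01"]}, 2: None,
                  3: {HBAS["db01"], HBAS["web01"]}}}
BINDINGS = {"db01": {(PORT, 0), (PORT, 3)}, "web01": {(PORT, 1)},
            "test01": set()}

if __name__ == "__main__":
    for f in audit_tiers(HBAS, BINDINGS, ZONES, MASKING):
        print(f"{f.host}: LUN {f.lun} on {f.array_port}: {f.reason}")
```

Each finding is a volume where the storage device is not acting as the last line of defense. Tightening the array's masking to match the intended binding closes it.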
Other security concerns include access to network configuration tools
and storage interfaces. Depending on the environment, access to the
servers themselves by system administrators, storage analysts, and database
analysts may vary. In some environments, storage resources are presented
to a specific server via the storage network, and complete control and
access to those resources (LUNs or volumes) is at the discretion of
the individual system administrator. The system administrator may in
turn restrict access and allocation of specific volumes and resources
to other administrators who are responsible for specific pieces of storage.
In other environments, a system administrator may have complete end-to-end
responsibility and the capability to configure the storage network,
the storage, and access to it.

Advanced Security Topics
Ultra-secure environments may need an additional layer of security provided
by in-place encryption of data while in transit, when stored, or both.
There are different forms of encryption that provide various levels
of protection and can be implemented by native devices or integrated
software, in the data path, in communications equipment, or via special
security appliances.
Security appliances are devices with storage networking interfaces that
(depending on the specific solution) have interfaces to support local
and wide area storage networking security services, including encryption
and access authentication. SNIA offers an informative introductory tutorial
booklet on encryption as part of a security strategy for storage networking,
as well as a primer on encryption. Encryption encodes the information
so that even if the information could be read, it could not be decoded
without the correct key and encryption algorithm.
The above table shows some examples of how long it would take to hack
various levels of encryption. The right level of encryption is dependent
upon your needs and environment.
An often-overlooked part of security is physically securing, monitoring,
and detecting changes and intrusions of physical cabling infrastructure.
This can be as basic as ensuring that all switch ports and their associated
cabling and infrastructure are physically secured.

Also, care should be taken when disposing of no longer needed storage
resources. Properly disposing of magnetic tapes could entail de-gaussing
or burning. Disk sub-systems and storage located in servers, workstations,
desktops and laptops, should have sensitive data removed and, if necessary,
be reformatted and written over. Simply deleting data can still leave
the data recoverable by those interested in doing so. Servers, storage
controllers, and switches should also be reset to factory configurations
and have their NVRAM cleared. Consult with your manufacturer on the
suggested procedure for safeguarding information and ensuring that
resource disposal does not compromise your business information.
Greg Schulz, formerly of CNT, has more than 20 years systems experience.
Schulz is currently a senior storage analyst with the Evaluator Group
(www.evaluatorgroup.com). He has been extensively published, including
as a co-author of “The Resilient Enterprise” from Veritas Press.
David O’Leary is director of secure IP networks for the professional
services team at CNT (http://www.cnt.com/). O’Leary has more than
15 years of experience in the high-tech industry designing and delivering
large scale secure networks for national and multinational organizations.
To comment on this article, go to 1702-17 at
www.drj.com/feedback
©Copyright
2004 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.