
SAN Security

GROUP NO. 11

Uma Shankar (PRN 8020541052)
Vaibhav Mishra (PRN 8020541053)
Vineet Garg (PRN 8020541054)
Vishal Ganjoo (PRN 8020541055)
Vivek Deshpande (PRN 8020541056)
What is SAN
• A SAN (Storage Area Network) is a dedicated network that carries block
storage traffic between servers and storage. A SAN is a complete
architecture that groups together the following elements:

1. A high-speed Fibre Channel network (or another transport that carries
SCSI commands, such as iSCSI over IP)
2. Dedicated interconnection equipment (switches, bridges, directors,
routers)
3. Networked storage elements (disk arrays and their drives, tape libraries)
Difference between DAS, NAS & SAN (figure only)
SAN Simplified Diagram (figure only)
What it looks like (figure only)
Phases of storage technology (figure only)
ATTACKS ON SAN
• Some of the most common attacks against a SAN are:

– Spoofing the ports: a host presents the WWN of another HBA, so the
fabric treats it as that device's port.

– Spoofing the FC-AL (Fibre Channel Arbitrated Loop) address, so that a
node on the loop impersonates another loop member.

– DoS (Denial of Service) attacks, for example flooding the fabric with
logins or traffic so that legitimate hosts lose access to storage.

IDENTIFYING DOMAINS
First of all we need to define the security needs by identifying the
domains. These domains define the different categories of
communication that must be protected in a storage area network.
They include:

• Administrator-to-security management domain: between administrators
and their management applications.

• Host-to-switch domain: between host servers, Host Bus Adapters (HBAs),
and the connected switches.

• Security management-to-fabric domain: between management applications
and the switch fabric.

• Switch-to-switch domain: between interconnected switches.

Contd…
• Administrator-to-Security Management Domain
Administrator access controls work in conjunction with the security
management functions. Because security management changes the security
policy and configuration of the entire SAN fabric, administrator-level
fabric password access is the primary control over security
configurations, and that password must itself be protected.

• Host-to-Switch Domain
In host-to-switch communications, individual device ports are bound to a
set of one or more switch ports using access control lists (ACLs). Device
ports are identified by their worldwide name (WWN), which typically
identifies an HBA port. Because the WWN is presented by the host it can be
spoofed, so binding a WWN to a specific switch port limits what a spoofed
WWN can gain.
Contd…
• Security Management-to-Fabric Domain
The security management function encrypts sensitive data elements (such
as passwords) with the switch's public key. The switch then decrypts them
with its private key, so only the intended switch can read them.

• Switch-to-Switch Domain
Switches must enforce the security policy in switch-to-switch
communications. The security management function initializes each switch
with digital certificates and ACLs. Switches exchange these credentials
during mutual authentication, before establishing any other communication.
This ensures that only authenticated and authorized switches can join the
SAN fabric or a specific fabric zone, and it prevents an unauthorized
switch from attaching to the fabric through any port.
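The switch-to-switch exchange above, as an added example that is not part of the original deck and not Brocade's or Cisco's code: two switches prove themselves to each other with a CHAP-style challenge/response over a shared secret (the same shape as FC-SP DH-CHAP, here without the Diffie-Hellman step and with HMAC-SHA-256 instead of MD5), and a rogue switch that copies a member's WWN but lacks the credential is refused. The WWNs, secrets and switch names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# CHAP proper uses MD5 and FC-SP DH-CHAP allows MD5 or SHA-1; SHA-256 is an
# assumption of this example, chosen because it is the sensible modern choice.
HASH = hashlib.sha256


@dataclass
class Switch:
    wwn: str
    secrets: dict                                  # peer WWN -> shared secret (the credential)
    _issued: dict = field(default_factory=dict)    # peer WWN -> nonce we challenged with

    def challenge(self, peer_wwn: str) -> bytes:
        """Send a fresh random nonce; remember it so the reply can be checked once."""
        nonce = os.urandom(16)
        self._issued[peer_wwn] = nonce
        return nonce

    def respond(self, peer_wwn: str, nonce: bytes) -> bytes:
        """Answer a peer's challenge with HMAC(secret, our WWN || nonce)."""
        secret = self.secrets.get(peer_wwn)
        if secret is None:
            return b""                             # no credential for that peer: cannot answer
        return hmac.new(secret, self.wwn.encode() + nonce, HASH).digest()

    def verify(self, peer_wwn: str, response: bytes) -> bool:
        """Check the reply against the nonce we issued; the nonce is single-use."""
        nonce = self._issued.pop(peer_wwn, None)
        secret = self.secrets.get(peer_wwn)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, peer_wwn.encode() + nonce, HASH).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def mutual_auth(a: Switch, b: Switch) -> bool:
    """The inter-switch link comes up only if each switch proves itself to the other."""
    nonce_a = a.challenge(b.wwn)
    reply_b = b.respond(a.wwn, nonce_a)
    nonce_b = b.challenge(a.wwn)
    reply_a = a.respond(b.wwn, nonce_b)
    ok_b = a.verify(b.wwn, reply_b)     # evaluate both so neither nonce lingers
    ok_a = b.verify(a.wwn, reply_a)
    return ok_a and ok_b


# Constructed identities and secret for the example.
WWN_A = "10:00:00:05:1e:00:00:01"
WWN_B = "10:00:00:05:1e:00:00:02"
SECRET_AB = b"constructed-shared-secret-for-A-and-B"

switch_a = Switch(WWN_A, {WWN_B: SECRET_AB})
switch_b = Switch(WWN_B, {WWN_A: SECRET_AB})
# A rogue switch that copies B's WWN but does not hold the credential.
rogue = Switch(WWN_B, {WWN_A: b"attacker-guess"})


def legitimate_join() -> bool:
    return mutual_auth(switch_a, switch_b)


def rogue_join() -> bool:
    return mutual_auth(switch_a, rogue)


def replayed_reply() -> tuple:
    """An eavesdropper replays B's earlier answer against A's next challenge."""
    nonce = switch_a.challenge(WWN_B)
    captured = switch_b.respond(WWN_A, nonce)
    first = switch_a.verify(WWN_B, captured)       # genuine first login succeeds
    switch_a.challenge(WWN_B)                       # next login attempt: new nonce
    return (first, switch_a.verify(WWN_B, captured))


if __name__ == "__main__":
    print("legitimate:", legitimate_join(), "rogue:", rogue_join(), "replay:", replayed_reply())
```

The two points worth carrying over to a real fabric are that the nonce is consumed on first use (a captured answer is useless against the next login) and that the comparison is constant-time; a certificate-based scheme such as FCAP replaces the shared secret with a signature but keeps the same challenge/response structure.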
SAN SECURITY METHODS
• The common methods used to provide security in a SAN are:

– Zoning

– LUN masking

– Binding ports with servers


ZONING
• Zoning is the logical separation and isolation of the fabric: only the
members of a zone can access the devices in that zone.
• Zoning partitions a Fibre Channel fabric into smaller subsets to limit
interference, add security and simplify management. If a SAN contains
several storage devices, a system connected to the SAN should not be
allowed to interact with all of them.

• Zoning applies only to the switched fabric topology (FC-SW); it does not
exist in the simpler Fibre Channel topologies (point-to-point and
arbitrated loop).
• Zoning is sometimes confused with LUN masking because it serves the same
goals. LUN masking, however, works at Fibre Channel level 4 (FC-4, i.e.
the SCSI level), while zoning works at level 2 (FC-2, the framing level).

• This is why zoning is implemented on switches, whereas LUN masking is
performed on the endpoint devices: host bus adapters or disk array
controllers.
ZONING (figure only)
Contd…
• There are two types of zoning:

– Soft zoning

– Hard zoning

• Soft Zoning
Soft zoning uses the WWN (World Wide Name) of the nodes connected to the
fabric. A WWN is a 64-bit identifier written as 16 hexadecimal digits, for
example 12:12:23:34:1a:ab:e3:27, and uniquely identifies a device
connected to the SAN. If the WWN of a node is assigned to a zone, the node
stays in that zone whichever switch port it is plugged into. The weakness
is that the WWN is presented by the host: an attacker who configures an
HBA with the WWN of an authorised node inherits its zone membership (the
"spoofing the ports" attack listed earlier).
• Hard Zoning
Hard zoning uses switch port numbers instead of WWNs. A zone is defined by
physical ports, so a device is in the zone only while it is attached to one
of those ports: moving a cable to another port takes the device out of the
zone, and a spoofed WWN on a non-member port gains nothing. Each port must
therefore be configured explicitly, which is harder to maintain in a
dynamic environment, but it is the stronger of the two.

Strictly speaking, "soft" and "hard" describe how a zone is enforced (soft:
the switch filters name-server replies so non-members are never discovered;
hard: the switch hardware drops frames between non-members), while "WWN"
and "port" describe how members are named. The two pairs are often used
interchangeably, as here, because WWN zoning was historically soft-enforced
and port zoning hard-enforced. Modern switches can hard-enforce WWN zones
as well, but that still does not protect against WWN spoofing.
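The difference between WWN (soft) and port (hard) zoning, as an added example that is not part of the original deck and not any vendor's zoning code: a small fabric model that records what the switch learns at fabric login (physical port plus the WWN the HBA claims) and asks whether a host can reach the array under each zoning style. The WWNs, port numbers and zone names are constructed for the example; the three logins are the legitimate host, an attacker's HBA reprogrammed with the host's WWN on another port, and the same host after its cable was moved.

```python
import re
from dataclasses import dataclass

_WWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(wwn: str) -> str:
    """Canonical lower-case colon form; reject anything that is not 8 bytes."""
    w = wwn.strip().lower().replace("-", ":")
    if not _WWN.match(w):
        raise ValueError(f"not a 64-bit WWN: {wwn!r}")
    return w


def is_valid_wwn(wwn: str) -> bool:
    try:
        normalize_wwn(wwn)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Login:
    """What the switch learns at fabric login: the physical port and the WWN the HBA claims."""
    switch_port: int
    claimed_wwn: str


class WwnZone:
    """Soft / WWN zoning: membership follows the name the device presents."""
    def __init__(self, name: str, members):
        self.name = name
        self.members = {normalize_wwn(m) for m in members}

    def admits(self, login: Login) -> bool:
        return normalize_wwn(login.claimed_wwn) in self.members


class PortZone:
    """Hard / port zoning: membership follows the physical switch port."""
    def __init__(self, name: str, ports):
        self.name = name
        self.ports = set(ports)

    def admits(self, login: Login) -> bool:
        return login.switch_port in self.ports


class ZoneSet:
    def __init__(self, zones):
        self.zones = list(zones)

    def zones_for(self, login: Login) -> set:
        return {z.name for z in self.zones if z.admits(login)}

    def may_communicate(self, a: Login, b: Login) -> bool:
        """Two N_Ports see each other only if they share at least one active zone."""
        return bool(self.zones_for(a) & self.zones_for(b))


# Constructed fabric: DB host on port 3, web host on port 5, array on port 7.
HOST_WWN = "10:00:00:00:c9:20:dc:40"
WEB_WWN = "10:00:00:00:c9:20:dc:41"
ARRAY_WWN = "50:06:0e:80:04:12:34:56"

WWN_FABRIC = ZoneSet([WwnZone("zone_db", [HOST_WWN, ARRAY_WWN]),
                      WwnZone("zone_web", [WEB_WWN, ARRAY_WWN])])
PORT_FABRIC = ZoneSet([PortZone("zone_db", {3, 7}),
                       PortZone("zone_web", {5, 7})])

ARRAY = Login(7, ARRAY_WWN)
LOGINS = {
    "legit":   Login(3, HOST_WWN),   # the DB host on the port it belongs to
    "spoofed": Login(9, HOST_WWN),   # attacker's HBA reprogrammed with the host's WWN
    "moved":   Login(4, HOST_WWN),   # same host after its cable was moved to port 4
}


def outcomes() -> dict:
    """Whether each login can talk to the array under the two zoning styles."""
    return {
        "wwn_zoning":  {k: WWN_FABRIC.may_communicate(v, ARRAY) for k, v in LOGINS.items()},
        "port_zoning": {k: PORT_FABRIC.may_communicate(v, ARRAY) for k, v in LOGINS.items()},
    }


if __name__ == "__main__":
    for style, result in outcomes().items():
        print(style, result)
```

Under WWN zoning all three logins reach the array, including the spoofed one; under port zoning only the login on port 3 does, and the moved host loses access until the zone is edited. That is exactly the trade-off the slide describes: port zoning is safer against spoofing but needs reconfiguration whenever cabling changes.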
LUN MASKING
LUN masking, or address masking, is a method of assigning a LUN so that
it can be accessed only by particular hosts. With LUN masking a single LUN
can be dedicated to a single host. The allocation is made by hiding the
other LUNs from that host: when masking is done on the array, the host's
SCSI discovery (REPORT LUNS) returns only the LUNs it has been granted and
I/O to any other LUN is rejected by the array controller. LUN masking does
not use any special connection; it simply hides the other devices, like an
unlisted phone number that is hard to guess. In the figure below the LUNs
at addresses 2, 5 and 8 are blocked (hidden) and only LUN 11 is visible to
the host I/O controller. Because the masking table is normally keyed on
the initiator's WWN, it relies on that WWN not being spoofed, which is why
it is combined with zoning and port binding rather than used alone.
LUN MASKING (figure only)
Binding ports with servers

• Port binding defines which servers may log in through which switch
ports, for example "the Windows servers use ports 1 to 5". This separates
heterogeneous servers and keeps them easy to manage, and because the
binding is tied to a physical port it does not depend on a host-supplied
WWN.

• Hard zoning, together with LUN masking and port binding, gives a higher
level of security: a host must pass every layer before it reaches a LUN.
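The layered decision described above, as an added example that is not part of the original deck and not any array or switch vendor's code: port binding on the switch, a zone check, and an array-side LUN masking table evaluated in order, with a simulated REPORT LUNS that returns only the masked-in LUNs. The WWNs, port numbers and LUN numbers are constructed for the example; the `enforce_binding` switch exists only to show what a spoofed WWN achieves when the port-binding layer is missing.

```python
from dataclasses import dataclass

# Constructed identities for the example.
WIN1 = "10:00:00:00:c9:20:dc:40"     # Windows server HBA
LINUX1 = "21:00:00:e0:8b:12:34:56"   # Linux server HBA
ARRAY = "50:06:0e:80:04:12:34:56"    # array target port


@dataclass(frozen=True)
class Request:
    switch_port: int      # physical port the I/O arrives on
    initiator_wwn: str    # WWN the HBA presents (host-controlled, so spoofable)
    lun: int


# Layer 1 - port binding on the switch: which initiator WWNs may log in on which port.
PORT_BINDING = {1: {WIN1}, 3: {LINUX1}}

# Layer 2 - zoning: each host shares a zone with the array, but not with the other host.
ZONES = [{WIN1, ARRAY}, {LINUX1, ARRAY}]

# Layer 3 - LUN masking table on the array: initiator WWN -> LUNs it may use.
LUN_MASK = {WIN1: {11}, LINUX1: {2, 5}}
ALL_LUNS = {2, 5, 8, 11}


def report_luns(initiator_wwn: str) -> list:
    """What the host's SCSI REPORT LUNS returns: only the LUNs masked in for it."""
    return sorted(LUN_MASK.get(initiator_wwn, set()) & ALL_LUNS)


def in_common_zone(a: str, b: str) -> bool:
    return any(a in zone and b in zone for zone in ZONES)


def access(req: Request, enforce_binding: bool = True) -> tuple:
    """Walk the three layers; the first one that fails decides the outcome."""
    if enforce_binding and req.initiator_wwn not in PORT_BINDING.get(req.switch_port, set()):
        return (False, "port binding: WWN not bound to this switch port")
    if not in_common_zone(req.initiator_wwn, ARRAY):
        return (False, "zoning: initiator shares no zone with the array")
    if req.lun not in LUN_MASK.get(req.initiator_wwn, set()):
        return (False, "lun masking: LUN hidden from this initiator")
    return (True, "allowed")


SCENARIOS = {
    "win1_own_lun":     Request(1, WIN1, 11),
    "win1_hidden_lun":  Request(1, WIN1, 5),      # zoned in, but LUN 5 is masked out
    "linux1_win_lun":   Request(3, LINUX1, 11),   # zoned to the array, but LUN 11 is masked out
    "spoofed_on_port3": Request(3, WIN1, 11),     # Linux port presenting the Windows WWN
}


def outcomes(enforce_binding: bool = True) -> dict:
    return {name: access(req, enforce_binding) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    print("WIN1 sees LUNs:", report_luns(WIN1), " LINUX1 sees LUNs:", report_luns(LINUX1))
    for name, verdict in outcomes().items():
        print(f"{name:18s} {verdict}")
    print("spoofed WWN with no port binding:", outcomes(enforce_binding=False)["spoofed_on_port3"])
```

With all three layers on, the spoofed request is stopped at the switch before zoning or the array ever sees it; with port binding removed the same request is allowed, because zoning and masking both trust the WWN the attacker chose. The masked-out LUNs never appear in REPORT LUNS, matching the hidden addresses 2, 5 and 8 in the slide's figure.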
A SAN's weak points (figure only)
A SAN fabric infrastructure with weak points (figure only)
A SAN secured by Secure Fabric OS components (figure only)
Secure Fabric OS components (figure only)
Switch using PKI technology (figure only)
Different Vendors of SAN security
• HDS (Hitachi Data Systems) – disk arrays
• Brocade – fabric switches and switch OSs such as Secure Fabric OS
• Cisco – fabric switches and switch OSs such as SAN-OS 2.0
• Emulex – Fibre Channel HBAs (Host Bus Adapters)
• QLogic – controller chips, HBAs, management software, switches, etc.
• IBM – SAN management software
Proprietary Hardware and Software of SAN Security

• Brocade 7500 router series, Brocade SilkWorm 3800 Enterprise Fibre
Channel Fabric Switch, Secure Fabric OS
• Cisco MDS 9000 fabric switches, SAN-OS 2.0
• QLogic 8Gb HBAs
Glossary
– ACL – Access Control List
– CHAP – Challenge Handshake Authentication Protocol
– DoS – Denial of Service
– FCAP – Fibre Channel Authentication Protocol
– FCP – Fibre Channel Protocol
– FCPAP – Fibre Channel Password Authentication Protocol
– IP – Internet Protocol
– LAN – Local Area Network
– LUN – Logical Unit Number
– SAN – Storage Area Network
– SCSI – Small Computer System Interface
– SNIA – Storage Networking Industry Association
– WWN – World Wide Name