
Ensuring Data Integrity in SANs

PCQ Bureau

SANs have numerous benefits in an enterprise setup, as they create an aggregated pool of storage for the organization. But such a storage pool that’s accessible to all may become a liability unless well thought out security policies are framed and made a part of the storage area network.


Traditionally, SANs were deployed for a subset of a single data center, that is, a small isolated network and, therefore, were inherently more secure. But, today it is commonplace to find a SAN that spans outside a data center for business continuance and disaster recovery purposes. Moreover, with the advent of technologies such as iSCSI and FCIP, which use vulnerable TCP/IP for the transport, the need to secure SANs has become more evident. In this article, we’ll discuss SAN security.

Understanding threats



When planning out the security for your SAN, you need to first identify the possible sources of the threats. These can be broken into three parts. One, of course, is external threats, such as hackers or people with malicious intent trying to get in. Two, you need to control unauthorized access by internal users and should be able to detect any compromised devices. And last but not least, your SAN should be able to deal with unintentional threats, like mis-configurations and human errors. Unfortunately, the third issue is the most ignored, and minimal or no attention is paid to it. Just as in UNIX or Windows, where it’s prudent to minimize the use of root or administrator privileges, in a SAN we should also have strict control over access privileges granted to users.

Direct Hit!

Applies To: Storage Managers
USP: Secure your SAN
Primary Link: http://www.storagesearch.com
Google Keywords: Data integrity, SAN

In the SAN switches, for instance, remove the operator privileges so that nobody has complete control, and use role-based authentication instead. Likewise, ensure that there are no overlapping domain IDs, which can otherwise result in configuration errors. A correctly configured switch can help prevent both deliberate and unintentional disruptions. Besides securing the SAN fabric, there are many other technologies available for securing the SAN better. Let’s have a look at them.

Zoning



This is a method of creating barriers in the SAN fabric to prevent any-to-any connectivity. In zoning, you have to create different groups of servers and storage devices that are connected to the SAN fabric. Only devices within a particular zone can talk to each other through managed port-to-port connections. So if a server wants to access data from a storage device located in a different zone, the latter must be configured for multi-zone access.

SANs provide port-to-port pathways from servers to storage devices and back through bridges, switches and hubs. Zoning lets you efficiently manage, partition and control these pathways. Additionally, with zoning, heterogeneous devices can be grouped by operating systems, and further demarcation done based on applications, functions, or departments.

Zoning is of two types. Soft zoning, as the name suggests, uses software to enforce zoning. It uses a name server database connected to the FC switch. This stores port numbers and WWNs (World Wide Names) to identify devices during a zoning process. If a device is put in a different zone, it gets a record of Registered State Change Notification (RSCN) in the database. Each device must correctly address the RSCN after a zone change, or else all its communications with storage devices in the previous zone will be blocked.


You can also have hard zoning, which only uses WWNs to tag each device. Here, the SAN switches have to regulate data transfers between verified zones. Due to this, hard zoning requires that each device pass through the switches’ routing tables. For example, if two ports are not authorized to communicate with each other, their route tables are disabled and hence, the communication between those ports gets blocked.

While zoning is a good way to control access between various devices on a SAN, it cannot mask individual tape or disk LUNs that sit behind a device port. This can be done through LUN masking.

LUN masking



This is a RAID-based feature that binds the WWN of the HBA (Host Bus Adapter) on the host server to a specific SCSI identifier, or LUN. Since zoning can't mask individual LUNs behind a port, it can't limit an application server to a specific partition on a RAID. LUN masking overcomes this restriction. Let's say a single 24 GB RAID is divided into three 8 GB partitions to store data for the Finance, Production and Marketing departments. LUN masking, for example, could ‘hide’ the Finance and Marketing partitions, so that an application server can only see the Production department partition.
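
The interaction between zoning and LUN masking described above, as an added example that is not part of the original article or any vendor's configuration syntax. It models the three-partition RAID from the text; the WWNs, zone names and LUN numbers are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed WWNs (hypothetical values, not taken from the article).
APP_HBA = "10:00:00:00:c9:00:00:01"    # application server HBA
FIN_HBA = "10:00:00:00:c9:00:00:02"    # finance server HBA
RAID_PORT = "50:06:01:60:00:00:00:01"  # RAID controller port

@dataclass
class Fabric:
    zones: dict = field(default_factory=dict)  # zone name -> set of member WWNs
    luns: dict = field(default_factory=dict)   # target WWN -> {LUN id: label}
    masks: dict = field(default_factory=dict)  # (target, initiator) -> allowed LUN ids

    def zoned_together(self, initiator, target):
        """True if some zone holds both WWNs (a device may sit in several zones)."""
        return any(initiator in m and target in m for m in self.zones.values())

    def visible_luns(self, initiator, target, masking=True):
        """Labels of the LUNs the initiator can see behind the target port."""
        if not self.zoned_together(initiator, target):
            return []                            # zoning blocks the path entirely
        behind_port = self.luns.get(target, {})
        if not masking:
            return sorted(behind_port.values())  # zoning alone exposes every LUN
        allowed = self.masks.get((target, initiator), set())  # no entry: deny
        return sorted(label for lun, label in behind_port.items() if lun in allowed)

def build_example():
    """The article's RAID: three partitions behind one port in two zones."""
    f = Fabric()
    f.zones = {"zone_app": {APP_HBA, RAID_PORT}, "zone_fin": {FIN_HBA, RAID_PORT}}
    f.luns = {RAID_PORT: {0: "Finance", 1: "Production", 2: "Marketing"}}
    f.masks = {(RAID_PORT, APP_HBA): {1}, (RAID_PORT, FIN_HBA): {0}}
    return f

if __name__ == "__main__":
    fabric = build_example()
    print("zoning only :", fabric.visible_luns(APP_HBA, RAID_PORT, masking=False))
    print("with masking:", fabric.visible_luns(APP_HBA, RAID_PORT))
```

The mask lookup denies by default, so a host that is zoned to the RAID port but has no mask entry sees no LUNs at all.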


The problem with all this is that there's no requirement for authentication. Although storage vendors are planning to support a wide range of authentication methods, the DH-CHAP (Diffie-Hellman Key Encryption Protocol-Challenge Handshake Authentication Protocol) is used for Fibre Channel Security Protocol (FC-SP), which addresses FC's weak security.

LUN masking can be done either at the RAID device level itself or at the server HBA. Though the former is more secure, it’s not always possible because not all RAID devices support this. That’s where the second method is used, through a process known as ‘persistent binding’. This is nothing but letting the operating system assign SCSI target IDs and LUNs through the device drivers of the host HBA. One way this works is that the host assigns a SCSI target ID to the first router it finds, and subsequently assigns LUNs to the SCSI devices attached to it.

Operating systems and high-level applications, such as backup software, typically require a static or predictable SCSI target ID for their storage reliability and persistent binding provides the same.


Shoring up the weak points



If you are adding a new switch to the fabric, then Access Control Lists (ACLs) are used to allow or deny its addition. Host-to-fabric security technologies use ACLs at the port level of the fabric to allow or deny the HBA of a specific host attaching to a certain port. So an intruder host cannot just attach to any port on the fabric and access data without authority. ACLs are also used to filter network traffic, i.e., they can be used to allow or block routed packets from passing at the router interface. PKI can be used for authentication here. PKI and other encryption technologies like MD5 can also be used on some of the switches for managing the entire fabric. All management and configuration changes are then passed to all the switches on the SAN from them.

This will also result in a SAN with a minimal number of security control points. Finally, configuration integrity is also very important. It ensures that configuration changes in the fabric only come from one location at a time, and are correctly propagated to all switches in the fabric with integrity. The use of a distributed lock manager is one way in which you can ensure that a serial and valid configuration change is enabled on the fabric.
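
A sketch of the configuration-integrity idea above, as an added example that is not from the original article or any switch vendor. It is a single-process stand-in for a distributed lock manager: one fabric-wide lock serializes changes, and a SHA-256 digest checks that every switch holds the same configuration. The class, switch and administrator names are hypothetical.

```python
import copy
import hashlib
import json

def digest(cfg):
    """Stable SHA-256 digest of a configuration dictionary."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()

class FabricConfig:
    """Constructed model of a fabric with one change lock and per-switch copies."""

    def __init__(self, switch_names):
        self.lock_owner = None
        self.active = {"version": 0, "zones": {}}
        self.switches = {n: copy.deepcopy(self.active) for n in switch_names}

    def acquire(self, admin):
        """Grant the fabric-wide lock unless another administrator holds it."""
        if self.lock_owner not in (None, admin):
            return False
        self.lock_owner = admin
        return True

    def commit(self, admin, zone, members):
        """Apply one zone change, push it to every switch, release the lock."""
        if self.lock_owner != admin:
            raise PermissionError(f"{admin} does not hold the fabric lock")
        new = copy.deepcopy(self.active)
        new["version"] += 1
        new["zones"][zone] = sorted(members)
        self.active = new
        for name in self.switches:
            self.switches[name] = copy.deepcopy(new)
        self.lock_owner = None

    def drifted(self):
        """Switches whose stored configuration differs from the active one."""
        want = digest(self.active)
        return sorted(n for n, c in self.switches.items() if digest(c) != want)

if __name__ == "__main__":
    fabric = FabricConfig(["sw1", "sw2", "sw3"])
    fabric.acquire("alice")
    print("bob gets lock:", fabric.acquire("bob"))
    fabric.commit("alice", "zone_app", ["hba_app", "raid_port"])
    print("drifted switches:", fabric.drifted())
```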

Data encryption



What if despite having all the security measures in place to prevent anybody from entering your SAN, somebody manages to get in? If all the data is sitting in plain text, then it’s all available to the hacker. In such a case, it becomes important to consider data encryption techniques. It may not be feasible to encrypt all the data sitting on the SAN, so you need to figure out which is the most sensitive data that needs to be encrypted. You might also need to encrypt certain data due to regulatory requirements.


While SAN vendors bolster their security, several companies are betting there's a market for storage encryption. Many vendors have also introduced security appliances to encrypt data between the application server and the RAID. But, these products are new and have little or no track record in the real world. So, better wait for reviews to come.

Virtual SANs



Thanks to the developments taking place in this direction, we have now something called VSANs. A virtual SAN (VSAN) is a logical partition of a SAN. It allows the traffic to be isolated within specific sections of the network. So it becomes easier to isolate and rectify a problem with minimum disruption. The use of multiple VSANs is said to make a system easier to configure and also more scalable. You can add ports and switches at your will. You can also try different permutations and combinations of ports, because it is all logically done, giving you more flexibility. VSANs can also be configured separately and independently, making them more secure. They also offer the possibility of data redundancy, thereby reducing the risk of catastrophic data loss.

Final words



It is unwise to expect that the required level of security can be achieved from any one of the above discussed technologies alone. Therefore, in a heterogeneous SAN environment, some combination or all of the aforementioned technologies could be employed to ensure a storage area network where data integrity is guaranteed. Finally, as the SAN infrastructure evolves and as new technologies emerge, the SAN security strategy must also be periodically worked upon by every organization.

Manu Priyam
