Risks and Threats To Storage Area Networks
Every business faces risk as long as it has something of value. The more valuable a company's assets, the more risk it faces. The value of data increases as the amount of information in a database grows and the data can be harvested more effectively. Data should be protected at a reasonable cost, a fraction of the value of the data itself.
The cost of attacking a corporation's data assets usually decreases as technology improves. To exploit a company's data center or reach a particular asset, an attacker needs a certain investment to gain access to the data and benefit from it. The cost of some attacks is very low, and the enterprise needs to guard against these in particular. When the cost of an attack drops below the value of the data, the security for that asset should be upgraded to deter the attacker.
Unfortunately, most attackers do not perform a cost-benefit analysis of the victim before attacking. Many low-cost attacks, such as script-kiddie tools (attack tools obtainable for free on the Internet), are carried out for kicks. The attacker may gain nothing, but the attack may still hurt the owner of the data. Enterprises need to defend against all types of attacks that threaten their assets or their ability to do business.
A general definition of risk shows how threats factor into it. Risk due to security attacks is the product of the threat, the vulnerability to that threat, and the value of the asset. Since companies want to increase the value of their assets and cannot stop all threats, they must decrease their vulnerability to a given attack.
To find the total risk a company faces, it must inventory its data assets. With each asset tallied, the company can estimate the probability of each threat to the asset and the probability that the asset is vulnerable to that threat. The total risk is the sum of the risks to each asset, expressed in dollars.
To justify a security upgrade, the company can evaluate the reduction in risk the upgrade brings. Dividing the reduction in risk by the cost of the upgrade gives the return on security investment (ROSI). This analysis estimates how much risk the countermeasures remove. Reducing risk leaves the enterprise safer than ignoring the threats. Enterprises can choose to install countermeasures before an attack or deal with the consequences after one.
Risk always starts with a threat. Threats can be broken into three basic levels. The first level of threat is unintentional, due to accidents or mistakes. While not intentional, these threats are common and can cause downtime and loss of revenue. The second level is a simple malicious attack that uses existing equipment and possibly some easily obtainable information. These attacks are less common, are intentional, and usually come from internal sources. The third level is the large-scale attack that requires an uncommon degree of sophistication and equipment to execute. A third-level attack usually comes from an outside source and requires access, either physical or virtual. Third-level attacks are extremely rare in SANs today and may take considerable knowledge and skill to execute. Table 1 summarizes the three levels of threat.
Level 1 attacks are unintentional and usually the result of common mistakes. A classic example is connecting a device to the wrong port. Miscabling could give a device unauthorized access to data or cause a disk drive to be improperly formatted. An incorrect connection could even join two fabrics, exposing hundreds of ports to accidental access. The unfortunate aspect of this attack is that it can be executed with little skill or thought. Fortunately, Level 1 threats are the easiest to prevent.
Level 2 threats are distinguished by the fact that someone is deliberately trying to steal data or disrupt service. The variety of Level 2 attacks increases as the intruder (anyone initiating the attack) attempts to circumvent barriers. An intruder impersonating an authorized user is a common Level 2 attack. To prevent a Level 2 threat, the SAN needs added processes and technology to foil the attack.
Level 3 threats are the most troublesome. These are large-scale offensives, usually perpetrated by an external source with expensive equipment and considerable sophistication. One example is installing a Fibre Channel analyzer that monitors traffic on a link. Equipment to crack authentication secrets or encrypted data is another. These cloak-and-dagger attacks are difficult to accomplish and require uncommon knowledge and a serious commitment. Level 3 attacks are rare and complex and are beyond the scope of this white paper.
The three levels of attack are helpful in categorizing threats, but an in-depth analysis is required to address each threat. The next section will enable a systematic approach to dealing with individual threats.
Administrator’s Perspective – Storage Network Points of Attack
Threats to storage networks come from many places, and each point of attack can be used as a stepping-stone for later attacks. To provide a high level of security, several checkpoints should stand between the intruder and the data. Identifying the points of attack helps identify the security methods that thwart different attacks. Just as a castle has several layers of defense against invaders, the enterprise should install many barriers to prevent attacks.
The point of attack frames the discussion of individual threats. The threats discussed in this paper are:
– Unauthorized Access
– Spoofing
– Sniffing
Unauthorized access is the most common security threat because it spans Level 1 to Level 3 threats. An unauthorized access may be as simple as plugging in the wrong cable or as complex as attaching a compromised server to the fabric. Unauthorized access leads to other forms of attack, and is a good place to start the discussion of threats.
Access can be controlled at the following points of attack:
1. Out-of-Band Management Application – Switches have non-Fibre Channel ports, such as an Ethernet port and a serial port, for management. Physical access to the Ethernet port can be limited by managing the SAN over a private network separate from the company intranet. If the switch is connected to the company intranet, firewalls and virtual private networks can restrict access to the Ethernet port. Access to the serial port (RS-232) can be restricted by limiting physical access and requiring user authorization and authentication. Once a management station can reach the Ethernet port, the switch can use access control lists to restrict which applications may connect. The switch may also limit the applications or individual users that can access it through point of attack 3.
2. In-band Management Application – Another exposure a switch faces is through an in-band management application, which accesses the fabric services, such as the Name Server and the Fabric Configuration Server. Access to the fabric services is controlled by the Management ACL (MACL).
3. User to Application – Once a user can reach a management application, they must log into it. The application can authorize the user for role-based access according to job function; to do so it must support access control lists and a role for each user.
4. Device to Device – After two Nx_Ports are logged into the fabric, one Nx_Port can do a Port Login (PLOGI) to the other Nx_Port. Zoning and LUN masking limit the access of devices at this point. The Active Zone Set in each switch enforces the zoning restrictions in the fabric; storage devices maintain the LUN masking information.
5. Devices to Fabric – When a device (Nx_Port) attaches to the fabric (Fx_Port), it sends a Fabric Login (FLOGI) that carries parameters such as its Port World Wide Name (WWN). The switch can authorize the port to log into the fabric or reject the FLOGI and terminate the connection. To do so, the switch maintains an access control list (ACL) of the WWNs allowed to attach. The real threat to data arises after the device is logged into the fabric and can proceed to point of attack 2 or 4.
6. Switch to Switch – When a switch is connected to another switch, an Exchange Link Parameters (ELP) Internal Link Service (ILS) carries relevant information such as the Switch WWN. The switch can authorize the other switch to form a larger fabric, or the link can be isolated if the other switch is not authorized to join. Each switch needs to maintain an ACL of authorized switches.
7. Data at Rest – Stored data is vulnerable to insider attack as well as unauthorized access via fabric and host-based attacks. Because storage protocols carry data in cleartext, storage, backup and host administrators can read stored data in raw form, with no access restrictions or logging. Storage encryption appliances add a layer of protection for data at rest and, in some cases, provide application-level authentication and access controls.
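The checks at points of attack 4, 5 and 6, plus LUN masking at point 7, in a toy Python model. This is an added example, not McDATA code and not any switch's implementation: the Switch and StorageArray classes, the LS_ACC/LS_RJT outcome strings and all WWNs are constructed for illustration, and a real switch applies these ACLs in firmware when the login or link request arrives. It shows how a miscabled device is stopped at FLOGI, how an unlisted switch is isolated instead of merging two fabrics, and how zoning and LUN masking each narrow what a logged-in device can reach.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """One switch holding the ACLs it enforces at its ports (point 5), its
    inter-switch links (point 6) and the Active Zone Set (point 4)."""
    name: str
    port_acl: set = field(default_factory=set)           # Port WWNs allowed to FLOGI
    switch_acl: set = field(default_factory=set)         # Switch WWNs allowed to join the fabric
    active_zone_set: dict = field(default_factory=dict)  # zone name -> set of Port WWNs
    logged_in: set = field(default_factory=set)

    def flogi(self, port_wwn: str) -> str:
        """Point 5: a Fabric Login is accepted only for a listed Port WWN."""
        if port_wwn not in self.port_acl:
            return "LS_RJT"            # rejected; the link never becomes usable
        self.logged_in.add(port_wwn)
        return "LS_ACC"

    def elp(self, peer_switch_wwn: str) -> str:
        """Point 6: an ELP from an unlisted switch isolates the ISL instead of
        merging the two fabrics."""
        return "E_Port joined" if peer_switch_wwn in self.switch_acl else "ISL isolated"

    def plogi(self, src: str, dst: str) -> str:
        """Point 4: a Port Login is forwarded only between members of a common
        zone in the Active Zone Set, and only for ports that completed FLOGI."""
        if src not in self.logged_in or dst not in self.logged_in:
            return "not logged in"
        if not any(src in z and dst in z for z in self.active_zone_set.values()):
            return "zone denied"
        return "PLOGI forwarded"


class StorageArray:
    """LUN masking lives on the storage device, behind the fabric checks."""

    def __init__(self, lun_masks: dict):
        self.lun_masks = lun_masks     # LUN number -> set of initiator Port WWNs

    def visible_luns(self, initiator_wwn: str) -> list:
        return sorted(lun for lun, allowed in self.lun_masks.items() if initiator_wwn in allowed)


def scenario() -> dict:
    """Constructed WWNs and zone set; returns what each checkpoint decided."""
    HOST_A = "10:00:00:00:c9:11:11:11"
    HOST_B = "10:00:00:00:c9:22:22:22"
    ARRAY = "50:06:01:60:3b:20:00:01"
    LAPTOP = "21:00:00:e0:8b:aa:bb:cc"          # miscabled into a switch port (Level 1)
    PEER_SWITCH = "10:00:08:00:88:e0:00:01"
    ROGUE_SWITCH = "10:00:08:00:88:e0:ff:ff"

    sw = Switch(
        name="sw1",
        port_acl={HOST_A, HOST_B, ARRAY},
        switch_acl={PEER_SWITCH},
        active_zone_set={"zone_a": {HOST_A, ARRAY}, "zone_b": {HOST_B, ARRAY}},
    )
    array = StorageArray({0: {HOST_A}, 1: {HOST_A}, 2: {HOST_B}})

    return {
        "laptop_flogi": sw.flogi(LAPTOP),         # miscabling stops at the port ACL
        "host_a_flogi": sw.flogi(HOST_A),
        "host_b_flogi": sw.flogi(HOST_B),
        "array_flogi": sw.flogi(ARRAY),
        "rogue_isl": sw.elp(ROGUE_SWITCH),        # two fabrics do not merge by accident
        "peer_isl": sw.elp(PEER_SWITCH),
        "a_to_array": sw.plogi(HOST_A, ARRAY),
        "a_to_b": sw.plogi(HOST_A, HOST_B),       # the two hosts share no zone
        "laptop_to_array": sw.plogi(LAPTOP, ARRAY),
        "a_luns": array.visible_luns(HOST_A),
        "b_luns": array.visible_luns(HOST_B),
    }


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check:16} {outcome}")
```

Each checkpoint is independent of the others, which is the point of the castle analogy: a device that slips past one ACL (say, a port ACL left open during maintenance) still meets the zone set and then the LUN mask before it can read anything.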
Controlling access with Access Control Lists (ACLs) prevents accidents from becoming catastrophes. ACLs will not stop attackers who are willing to lie about their identity, and most thieves have no problem lying to get what they want. To prevent spoofers (someone who masquerades as another) from infiltrating the network, the entity being authorized must also be authenticated.
Spoofing is a threat closely related to unauthorized access. It goes by many names and takes many forms: impersonation, identity theft, hijacking, masquerading and WWN spoofing. The names reflect the different levels at which the attack occurs: one form impersonates a user, another masquerades as an authorized WWN.
The way to prevent spoofing is to challenge the claimant for unique information that only the authorized party should know. For users, that information is a password. For devices, a secret is associated with the WWN of the Nx_Port or switch. Management sessions may also be authenticated to ensure that an intruder is not managing the fabric or device.
Spoofing can be checked at the following points of attack:
1. Out-of-Band Management Application – When a management application contacts the switch, the switch may authenticate the entity that is connecting to it. Authentication of the users themselves is addressed in point of attack 3.
2. In-band Management Application – The in-band management application will use Common Transport (CT) Authentication to prevent spoofing of commands to Fabric Services.
3. User to Application – When the user logs into the application, the management application will challenge the user to present a password, secret or badge. The application could authenticate the user with biometric data like fingerprints, retina scans or even DNA samples.
4. Device to Device – After an Nx_Port receives a PLOGI, it can challenge the requesting port to prove its identity. DH-CHAP, defined in the FC-SP standard, is the standard Fibre Channel mechanism for authenticating Nx_Ports. The requesting Nx_Port should also challenge the other Nx_Port so that both are sure of each other's authenticity. Two-way authentication is known as mutual authentication.
5. Devices to Fabric – When a device sends a Fabric Login (FLOGI), the switch can respond with a DH-CHAP challenge to authenticate the device. The Nx_Port should answer the challenge and challenge the switch in turn for mutual authentication.
6. Switch to Switch – When a switch is connected to another switch, both switches should authenticate each other with DH-CHAP.
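A simplified mutual DH-CHAP exchange, as an added example that is not McDATA code and not the FC-SP wire format: the message sequence is FC-SP's, but the SHA-256 response construction, the 127-bit toy DH group, the outcome strings and all WWNs and secrets are assumptions made for illustration. It shows why an intruder who knows an authorized WWN but not its secret is rejected at the switch, and why a rogue switch that presents the real switch's WWN is caught when the host challenges it back, which is what mutual authentication at points 4, 5 and 6 buys.

```python
import hashlib
import secrets

# Toy DH group for illustration only. FC-SP DH-CHAP uses standard MODP groups
# (or the NULL group, which reduces DH-CHAP to plain CHAP).
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
G = 3


def chap_response(tran_id: int, secret: bytes, challenge: bytes, dh_shared: int) -> bytes:
    """Prover's answer: a hash over the transaction id, its secret, the
    challenge and the DH shared value (simplified; FC-SP's hash inputs differ)."""
    h = hashlib.sha256()
    h.update(tran_id.to_bytes(4, "big"))
    h.update(secret)
    h.update(challenge)
    h.update(dh_shared.to_bytes(16, "big"))
    return h.digest()


class Entity:
    """An Nx_Port or switch. own_secret is what proves *this* WWN; peer_secrets
    maps each expected peer WWN to the secret that peer must prove."""

    def __init__(self, wwn: str, own_secret: bytes, peer_secrets: dict, verifies_peers: bool = True):
        self.wwn = wwn
        self.own_secret = own_secret
        self.peer_secrets = peer_secrets
        self.verifies_peers = verifies_peers   # False models a rogue that cannot check anyone


def mutual_dh_chap(initiator: Entity, responder: Entity) -> str:
    """One mutual DH-CHAP run between an initiator (e.g. an Nx_Port after FLOGI)
    and a responder (e.g. the switch). Returns the outcome as a string."""
    tran_id = secrets.randbelow(1 << 32)

    # 1. AUTH_Negotiate: the initiator names itself; the name is not yet trusted.
    claimed_wwn = initiator.wwn

    # 2. DHCHAP_Challenge: responder picks x and challenge C1, sends C1 and g^x.
    x = secrets.randbelow(P - 2) + 2
    c1 = secrets.token_bytes(16)
    gx = pow(G, x, P)

    # 3. DHCHAP_Reply: initiator picks y, derives K = (g^x)^y, answers C1 with its
    #    own secret, and sends g^y plus its own challenge C2 for mutual auth.
    y = secrets.randbelow(P - 2) + 2
    gy = pow(G, y, P)
    k_init = pow(gx, y, P)
    r1 = chap_response(tran_id, initiator.own_secret, c1, k_init)
    c2 = secrets.token_bytes(16)

    # 4. Responder derives K = (g^y)^x and checks R1 against the secret it holds
    #    for the *claimed* WWN; a spoofer with the WWN but not the secret fails here.
    k_resp = pow(gy, x, P)
    if responder.verifies_peers:
        expected = responder.peer_secrets.get(claimed_wwn)
        if expected is None or not secrets.compare_digest(
                r1, chap_response(tran_id, expected, c1, k_resp)):
            return "AUTH_Reject: initiator failed challenge"
    # DHCHAP_Success carries the responder's own answer to C2.
    r2 = chap_response(tran_id, responder.own_secret, c2, k_resp)

    # 5. Initiator checks R2 against the secret it holds for the responder's WWN,
    #    so a rogue switch presenting the real switch's WWN is caught here.
    expected_peer = initiator.peer_secrets.get(responder.wwn)
    if expected_peer is None or not secrets.compare_digest(
            r2, chap_response(tran_id, expected_peer, c2, k_init)):
        return "AUTH_Reject: responder failed challenge"
    return "AUTH_Success"


def scenario() -> dict:
    """Constructed WWNs and secrets; returns the outcome of three exchanges."""
    HOST = "10:00:00:00:c9:2b:3c:4d"       # Port WWN of a genuine host
    SWITCH = "10:00:08:00:88:e0:12:34"     # Switch WWN of the genuine switch
    host_secret = b"host-secret-constructed"
    switch_secret = b"switch-secret-constructed"

    switch = Entity(SWITCH, switch_secret, {HOST: host_secret})
    host = Entity(HOST, host_secret, {SWITCH: switch_secret})
    # Spoofer: presents the host's WWN but does not know the host's secret.
    spoofed_host = Entity(HOST, b"guess", {SWITCH: b"guess"})
    # Rogue switch: presents the real switch's WWN, holds no secrets, and
    # accepts any reply because it has nothing to verify it against.
    rogue_switch = Entity(SWITCH, b"guess", {}, verifies_peers=False)

    return {
        "genuine": mutual_dh_chap(host, switch),
        "spoofed_host": mutual_dh_chap(spoofed_host, switch),
        "rogue_switch": mutual_dh_chap(host, rogue_switch),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:13} {outcome}")
```

Two design points carry over to a real deployment: the secret is never sent, only a hash that depends on a fresh challenge, so a sniffer on the link cannot replay it; and the host must check the switch's response, not just answer, otherwise the rogue-switch case silently succeeds.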
To authenticate every point, four types of authentication are possible:
1. User Authentication
2. Ethernet CHAP Entity Authentication
3. CT Message Authentication
4. Fibre Channel DH-CHAP Entity Authentication
After entities and users are authorized and authenticated, the traffic should be able to flow securely between authorized devices. Data flowing on the link could still be stolen by a sniffer. Sniffers will be investigated in the final threat.
Data can be stolen in many ways. One way is sniffing the data while it is in flight. Sniffing is also referred to as wire-tapping; unlike an active man-in-the-middle attack, a well-placed sniffer only reads the traffic and does not alter it. A Fibre Channel analyzer is a good example of a sniffer that can monitor traffic transparently. Sniffing does not affect the operation of the devices on the link if done properly. The cure for sniffing is encryption.
Encryption transforms readable data into a form that cannot be read without the correct key. Without that key, the stolen data is worthless. Several encryption methods work, and different algorithms suit different kinds of traffic. Rather than discuss encryption at each point of attack, this paper distinguishes only between in-band (Fibre Channel) and out-of-band (Ethernet) traffic.
Encapsulating Security Payload (ESP) can encrypt Fibre Channel traffic to ensure confidentiality. Ethernet traffic can be encrypted with Secure Sockets Layer (SSL), its successor TLS, or similar protocols. These techniques support different algorithms and key lengths, any of which render sniffed data worthless to the intruder.
As SANs have grown in complexity, with many terabytes of data aggregated and replicated in shared systems, customers are increasingly concerned with the security of data at rest. Government regulations around privacy have further increased the importance of protecting stored customer information.
McDATA has developed integrated solutions with partners to provide transparent, wire-speed encryption for data at rest. These appliances use hardware-based encryption and key management to lock down data at rest, and enforce overall fabric security and access controls. These McDATA-certified solutions have been deployed by government and enterprise customers with minimal impact to application performance or management overhead. McDATA’s experienced consultants can work with your team to ensure a seamless integration that addresses your unique security requirements.
The most common threats are mistakes made by users. Access control lists limit the risk from many kinds of error, but they only stop users who do not spoof an authorized device. To prevent spoofing, authentication services are required to catch a lying intruder. If the intruder still obtains physical access to the infrastructure and attaches a sniffer to a link, encryption can render the stolen data worthless. These three common threats and their solutions help IT organizations manage the risk of various attacks.
Referring back to the levels of attack: access control lists prevent Level 1 attacks by stopping a miscabled device at the initialization stage. If an intruder tries to use an application under an authorized user's name, the Level 2 attack is stymied by authentication. If the intruder installs a wire tap in a Level 3 attack, encryption spoils the intruder's ill-gotten goods. The three levels of attack require different defensive maneuvers, and each threat must be dealt with individually.