How to Finally Secure your Network Storage
Himanshu Dwivedi
Managing Security Architect
@stake, Inc.
(Transcript of the slide deck; posted 19-Dec-2015, category: Documents)
Why is SAN Security Needed
• Information
  – Unauthorized access or unintentional damage
• Protection
  – Internal and external threats
    • Competitors, ex-employees, future ex-employees, etc.
• Connectivity
  – SANs include all types of servers (application, web, FTP, etc.) that are attached to the Ethernet and to the existing storage network
  – A single compromised server may open the gateway to the SAN
Importance of SAN Security
• Importance
  – What we see: clients dedicating large budgets to SANs
    • Protect intellectual property
    • SANs typically contain the keys to the kingdom
  – What we know: attacks rarely change, they get modified
    • Management methods/networks are the primary target
    • IP attacks will be used for Fibre Channel
  – What vendors know:
    • "Many SANs are only as secure as the hosts and clients attached to the storage network" -- Scott Robinson, CTO, Datalink Corp
Example SAN (diagram)
Internet, firewall, internal network containing Web Server 1/Database Server 1, Web Server 2/Database Server 2 and Web Server 3/Database Server 3; an Ethernet switch connects them to the management workstation; a Fibre Channel switch connects them to three JBODs.
Green lines: Fibre Channel; red lines: Ethernet
Common Problems - Authentication
• Limited access control
  – Limited concept of multi-user administration
    • Management tools do not provide a variety of security profiles
• Authentication vulnerabilities
  – Username/password is not enough!
  – Cisco vulnerability: it is possible to read stored configuration files from the Storage Router without any authorization
Common Problems – Clear-text
• Fibre Channel management
  – SCSI Enclosure Services (SES)
    • SES provides no extra security besides username/password
  – FC-SNMP
    • SNMP is clear-text and provides no extra security besides community strings
  – Browser-based management
    • HTTP, SNMP and SES may be managed via a browser
    • Username and password (passed in the clear) is the only security provided
  • Again... username/password is not enough!!
Fibre Channel Layers (diagram)
Attack Vector: FC - Layer 2 (diagram)
Weaknesses - Sequence ID
• SEQ_CNT and SEQ_ID
  – A Fibre Channel Sequence is a series of one or more related frames transmitted unidirectionally from one port to another.
  – All frames must be part of a Sequence. Frames within the same Sequence have the same SEQ_ID field in the header.
    • For each frame transmitted in a Sequence, SEQ_CNT is incremented by 1.
  – This is similar to what? The ISN in TCP/IP
  – An attacker can guess the SEQ_ID and attempt to hijack the session
Weakness - Joining the Fabric
• Pollute the SNS when joining the fabric
  – An N_Port sends a Fabric Login (FLOGI) to the well-known address xFFFFFE (broadcast).
  – The switch receives the frame at xFFFFFE and returns an accept frame (ACC). Service information is exchanged.
  – Knowing that no validation is required to receive an accept frame (ACC), an attacker could send a modified 24-bit address to xFFFFFE in an attempt to corrupt the SNS information
    • As soon as the ACC is received, the attacker knows that the SNS has been modified
Weakness - Flow control
• Disruption of flow control
  – A device can transmit frames to another device only when the other device is ready to accept them. Before the devices can send data to each other, they must log in to each other and establish credit.
  – Credit
    • Credit refers to the number of frames a device can receive at a time. This value is exchanged with another device during login, so each knows how many frames the other can receive.
  – Disruption of flow control
    • Injecting a high or low credit value disrupts the service
Weakness - Switches
• Cut-through switching
  – A switch only looks at the D_ID (24-bit destination address) to route the frame
  – Increases performance by reducing the time required to make a routing decision
  – However, there is no verification of the S_ID (source address) and the frame is passed
Weakness - Simple Name Server
• Simple Name Server
  – The Simple Name Server maps the 24-bit fabric address to the 64-bit World Wide Name
  • IP attack: polluting the ARP tables
  • Fibre Channel attack: polluting the SNS
Weakness - HBA
• World Wide Names
  – WWNs can be easily changed on an HBA
  – WWNs are used as unique identifiers that do not get authenticated
  – WWNs can be spoofed to access different zones
LUN Masking and Zoning
• Switch features
  – LUN masking and zoning
    • LUN masking creates subsets of storage within the SAN virtual pool and allows only designated servers to access the storage subsets.
    • Zoning restricts access to specific physical devices such as RAID arrays or individual disks (equivalent to VLANs in the Ethernet world).
  – LUN masking and zoning are NOT considered security tools, but rather efficiency tools
LUN Masking
• Types of LUN masking
  – Server configuration
  – Host-level drivers on the HBA
  – Storage controllers are configured
    • Must be supported by the storage vendor
  – Storage virtualization (LUN masking device)
    • Works with any server and any HBA; adds overhead and performance issues
LUN Masking
• Strengths
  – Provides segregation
• Weaknesses
  – Designed for segmentation, not security
  – Modifications at the HBA are granted
  – LUN "broadcasting" is built to be highly available
Zoning
• Zoning is separation
  – A method for separating fabric-connected devices into groups over the same physical fabric
  – Similar to VLANs in the Ethernet world
• Types of zoning
  – Hard, soft, and combination
  – Hard
    • Physical port address – static fabrics
  – Soft
    • Node WWN and Port WWN – dynamic fabrics
Hard Zoning (diagram)
Switch with HBAs WWN-a, WWN-b, WWN-c, WWN-d and WWN-e attached on physical ports 1, 2, 3, 7 and 9.
Zone 1: physical ports 1, 2, 3, 4
Zone 2: physical ports 5, 6, 7, 9
Soft Zoning (diagram)
Switch with a Simple Name Server; HBAs WWN-a, WWN-b, WWN-c, WWN-d and WWN-e attached.
Zone 1: WWN-a, WWN-b
Zone 2: WWN-c, WWN-d, WWN-e
Future Problems
• Ethernet attack techniques will soon be used for FC
  – Man-in-the-Middle*
  – Replay
  – Spoofing*
  – Malformed packets
  – Zone hopping (VLAN hopping)
  – Cache poisoning
  – Hijacked sessions*
  – Sniffing
  – Denial of service
* Example to follow
Future Attacks - MITM
• Man-in-the-Middle
  – An attacker sends out a modified frame to xFFFFFE with the 24-bit address of the legitimate switch. The fabric assumes that the attacker is the legitimate Fibre Channel switch
  – All frames destined for the real switch are passed to the attacker first, then to the legitimate switch.
    • However, tools need to be written to pass the traffic on to the switch, otherwise the attack will not work.
Future Attacks - MITM (diagram)
• Man-in-the-Middle
Management Workstation, Fibre Channel Switch (WWN 1018201xxxx) and Attacker (HBA1, WWN 0038283xxxx). The attacker sends out the 24-bit address of the switch to xFFFFFE. Supposed interaction: workstation to switch. Actual interaction: workstation to attacker.
Future Attacks - Spoofing
• Spoofing
  – A server is strictly given rights to zones from the switch
    • An attacker changes (spoofs) its WWN to the WWN of the server
    • The switch grants access rights to certain zones because it recognizes the WWN
Future Attacks - Spoofing (diagram)
• Spoofing
Server, Fibre Channel Switch and Attacker (HBA1, WWN 0038283xxxx).
Simple Name Server table:
  WWN 9382108xxxx: zones 1, 4, 6
  WWN 0038283xxxx: zones 2, 5, 9
HBA2 takes WWN 0038283xxxx. Legitimate interaction vs. spoofed interaction.
Future Attacks – Session Hijacking
• Session Hijacking
  – FC session hijacking could be conducted if a third party takes control of an existing session between two trusted machines by predicting the Sequence ID (SEQ_CNT field) in FC-2
    • In FC-2, the SEQ_CNT field identifies individual frames within a Sequence. For each frame transmitted in a Sequence, SEQ_CNT is incremented by 1.
Future Attacks – Session Hijacking (diagram)
• Session Hijacking
Trusted Workstation, Switch and Attack Machine: initial interaction between the trusted workstation and the switch, then the session hijack by the attack machine.
Future Attacks – Switch Attacks (diagram)
• Switch Attacks
  – E-port to E-port replication!
Fibre Channel Switch connected over an E-port to a Rogue Server; "What the switch thinks": a second Fibre Channel Switch E-port (SSP). Simple Name Server compromised!!!
Short Term Solutions
• Segmentation
  – Logical segmentation of management traffic from data traffic
    – FC for data
    – Ethernet or FC-IP for management (with IPsec)
  – Create a separate SAN management network, segmented from the corporate/data network
    • Traffic segmentation will limit exposure of other network segments in the event that a segment is compromised.
    • It ensures individuals who require access to one network segment (e.g. management) cannot access other segments (e.g. data), thus limiting access to business need.
Short Term Solutions
• Switch Configurations
  – Simple Name Server (soft) zoning and hard zoning
    • Regular zoning, both hard zoning and Simple Name Server (soft) zoning, will be required on all switches. This will add a layer of security for WWNs on all appropriate physical ports
  – Port binding (locking)
    • Physical port binding enables only authorized WWNs to access a particular port on each front-end switch and the secure fibre switch.
  – Fabric Membership Authorization
  – Port-type controls
    • Port-type controls will lock each port to a G-port, F-port, or E-port, according to their appropriate specifications.
Fibre Channel Solutions
• Fibre Channel Security
  – Andiamo Systems, Cisco, EMC, QLogic, VERITAS
• Requirements
  – Authentication (e.g. switch to switch)
  – Integrity (e.g. data integrity)
  – Encryption (e.g. ESP payload)
Fibre Channel Solutions
• FCSec
  – Authentication and encryption at the FC-2 layer
  – Provides:
    • Switch to switch authentication
    • Node to switch authentication
    • Node to node secure channel
  – Defends against:
    • Spoofing
    • Session hijacking
    • Man-in-the-Middle
  – Monkey-in-the-Middle?
Fibre Channel Solutions
• FCSec
  – AH and ESP over FC-2
  – Authentication with AH will be once in a while, meaning that overhead should be relatively low
  – What are the bandwidth concerns?
Fibre Channel Solutions
• FCSec
  – Switch to switch authentication
    • After keys have been exchanged, frames exchanged between the switches will be authenticated to ensure data integrity
    – SLAP (Switch Layer Authentication Protocol)
    – An SA is inserted in E_Port frames
  – Node to switch authentication
    • After key exchange, two nodes can exchange frames to ensure integrity
  – Node to node secure channel
    • After key exchange, FC-2 frames can be encrypted with ESP
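An added illustration of the idea behind AH-style frame authentication at FC-2, as the FCSec slides describe it and as a counter to the SEQ_CNT-guessing weakness from the Sequence ID and session hijacking slides. This is example code written for this transcript, not the presentation's or any vendor's, and not the real FCSec/FC-SP frame format: the header packing, the field subset, the security-association structure and the key are all assumptions made here. The receiver accepts a frame only if its HMAC, which covers S_ID, SEQ_ID, SEQ_CNT and the payload, verifies under the shared key and SEQ_CNT advances.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 12  # 96-bit integrity check value, the truncation AH uses for HMAC

@dataclass
class Frame:
    """Simplified FC-2 frame; the packing is an assumption (real headers carry more)."""
    d_id: int      # 24-bit destination address
    s_id: int      # 24-bit source address
    seq_id: int
    seq_cnt: int
    payload: bytes

    def header_bytes(self) -> bytes:
        return struct.pack(">IIBH", self.d_id & 0xFFFFFF, self.s_id & 0xFFFFFF,
                           self.seq_id & 0xFF, self.seq_cnt & 0xFFFF)

@dataclass
class SecurityAssociation:
    """Key and anti-replay state shared by one S_ID -> D_ID direction."""
    key: bytes
    s_id: int
    d_id: int
    last_seq_cnt: dict = field(default_factory=dict)  # SEQ_ID -> last accepted SEQ_CNT

def compute_icv(sa: SecurityAssociation, frame: Frame) -> bytes:
    """HMAC over header and payload, so S_ID, SEQ_ID and SEQ_CNT are all covered."""
    mac = hmac.new(sa.key, frame.header_bytes() + frame.payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]

def verify(sa: SecurityAssociation, frame: Frame, icv: bytes) -> str:
    """Return 'ok' if the frame is accepted, otherwise the reason it is dropped."""
    if (frame.s_id, frame.d_id) != (sa.s_id, sa.d_id):
        return "no SA for this S_ID/D_ID pair"
    if not hmac.compare_digest(compute_icv(sa, frame), icv):
        return "bad ICV"  # forged S_ID, guessed SEQ_CNT or altered payload
    if frame.seq_cnt <= sa.last_seq_cnt.get(frame.seq_id, -1):
        return "replay"   # SEQ_CNT must advance within a Sequence
    sa.last_seq_cnt[frame.seq_id] = frame.seq_cnt
    return "ok"

def demo() -> dict:
    """Constructed scenario: node 0x010200 sends to 0x010300 under a shared key."""
    key = bytes(range(32))  # constructed example key, not a real secret
    tx, rx = (SecurityAssociation(key, 0x010200, 0x010300) for _ in range(2))
    f0 = Frame(0x010300, 0x010200, 7, 0, b"READ LUN 3")
    f1 = Frame(0x010300, 0x010200, 7, 1, b"READ LUN 4")
    icv0, icv1 = compute_icv(tx, f0), compute_icv(tx, f1)
    # Predicting SEQ_CNT=2 and copying the S_ID does not help without the key.
    forged = Frame(0x010300, 0x010200, 7, 2, b"WRITE LUN 3")
    forged_icv = compute_icv(SecurityAssociation(b"\x00" * 32, 0x010200, 0x010300), forged)
    tampered = Frame(0x010300, 0x010200, 7, 1, b"READ LUN 9")
    return {"first": verify(rx, f0, icv0), "second": verify(rx, f1, icv1),
            "replayed": verify(rx, f0, icv0), "forged": verify(rx, forged, forged_icv),
            "tampered": verify(rx, tampered, icv1)}
```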
Fibre Channel Solutions
• Switch Solutions
  • SLAP
    – Switch Layer Authentication Protocol
    • Security Associations between two E_Ports
    • Provides authentication
    • Provides non-repudiation
    – Developed by Brocade
      • Currently in beta
Long Term Solutions
• Switch Configurations
  – SLAP
    • Switch Layer Authentication Protocol. Switch to switch authentication via digital certificates and unique private keys
  – Fabric Membership Authorization
    • Fabric Membership Authorization incorporates an internal database on each switch with a list of authorized WWNs that may join the fabric.
  – Fabric Configuration Servers
    • This switch is the only device allowed to manage the other switches. It uses its own database for authentication, rather than SNMP or a regular username/password combination.
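A constructed model of the switch-side controls from this slide and from the Short Term Solutions switch-configuration slide (soft zoning, hard zoning, port binding, port-type controls and Fabric Membership Authorization), added here as an example; it is not code from the presentation or from any switch vendor, and its field names and data are invented for the illustration. The WWN labels and port numbers follow the hard and soft zoning diagrams, and the scenario is the one the spoofing slides describe: a device on port 7 presenting the WWN that belongs on port 1.

```python
from dataclasses import dataclass, field

@dataclass
class FabricPolicy:
    """Switch-side controls from the slides; names are constructed for this example."""
    soft_zones: dict = field(default_factory=dict)     # zone -> WWNs (SNS zoning)
    hard_zones: dict = field(default_factory=dict)     # zone -> physical ports
    port_binding: dict = field(default_factory=dict)   # physical port -> locked WWN
    authorized_wwns: set = field(default_factory=set)  # Fabric Membership Authorization
    port_types: dict = field(default_factory=dict)     # physical port -> "F", "E" or "G"

def evaluate_login(policy: FabricPolicy, port: int, wwn: str) -> dict:
    """Admission decision and reachable zones for a device claiming `wwn` on `port`."""
    def denied(why: str) -> dict:
        return {"admitted": False, "reason": why, "zones": set()}
    # Port-type control: a port locked to E_Port never accepts a node login.
    if policy.port_types.get(port, "G") == "E":
        return denied(f"port {port} is locked to E_Port")
    # Fabric Membership Authorization: only listed WWNs may join at all.
    if policy.authorized_wwns and wwn not in policy.authorized_wwns:
        return denied(f"{wwn} is not an authorized fabric member")
    # Port binding: the claimed WWN must be the one locked to this physical port.
    bound = policy.port_binding.get(port)
    if bound is not None and bound != wwn:
        return denied(f"port {port} is bound to {bound}")
    soft = {z for z, members in policy.soft_zones.items() if wwn in members}
    hard = {z for z, ports in policy.hard_zones.items() if port in ports}
    # When both kinds of zoning are configured, the device must satisfy both.
    zones = soft & hard if policy.soft_zones and policy.hard_zones else soft | hard
    return {"admitted": True, "reason": "ok", "zones": zones}

# Constructed fabric mirroring the zoning diagrams: HBAs WWN-a..WWN-e sit on
# ports 1, 2, 3, 7, 9; zone 1 is ports 1-4 / WWN-a,b, zone 2 is ports 5-9 / WWN-c,d,e.
SOFT = {"zone1": {"WWN-a", "WWN-b"}, "zone2": {"WWN-c", "WWN-d", "WWN-e"}}
HARD = {"zone1": {1, 2, 3, 4}, "zone2": {5, 6, 7, 9}}
BINDING = {1: "WWN-a", 2: "WWN-b", 3: "WWN-c", 7: "WWN-d", 9: "WWN-e"}

def demo() -> dict:
    """A device on port 7 claiming WWN-a (which belongs on port 1), policy by policy."""
    full = FabricPolicy(SOFT, HARD, BINDING, authorized_wwns=set(BINDING.values()))
    return {
        "soft_only": evaluate_login(FabricPolicy(soft_zones=SOFT), 7, "WWN-a"),
        "soft_and_hard": evaluate_login(FabricPolicy(SOFT, HARD), 7, "WWN-a"),
        "port_binding": evaluate_login(FabricPolicy(SOFT, HARD, BINDING), 7, "WWN-a"),
        "unknown_wwn": evaluate_login(full, 7, "WWN-zz"),
        "e_port_lock": evaluate_login(FabricPolicy(SOFT, HARD, port_types={7: "E"}), 7, "WWN-a"),
        "legitimate": evaluate_login(full, 1, "WWN-a"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} admitted={result['admitted']!s:5} zones={sorted(result['zones'])} ({result['reason']})")
```

With soft zoning alone the spoofed WWN lands in zone 1, which is the weakness the spoofing slides show; hard zoning confines the device to its port's zone, and port binding or membership authorization rejects the login outright.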
Long Term Solutions
• Encryption of data in transit and in storage
  – Encryption will facilitate data integrity and confidentiality
  – FCSec (Fibre Channel Security)
  – Both data and management encrypted
• Authentication
  – Certificate-based authentication to the fabric
    • Switch to switch and HBA to switch
Conclusion
• What does it all mean?
  – KNOW YOUR RISKS
Acceptable amount of risk + different functionality = secure SANs