In the contemporary data center that includes storage area networks, security is quite important. But SAN security was (and sometimes still is) lagging behind in performance, speed, and port counts.
Deployments of disaster recovery centers, the introduction of IP SANs utilizing SCSI over Internet (iSCSI) and Fibre Channel over IP (FCIP) and virtualization with a plethora of servers all are opening SAN to attacks. Once confined, storage area networks now are opened to potentially malicious traffic. Threats arise from outside as well as within the network (including unintentional mistakes that could bring down the SAN).
A single compromised SAN-attached server could disrupt other SAN-attached devices, access the data without being authorized and bypass existing security devices.
As with any security policy, to be effective an end-to-end approach to SAN security is necessary. One might think that implementing encryption of data at rest is sufficient, forgetting that the SAN remains susceptible to DoS attacks and misconfiguration. SAN security must prevent accidental data loss and corruption as well as protect against intruders.
The following issues have to be addressed:
- SAN fabric and target security.
- SAN fabric protocol security.
- IP storage security.
- SAN management security.
How can we address these areas? By utilizing the following protective measures:
- Segregate traffic for different server farms by dividing a single SAN into virtual fabrics. A virtual SAN (VSAN) restricts communication between devices and improves the stability of the fabric.
- Deploy zoning to restrict communication between devices within the same fabric. Hard zoning or zoning based on logical unit number (LUN) provides better security than soft zoning.
- Confine access to a specific port with port security, thus preventing unauthorized access to the network.
- Utilize Fibre Channel Security Protocol (FC-SP) for host-to-switch and switch-to-switch authentication, to implement fabric and target access security.
- Reject disruptive fabric reconfiguration due to administrative mistakes.
- Use persistent or static FC ID assignment to a port World Wide Name (pWWN).
- Integrate IP Security (IPSec) with FCIP to encrypt the data that traverses the IP network.
- Protect data at rest with storage media encryption (SME), regardless of the storage device type and vendor.
- Authenticate iSCSI initiators with RADIUS or TACACS+ based authentication, using persistent or static initiator WWNs, and confine access with access control lists.
- Control infrastructure configuration with role-based access control (RBAC) integrated with RADIUS/TACACS+ authentication.
- Use a secure mechanism for SAN infrastructure management, such as SSHv2 or SNMPv3.