A storage solution with a security problem
- By John Zyskowski
- Feb 03, 2002
The storage-area network industry, a small but rapidly growing market, is scrambling to address security risks that many customers may not realize they have.
Storage-area networks, or SANs, improve the accessibility of data by serving as a middleman between all storage devices and servers on a network.
Many information technology managers believe SANs are relatively tamper-proof, tucked away as they are in secure data centers and shuttling data only very short distances between servers and storage devices. Plus, SANs run an esoteric network protocol called Fibre Channel, which is unfamiliar to most computer hackers who focus instead on networks that run the far more prevalent Internet Protocol.
But this sense of security is a misconception and is becoming an increasingly dangerous liability as most large enterprises begin to adopt SANs as the storage architecture of choice, according to many industry experts.
Fibre Channel SANs, for example, have several potential vulnerabilities, from deliberate hacker attacks and information theft to the inadvertent destruction of data due to decentralized, hard-to-manage storage configurations.
Although the limited number and scope of SAN deployments have made it easy to ignore security concerns, that complacency will be harder to maintain as SAN adopters such as NASA's Goddard Space Flight Center and others begin to use long-haul, general purpose networks to connect their once-isolated SANs to cross-enterprise storage pools shared by many users and applications.
"As long as [the SAN is] in a small, private computer environment, issues like spoofing don't come into play," said Ben Kobler, a computer scientist at Goddard. Spoofing is accessing a network with an unauthorized server that is posing as an authorized one. "Once you open it up to the world by plugging it into a larger network, there's much more to be concerned about."
The SAN industry is trying to lessen those risks with new security management products and an effort to draft standards designed to give Fibre Channel the security features it lacks. However, interoperability among vendor security products is still several years away, leaving agencies that are building SANs with only a handful of half-measures and proprietary products for the future.
Kobler, along with Jack Cole, a systems analyst with the U.S. Army Research Laboratory in Aberdeen, Md., elaborated on the risks while they were co-chairmen of a December seminar on storage security, sponsored by NASA and the Institute of Electrical and Electronics Engineers.
A SAN "is not a fortress," they wrote. "It is vulnerable at the switches and fabrics, and because a SAN by its very nature is distributed, physical security of servers, switches and wiring cabinets may be difficult to enforce."
With these concerns in mind, Goddard officials are evaluating security options for their growing SANs. The center currently uses two common techniques for managing its SANs that also provide some basic security, though at a level many experts believe is insufficient for enterprisewide use. In one technique, called logical unit number masking, the collective pool of storage capacity created by the SAN's storage devices is divvied up in a virtual sense, allowing system administrators to control which servers can access the various virtual subsets of storage. Administrators can then set up, for example, one virtual pool of storage that only researchers can access, one just for the personnel department and so on.
In the other technique, called zoning, administrators can configure the Fibre Channel switches, which are hardware devices that route data between servers and storage systems in the SAN, to similarly control which servers can access which storage devices.
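As an added illustration (not from the article, and not any vendor's code), the following Python model shows how the two techniques just described compose into one access decision: zoning, enforced at the switch, decides which ports may talk to each other at all, and LUN masking, enforced at the storage device, decides which of those ports may map a particular logical unit. It also includes a small consistency audit that flags mask entries granting access to a server no zone connects to the array. All WWNs, zone names and LUN numbers are constructed for the example.

```python
"""Toy model of Fibre Channel zoning plus LUN masking.

Constructed example for illustration: the WWNs, zone names and LUN
numbers are made up and do not correspond to any real fabric.
"""
from dataclasses import dataclass, field


@dataclass
class FabricZoning:
    """Switch-side control: zone name -> set of port WWNs that may see each other."""
    zones: dict = field(default_factory=dict)

    def same_zone(self, initiator_wwn: str, target_wwn: str) -> bool:
        """True if some zone contains both the server port and the storage port."""
        return any(initiator_wwn in members and target_wwn in members
                   for members in self.zones.values())


@dataclass
class LunMasking:
    """Array-side control: (target WWN, LUN) -> set of initiator WWNs allowed to map it."""
    masks: dict = field(default_factory=dict)

    def permitted(self, initiator_wwn: str, target_wwn: str, lun: int) -> bool:
        return initiator_wwn in self.masks.get((target_wwn, lun), set())


def can_access(zoning: FabricZoning, masking: LunMasking,
               initiator_wwn: str, target_wwn: str, lun: int):
    """Combined decision in the order the fabric applies it: zoning first, then the mask.

    Both checks key on the WWN the initiator presents; that is the whole
    identity they have to work with, which is why the article notes they
    do not address spoofing.
    """
    if not zoning.same_zone(initiator_wwn, target_wwn):
        return (False, "blocked by zoning")
    if not masking.permitted(initiator_wwn, target_wwn, lun):
        return (False, "blocked by LUN mask")
    return (True, "allowed")


def mask_entries_outside_zones(zoning: FabricZoning, masking: LunMasking):
    """Consistency audit: mask grants whose initiator reaches the target through no zone.

    Such entries do nothing today but become live access the moment a zone
    change connects that port, the kind of decentralized, hard-to-manage
    configuration drift the article warns about.
    """
    findings = []
    for (target, lun), initiators in masking.masks.items():
        for init in sorted(initiators):
            if not zoning.same_zone(init, target):
                findings.append((init, target, lun))
    return findings


# Constructed sample configuration (all identifiers made up).
ARRAY = "50:00:00:00:00:AA:00:01"       # storage array port
RESEARCH = "10:00:00:00:C9:00:00:01"    # research server HBA
PERSONNEL = "10:00:00:00:C9:00:00:02"   # personnel-department server HBA
LEGACY = "10:00:00:00:C9:00:00:03"      # decommissioned host with a stale mask entry

ZONING = FabricZoning(zones={
    "research_zone": {RESEARCH, ARRAY},
    "personnel_zone": {PERSONNEL, ARRAY},
})
MASKING = LunMasking(masks={
    (ARRAY, 0): {RESEARCH},             # LUN 0 holds research data
    (ARRAY, 1): {PERSONNEL, LEGACY},    # LUN 1 holds personnel data; LEGACY entry is stale
})

if __name__ == "__main__":
    for host in (RESEARCH, PERSONNEL, LEGACY):
        for lun in (0, 1):
            print(host, "LUN", lun, can_access(ZONING, MASKING, host, ARRAY, lun))
    print("mask grants with no zone path:", mask_entries_outside_zones(ZONING, MASKING))
```

Run it and the research server is allowed LUN 0 but stopped by the mask on LUN 1; the legacy host is stopped by zoning before the mask is ever consulted, and the audit reports its stale LUN 1 grant so an administrator can remove it rather than rely on zoning to keep it harmless.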
However, those measures do little to protect against attacks such as spoofing or to lock down access to the SAN's internal administrative features, which is as good as having a key to the SAN's front door. Among possible solutions, Kobler said Goddard officials were looking at a new product called SecureFabric OS from SAN switch vendor Brocade Communications Systems Inc.
Kamy Kavianian, a product marketing director with Brocade, said the goal of the new product was to let customers more securely "parse out elements of their SANs to share resources across an enterprise." Specifically, SecureFabric OS enables:
* Encrypted user names and passwords to secure communications between the SAN management interface and the switches.
* Greater control over which devices have SAN data access rights and, more important, SAN system administration rights.
* The use of digital certificates to authenticate all new switches that are added to the SAN and to restore broken switch-to-switch connections.
These are the types of features that could become part of new Fibre Channel SAN security standards under consideration by a working group at the Storage Networking Industry Association (SNIA). The group also aims to take security to another level with a standard for encrypting the actual data itself, both while it is in transit across the SAN and at rest on the storage devices, according to Jim Hughes, a fellow at Storage Technology Corp. and co-chairman of the SNIA security working group.
"This could be extremely valuable in the government where you often have different organizations sharing the same computer resources," Hughes said.
Of course, this early standards-development work is no guarantee that there will one day be interoperable SAN products from different vendors that can be mixed and matched to suit an agency's needs. Vendor participation in the SNIA working group has been relatively low, Hughes said.
Also, the SAN industry has had a lackluster track record on product interoperability, and there's little reason to believe that efforts on security will be much different, said Arun Taneja, a senior analyst with the market research firm Enterprise Storage Group. "It's sickening to see the lack of interoperability in Fibre Channel products," he said.
That won't stop vendors from putting out proprietary solutions to address security. Ultimately, that is what users will have to work with and, though not ideal, it is better than nothing, Hughes said.