Second line of defense
The second line of defense forms at the servers and hosts. "You need to have good security on any server attached to the SAN," says StorageIO's Schulz. It's easy to launch an attack on storage systems from a compromised server. Once again, storage managers have little control here, except to exhort their systems and application counterparts to button down all the security settings built into server operating systems. This can be as basic as regularly changing passwords.
Storage managers can implement zoning and masking on the SAN, which limits what a given server or host can access. "This lets you do SAN segmentation, in effect creating sub-SANs," says Schulz. However, zoning and masking provide only a modest amount of security. If the host has been compromised, it's easy to get around such SAN segmentation. Still, "LUN masking and zoning are basics that have to be done," insists Budnik.
"Zoning is a big part of our SAN security," says Lynn Granger, senior manager of data assurance at VeriCenter Inc., Houston. "We're a managed hosting company and we need to separate hosts from each other." Granger also changes passwords on the switches, uses access control lists for the firm's SAN routers and implements Public Key Infrastructure (PKI) to protect management tools.
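As an added example, not part of the original article or any vendor's tooling, the following Python model shows what zoning and LUN masking actually enforce together and the misconfigurations a storage team would want to catch. The WWPNs, zone names and LUN numbers are constructed sample data; the data model (a zone set keyed by zone name, a per-port masking table keyed by LUN) is an assumption chosen for clarity, not any particular switch or array's format.

```python
from dataclasses import dataclass


@dataclass
class Fabric:
    """Switch zoning: zone name -> WWPNs that may communicate with one another."""
    zones: dict

    def zoned_together(self, a: str, b: str) -> bool:
        # The fabric forwards frames only between members of a common zone.
        return any(a in members and b in members for members in self.zones.values())


@dataclass
class ArrayPort:
    """One storage port and its LUN masking table (LUN -> permitted initiator WWPNs).

    An empty permitted set models a LUN the array presents to any initiator that
    logs in, i.e. a LUN nobody remembered to mask.
    """
    wwpn: str
    masks: dict


def visible_luns(fabric: Fabric, port: ArrayPort, initiator: str) -> set:
    """A host sees a LUN only if zoning lets it reach the port AND the mask admits it."""
    if not fabric.zoned_together(initiator, port.wwpn):
        return set()
    return {lun for lun, allowed in port.masks.items() if not allowed or initiator in allowed}


def audit(fabric: Fabric, port: ArrayPort) -> list:
    """Findings a storage admin would want to fix before relying on 'sub-SAN' segmentation."""
    findings = []
    initiators = {w for members in fabric.zones.values() for w in members if w != port.wwpn}
    for lun, allowed in sorted(port.masks.items()):
        if not allowed:
            exposed = sorted(i for i in initiators if fabric.zoned_together(i, port.wwpn))
            findings.append(f"{lun}: no masking; reachable by every zoned initiator {exposed}")
        for w in sorted(allowed):
            if not fabric.zoned_together(w, port.wwpn):
                findings.append(f"{lun}: mask admits {w}, which is not zoned to {port.wwpn} (stale entry)")
    # A zone holding several hosts plus the array port lets those hosts see each other,
    # which defeats the host-to-host separation zoning is supposed to give.
    for name, members in fabric.zones.items():
        hosts = members - {port.wwpn}
        if port.wwpn in members and len(hosts) > 1:
            findings.append(f"zone {name}: {len(hosts)} hosts share a zone with {port.wwpn}; "
                            "prefer single-initiator zones")
    return findings


# Constructed sample configuration (all WWPNs are made up).
FABRIC = Fabric(zones={
    "z_web01_arr": {"10:00:00:00:c9:aa:aa:01", "50:06:01:60:3b:a0:00:01"},
    "z_db_shared": {"10:00:00:00:c9:bb:bb:02", "10:00:00:00:c9:cc:cc:03",
                    "50:06:01:60:3b:a0:00:01"},
})
ARRAY = ArrayPort(wwpn="50:06:01:60:3b:a0:00:01", masks={
    "LUN0": {"10:00:00:00:c9:aa:aa:01"},
    "LUN1": {"10:00:00:00:c9:bb:bb:02"},
    "LUN2": set(),                          # forgotten mask
    "LUN3": {"10:00:00:00:c9:dd:dd:04"},    # host no longer zoned to the array
})

if __name__ == "__main__":
    for host in ("10:00:00:00:c9:aa:aa:01", "10:00:00:00:c9:cc:cc:03", "10:00:00:00:c9:dd:dd:04"):
        print(host, "sees", sorted(visible_luns(FABRIC, ARRAY, host)))
    for finding in audit(FABRIC, ARRAY):
        print("FINDING:", finding)
```

Run against the sample data, the unmasked LUN2 is visible to every host zoned to the port, including the database hosts that were never meant to see it, which is exactly the case where masking and zoning have to be checked against each other rather than assumed to agree.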
Beyond that, storage managers are nearly helpless at this level. "How do you authenticate an HBA so it will talk to storage?" asks Preston. Most SANs authenticate based on the World Wide Name (WWN), which isn't secure.
Third line of defense
The storage team really takes charge of security at the third level, where SAN-connected devices are locked down and communication between devices and switches is secured. You should start by running the latest operating system with all current patches on each device and switch, and change passwords on all equipment regularly. Expect vendors to complain about password changes because they hinder their support technicians, warns Budnik. In addition, close off unused ports and disable unused services on the switches, suggests Schulz.
Things should improve with the introduction of the Fibre Channel Security Protocol (FC-SP) later this spring, says SNIA's Budnik. FC-SP will include protocols for the authentication of FC devices, and will cryptographically secure key exchange as well as communication between FC devices.
The authentication protocols specified under FC-SP are the Challenge-Handshake Authentication Protocol (CHAP) and Diffie-Hellman CHAP (DH-CHAP). CHAP provides bidirectional secure key-exchange authentication for switch-to-switch and host-to-switch authentication. CHAP is required as part of iSCSI, while DH-CHAP is for FC.
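To make concrete what DH-CHAP adds over a WWN-based login, here is an added Python model of the exchange; it is not code from the article, from SNIA or from the FC-SP specification. The message names, the response formula (a hash over the challenge, the provisioned secret and the DH shared value) and the DH parameters are simplifications chosen for illustration: FC-SP negotiates standardised MODP groups and defines its own encoding, whereas this example uses a toy Mersenne-prime group that must not be used in practice. Entity names, secrets and challenge bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only.
P = 2**521 - 1   # a Mersenne prime; real DH-CHAP uses a negotiated standard MODP group
G = 3


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def response(challenge: bytes, secret: bytes, shared: int) -> bytes:
    # Simplified DH-CHAP response: binds the challenge, the long-lived secret and the
    # DH shared value. With shared == 1 (the NULL DH group) this degenerates to plain CHAP.
    return _h(challenge, secret, shared.to_bytes(66, "big"))


class Entity:
    """A switch or HBA holding a table of per-peer secrets provisioned out of band."""

    def __init__(self, name: str, secrets_db: dict, priv: int = None):
        self.name = name
        self.secrets = secrets_db                     # peer name -> shared secret
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)               # DH public value g^x mod p


def run_handshake(initiator: Entity, responder: Entity, c1: bytes = None,
                  c2: bytes = None, null_dh: bool = False):
    """Bidirectional authentication. Returns (initiator_ok, responder_ok, transcript)."""
    c1 = c1 or secrets.token_bytes(16)
    c2 = c2 or secrets.token_bytes(16)
    transcript = []
    # 1. Initiator names itself and offers a hash and DH group (names, not proof, so far).
    transcript.append(("AUTH_Negotiate", initiator.name, "SHA-256", "NULL" if null_dh else "toy-group"))
    # 2. Responder challenges with nonce C1 and its DH public value (1 for the NULL group).
    r_pub = 1 if null_dh else responder.pub
    transcript.append(("DHCHAP_Challenge", responder.name, c1.hex(), r_pub))
    # 3. Initiator derives the shared value, answers C1, and issues its own challenge C2.
    i_pub = 1 if null_dh else initiator.pub
    k_init = 1 if null_dh else pow(r_pub, initiator.priv, P)
    r1 = response(c1, initiator.secrets[responder.name], k_init)
    transcript.append(("DHCHAP_Reply", r1.hex(), c2.hex(), i_pub))
    # 4. Responder recomputes R1 from the secret it holds for the claimed initiator name.
    k_resp = 1 if null_dh else pow(i_pub, responder.priv, P)
    expected = response(c1, responder.secrets.get(initiator.name, b""), k_resp)
    initiator_ok = hmac.compare_digest(r1, expected)
    if not initiator_ok:
        transcript.append(("AUTH_Reject", "initiator failed authentication"))
        return False, False, transcript
    # 5. Responder answers C2 so the initiator can authenticate the switch in turn.
    r2 = response(c2, responder.secrets[initiator.name], k_resp)
    transcript.append(("DHCHAP_Success", r2.hex()))
    responder_ok = hmac.compare_digest(r2, response(c2, initiator.secrets[responder.name], k_init))
    return initiator_ok, responder_ok, transcript


if __name__ == "__main__":
    shared_secret = b"constructed-secret-hostX-switchA"
    host = Entity("host-X", {"switch-A": shared_secret})
    switch = Entity("switch-A", {"host-X": shared_secret})
    ok_i, ok_r, log = run_handshake(host, switch)
    print("host authenticated:", ok_i, "| switch authenticated:", ok_r)
    # A device that merely claims the name "host-X" without the secret is rejected.
    impostor = Entity("host-X", {"switch-A": b"wrong"})
    print("impostor accepted:", run_handshake(impostor, switch)[0])
```

The point of the last two lines is the contrast with WWN-based login: the fabric there accepts whatever name is presented, while in (DH-)CHAP the name is only a lookup key for a secret the device must prove it holds, and the DH exchange adds a fresh shared value so the proof also varies with each session.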
This was first published in June 2006