This article can also be found in the Premium Editorial Download "Storage magazine: Low-cost storage pieces fall into place."
Download it now to read this article plus other related content.
With an amazing number of people leaving the back door of their storage area network (SAN) wide open, it's really time to start thinking about your SAN management interfaces.
If you haven't been following this series over the last two months, here's a quick review. There are five different elements to security. Authentication confirms you are who you say you are. Authorization ensures you're allowed to do what you're trying to do. Integrity makes sure that if you do access it, the data will be what it's supposed to be. Encryption ensures that if someone who isn't supposed to see it does see it, they won't be able to read it. And auditing is a way of double-checking all of the above.
|Six Ways to Secure Your Storage|
I've also said that storage networks created a much easier way for one server to access another server's data. And storage networks have given hackers a new way to get to your data. They may attempt to to steal it, corrupt it or they may simply try to block your access to it.
Last month's article concentrated on how different zoning methods can change your security level. Proper zoning is a protection method against in-band attacks--attacks from within the storage network. If you're using world-wide name (WWN)-based zoning, a hacker that has access to the storage network might get a server's host bus adapter (HBA) to masquerade as another server's HBA and access a given zone. Port-based zoning prevents that because the hacker would need to physically move cables to access a given zone.
However, all zoning methods can be defeated by someone accessing the zoning configuration via the management interface--an out-of-band threat.
Circumvent your security
Management interfaces on Fibre Channel (FC) switches, storage arrays, network-attached storage (NAS) filers and other storage devices have something in common with the storage networks they manage. While they allow you to easily manage the storage resource from anywhere, they also give a hacker another way to circumvent your security. Here are some ways a hacker might use a management interface to access or damage your data.
Consider a SAN that's using port-based hard zoning. As discussed earlier, this means that only those servers physically connected to the appropriate ports can access the storage in a particular zone. If a given server attempts to access a storage array port not in its zone, it will be denied access. This is about as secure as FC gets these days. What might happen if a hacker gained access to the management interface of one of the switches in this SAN?
With most switches, all a hacker with access to this SAN's management interface needs to do is to add a single WWN to this port-based zone. Now the hacked server has access to the entire zone. Additionally, some switches automatically switch to soft zoning if you use even a single WWN as the member of a domain. The assumption is that if you're using WWN-based zoning, you're not concerned about security.
The hacker would have full access to your data--credit card numbers, secret sauce documents, engineering drawings, future company plans, personnel records--once this has been done.
This was first published in October 2003