Protect your SAN from attack, part 2


This article can also be found in the Premium Editorial Download "Storage magazine: Is it time for SAN/NAS convergence?."

Download it now to read this article plus other related content.

Two ways to zone

Requires Free Membership to View

This hypothetical data center illustrates the main concepts involved with zoning for security. We'll use A and B to distinguish between ports on the two redundant switches and W for host bus adapters (HBAs) on our servers and storage. The disk array has eight adapters, labeled W1 through W8, and the four servers have two HBAs apiece, labeled W9 through W16.

Although world-wide names (WWNs) are much longer than this, these 16 designations will serve to represent the 16 WWNs for the eight adapters on the array, and the eight HBAs on the servers.

The green shaded area (containing the second server, four ports on two switches and two adapters on the disk array) represents a zone that we would like to create. We have two choices in how we specify the zone:

Port-based zoning. This method uses the ports to which the members are connected. We would create a zone, and give it a name (e.g., Zone_a). Each of the ports on the switches would also be given aliases (e.g., A3, A6, B1 and B6). We would then say that the members of Zone_a are A3, A6, B1 and B6. This means that anything connected to those ports belongs to Zone_a. This, of course, would be the two HBAs on the server and the two adapters on the disk array.

WWN-based zoning. Another method to list the WWNs of the HBAs and adapters on the disk array belonging to the zone. In this case, that would be W3, W8, W11 and W12. Again, we'd create a zone and name it (e.g., Zone_a). Then each of the HBAs and array adapters would receive an alias (e.g., W3, W8, W11 and W12). We would then specify that the members of Zone_a are W3, W8, W11 and W12, regardless of which switch port (or even which switch) they plug into.

Soft zoning vs. hard zoning
Simply put, the difference between soft zoning and hard zoning is like the difference between a server with no firewall and a server with a firewall.

For example, suppose you have servers that are accessible from the Internet, but their host names are only listed in your internal DNS server that only responds to DNS requests from addresses within your local DNS domain. This means that no one can ask the question, "What is the IP address of the Apollo server at [your company name here]?" But if the person asking the question happens to be on your internal network, the answer would be easily obtained.

It wouldn't take long for a person who's targeting your company to determine the range of IP addresses that you are using, and then launch an attack on each of them. You could also be attacked by any number of random hackers browsing IP addresses looking for servers to hack. The question is not if, but when, you will be attacked.

Now put that server behind a firewall that doesn't allow incoming connections from the Internet. No one from the outside can even access the DNS server, so they're not able to determine its IP address. Even if someone knew the IP address range that you use for your internal network, they wouldn't be able to get through the firewall to try and hack you.

The two scenarios I just described are analogous to soft and hard zoning. With soft zoning, only members of a zone can ask what the other members of the zone are and what their WWNs are, but it doesn't prevent entities that aren't a member of the zone from communicating with members of the zone.

A WWN is equivalent of a MAC address in IP. It's a unique hardware address given to each device by the manufacturer, and part of the address shows which vendor it came from. This means if someone can guess--or obtain through other means--the WWN of one of the members of the zone, that person can communicate with all the devices belonging to that zone.

For example, suppose you have an enterprise disk array with 32 adapters on it, each of which is connected to a SAN. There are also 32 servers connected to the SAN, with one host bus adapter (HBA) each. For administrative reasons, you might create 32 zones, each of which has two members in it: an HBA on the host and an adapter on the storage array. If one of these 32 hosts were compromised, it would be a very simple matter to determine the WWN of the adapter on the disk array that it is connected to, using basic Fibre Channel (FC) commands. How much difference do you suppose there is between the WWNs of the various adapters on the disk array? It's not that much. This means if you know the WWN of Adapter 8, it wouldn't be that hard to figure out the WWN of Adapter 17. You could then create a device that points to that WWN, and read from that disk.

Hard zoning, on the other hand, is enforced. It's also referred to as hardware-enforced zoning. If you're not a member of the zone, you aren't allowed to communicate with members of that zone. It's as simple as that. Even if you were able to guess the WWN of the other members in the zone, you wouldn't be able to communicate with anyone in that zone.

Hard zoning and soft zoning are often used as synonyms to WWN-based zoning and port-based zoning, respectively. This is not the case because:

  • The difference between hard and soft zoning is how it is enforced; and
  • The difference between port-based and WWN-based zoning is how we specify the members of the zone (see "Two ways to zone," on this page).
As discussed in my previous article, WWN-based zoning offers no security. Using the drivers that come with your HBA, you can easily change your WWN, thus spoofing another entity on the SAN and reading its data. Port-based zoning is much safer because it requires someone to physically disconnect the right cable from a switch port, and connect their cable in its place. This would be much more noticeable than a spoofed WWN. This is also the FC equivalent to the way SCSI used to work.

This was first published in September 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: