This article can also be found in the Premium Editorial Download "Storage magazine: How storage managers can survive e-mail archiving."

FC networks are extremely insecure, but there are ways to make them more secure. The first thing is to change how zoning is done. Most people use soft zoning because most soft zoning is implemented using world wide name (WWN)-based zoning. In WWN-based zoning, the members of the zone are specified using the WWNs of the host bus adapters (HBAs) that belong in the zone. For example, HBA1, HBA2 and HBA3 are members of Zone ABC.

Port-based zoning is where the members of a zone are specified by the physical port on the switch to which they connect. For example, everyone connected to ports 1, 2 and 3 are members of Zone DEF.

The reason most people use WWN-based zoning is because it makes moves, adds and changes much easier. When you need to physically move a server from one switch to another, it doesn't require a change in your configuration. However, if you specified the members of the zone based on the port to which they are connected, then you'd have to change your zoning configuration if you moved a server from one port to another or from one switch to another.

Why is zoning a security issue? A zone is what gives certain servers access to the disk or tape drives on the SAN. If you use port-based zoning--the more secure of the two types--someone would need to gain physical access to your switch in order to spoof membership to a given zone, and thus read the data within that zone. If you used WWN-based zoning, they'd only need to spoof the WWN of the intended recipient to gain access to the zone. It's pretty easy to spoof a WWN: It's built right into the HBA driver.

The WWN is analogous to the MAC address on an Ethernet card. While changing the MAC address on an Ethernet card takes a bit of skill, changing the WWN of an HBA is often built right into the driver. Why would vendors do this? Believe it or not, they did it to make things easier on you. If you are using WWN-based zoning--which most people use--what happens if you have to replace an HBA, disk or tape drive? You have to redo your zoning. Therefore, they built the ability to set the new HBA to the WWN of the old HBA right into the driver.

However, this creates a serious vulnerability if one of the hosts on your SAN is compromised. If the hacker is able to obtain (or guess) the WWNs of other HBAs on the SAN, they'll be able to change the WWN of the HBA on the compromised host, then join any zones they want to join, therefore gaining permission to read or write to any disk on the SAN. Of course, the drives might have a SCSI reserve on them, but a simple SCSI bus reset will fix that.
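The two checks a storage administrator can run against this scenario are an audit of which zones depend on WWNs at all, and a watch for a known WWN logging in from a port other than the one it was first seen on (which is what a spoofed WWN on a compromised host looks like from the fabric side). The following script is an added example, not code from the article or from any switch vendor; the zone-configuration text and the fabric-login (FLOGI) history are constructed, simplified formats assumed for illustration, and the names `ZONE_ABC`, `ZONE_DEF`, `ZONE_MIX` and all WWNs are made up.

```python
import re
from collections import defaultdict

# Constructed zone configuration in a hypothetical format (not a real switch dump).
# A member is either a switch port ("domain,port") or a WWN (8 colon-separated hex bytes).
ZONE_CONFIG = """
zone: ZONE_ABC  10:00:00:00:c9:aa:00:01; 10:00:00:00:c9:aa:00:02; 50:06:01:60:00:00:00:01
zone: ZONE_DEF  1,1; 1,2; 1,3
zone: ZONE_MIX  1,4; 10:00:00:00:c9:aa:00:03
"""

# Constructed fabric-login history: "<sequence> <domain,port> <WWN>".
# Events 1-3 form the baseline; event 4 shows the WWN of ZONE_ABC's first HBA
# appearing on port 1,7, which previously hosted a different HBA.
FLOGI_LOG = """
1 1,1 10:00:00:00:c9:aa:00:01
2 1,2 10:00:00:00:c9:aa:00:02
3 1,7 10:00:00:00:c9:bb:00:09
4 1,7 10:00:00:00:c9:aa:00:01
"""

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d+,\d+$")


def classify_member(member):
    """Return 'wwn' or 'port' for one zone member, raising on anything else."""
    m = member.strip()
    if WWN_RE.match(m):
        return "wwn"
    if PORT_RE.match(m):
        return "port"
    raise ValueError(f"unrecognised zone member: {m!r}")


def parse_zones(text):
    """Parse the constructed config into {zone_name: [(member, kind), ...]}."""
    zones = {}
    for line in text.strip().splitlines():
        if not line.startswith("zone:"):
            continue
        name, _, members = line[len("zone:"):].strip().partition(" ")
        zones[name] = [(m.strip(), classify_member(m))
                       for m in members.split(";") if m.strip()]
    return zones


def zone_style(members):
    """Classify a zone as port-based, wwn-based, or mixed."""
    kinds = {kind for _, kind in members}
    if kinds == {"port"}:
        return "port-based"
    if kinds == {"wwn"}:
        return "wwn-based"
    return "mixed"


def audit_zones(zones):
    """Report the style of every zone; anything not port-based relies on WWNs."""
    return {name: zone_style(members) for name, members in zones.items()}


def wwn_zone_membership(zones):
    """Map each WWN (lower-cased) to the zones that admit it by WWN."""
    membership = defaultdict(list)
    for name, members in zones.items():
        for member, kind in members:
            if kind == "wwn":
                membership[member.lower()].append(name)
    return membership


def detect_wwn_moves(flogi_text, zones):
    """Flag a WWN logging in from a port other than the one it was first seen on.

    Returns a list of (seq, wwn, baseline_port, new_port, zones_reachable_by_wwn).
    A legitimate server move also trips this check, so each alert should be
    reconciled against change control before being treated as spoofing.
    """
    baseline = {}
    membership = wwn_zone_membership(zones)
    alerts = []
    for line in flogi_text.strip().splitlines():
        seq, port, wwn = line.split()
        wwn = wwn.lower()
        if wwn not in baseline:
            baseline[wwn] = port
        elif baseline[wwn] != port:
            alerts.append((int(seq), wwn, baseline[wwn], port, membership.get(wwn, [])))
    return alerts


if __name__ == "__main__":
    zones = parse_zones(ZONE_CONFIG)
    for name, style in audit_zones(zones).items():
        print(f"{name}: {style}")
    for seq, wwn, old, new, affected in detect_wwn_moves(FLOGI_LOG, zones):
        print(f"event {seq}: {wwn} moved {old} -> {new}; WWN-admitted zones: {affected}")
```

Run against the constructed data, the audit reports `ZONE_DEF` as the only port-based zone, and the login history produces one alert: the WWN of the first HBA in `ZONE_ABC` reappearing on port 1,7. The alert carries the list of zones that WWN unlocks, which is what makes it worth a phone call: on a port-based zone, the same event would change nothing about what the port can reach.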

One quick way to thwart this hacker is to do one of the following:

  1. Use port-based zoning on all zones and ensure you have physical control over your switches.
  2. Use WWN-based zoning, but don't put hosts with different security levels on the same SAN.
  3. Investigate one of the newer, certificate-based authentication systems that are starting to come onto the market.

Part 2 of this series will help you find what's best for you: soft zoning, WWN-based zoning, port zoning or hard zoning. Look for it in the next issue.

This was first published in August 2003
