It is always a challenge to justify investment in an expense item such as security. So, this time, I thought I would outline some of the potential attacks against your storage networks. Note that while storage is supposedly confined securely within the data center walls, about 80% of attacks are often attributed to insiders.
So what are the possible attacks? There are many, and we can only list some of the common and well-known attack scenarios.
Off-line crypto attack
: This is perhaps one of the more serious attacks on storage networks. It is mounted against your encrypted data. The attacker obtains a copy of the encrypted data, either while it is in flight or while it is at rest, and then launches a variety of attacks against it. Note that the attacker has almost unlimited time to achieve success. For starters, he or she can launch a brute-force attack using multiple machines. A more sophisticated attack may combine some cryptanalysis with the brute-force search to succeed faster. For storage networks, such an attack may be targeted against encrypted data of either kind -- customer data as well as management data.
IP address spoofing
: IP addresses are not protected in an IP packet when IPSec is not in use. So there is no authentication of the source IP address. As such, the attacker can insert a victim's IP address as the source IP address and send out multiple requests. The responses to these requests may flood the victim's machine. This attack may be launched to victimize the storage management server, which is often attached over an IP network.
Replay attack
: In a replay attack, the attacker copies the data or a sequence of messages and resends it at an opportune time. Now consider the sequence when the administrator accesses the storage management server. The admin logs on using a user ID and password. Let us also assume that the password was sent encrypted. The attacker copies the sequence using a sniffer or a similar device. The attacker can then replay this information to access the network. The attack may be launched on a Sunday morning, or whenever the attacker is confident that the admin will not be logged on.
Man-in-the-middle attack
: In this attack, an attacker intercepts a message exchange and poses as the sender to the receiver and as the receiver to the sender. These attacks essentially hijack one of the two endpoints of the session. The attack can take place during the authentication sequence, but the worse case is when it occurs over an already established session.
In no way is the above an exhaustive list of attacks. So what do you do to resist the above attacks? In short:
Offline crypto attacks may be thwarted by using an encryption key strong enough that breaking it takes longer than the information remains valuable
IP address spoofing is prevented by using IPSec
Replay attacks on passwords require using one-time passwords
Man-in-the-middle attacks require authenticating each message in addition to authentication at logon
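The following is an added example, not code from the original article, illustrating the last two mitigations for the replay and man-in-the-middle scenarios described above: every message in an established session between an admin console and the storage management server carries a sequence number and an HMAC tag, so the server can refuse both replayed and altered commands. The session key, message format and function names are all hypothetical.

```python
import hashlib
import hmac
import json
import os
from typing import Tuple

# Constructed example: a per-session key shared by the admin console and the
# storage management server after logon (hypothetical names throughout).
SESSION_KEY = os.urandom(32)


def sign_message(key: bytes, seq: int, body: dict) -> bytes:
    """Serialize a command with its sequence number and append an HMAC tag.

    Authenticating every message, not only the logon, means a man-in-the-middle
    cannot alter commands on an established session, and the sequence number
    lets the receiver refuse a replayed copy of a genuine command.
    """
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"|" + tag.encode()


class Receiver:
    """Server side: verify the tag first, then enforce strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, wire: bytes) -> Tuple[bool, str]:
        payload, _, tag = wire.rpartition(b"|")
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected.encode(), tag):
            return False, "bad tag (tampered or forged)"
        msg = json.loads(payload)
        if msg["seq"] <= self.last_seq:
            return False, "replayed message"
        self.last_seq = msg["seq"]
        return True, "accepted"


if __name__ == "__main__":
    server = Receiver(SESSION_KEY)
    cmd = sign_message(SESSION_KEY, 1, {"cmd": "list-volumes"})
    print(server.accept(cmd))  # genuine command is accepted
    print(server.accept(cmd))  # the same bytes sent again are rejected
```

A real protocol would also bind the sequence number to a timestamp or session identifier so that a key reused across sessions cannot be replayed across them.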