Storage security has been in the limelight for the last two to three years. Vendors, consortia and standards bodies have made an earnest effort to design, develop, document and deliver security technologies that protect storage network resources.
From the perspective of storage security standards, the Fibre Channel Security Protocols (FC-SP) workgroup of ANSI's T11 Technical Committee has been developing security standards for Fibre Channel, and the first working draft of the document has just been published. This document is the start of what should evolve into a comprehensive set of Fibre Channel security standards. The working draft covers the first significant step in storage security: authenticating the storage network entities.
The scope of the draft document includes:
- Protocols to authenticate Fibre Channel entities and set up secrets between them
- Protocols for frame-by-frame integrity and confidentiality
- Protocols to define and distribute security policies
The draft has detailed descriptions of some of the authentication protocols. Three protocols are outlined:
- DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol), based on the well-known CHAP scheme
- FCAP (Fibre Channel Authentication Protocol), using digital certificates
- FCPAP (Fibre Channel Password Authentication and Key Exchange Protocol), using the Secure Remote Password (SRP) scheme
Each protocol authenticates the storage entities to one another and optionally generates a shared secret key between the authenticating entities. These shared keys may then be used to provide confidentiality for frames using the IPsec ESP protocol. DH-CHAP is mandatory, while FCAP and FCPAP are optional authentication protocols. The draft document is dated March 2, 2003 and is available as document number T11/03-149v0. It is termed "a working draft" and as such is subject to changes and revisions until finalized.
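The idea behind the mandatory protocol, a CHAP challenge/response bound to a Diffie-Hellman exchange so that a successful authentication also leaves both sides holding a shared key, is easier to see in code. The following is an added example written for this article, not code from the T11 draft: the message layout, the use of SHA-256, the session-key derivation and the use of the RFC 2409 1024-bit MODP group are all assumptions of this model, and the per-peer secret tables are constructed test data. The draft's actual frame formats, hash identifiers and DH group list are not reproduced here.

```python
"""Simplified model of a DH-CHAP-style mutual authentication.

Added example, not the FC-SP specification: message layout, hash choice,
key derivation and the DH group are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "group 2" 1024-bit MODP prime with generator 2, used only so the
# arithmetic is realistic.  FC-SP defines its own list of DH groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def h(*parts: bytes) -> bytes:
    """Hash used by this model (assumption: SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Port:
    """One Fibre Channel entity (e.g. an N_Port) and its CHAP secrets.

    my_secret    - the secret this port uses to prove its own identity
    peer_secrets - constructed table of the secrets it expects from named peers
    """
    def __init__(self, name: bytes, my_secret: bytes, peer_secrets: dict):
        self.name = name
        self.my_secret = my_secret
        self.peer_secrets = peer_secrets


def dh_chap(initiator: Port, responder: Port):
    """Run one DH-CHAP-style exchange.

    Returns (responder_authenticated, initiator_authenticated, session_key);
    session_key is None unless both directions verified.
    """
    # Fresh ephemeral DH exponents for every attempt: a response captured
    # from an earlier exchange cannot be replayed, because both the challenge
    # and the DH result it is bound to change each time.
    x = secrets.randbelow(P - 3) + 2
    y = secrets.randbelow(P - 3) + 2
    gx, gy = pow(G, x, P), pow(G, y, P)

    # 1. Initiator -> Responder: its name, challenge C1 and DH value g^x
    c1 = secrets.token_bytes(16)

    # 2. Responder: computes the DH result, answers C1 with R1 bound to its
    #    own secret and that result, and sends its own challenge C2 with g^y
    k_resp = pow(gx, y, P)
    r1 = h(c1, responder.my_secret, i2b(k_resp))
    c2 = secrets.token_bytes(16)

    # 3. Initiator: computes the same DH result and checks R1 against the
    #    secret it holds on file for this responder (constant-time compare)
    k_init = pow(gy, x, P)
    on_file = initiator.peer_secrets.get(responder.name, b"")
    responder_ok = hmac.compare_digest(r1, h(c1, on_file, i2b(k_init)))

    # 4. Initiator -> Responder: R2 answering C2 with the initiator's secret
    r2 = h(c2, initiator.my_secret, i2b(k_init))
    on_file = responder.peer_secrets.get(initiator.name, b"")
    initiator_ok = hmac.compare_digest(r2, h(c2, on_file, i2b(k_resp)))

    # 5. Only a mutually successful authentication turns the DH result into a
    #    key that could protect later frames (derivation label is assumed)
    key = h(b"dh-chap-session", i2b(k_init)) if (responder_ok and initiator_ok) else None
    return responder_ok, initiator_ok, key


if __name__ == "__main__":
    host = Port(b"host-wwpn", b"host-secret", {b"array-wwpn": b"array-secret"})
    array = Port(b"array-wwpn", b"array-secret", {b"host-wwpn": b"host-secret"})
    print("good pair:", dh_chap(host, array)[:2])
    rogue = Port(b"host-wwpn", b"guessed", {b"array-wwpn": b"array-secret"})
    print("wrong host secret:", dh_chap(rogue, array)[:2])
```

Two points the model makes visible: a port that claims another port's name but lacks its secret is rejected in the direction that matters, while the array still proves itself to the impostor, which is why mutual authentication (both return values true) should gate the session key; and each run produces a different key because the DH exponents are ephemeral.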
So what does this mean for an enterprise? The answer lies in your storage security policies: roll out security technologies according to your storage security needs. In terms of standards, the security protocols for Fibre Channel are being developed in the following order:
- Storage authentication protocols to authenticate entities within storage networks
- Details of protocols to provide confidentiality
- Integrity of Fibre Channel data at frame level