Protect your SAN from attack, part 2

We continue our security series by looking at how to provide strong authentication for SANs, otherwise known as zoning. The trick is to find the right zoning technique that meets your needs for both security and convenience.

Isn't hard zoning the same as port-based zoning?
No, it's not. Given Brocade Communications Systems Inc.'s predominance in the market, I'm blaming them for this wide misconception. Consider the following quotes from the Brocade Zoning User Guide (Version 2.2 for the SilkWorm 2800): "In a hard zone, sometimes referred to as a port zone, zone members are specified by physical port number ... In a soft zone, at least one zone member is specified by a [world-wide name] WWN."

However, they also say that in soft zoning, "the switch does not control data transfer, so there is no guarantee against data transfer from unauthorized zone members."

This sure sounds like Brocade thought that soft zoning and WWN-based zoning were the same (as well as confusing hard zoning with port zoning). While they are still separate concepts, it's true that up until now, Brocade only offered hardware enforcement (hard zoning) in a port-based zone. You couldn't do hardware enforcement with a WWN-based zone. Therefore, while the two pairs of terms weren't synonymous, in practice they were inseparable.

Consider these restatements of the above manual quotes to bring them in line with what I've been writing: "In a hard zone, sometimes incorrectly referred to as a port zone, zone members are specified by physical port number [because Brocade didn't offer hardware enforcement of WWN-based zones] ... In a soft zone, at least one zone member is specified by a WWN [therefore, if you specify a WWN name as any member of a zone, you will get soft--or nonenforced--zoning because Brocade didn't offer hardware enforcement of WWN-based zones]."

However, in the recent releases of Brocade switches, this is no longer the case. As shown in the specification sheet for the Brocade 12000, you can now specify hardware enforcement based on a WWN, port or even a LUN. Therefore, you can now have hard zoning with a WWN-based zone.

Although SANs can be designed in a secure manner, chances are that your SAN wasn't designed that way. Why? Neither soft zoning nor WWN-based zoning offer bulletproof security, and using them together is an invitation to disaster. And yet, most SANs use both, because that's what your SAN vendor told you to do.

This second part of my series on SAN security will explain the real differences between hard and soft zoning, as well as the differences between soft zoning and WWN-based zoning because the two are often confused with each other. Let's start with a quick review of my previous article, "Protect your SAN from attack," in the August issue of Storage.

There are five aspects of security: authentication, authorization, encryption, integrity and auditing. Authentication makes sure that a server requesting a block of data really is the server that it says it is. Authorization verifies that this server is allowed to view that block of data. Encryption ensures that if authentication or authorization are somehow defeated, the data won't be used by the wrong party. Integrity ensures that when the server gets the block of data it requested, that block actually contains valid data. Lastly, auditing allows for the verification of all of the other aspects, looking for possible security breaches.

This article is mainly concerned with authentication, because without it, there's no way to verify integrity, not much point in encrypting the data and almost no point in giving different servers different authorization. If any server can masquerade as any other server, what's the point?

In the old days of direct-attached storage (DAS), there was no reason to secure the storage. You couldn't get to the storage unless you went through the server. Authorization was built into SCSI, but it was only done to ensure that requests for data were sent to the correct device. No efforts were made to verify that the entity sending or requesting the data was allowed to do so. SCSI assumed that the request was coming from a valid server because someone would have to physically disconnect the SCSI cable from Apollo and plug it into Elvis' SCSI card in order to be able to access Elvis' storage. However, in storage networks, if you don't configure things correctly, it's possible for any server connected to the SAN to see any other server's storage.

Two ways to zone

This hypothetical data center illustrates the main concepts involved with zoning for security. We'll use A and B to distinguish between ports on the two redundant switches and W for host bus adapters (HBAs) on our servers and storage. The disk array has eight adapters, labeled W1 through W8, and the four servers have two HBAs apiece, labeled W9 through W16.

Although world-wide names (WWNs) are much longer than this, these 16 designations will serve to represent the 16 WWNs for the eight adapters on the array, and the eight HBAs on the servers.

The green shaded area (containing the second server, four ports on two switches and two adapters on the disk array) represents a zone that we would like to create. We have two choices in how we specify the zone:

Port-based zoning. This method uses the ports to which the members are connected. We would create a zone, and give it a name (e.g., Zone_a). Each of the ports on the switches would also be given aliases (e.g., A3, A6, B1 and B6). We would then say that the members of Zone_a are A3, A6, B1 and B6. This means that anything connected to those ports belongs to Zone_a. This, of course, would be the two HBAs on the server and the two adapters on the disk array.

WWN-based zoning. Another method is to list the WWNs of the HBAs and adapters on the disk array belonging to the zone. In this case, that would be W3, W8, W11 and W12. Again, we'd create a zone and name it (e.g., Zone_a). Then each of the HBAs and array adapters would receive an alias (e.g., W3, W8, W11 and W12). We would then specify that the members of Zone_a are W3, W8, W11 and W12, regardless of which switch port (or even which switch) they plug into.
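As an added illustration (not code from the article or from any switch vendor), here is a small Python model of the two ways of specifying Zone_a. The four Zone_a ports and WWNs are the ones the article names; every other port assignment, the free ports and the foreign WWN W99 are constructed. The model shows why a move is painless under WWN-based zoning, and why a port-based zone admits whatever happens to be cabled into its ports, which is the process-discipline trade-off the article returns to under "Convenience over security".

```python
# Constructed attachment map for the article's hypothetical data center:
# switch port (A = first switch, B = second switch) -> WWN plugged into it.
# Zone_a's four ports hold array adapters W3/W8 and the second server's HBAs W11/W12;
# the remaining assignments and the free ports are constructed, not from the article.
FABRIC = {
    "A3": "W3",  "B1": "W8",    # disk array adapters in Zone_a
    "A6": "W11", "B6": "W12",   # second server's two HBAs in Zone_a
    "A1": "W9",  "B2": "W10",   # first server's HBAs (not in Zone_a)
    "A7": None,  "B7": None,    # free ports
}

ZONE_A_PORTS = {"A3", "A6", "B1", "B6"}      # port-based definition of Zone_a
ZONE_A_WWNS = {"W3", "W8", "W11", "W12"}     # WWN-based definition of Zone_a


def resolve_port_zone(fabric, ports):
    """Port-based zone: the members are whatever is plugged into the listed ports right now."""
    return {fabric[p] for p in ports if fabric.get(p) is not None}


def resolve_wwn_zone(fabric, wwns):
    """WWN-based zone: the members are the listed WWNs, on whichever port they are attached."""
    attached = set(fabric.values())
    return {w for w in wwns if w in attached}


def recable(fabric, old_port, new_port):
    """Return a new attachment map with the device on old_port moved to new_port."""
    if fabric.get(new_port) is not None:
        raise ValueError(f"{new_port} is already occupied")
    moved = dict(fabric)
    moved[new_port] = moved[old_port]
    moved[old_port] = None
    return moved


def plug(fabric, port, wwn):
    """Return a new attachment map with a device presenting `wwn` plugged into a free port."""
    if fabric.get(port) is not None:
        raise ValueError(f"{port} is already occupied")
    return dict(fabric, **{port: wwn})


def membership_after_move(fabric, old_port, new_port):
    """Show how each zone definition reacts when one Zone_a HBA is moved to another port."""
    moved = recable(fabric, old_port, new_port)
    return {
        "port_zone_before": resolve_port_zone(fabric, ZONE_A_PORTS),
        "port_zone_after": resolve_port_zone(moved, ZONE_A_PORTS),
        "wwn_zone_before": resolve_wwn_zone(fabric, ZONE_A_WWNS),
        "wwn_zone_after": resolve_wwn_zone(moved, ZONE_A_WWNS),
    }


def membership_after_foreign_plug(fabric, zone_port, foreign_wwn):
    """A device the zone never named is cabled into a port that belongs to Zone_a."""
    freed = recable(fabric, zone_port, "A7")          # the legitimate HBA moved off the port
    occupied = plug(freed, zone_port, foreign_wwn)    # something else cabled in its place
    return {
        "port_zone": resolve_port_zone(occupied, ZONE_A_PORTS),
        "wwn_zone": resolve_wwn_zone(occupied, ZONE_A_WWNS),
    }


if __name__ == "__main__":
    print(membership_after_move(FABRIC, "A6", "A7"))
    print(membership_after_foreign_plug(FABRIC, "A6", "W99"))
```

Moving W11 from A6 to A7 silently drops it from the port-based zone while the WWN-based zone is unchanged; cabling the constructed W99 into A6 silently admits it to the port-based zone. Both results argue for the same operational control: port-based zoning is only as good as the change process around the patch panel.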

Soft zoning vs. hard zoning
Simply put, the difference between soft zoning and hard zoning is like the difference between a server with no firewall and a server with a firewall.

For example, suppose you have servers that are accessible from the Internet, but their host names are only listed in your internal DNS server that only responds to DNS requests from addresses within your local DNS domain. This means that no one can ask the question, "What is the IP address of the Apollo server at [your company name here]?" But if the person asking the question happens to be on your internal network, the answer would be easily obtained.

It wouldn't take long for a person who's targeting your company to determine the range of IP addresses that you are using, and then launch an attack on each of them. You could also be attacked by any number of random hackers browsing IP addresses looking for servers to hack. The question is not if, but when, you will be attacked.

Now put that server behind a firewall that doesn't allow incoming connections from the Internet. No one from the outside can even access the DNS server, so they're not able to determine its IP address. Even if someone knew the IP address range that you use for your internal network, they wouldn't be able to get through the firewall to try and hack you.

The two scenarios I just described are analogous to soft and hard zoning. With soft zoning, only members of a zone can ask what the other members of the zone are and what their WWNs are, but it doesn't prevent entities that aren't a member of the zone from communicating with members of the zone.

A WWN is the equivalent of a MAC address in IP networking. It's a unique hardware address assigned to each device by the manufacturer, and part of the address identifies the vendor. This means that if someone can guess--or obtain through other means--the WWN of one of the members of the zone, that person can communicate with all the devices belonging to that zone.

For example, suppose you have an enterprise disk array with 32 adapters on it, each of which is connected to a SAN. There are also 32 servers connected to the SAN, with one host bus adapter (HBA) each. For administrative reasons, you might create 32 zones, each of which has two members in it: an HBA on the host and an adapter on the storage array. If one of these 32 hosts were compromised, it would be a very simple matter to determine the WWN of the adapter on the disk array that it is connected to, using basic Fibre Channel (FC) commands. How much difference do you suppose there is between the WWNs of the various adapters on the disk array? It's not that much. This means if you know the WWN of Adapter 8, it wouldn't be that hard to figure out the WWN of Adapter 17. You could then create a device that points to that WWN, and read from that disk.

Hard zoning, on the other hand, is enforced. It's also referred to as hardware-enforced zoning. If you're not a member of the zone, you aren't allowed to communicate with members of that zone. It's as simple as that. Even if you were able to guess the WWN of the other members in the zone, you wouldn't be able to communicate with anyone in that zone.

Hard zoning and soft zoning are often used as synonyms to WWN-based zoning and port-based zoning, respectively. This is not the case because:

  • The difference between hard and soft zoning is how it is enforced; and
  • The difference between port-based and WWN-based zoning is how we specify the members of the zone (see "Two ways to zone," on this page).

As discussed in my previous article, WWN-based zoning offers no security. Using the drivers that come with your HBA, you can easily change your WWN, thus spoofing another entity on the SAN and reading its data. Port-based zoning is much safer because it requires someone to physically disconnect the right cable from a switch port, and connect their cable in its place. This would be much more noticeable than a spoofed WWN. This is also the FC equivalent to the way SCSI used to work.

What's port binding?
Because vendors are aware that world-wide names (WWNs) are spoofable, they wanted to offer a way to use WWN-based zoning, but have some level of security. Their solution: port binding. This means you can bind a WWN to a port so that hardware enforcement will only allow traffic to and from that WWN if it's connected to the right switch port. I suppose you could consider this defense in depth. This method defeats both the WWN spoofer and the person who physically switched ports. But I think it goes a bit too far. Port-based hard zoning offers the best solution to date.
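The three enforcement behaviours this article contrasts (soft zoning under "Soft zoning vs. hard zoning", hard zoning, and the port binding described just above) can be put side by side in one small model. The Python below is an added example of my own, not Brocade's logic or any real switch code. It treats a frame as addressed to a destination WWN, which is a simplification of Fibre Channel addressing, and its port assignments, zone names and the binding of W11 to A6 are constructed. The point of the `denied` list is the defender's: hardware enforcement is also where a switch can log the cross-zone attempts that soft zoning would simply forward.

```python
from dataclasses import dataclass, field


@dataclass
class ZonedFabric:
    """Toy model of switch-side zone enforcement (constructed for illustration)."""
    attachments: dict                              # switch port -> WWN the attached device presents
    zones: dict                                    # zone name -> set of member WWNs (already resolved)
    hard: bool = False                             # False = soft zoning, True = hardware-enforced
    bindings: dict = field(default_factory=dict)   # port binding: WWN -> the only port it may use
    denied: list = field(default_factory=list)     # audit log of frames the switch blocked

    def _zones_of(self, wwn):
        return [name for name, members in self.zones.items() if wwn in members]

    def _binding_ok(self, port, wwn):
        # A bound WWN is accepted only on its bound port; unbound WWNs pass this check.
        return self.bindings.get(wwn, port) == port

    def name_server_query(self, port):
        """Name-server view from `port`: only WWNs that share a zone with the requester.
        Both soft and hard zoning filter this; soft zoning filters *only* this."""
        wwn = self.attachments[port]
        if not self._binding_ok(port, wwn):
            return set()
        visible = set()
        for name in self._zones_of(wwn):
            visible |= self.zones[name]
        return visible - {wwn}

    def permit_frame(self, src_port, dst_wwn):
        """Decide whether the switch forwards a frame from src_port to dst_wwn."""
        src_wwn = self.attachments[src_port]
        if not self._binding_ok(src_port, src_wwn):
            self.denied.append((src_port, src_wwn, dst_wwn, "port-binding"))
            return False
        if not self.hard:
            return True      # soft zoning: nothing stops a frame to a WWN you already know
        if any(dst_wwn in self.zones[name] for name in self._zones_of(src_wwn)):
            return True
        self.denied.append((src_port, src_wwn, dst_wwn, "hard-zone"))
        return False


# Constructed fabric: Zone_a as in the article, plus a second zone for the first server.
ATTACH = {"A3": "W3", "B1": "W8", "A6": "W11", "B6": "W12",   # Zone_a members
          "A1": "W9", "A2": "W1"}                              # Zone_b members
ZONES = {"Zone_a": {"W3", "W8", "W11", "W12"}, "Zone_b": {"W9", "W1"}}


def cross_zone_outcomes():
    """Server W9 (Zone_b) addresses array adapter W3 (Zone_a) under each enforcement model."""
    soft = ZonedFabric(ATTACH, ZONES, hard=False)
    hard = ZonedFabric(ATTACH, ZONES, hard=True)
    return {
        "nameserver_hides_W3": "W3" not in soft.name_server_query("A1"),
        "soft_forwards": soft.permit_frame("A1", "W3"),
        "hard_forwards": hard.permit_frame("A1", "W3"),
        "hard_denials": len(hard.denied),
    }


def spoofed_wwn_outcomes():
    """A device on the free port A7 presents Zone_a member W11's WWN (constructed scenario)."""
    attach = dict(ATTACH, A7="W11")
    hard_only = ZonedFabric(attach, ZONES, hard=True)
    bound = ZonedFabric(attach, ZONES, hard=True, bindings={"W11": "A6"})
    return {
        "hard_wwn_zone_forwards": hard_only.permit_frame("A7", "W3"),
        "with_port_binding_forwards": bound.permit_frame("A7", "W3"),
        "binding_denial_logged": bound.denied[-1][3] == "port-binding",
    }


if __name__ == "__main__":
    print(cross_zone_outcomes())
    print(spoofed_wwn_outcomes())
```

Under soft zoning the name server hides W3 from W9, yet the frame to W3 is forwarded anyway, which is the "no firewall" case from the analogy. Hard zoning blocks it and records the attempt. Hardware-enforced WWN zoning on its own still forwards a frame from a port presenting a Zone_a WWN, and only the port binding turns that into a logged denial, which is exactly the gap the author closes by preferring port-based hard zoning.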

Convenience over security
Considering the increased security implications, why do people use soft zoning? Simply put, most SAN implementations to date have prioritized convenience over security. The following quote from the "Brocade Zoning Implementation Strategies" document says it all. According to the Brocade Zoning User Guide (Version 2.2 for the SilkWorm 2800), port-based zoning, "provides good security in the fabric but requires reliable processes to prevent incorrect devices from being attached to the wrong ports. You should normally avoid this form of zoning unless you have rigidly enforced processes for port and device allocation in the fabric."

In other words, port-based zoning increases your security, but it makes moves, adds and changes more difficult. With WWN-based zoning, you can move a server to any port on any switch, and not worry about a thing. With port-based zoning, you would need to add the new port to the zone and subtract the old port from the zone. Yes, it's more work. It's always more work to have decent security, and it's also easier not to back up your data.

Remember, if you care about security, forget everything you've been taught about how to create zones. Yes, I know that many SAN instructors tell you to use WWN-based zoning because it's a lot easier to use than port-based zoning. But if you want security in your SAN, don't use WWNs to specify the members of your zones, and don't use soft zoning. The former is spoofable, and the latter is laughable.
