|Isn't hard zoning the same as port-based zoning?|
This second part of my series on SAN security will explain the real differences between hard and soft zoning, as well as the differences between soft zoning and WWN-based zoning because the two are often confused with each other. Let's start with a quick review of my previous article, "Protect your SAN from attack," in the August issue of Storage.
There are five aspects of security: authentication, authorization, encryption, integrity and auditing. Authentication makes sure that a server requesting a block of data really is the server that it says it is. Authorization verifies that this server is allowed to view that block of data. Encryption ensures that if authentication or authorization are somehow defeated, the data won't be used by the wrong party. Integrity ensures that when the server gets the block of data it requested, that block actually contains valid data. Lastly, auditing allows for the verification of all of the other aspects, looking for possible security breaches.
This article is mainly concerned with authentication, because without it, there's no way to verify integrity, not much point in encrypting the data and almost no point in giving different servers different authorization. If any server can masquerade as any other server, what's the point?
In the old days of direct-attached storage (DAS), there was no reason to secure the storage. You couldn't get to the storage unless you went through the server. Authorization was built into SCSI, but it was only done to ensure that requests for data were sent to the correct device. No efforts were made to verify that the entity sending or requesting the data was allowed to do so. SCSI assumed that the request was coming from a valid server because someone would have to physically disconnect the SCSI cable from Apollo and plug it into Elvis' SCSI card in order to be able to access Elvis' storage. However, in storage networks, if you don't configure things correctly, it's possible for any server connected to the SAN to see any other server's storage.
|Two ways to zone|
This hypothetical data center illustrates the main concepts involved with zoning for security. We'll use A and B to distinguish between ports on the two redundant switches and W for host bus adapters (HBAs) on our servers and storage. The disk array has eight adapters, labeled W1 through W8, and the four servers have two HBAs apiece, labeled W9 through W16.
Although world-wide names (WWNs) are much longer than this, these 16 designations will serve to represent the 16 WWNs for the eight adapters on the array, and the eight HBAs on the servers.
The green shaded area (containing the second server, four ports on two switches and two adapters on the disk array) represents a zone that we would like to create. We have two choices in how we specify the zone:
Port-based zoning. This method uses the ports to which the members are connected. We would create a zone, and give it a name (e.g., Zone_a). Each of the ports on the switches would also be given aliases (e.g., A3, A6, B1 and B6). We would then say that the members of Zone_a are A3, A6, B1 and B6. This means that anything connected to those ports belongs to Zone_a. This, of course, would be the two HBAs on the server and the two adapters on the disk array.
WWN-based zoning. Another method to list the WWNs of the HBAs and adapters on the disk array belonging to the zone. In this case, that would be W3, W8, W11 and W12. Again, we'd create a zone and name it (e.g., Zone_a). Then each of the HBAs and array adapters would receive an alias (e.g., W3, W8, W11 and W12). We would then specify that the members of Zone_a are W3, W8, W11 and W12, regardless of which switch port (or even which switch) they plug into.
Soft zoning vs. hard zoning
Simply put, the difference between soft zoning and hard zoning is like the difference between a server with no firewall and a server with a firewall.
For example, suppose you have servers that are accessible from the Internet, but their host names are only listed in your internal DNS server that only responds to DNS requests from addresses within your local DNS domain. This means that no one can ask the question, "What is the IP address of the Apollo server at [your company name here]?" But if the person asking the question happens to be on your internal network, the answer would be easily obtained.
It wouldn't take long for a person who's targeting your company to determine the range of IP addresses that you are using, and then launch an attack on each of them. You could also be attacked by any number of random hackers browsing IP addresses looking for servers to hack. The question is not if, but when, you will be attacked.
Now put that server behind a firewall that doesn't allow incoming connections from the Internet. No one from the outside can even access the DNS server, so they're not able to determine its IP address. Even if someone knew the IP address range that you use for your internal network, they wouldn't be able to get through the firewall to try and hack you.
The two scenarios I just described are analogous to soft and hard zoning. With soft zoning, only members of a zone can ask what the other members of the zone are and what their WWNs are, but it doesn't prevent entities that aren't a member of the zone from communicating with members of the zone.
A WWN is equivalent of a MAC address in IP. It's a unique hardware address given to each device by the manufacturer, and part of the address shows which vendor it came from. This means if someone can guess--or obtain through other means--the WWN of one of the members of the zone, that person can communicate with all the devices belonging to that zone.
For example, suppose you have an enterprise disk array with 32 adapters on it, each of which is connected to a SAN. There are also 32 servers connected to the SAN, with one host bus adapter (HBA) each. For administrative reasons, you might create 32 zones, each of which has two members in it: an HBA on the host and an adapter on the storage array. If one of these 32 hosts were compromised, it would be a very simple matter to determine the WWN of the adapter on the disk array that it is connected to, using basic Fibre Channel (FC) commands. How much difference do you suppose there is between the WWNs of the various adapters on the disk array? It's not that much. This means if you know the WWN of Adapter 8, it wouldn't be that hard to figure out the WWN of Adapter 17. You could then create a device that points to that WWN, and read from that disk.
Hard zoning, on the other hand, is enforced. It's also referred to as hardware-enforced zoning. If you're not a member of the zone, you aren't allowed to communicate with members of that zone. It's as simple as that. Even if you were able to guess the WWN of the other members in the zone, you wouldn't be able to communicate with anyone in that zone.
Hard zoning and soft zoning are often used as synonyms to WWN-based zoning and port-based zoning, respectively. This is not the case because:
- The difference between hard and soft zoning is how it is enforced; and
- The difference between port-based and WWN-based zoning is how we specify the members of the zone (see "Two ways to zone," on this page).
|What's port binding?|
Convenience over security
Considering the increase security implications, why do people use soft zoning? Simply put, most SAN implementations to date have prioritized convenience over security. The following quote from the "Brocade Zoning Implementation Strategies" document says it all. According to the Brocade Zoning User Guide (Version 2.2 for the SilkWork 2800), port-based zoning, "provides good security in the fabric but requires reliable processes to prevent incorrect devices from being attached to the wrong ports. You should normally avoid this form of zoning unless you have rigidly enforced processes for port and device allocation in the fabric."
In other words, port-based zoning increases your security, but it makes moves, adds and changes more difficult. With WWN-based zoning, you can move a server to any port on any switch, and not worry about a thing. With port-based zoning, you would need to add the new port to the zone and subtract the old port from the zone. Yes, it's more work. It's always more work to have decent security, and it's also easier not to back up your data.
Remember, if you care about security, forget everything you've been taught about how to create zones. Yes, I know that many SAN instructors tell you to use WWN-based zoning because it's a lot easier to use than port-based zoning. But if you want security in your SAN, don't use WWNs to specify the members of your zones, and don't use soft zoning. The former is spoofable, and the latter is laughable.
Dig Deeper on SAN technology and arrays
What is SAN zoning and what are the different types of zoning?By: Simon Gordon
Storage 101: How to create, share and manage a LUN in SAN storage
How NPIV almost guarantees unique WWNs
Fibre Channel SAN zoning: Pros and cons of WWN zoning and port zoningBy: Steve Pinder