The road to practical SAN security

The spread of SANs has created a growing number of security products that address specific Achilles' heels, from authentication to transmission to encryption.

As storage networks grow from isolated data center environments to IP-enabled networks spanning the world, users are starting to consider issues with security. Along with greater flexibility and consolidation of storage, the networking of storage has brought along the other risks of networks: hacking, denial of service, data theft and network availability. This article looks at some of the fears and worries of storage managers, and emerging solutions they hope will keep security threats away from their networks.

Security concerns for storage
Until recently, security was rarely considered an issue in storage. Dedicated storage was secure by nature, and storage networks were mostly installed within the bounds of physically secure data centers. The issue hasn't been security, but ensuring data integrity and allocating storage. Even with the rapid growth of storage networks, security concerns have only increased incrementally, mostly to handle allocation of shared storage, which has been dealt with by implementing zoning and LUN access controls. Configuration control and keeping administrators from accidentally destroying data have been the main focus - as opposed to dealing with hostile threats and fears of the wrong people accessing or tampering with stored data.

Dan Tanner, an analyst at the Aberdeen Group, Boston, MA, says security is now becoming more important, "if transmission is beyond a data center or firewall."

Storage security solutions

Goal                                                   Approach                                  Vendors
Prevent unauthorized access to management interfaces   Configurable interfaces, SSH, SSL         Brocade
Protect data on disk                                   Data encryption                           Paranoia, NeoScale
Protect data in transit                                Encrypting storage firewall appliances    Cylink, NeoScale, Vormetric
End-to-end IP storage encryption                       IPsec silicon                             Hifn/Trebia, NetOctave

One major factor is shared storage requirements for multitenant networks - such as storage service providers or corporate customers - who want to subdivide their networks between customers or departments. According to Wes Garner, an engineer on the storage team at Application Service Provider (ASP) USinternetworking, Annapolis, MD, "We already have in place LUN level masking on storage implementation, and on the SAN we use hardware port-level zoning. Access to the data is pretty well defined within each data center." USi has about 75TB of storage in their data centers, and has a shared SAN environment between customers. However, Garner is worried about security because "there are switches out there that are accessible because they need to be managed." He adds, "we need to make sure the availability and integrity of our client data is not affected in any way."

Another reason pushing security to the forefront is the issue of transferring data over public networks. As users start to expand data traffic beyond the data center, to remote locations and across wide geographic distances, security has become an important issue. Aberdeen's Tanner says, "When storage is networked, security becomes more important, especially if the network isn't contained within a secure data center." With the advent of IP-based storage networking, data is now readily accessible as it travels over unsecured IP infrastructure. The ever-present threat of hackers and the fundamentally insecure nature of public networks have made security a top priority in these IP-enabled solutions.

In fact, even with safe internal networks behind a firewall, there's still a need for securing storage data. On public networks, "Everyone understands that SSL/TLS [Transport Layer Security is based on Secure Sockets Layer, a commonly-used protocol for managing the security of a message transmission on the Internet] is needed to protect passwords, credit card numbers and the like," says David Black, an architect at EMC and one of the contributors to the iSCSI spec. "The problem is with less-than-public networks - it's very easy to assume that the entire corporate LAN behind the firewall[s] is secure, and that's not only just plain wrong, but dangerously so."

Finally, vendors cite recent legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which mandate that certain industries must store and manage their data in a secure manner. These pieces of legislation require that these firms secure their data from unauthorized use or access to a much greater degree than they previously have been, including encryption on disk or tape and across network links.

Users' security concerns
The top threats to storage network security include modification, destruction or theft of data, denial of service or viruses, hacking - particularly through management interfaces such as Web interfaces and Telnet - and operator error/mistakes. However, depending on who you ask, some of these areas are more important than others.

Aside from the issues of preventing rogue or improperly configured servers from corrupting or accessing data in Fibre Channel (FC), security issues in storage networks in the data center are mostly limited to access to Ethernet management ports. Roy Hall, director of storage engineering at GlaxoSmithKline, points to hacking of management interfaces as the threat he worries most about. He says, "Some of our SAN management tools use Web interfaces, and thus are vulnerable in that they can be accessed via our LAN." According to Kamy Kavianian, product manager at Brocade, among their customers' top concerns is "secure management access." These companies often want to turn off features of their switches - for example, SNMP support or Telnet - to limit the number of exposed management interfaces. Kavianian says their top customers for their security offerings are primarily in the government sector and government contractors, followed by banks and financial institutions and then by enterprise customers with strict security policies.

Security-conscious users have started demanding network-style security options for their storage network gear to minimize unauthorized use of their hardware. Many vendors are already offering, or are in the process of adding, support for secure shell (SSH) access to their boxes, Secure Sockets Layer (SSL) communications with Web interfaces, and integration with centralized authentication protocols such as RADIUS and TACACS+.
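As an added illustration (not code from the article, from Brocade or from any other vendor named here), the following Go program audits a switch's management-plane configuration against the practices this section describes: Telnet and plain HTTP switched off in favour of SSH and SSL, SNMP v1/v2c switched off or moved to v3, and logins validated by RADIUS or TACACS+ instead of local switch accounts. The configuration model, the policy rules, the Harden routine and the sample configuration are all constructed for the example and do not correspond to any vendor's configuration format.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ManagementService is one management listener on a SAN switch or storage
// controller, as an administrator would transcribe it from the device
// configuration. Constructed data model; not any vendor's format.
type ManagementService struct {
	Name     string // telnet, ssh, http, https, ftp, sftp, snmp
	Enabled  bool
	Version  string // protocol version where it matters (SNMP: v1, v2c, v3)
	AuthMode string // local, radius or tacacs+ (who validates the login)
}

// Finding is one policy violation together with its remediation.
type Finding struct {
	Service string
	Reason  string
	Fix     string
}

// cleartextServices maps each cleartext management protocol to the
// encrypted replacement the article mentions (SSH, SSL/HTTPS).
var cleartextServices = map[string]string{"telnet": "ssh", "http": "https", "ftp": "sftp"}

// loginServices are interactive interfaces whose accounts should be validated
// centrally (RADIUS/TACACS+) rather than by local switch accounts.
var loginServices = map[string]bool{"telnet": true, "ssh": true, "http": true, "https": true}

func weakSNMP(s ManagementService) bool {
	return s.Name == "snmp" && (s.Version == "v1" || s.Version == "v2c")
}

func localOnly(s ManagementService) bool {
	return loginServices[s.Name] && (s.AuthMode == "" || s.AuthMode == "local")
}

// AuditManagementPlane returns the findings for a configuration, sorted by
// service and reason so the report is stable.
func AuditManagementPlane(services []ManagementService) []Finding {
	var findings []Finding
	for _, s := range services {
		s.Name = strings.ToLower(s.Name)
		if !s.Enabled {
			continue
		}
		if secure, ok := cleartextServices[s.Name]; ok {
			findings = append(findings, Finding{s.Name, "cleartext management protocol enabled",
				"disable " + s.Name + " and use " + secure})
		}
		if weakSNMP(s) {
			findings = append(findings, Finding{s.Name, "SNMP " + s.Version + " authenticates with a cleartext community string",
				"disable SNMP or move to SNMPv3 with authentication and privacy"})
		}
		if localOnly(s) {
			findings = append(findings, Finding{s.Name, "local accounts only",
				"authenticate " + s.Name + " logins against RADIUS or TACACS+"})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Service != findings[j].Service {
			return findings[i].Service < findings[j].Service
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

// Harden returns a copy of the configuration with every fix applied: cleartext
// listeners are switched off and their encrypted counterpart switched on (added
// if absent), SNMP v1/v2c becomes v3, and login services are pointed at RADIUS.
func Harden(services []ManagementService) []ManagementService {
	out := make([]ManagementService, 0, len(services))
	needSecure := map[string]bool{} // encrypted replacements that must end up enabled
	for _, s := range services {
		s.Name = strings.ToLower(s.Name)
		if secure, ok := cleartextServices[s.Name]; ok && s.Enabled {
			s.Enabled = false
			needSecure[secure] = true
		}
		if weakSNMP(s) {
			s.Version = "v3"
		}
		if localOnly(s) {
			s.AuthMode = "radius"
		}
		out = append(out, s)
	}
	for i := range out {
		if needSecure[out[i].Name] {
			out[i].Enabled = true
			delete(needSecure, out[i].Name)
		}
	}
	for name := range needSecure { // replacement was never configured: add it
		out = append(out, ManagementService{Name: name, Enabled: true, AuthMode: "radius"})
	}
	return out
}

// SampleConfig is a constructed configuration of the kind the article
// describes: Telnet and a plain-HTTP Web interface still on, SNMP v2c for
// monitoring, SSH and HTTPS already tied to RADIUS, FTP present but off.
func SampleConfig() []ManagementService {
	return []ManagementService{
		{Name: "telnet", Enabled: true, AuthMode: "local"},
		{Name: "ssh", Enabled: true, AuthMode: "radius"},
		{Name: "http", Enabled: true, AuthMode: "local"},
		{Name: "https", Enabled: true, AuthMode: "radius"},
		{Name: "snmp", Enabled: true, Version: "v2c"},
		{Name: "ftp", Enabled: false, AuthMode: "local"},
	}
}

func main() {
	for _, f := range AuditManagementPlane(SampleConfig()) {
		fmt.Printf("%-7s %-62s -> %s\n", f.Service, f.Reason, f.Fix)
	}
	fmt.Println("findings after hardening:", len(AuditManagementPlane(Harden(SampleConfig()))))
}
```

Running it lists five findings for the sample configuration (two each for Telnet and HTTP, one for SNMP v2c) and zero after Harden has been applied; the same audit run before and after a change is a cheap way to confirm that disabling a management service did not silently leave its cleartext sibling listening.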

Some users, mostly government agencies, the health care industry and financial institutions, are worried about protecting stored data. The threat of modification or accessing data on disk is usually addressed by encrypting all data stored on disk or tape. Either through a special file system or backup software, data is usually encrypted at the host and stored in that encrypted form on tape or disk, preventing unauthorized users from reading that data.
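To make concrete what "encrypted at the host and stored in that encrypted form" means, here is an added Go example (not from the article or from any vendor named in it) that models a disk or tape as a block store and encrypts every block with AES-GCM before it reaches the medium. It also carries two checks a practitioner would want from such a scheme: a record that is modified on the medium or copied to a different block number is rejected on read, and a fresh nonce is drawn for every write so rewriting a block never reuses one. The block size, the in-memory medium and the helper names (EncryptedStore, FillBlock and so on) are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// BlockSize is the logical block size in bytes (constructed value for the example).
const BlockSize = 512

// EncryptedStore models a disk or tape as a map from logical block number to
// the record actually written to the medium. The key never leaves the host;
// the medium only ever holds a random nonce, the ciphertext and its GCM tag.
type EncryptedStore struct {
	aead   cipher.AEAD
	blocks map[uint64][]byte
}

// NewEncryptedStore takes a 16-, 24- or 32-byte AES key held by the host.
func NewEncryptedStore(key []byte) (*EncryptedStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedStore{aead: aead, blocks: map[uint64][]byte{}}, nil
}

// blockAD binds the block number to the ciphertext as associated data, so a
// record copied to another block number fails authentication on read.
func blockAD(n uint64) []byte {
	var ad [8]byte
	binary.BigEndian.PutUint64(ad[:], n)
	return ad[:]
}

// WriteBlock encrypts one block at the host before it reaches the medium. A
// fresh random nonce is used per write: deriving the nonce from the block
// number alone would repeat it whenever a block is rewritten, which breaks GCM.
func (s *EncryptedStore) WriteBlock(n uint64, plaintext []byte) error {
	if len(plaintext) != BlockSize {
		return errors.New("plaintext must be exactly one block")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.blocks[n] = append(nonce, s.aead.Seal(nil, nonce, plaintext, blockAD(n))...)
	return nil
}

// ReadBlock decrypts block n and fails if the stored record was modified,
// truncated or moved from another block.
func (s *EncryptedStore) ReadBlock(n uint64) ([]byte, error) {
	stored, ok := s.blocks[n]
	if !ok {
		return nil, errors.New("no such block")
	}
	ns := s.aead.NonceSize()
	if len(stored) < ns+s.aead.Overhead() {
		return nil, errors.New("stored record too short")
	}
	return s.aead.Open(nil, stored[:ns], stored[ns:], blockAD(n))
}

// RawBlock is what someone with access to the medium but not the key sees.
func (s *EncryptedStore) RawBlock(n uint64) []byte { return s.blocks[n] }

// TamperBlock flips one bit of a stored record (modification at rest);
// SwapBlocks exchanges two records (relocating ciphertext between blocks).
func (s *EncryptedStore) TamperBlock(n uint64)   { s.blocks[n][len(s.blocks[n])-1] ^= 0x01 }
func (s *EncryptedStore) SwapBlocks(a, b uint64) { s.blocks[a], s.blocks[b] = s.blocks[b], s.blocks[a] }

// FillBlock builds a one-block plaintext of a repeated byte (constructed test data).
func FillBlock(b byte) []byte { return bytes.Repeat([]byte{b}, BlockSize) }

func main() {
	key := make([]byte, 32) // the host's key; generated fresh here for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, err := NewEncryptedStore(key)
	if err != nil {
		panic(err)
	}
	_ = store.WriteBlock(7, FillBlock('A'))
	_ = store.WriteBlock(8, FillBlock('B'))
	raw := store.RawBlock(7)
	fmt.Printf("medium holds %d bytes for block 7; plaintext visible: %v\n", len(raw), bytes.Contains(raw, FillBlock('A')[:16]))
	pt, err := store.ReadBlock(7)
	fmt.Println("host read ok:", err == nil && bytes.Equal(pt, FillBlock('A')))
	store.SwapBlocks(7, 8)
	_, err = store.ReadBlock(7)
	fmt.Println("after block swap, read error:", err)
	store.SwapBlocks(7, 8)
	store.TamperBlock(7)
	_, err = store.ReadBlock(7)
	fmt.Println("after tampering, read error:", err)
}
```

The medium sees 28 bytes more than the plaintext per block (12-byte nonce plus 16-byte tag), which is the storage cost of getting integrity as well as confidentiality; a plain block cipher mode without a tag would hide the data but let silent modification through, which is exactly the "modification" threat the paragraph lists alongside disclosure.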

Emerging security solutions
As users start to seriously think about securing their storage networks, companies are racing to address user concerns. For example, U.K.-based Digital Interactive Solutions provides a hardware-accelerated encryption device for SCSI tape, with plans to add FC capability to their device towards the end of the year. "The reason people go for a dedicated hardware solution boils down to speed, security and interchangeability," says Paul Howard, managing director of Digital Interactive Solutions.

Switch giant Brocade also has its eyes on the security space and completed a beta test of its Secure Fabric OS product in January, with product available now. Brocade's Kavianian says, "Secure Fabric OS is the first instance of our security architecture," and includes "secure management communications, management access controls, fundamental enhancements in interswitch links, port-level access policies and trusted switches." The company's Secure Fabric OS currently runs on all of the company's 1GB hardware as an add-on license, and mostly addresses security of management interfaces and log-in authentication. The company has also added public key-based certificates for authentication of switches, which prevents non-authorized switches from joining a FC network. However, the company currently has no plans for encryption of the data on the network.

Kavianian says, "Good security hygiene says that you encrypt at the source and destination. The server - not the network - should encrypt the data." In addition, he says, "Currently, there is nothing out there that can encrypt at 2GB/s. Encryption must be well thought out, because a SAN was designed to move large blocks of data in an efficient manner and you don't want to put anything in the way [that degrades the SAN's performance]." George Guethlein, who manages enterprise storage and backup at USinternetworking, says "Brocade's Secure Fabric OS seems to fit our needs."

Startups are also trying to get into the game. NeoScale Systems, Milpitas, CA, is developing a network security appliance for FC networks, which works as part of the network to encrypt block-level storage data on-the-fly at wire speeds. Mike Alvarado, senior product manager at NeoScale says, "We have developed our own storage security processors, and also incorporate other complementary components, such as encryption processing from Hifn." NeoScale is targeting system integrators for its solution. "We expect to sell our solutions through system integrators because customers expect complete solutions to be delivered," Alvarado says.

On the iSCSI front, a number of companies are developing silicon that provides hardware acceleration for IPsec, a necessity at gigabit speeds. EMC's Black says, "At the higher speeds that the IP Storage protocols can use [gigabit or a serious fraction of it], hardware acceleration of some form is required to use IPsec effectively." Aberdeen's Tanner concurs, saying "Wire-speed should be the standard. It will probably require storage security silicon." NetOctave, in Morrisville, NC, which has been developing SSL and IPsec security solutions for networking, is now working on specialized silicon to handle the processing of IPsec for IP storage protocols. According to NetOctave's marketing manager Dave Mountain, "Our ideal customer is someone who is building a host bus adapter or initiator or target device, that's an endpoint before it hits the public Internet." The company's focus is on low-cost IPsec silicon that can be incorporated into other companies' iSCSI hardware.

Similarly, security vendor Hifn and network processor firm Trebia, Acton, MA, have teamed up to create a security solution which the companies are also trying to sell to OEMs to support IPsec. Brendon Howe, Trebia's Product Marketing Manager, says, "Our storage processor products range from sub $100/port to over $200/port, depending on feature set and configuration."

Companies are also trying to develop appliances called storage firewalls that provide the security functionality within the network itself. Vormetric, San Jose, CA, is working on storage security appliances that encrypt data. According to Phil Grasso, co-founder and VP of Marketing at Vormetric, their device attaches to an IP network in front of an IP file server, encrypting storage data at wire speed. Vormetric is targeting beta deployments to potential customers in Q3. Cylink, Santa Clara, CA, an existing provider of IPsec VPN solutions for IP networks, has recently qualified its standalone security appliance for encrypting data sent via FCIP, iFCP and iSCSI; it is targeted at securing long-distance links between SANs.

Waiting for the market
The biggest issue which faces companies in the security space is gauging how interested users really are in security and how much they're willing to pay for these solutions. GlaxoSmithKline's Hall says, "From a security standpoint, we need to isolate our FC-SAN from the rest of the LAN/WAN environment." He adds that "we're using security features that are built into our storage products, and are not currently looking at other layered security products for the FC-SANs."

Doug Ingraham, manager of product marketing for Cisco's Storage Router Business Unit, says that in the current data center networks, "Grand security requirements are not a product requirement," because those networks are adequately protected behind corporate firewalls. In fact, he says, "Our customers are happy with a subset of security features they already have."

Other vendors also echo this theme. Brocade's Kavianian reports that the company has had several beta sites for its Secure Fabric OS, and a few licenses have shipped already, but the company expects volume deployment only when it adds security capabilities to its 2G hardware.

Trebia's Howe says, "Based on our customer experience to date, the biggest problem that needs to be solved is to somehow develop a system-level strategy to support a secure IP storage infrastructure. Customers are asking how security, as a policy, fits into the overall SAN infrastructure."

And in an era of tight budgets, customers are also concerned about the cost of adding additional security. NetOctave's Ardini says, "Providing IPSEC functionality in storage has very serious cost constraints. Storage security must be inexpensive and cost effective."

Cisco's Ingraham agrees, saying that in the short term, "putting IPsec in all of the [iSCSI] endpoints is going to make all the endpoints too expensive. Once IPsec is running in ASICs and doesn't substantially increase the product's cost, it will be great." However, he adds, "today, we must be careful not to put things into product that won't meet the needs of the marketplace."

Requirement for the future
Despite the hazy outlook for when the market for security will develop, vendors and users agree that security is becoming much more important. In particular, as storage networks grow out of the data center and into larger, global networks, security is sure to become a key part of the solution. Brocade's Kavianian says, "Users wouldn't put a LAN in place without a good security solution. They want security in place on their storage networks as well."

USinternetworking's Guethlein sums it up succinctly: "Security on our Ethernet network is controlled very tightly with VLANs, and more - managing security at the storage network level is next on our to-do list."
