What IT Auditors Should Know About SAN Security - PowerPoint PPT Presentation

Slides: 39
Provided by: RogerBo

Transcript and Presenter's Notes

1
What IT Auditors Should Know About SAN Security
  • Jose Carreon
  • Security Technologies
  • Brocade

2
Agenda
  • The SAN Security Landscape
  • SAN Security Principles
  • SAN Security Myths
  • Protecting Against Evolving Threats
  • Defense Security Strategies
  • Auditing Your SAN
  • Other SAN Security Features and Functionality
  • Fabric-based Encryption for Data-at-Rest
  • Summary

3
Legal Disclaimer
  • All or some of the products detailed in this
    presentation may still be under development and
    certain specifications, including but not limited
    to, release dates, prices, and product features,
    may change. The products may not function as
    intended and a production version of the products
    may never be released. Even if a production
    version is released, it may be materially
    different from the pre-release version discussed
    in this presentation.
  • NOTHING IN THIS PRESENTATION SHALL BE DEEMED TO
    CREATE A WARRANTY OF ANY KIND, EITHER EXPRESS OR
    IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT
    NOT LIMITED TO, ANY IMPLIED WARRANTIES OF
    MERCHANTABILITY, FITNESS FOR A PARTICULAR
    PURPOSE, OR NONINFRINGEMENT OF THIRD PARTY RIGHTS
    WITH RESPECT TO ANY PRODUCTS AND SERVICES
    REFERENCED HEREIN.
  • Brocade, the Brocade B-weave logo, McDATA, Fabric
    OS, File Lifecycle Manager, MyView, Secure Fabric
    OS, SilkWorm, and StorageX are registered
    trademarks and the Brocade B-wing symbol and
    Tapestry are trademarks of Brocade Communications
    Systems, Inc. or its subsidiaries, in the United
    States and/or in other countries. FICON is a
    registered trademark of IBM Corporation in the
    U.S. and other countries. All other brands,
    products, or service names are or may be
    trademarks or service marks of, and are used to
    identify, products or services of their
    respective owners.

4
SAN Security: The SAN Security Landscape
  • SANs are evolving along the same path that LANs
    have evolved
  • Security was not an issue in the early days of
    LANs either, until...
  • Historically, security administrators have not
    considered storage and SANs
  • Historically, storage administrators have not
    considered security
  • There is a gap between storage and security

5
SAN Security: Why SAN Security?
  • A SAN usually contains an organization's most
    critical data, all centralized into one
    convenient location
  • The importance of this data is simply too high to
    ignore security, even if the risk is perceived
    to be low
  • There are vulnerabilities which can be exploited
    if the SAN is not configured properly
  • The biggest threats to a SAN are from insiders,
    malicious or otherwise
  • Legislation and compliance may drive
    organizations to address SAN security
  • As security breaches have to be made public (US),
    loss of trust is a big issue

6
Targets
  • These are the devices and resources targeted during
    an attack; typically, the following elements are
    at risk in a SAN
  • Management interfaces
      • IP can be sniffed easily
      • Passwords/accounts
  • HBA
      • WWN can be spoofed easily (intentionally or not)
  • LUNs
      • LUNs can be made visible to unauthorized users
  • Dark fiber
      • Fiber optic cables can be sniffed undetected
  • Switches/directors
      • New switches can be added to the fabric easily
      • Improperly configured switches can expose the SAN

7
Attackers
  • The attacker mentality is multi-dimensional and
    complex, but attackers usually have several common
    characteristics
      • They do not want to get caught
      • They will usually use the path of least
        resistance (seek the weakest link)
      • They want to get the most value for their
        efforts
          • Personal satisfaction
          • Bragging rights
          • Financial gains

8
Attacker Motivation
  • Not getting caught seems like an obvious
    characteristic, but some attackers eventually get
    to a point where they are under such pressure
    from the authorities that they may actually seek to
    get caught. This could also provide them with
    notoriety in some cases (Frank Abagnale, "Catch
    Me If You Can").
  • Seeking the weakest link is part of an
    attacker's method for successfully penetrating a
    system. A system is only as strong as its
    weakest link

9
Attacker Motivation
  • There are many motivational factors for conducting an
    attack. Script kiddies are renowned for just
    browsing around and saying that they broke into a
    system (MafiaBoy was eventually caught by
    bragging online).
  • Today, organized crime and terrorists are getting
    involved in cybercrime since the financial gains
    can be highly rewarding (T.J. Maxx credit card
    scandal: Secret Service agents found TJX
    customers' credit card numbers in the hands of
    Eastern European cyber thieves; breach costs
    have been estimated at $216M as of October 2007)

10
SAN Security Principles
  • Jose Carreon
  • Security Technologies

11
SAN Security
  • SANs using the FC protocol are more secure than
    TCP/IP-based LANs
      • Physically isolated from the LAN and outside
        world
      • FC protocol is less well known than TCP/IP
  • Insider (malicious, non-malicious) attacks are
    the most prevalent forms of security threats in
    SANs.
  • However, these are not the only vulnerabilities
    in SANs. In fact, there are many widely believed
    myths surrounding SAN security

12
SAN Security Myth 1
  • Myth: SANs are secure because they are an
    isolated network in a closed, physically secure
    environment.
  • Reality: Most security incidents are attributed
    to insiders, malicious or otherwise. Being
    isolated and closed does not protect against
    insiders.

13
SAN Security Myth 2
  • Myth: Fibre Channel SANs do not use IP, and the
    Fibre Channel protocol is not well known by
    hackers.
  • Reality: All Fibre Channel switches use IP for
    their management interface. Some SANs use FCIP
    over distance.

14
SAN Security Myth 3
  • Myth: You can't sniff optical fiber without
    cutting it first.
  • Reality: You can tap into optical fiber using a
    clip-on fiber coupler for around $500 (eBay). A
    microbend allows light to leak out, which is detected by a
    photosensor.

15
SAN Security Myth 4
  • Myth: SANs are not connected to the Internet, so
    there is no risk from outside attackers.
  • Reality: Many organizations have mail and Web
    servers in a DMZ that have SAN-attached storage.

16
SAN Security Myth 5
  • Myth: You have to sniff and decode multiple
    protocol layers (FC, SCSI, Volume,
    Filesystem/Database, File) to get to some useful
    information.
  • Reality: How many credit card numbers fit into a
    single FC frame?

17
SAN Security Myth 5

18
Protecting Against External Threats
  • All external threats are malicious
  • Focus is on securing the management interfaces
    and properly isolating the SAN from the outside
    world
  • SAN-attached servers in a DMZ can expose a SAN to
    the outside world

19
Protecting Against Internal Threats
  • By far, insiders pose the greatest threat to a
    SAN, malicious or otherwise
  • Incidents caused by insiders usually cause the
    greatest damage and have the most impact on an
    organization
  • Protecting against authorized insiders is very
    difficult
  • Focus is on limiting opportunity, monitoring,
    controls and logging mechanisms

20
Protecting a SAN
  • SAN security must address both people and
    technical vulnerabilities
  • Identify the risks and vulnerabilities (audit)
  • Develop a SAN security policy
  • Develop and document secure SAN operations
    procedures
  • Harden with multiple layers of protection
  • Train staff on SAN security and raise storage
    security awareness

21
Defense-In-Depth Strategy
  • Physical security
  • Operation and management procedures
  • Password and user management
  • Create risk domains
  • Control device access
  • Logging and change management
  • Auditing
  • Security training and awareness
  • Data encryption

22
Physical Access and Security
  • Secure access to switches/directors
  • Monitor and control access to the computer room
      • Electronic access card (or other secure access
        methods)
      • Single sign-on
      • Piggyback prevention
      • Biometrics
      • Onsite personnel
  • Alarm system (fire and break-in)
  • Surveillance cameras
  • Lock individual racks
  • Dual fabrics should be in separate racks with
    physical separation

23
Operations and Management Procedures
  • Develop a SAN security policy (integrate with IT
    security policy)
  • Develop operation procedures
  • Use tight employee hiring and dismissal
    procedures
  • Secure all management interfaces
  • Disable unused and insecure services
  • Use telnet timeout
  • Back up configuration files automatically
  • Review firmware levels regularly and read release
    notes
  • DR/BC procedures
  • Incident Response Plan

24
Password and User Management
  • User accounts
      • Use strong password policies
      • Use unique personalized accounts instead of
        shared super accounts (admin, root)
      • Restrict roles (RBAC) where appropriate
  • Password policies
      • Change default passwords
      • Use strong password policies
      • Centralize account management (RADIUS, LDAP)
  • Threat example: time bomb on a management server

25
Create Risk Domains
  • Physical
      • Physically isolate critical or sensitive systems
        where appropriate using separate fabrics
      • LSANs can provide isolation and controlled
        sharing
  • Logical
      • Use zoning (hardware-enforced pWWN)
      • Use LUN masking
      • Use Virtual Fabrics/Administrative Domains

26
Control Device Access
  • Persistently disable unused ports
  • Persistently disable E_Port connectivity
  • Use Access Control Lists (ACLs) to define devices
    allowed to join fabric (FCS, DCC, SCC, IP
    Filter)
  • Use device and switch authentication
    (DH-CHAP/FC-SP) for more sensitive environments
    to prevent WWN spoofing
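The three hardening slides above (user accounts, risk domains, device access) read naturally as a self-audit checklist. The Python script below is an added example, not part of the presentation and not a Brocade tool; it runs those checks over a constructed configuration snapshot and grades the findings. The dictionary layout, the switch name edge-sw01, the account names, the WWNs and the port records are all assumptions made for the example and do not correspond to any vendor's CLI output, so a real audit would first normalise the switch's own configuration dump into this shape.

```python
import re
from dataclasses import dataclass

# Constructed configuration snapshot for a hypothetical switch "edge-sw01".
# The layout is an assumption for this example, not a vendor's output format.
SNAPSHOT = {
    "switch": "edge-sw01",
    "accounts": [
        {"name": "admin", "role": "admin", "shared": True, "default_password": True},
        {"name": "jcarreon", "role": "admin", "shared": False, "default_password": False},
        {"name": "ops-view", "role": "user", "shared": False, "default_password": False},
    ],
    # central=None: accounts are local to the switch (no RADIUS/LDAP);
    # dhchap_policy: "active" means switch/device authentication is enforced
    "auth": {"central": None, "dhchap_policy": "passive"},
    "ports": [
        {"index": 0, "state": "online", "type": "F_Port", "persistent_disable": False, "eport_disabled": True},
        {"index": 1, "state": "online", "type": "E_Port", "persistent_disable": False, "eport_disabled": False},
        {"index": 2, "state": "no_light", "type": None, "persistent_disable": False, "eport_disabled": False},
        {"index": 3, "state": "no_light", "type": None, "persistent_disable": True, "eport_disabled": True},
    ],
    "zones": [
        {"name": "db_zone", "members": ["10:00:00:00:c9:12:34:56", "50:06:0e:80:00:aa:bb:cc"]},
        {"name": "legacy_zone", "members": ["1,5", "1,6"]},   # domain,port members
    ],
    "policies": {"DCC": True, "SCC": False, "FCS": False},
}

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")
POLICY_GAP = {
    "DCC": "device-to-port connections are not restricted",
    "SCC": "any switch can join the fabric",
    "FCS": "no designated fabric configuration server",
}


@dataclass
class Finding:
    control: str    # slide-level control the finding maps to
    severity: str   # "high" or "medium"
    detail: str


def audit_accounts(snap):
    """Slide 24: personal accounts, no default passwords, central account management."""
    out = []
    for acct in snap["accounts"]:
        if acct["shared"]:
            out.append(Finding("accounts", "high",
                               f"shared account '{acct['name']}' in use; issue personal RBAC accounts"))
        if acct["default_password"]:
            out.append(Finding("accounts", "high",
                               f"account '{acct['name']}' still has its default password"))
    if snap["auth"]["central"] is None:
        out.append(Finding("accounts", "medium",
                           "local accounts only; centralize management (RADIUS/LDAP)"))
    return out


def audit_zoning(snap):
    """Slide 25: zones should use hardware-enforced pWWN members, not domain,port."""
    out = []
    for zone in snap["zones"]:
        bad = [m for m in zone["members"] if not WWN_RE.match(m)]
        if bad:
            out.append(Finding("risk-domains", "medium",
                               f"zone '{zone['name']}' has non-pWWN members {bad}"))
    return out


def audit_ports(snap):
    """Slide 26: unused ports persistently disabled, E_Port only where an ISL belongs."""
    out = []
    for p in snap["ports"]:
        if p["state"] != "online" and not p["persistent_disable"]:
            out.append(Finding("device-access", "high",
                               f"port {p['index']} is unused but not persistently disabled"))
        if p["type"] != "E_Port" and not p["persistent_disable"] and not p["eport_disabled"]:
            out.append(Finding("device-access", "high",
                               f"port {p['index']} still allows E_Port (ISL) connectivity"))
    return out


def audit_policies(snap):
    """Slide 26: fabric ACL policies (FCS, DCC, SCC) and DH-CHAP authentication."""
    out = []
    for name, gap in POLICY_GAP.items():
        if not snap["policies"].get(name):
            out.append(Finding("device-access", "medium", f"{name} policy not active: {gap}"))
    if snap["auth"]["dhchap_policy"] != "active":
        out.append(Finding("device-access", "medium",
                           f"DH-CHAP not enforced (policy '{snap['auth']['dhchap_policy']}')"))
    return out


def run_audit(snap):
    """Run every check; high-severity findings come first."""
    findings = audit_accounts(snap) + audit_zoning(snap) + audit_ports(snap) + audit_policies(snap)
    return sorted(findings, key=lambda f: (f.severity != "high", f.control))


if __name__ == "__main__":
    for f in run_audit(SNAPSHOT):
        print(f"[{f.severity:6}] {f.control:14} {f.detail}")
```

Against the constructed snapshot the script reports nine findings: the shared admin account with its default password and the lack of central authentication, the domain,port zone, the unused port that is neither persistently disabled nor E_Port-blocked, the missing SCC and FCS policies, and DH-CHAP not being enforced. The point of grading is that an auditor can hand the "high" list to the storage team as the first remediation batch.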

27
Logging and Change Management
  • Use NTP to synchronize logs
  • Redirect syslogd to a central server
  • Enable Event Auditing feature
  • Enable Track Changes feature
  • Back up logs and configuration files
    automatically
  • Monitor logs regularly
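Redirecting syslog to a central server and enabling event auditing only pay off if something actually reads the logs. The Python below is an added example, not from the presentation or any vendor: it runs a few detection rules over constructed audit-log lines. The line format (collector receive time, switch-reported time, switch name, event name, key=value fields), the event names, the hosts edge-sw01 and edge-sw02, the users and the addresses are all invented for the example and are not a real switch's syslog format, so parse_line() would need adapting to real output. The rules flag clock skew that NTP should have prevented, bursts of failed management logins followed by a success, configuration changes made under a shared account or without a change-ticket reference, and fabric membership changes (a new ISL or switch) that should be matched against change management.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample: "<collector-receive-time> <switch-time> <host> <EVENT> key=value ..."
# Hosts, users, addresses and the format itself are assumptions for this example.
SAMPLE_LOG = """\
2008-03-12T02:10:01Z 2008-03-12T02:10:00Z edge-sw01 LOGIN_OK user=jcarreon src=10.1.1.50
2008-03-12T02:12:30Z 2008-03-12T02:12:29Z edge-sw01 ZONE_CHANGE user=jcarreon src=10.1.1.50 ticket=CHG-1042
2008-03-12T02:14:05Z 2008-03-12T02:14:04Z edge-sw01 LOGIN_FAIL user=admin src=10.1.1.77
2008-03-12T02:14:09Z 2008-03-12T02:14:08Z edge-sw01 LOGIN_FAIL user=admin src=10.1.1.77
2008-03-12T02:14:15Z 2008-03-12T02:14:14Z edge-sw01 LOGIN_FAIL user=admin src=10.1.1.77
2008-03-12T02:15:00Z 2008-03-12T02:14:59Z edge-sw01 LOGIN_OK user=admin src=10.1.1.77
2008-03-12T02:16:40Z 2008-03-12T02:16:39Z edge-sw01 SECPOLICY_CHANGE user=admin src=10.1.1.77 policy=DCC
2008-03-12T03:02:11Z 2008-03-12T03:02:10Z edge-sw01 EPORT_UP port=7 peer=20:00:00:05:1e:aa:bb:cc
2008-03-12T04:00:00Z 2008-03-11T23:58:20Z edge-sw02 LOGIN_OK user=ops src=10.1.1.60
"""

Alert = namedtuple("Alert", "rule host ts detail")
SHARED_ACCOUNTS = {"admin", "root"}          # slide 24: shared super accounts
CHANGE_EVENTS = {"ZONE_CHANGE", "SECPOLICY_CHANGE", "CFG_CHANGE"}
MEMBERSHIP_EVENTS = {"EPORT_UP", "SWITCH_JOIN"}
MAX_SKEW = timedelta(seconds=60)             # beyond this, NTP is not doing its job
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one constructed log line into timestamps, host, event and key=value fields."""
    recv, ts, host, event, *kv = line.split()
    return {"recv": datetime.strptime(recv, TS_FMT), "ts": datetime.strptime(ts, TS_FMT),
            "host": host, "event": event,
            "fields": dict(item.split("=", 1) for item in kv)}


def detect(log_text):
    """Apply the detection rules line by line; alerts are returned in the order they fire."""
    alerts = []
    fails = defaultdict(list)   # src -> timestamps of recent failed logins
    burst_srcs = set()          # sources that already crossed FAIL_THRESHOLD
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ev, f, host, ts = rec["event"], rec["fields"], rec["host"], rec["ts"]

        # Rule 1: switch clock disagrees with the collector, so events cannot be correlated
        if abs(rec["recv"] - ts) > MAX_SKEW:
            alerts.append(Alert("clock-skew", host, ts,
                                f"switch clock off by {rec['recv'] - ts}; check NTP"))

        # Rule 2: repeated failed logins to the management interface, then a success
        if ev == "LOGIN_FAIL":
            src = f["src"]
            fails[src] = [t for t in fails[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[src]) >= FAIL_THRESHOLD and src not in burst_srcs:
                burst_srcs.add(src)
                alerts.append(Alert("login-burst", host, ts,
                                    f"{len(fails[src])} failed logins from {src} within {FAIL_WINDOW}"))
        elif ev == "LOGIN_OK" and f.get("src") in burst_srcs:
            alerts.append(Alert("login-after-burst", host, ts,
                                f"login as {f.get('user')} from {f['src']} after repeated failures"))

        # Rule 3: configuration changes that cannot be attributed or were not approved
        if ev in CHANGE_EVENTS:
            if f.get("user") in SHARED_ACCOUNTS:
                alerts.append(Alert("shared-account-change", host, ts,
                                    f"{ev} by shared account '{f['user']}'; change not attributable"))
            if "ticket" not in f:
                alerts.append(Alert("unapproved-change", host, ts,
                                    f"{ev} with no change-ticket reference"))

        # Rule 4: something joined the fabric; it must match a change record
        if ev in MEMBERSHIP_EVENTS:
            alerts.append(Alert("fabric-membership", host, ts,
                                f"{ev} port={f.get('port')} peer={f.get('peer')}; verify against change management"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.host} {a.rule}: {a.detail}")
```

Run as a script it prints six alerts for the sample: the failed-login burst from 10.1.1.77 and the admin login that follows it, the DCC policy change made by that shared account without a ticket, the new ISL on port 7, and the four-hour clock skew on edge-sw02. The skew rule is the one auditors most often find tripped in practice: without synchronized clocks, none of the other events can be lined up against the change calendar.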

28
Education and Awareness Training
  • Raise SAN security awareness
  • Entire team needs to understand the policies
  • Entire team needs to be familiar with basic
    security concepts
  • Continuing education to keep up with technology
    changes

29
Auditing Your SAN
  • There are no established standards for SAN
    security, although the SNIA SSIF has an excellent
    Current Best Practices (CBP) Guide
  • The IT security policy should also include the
    SAN
  • Audit against the existing SAN security policy,
    ideally integrated into the existing IT security
    policy
  • Self-audit: develop a process and evaluation
    criteria based on policy
  • Third-party audit: outside agencies have a
    different, neutral perspective and established
    audit standards
      • Recognized experts know the latest threats and
        countermeasures
  • Audit regularly, at least yearly

30
Other SAN Security Features

31
Data Destruction
  • Risk: storage media containing data may be
    exposed to the outside world
  • Data-critical mass
  • Call-home disk repair can be an avenue for exploitation
  • Data destruction/retention policy
      • Degaussing
      • Electronic shredding
      • Physical shredding/crushing

32
Data Encryption
  • Stolen or lost laptops and tape media are making
    headlines
  • By the time you are on the front page of any
    newspaper it is too late
  • Protecting Personally Identifiable Information
    (PII) is a huge concern for corporations and
    government
  • Unencrypted PII is highly vulnerable
  • Legislation and compliance, such as HIPAA, GLBA,
    PCI and California SB 1386 (and the likes), may
    drive encryption of PII

33
What to Encrypt
  • Encryption can occur in-flight or at-rest
  • Data-in-flight encryption is used when exchanging
    information over distance
  • Data-at-rest encryption is used to protect the
    confidentiality of information stored on
    storage media (disk or tape)
  • Business requirements will determine what you
    need to encrypt
  • Biggest issue is how to manage the encryption
    keys
  • Multiple key management solutions are usually
    required to manage data-in-flight, disk and tape
    encryption

34
Why encryption in the SAN?
  • Protecting the most valuable corporate digital
    asset: the data
  • Ensure the privacy and integrity of data while in
    flight and when at rest
  • Choice to encrypt all data to increase the
    efficiency at the storage fabric level and reduce
    internal risks
  • Achieve regulatory compliance
  • Encrypting at the SAN provides
      • Flexibility to encrypt anywhere on the network
      • Storage vendor independence
      • Single key management solution for tape, disk and
        data-in-flight

35
Brocade Fabric-Based Encryption for Data-at-Rest
  • Brocade solution
      • All data moves through the SAN
      • Central point of management
      • Plug-in encryption services (non-disruptive)
      • Central key management is critical
      • Deliver scalable solution via Encryption Switch
        or Blade
  • Availability: second half 2008

36
Brocade Security Engagements
  • SAN Security Assessment and Training
  • SAN Hardening
  • Develop Secure Operations Procedures
  • Design SAN Security Policy
  • Design SAN Security Incident Response Plan
  • SAN Security Resident Consultant
  • SAN Encryption Solution Services

37
Summary
  • SANs have similar security requirements to LANs,
    and the SAN security policy should be integrated
    into the IT security policy
  • Technical countermeasures are an important
    component of any security program; however, a
    holistic approach is better. A defense-in-depth
    strategy must be utilized to protect a SAN and
    the data it contains
  • Importance of education and awareness
  • Regular SAN security audits to keep up with
    technology
  • SAN security policies integrated with IT
    policies
  • Documented operations procedures

38
THANK YOU
Jose Carreon, Security Technologies