How to Finally Secure your Network Storage - PowerPoint PPT Presentation

About This Presentation

Title:

How to Finally Secure your Network Storage

Description:

A attacker sends out a modified frame to xFFFFFE with the 24-bit address of the ... All frames destined for the real switch are passed to the attacker first, then ... – PowerPoint PPT presentation

Number of Views:97

Avg rating:3.0/5.0

Slides: 40

Provided by: smcc52

Category:

more less

Transcript and Presenter's Notes

Title: How to Finally Secure your Network Storage

1
How to Finally Secure your Network Storage

Himanshu Dwivedi
Managing Security Architect
_at_stake, Inc.

2
Why is SAN Security Needed

Information
Unauthorized access or unintentional damage
Protection
Internal and External Threats
Competitors, ex-employees, future ex-employees,
etc.
Connectivity
SANs include all types of servers (Application,
Web, FTP, etc) that are attached to the Ethernet
and the existing storage network
A single compromised server may open the gateway
to the SAN

3
Importance of SAN Security

Importance
What we see Clients dedicating large budgets to
SANs
Protect intellectual property
SANs typically contain the keys to the kingdom
What we know Attacks rarely change, they get
modified
Management methods/networks are the primary
target
IP attacks will be used for Fibre Channel
What vendors know
Many SANs are only as secure as the hosts and
clients attached to the storage network --Scott
Robinson, CTO, Datalink Corp

4
Example SAN

5
Common Problems - Authentication

Limited access control
Limited concept of multi-user administration
Management tools do not provide a variety of
security profiles
Authentication Vulnerabilities
Username/Password is not enough!
Cisco Vulnerability It is possible to read
stored configuration files from the Storage
Router without any authorization

6
Common Problems Clear-text

Fibre Channel management
SCSI Enclosure Services (SES)
SES provides no extra security besides
username/password
FC-SNMP
SNMP is clear-text and provides no extra security
besides community strings
Browser-Based Management
HTTP, SNMP, SES may be managed via a browser
Username and password (pass in the clear), is the
only security provided
Again.Username/Password is not enough!!

7
Fibre Channel Layers

8
Attack Vector FC - Layer 2

9
Weaknesses - Sequence ID

SEQ_CNT and SEQ_ID
A Fibre Channel Sequence is a series of one or
more related frames transmitted unidirectionally
from one port to another.
All frames must be part of a Sequence. Frames
within the same Sequence have the same SEQ_ID
field in the header.
For each frame transmitted in a Sequence, SEQ_CNT
is incremented by 1.
This is similar to what? ISN in TCP/IP
Attacker can guess the SEQ_ID and attempt to
hijack the session

10
Weakness - Joining the Fabric

Pollute SNS when joining the fabric
N_Port send a Fabric login (FLOGI) to the well
know address of xFFFFFE (broadcast).
The switch receives the frame at xFFFFFE and
returning an accept frame (ACC). Service
information is exchange
Knowing there is no validation required to
receive an accept frame (ACC), an attacker could
send a modified 24-bit address to xFFFFFE in an
attempt to corrupt the SNS information
As soon as ACC is received, attacker knows that
SNS has been modified

11
Weakness - Flow control

Disruption of Flow Control
A device can transmit frames to another device
only when the other device is ready to accept
them. Before the devices can send data to each
other, they must login to each other and
establish credit.
Credit
Credit refers to the number of frames a device
can receive at a time. This value is exchanged
with another device during login, so each knows
how many frames the other can receive.
Disruption of Flow control
Injecting a high or low credit value disrupts the
service

12
Weakness - Switches

Cut-through switching
A switch only looks at the D_ID (24-bit
Destination address) to route the frame
Increases performance by reducing the time
required to make a routing decision
However, there is no verification of the S_ID
(Source address) and the frame is passed

13
Weakness - Simple Name Server

Simple Name Server
Simple Name Servers maps the 24-bit fabric
address and the 64-bit World Wide Name
IP Attack Polluting the ARP tables
Fibre Channel Attack Polluting the SNS

14
Weakness - HBA

World Wide Names
WWNs can be easily changed on an HBA
WWNs are used as unique identifiers that do not
get authenticated
WWNs can be spoofed to access different zones

15
LUN Masking and Zoning

Switch Features
LUNs Masking and Zoning
LUN masking creates subsets of storage within the
SAN virtual pool and allows only designated
servers to access the storage subsets.
Zoning restricts access to specific physical
devices such as RAID arrays or individual disks
(Equivalent to VLANs in the Ethernet world).
LUN masking and Zoning are NOT considered
security tools, but rather efficiency tools

16
LUN Masking

Types of LUN Masking
Server configuration
Host level drivers on HBA
Storage controllers are configured
Must be supported by the storage vendor
Storage Virtualization LUN Masking device
Works with any server and any HBA, added overhead
and performance issues

17
LUN Masking

Strengths
Provides segregation
Weaknesses
Design for segmentation, not security
Modifications at HBA are granted
LUNs broadcasting is built to be highly
available

18
Zoning

Zoning is separation
A method for separating fabric connected devices
in group over the same physical fabric
Similar to VLANs in the Ethernet world
Types of Zoning
Hard, Soft, and combination
Hard
Physical port address static fabrics
Soft
Node WWN and Port WWN dynamic fabrics

19
Hard Zoning

20
Soft Zoning

21
Future Problems

Ethernet attack techniques will soon be used for
FC
Man-in-the-Middle
Replay
Spoofing
Malformed Packets
Zone Hopping (VLAN hopping)
Cache Poisoning
Hijacked sessions
Sniffing
Denial of Service
Example to Follow

22
Future Attacks - MITM

Man-in-the-Middle
A attacker sends out a modified frame to xFFFFFE
with the 24-bit address of the legitimate switch.
The fabric assumes that the attacker is the
legitimate fibre channel switch
All frames destined for the real switch are
passed to the attacker first, then to the
legitimate switch.
However, tools need to be written to to pass the
traffic to the switch, otherwise the attack will
not work.

23
Future Attacks - MITM

Man-in-the-Middle

24
Future Attacks - Spoofing

Spoofing
A server is strictly given rights to zones from
the switch
An attacker changes (spoofs) its WWN to the WWN
of the server
The switch grants access rights to certain zones
because it is recognizes the WWN

25
Future Attacks - Spoofing

Spoofing

26
Future Attacks Session Hijacking

Session Hijacking
FC session hijacking could be conducted if a
third party takes control of an existing session
between two trusted machines by predicting the
Sequence ID (SEQ_CNT field) in FC-2
In FC-2, the SEQ_CNT field identifies individual
frames within a Sequence. For each frame
transmitted in a Sequence, SEQ_CNT is incremented
by 1.

27
Future Attacks Session Hijacking

Session Hijacking

28
Future Attacks Switch Attacks

Switch Attacks
E-port to E-port replication!

29
Short Term Solutions

Segmentation
Logical segmentation of management traffic from
data traffic
FC for data
Ethernet of FC-IP for management (with IPSec)
Create a separate SAN management network,
segmented from corporate/data network
Traffic segmentation will limit exposure of other
network segments in the event that a segment is
compromised.
It ensures individuals who require access to one
network segment (e.g. management) cannot access
other segments (e.g. data) thus limiting access
to business need.

30
Short Term Solutions

Switch Configurations
Simple Name Server (soft) Zoning and Hard Zoning
Regular zoning, both hard zoning and simple name
server (soft) zoning, will be required on all
switches. This will add a layer of security for
WWNs on all appropriate physical ports
Port Binding (locking)
Physical Port Binding enables only authorized
WWNs to access a particular port on each
front-end switch and the secure fibre switch.
Fabric Membership Authorization
Port-type Controls
Port-type Controls will lock each port to a
G-port, F-port, or E-port, according to their
appropriate specifications.

31
Fibre Channel Solutions

Fibre Channel Security
Andiamo Systems, Cisco, EMC, Qlogic, VERITAS
Requirements
Authentication (e.g. switch to switch)
Integrity (e.g. data integrity)
Encryption (e.g. ESP payload)

32
Fibre Channel Solutions

FCSec
Authentication and Encryption at the FC-2 Layer
Provides
Switch to Switch Authentication
Node to Switch Authentication
Node to Node Secure Channel
Defends
Spoofing
Session Hijacking
Man-in-the-Middle
Monkey-in-the-Middle?

33
Fibre Channel Solutions

FCSec
AH and ESP over FC-2
Authentication with AH will be once in a while,
meaning that overhead should be relatively low
What are the bandwidth concerns?

34
Fibre Channel Solutions

FCSec
Switch to Switch Authentication
After keys have been exchanged, frames exchanged
between the switches, will be authenticated to
ensure data integrity
SLAP (Switch Layer Authentication Protocol)
SA is inserted in E_Port Frames
Node to Switch Authentication
After key exchange, two nodes can exchange frames
to ensure integrity
Node to Node Secure Channel
After key exchange, FC-2 frames can be encrypted
with ESP

35
Fibre Channel Solutions

Switch Solutions
SLAP
Switch Layer Authentication Protocol
Security Associations between two E_Ports
Provides Authentication
Provides non-repudiation
Developed by Brocade
Currently in beta

36
Long Term Solutions

Switch Configurations
SLAP
Switch Layer Authentication Protocol. Switch to
switch authentication via digital certificates
and unique private keys
Fabric Membership Authorization
Fabric Membership Authorization incorporates an
internal database on each switch with a list of
authorized WWNs that may join the fabric.
Fabric Configuration Servers
This switch is the only device allowed to manage
the other switches. It uses its own database for
authentication, rather than SNMP or regular
username/password combination.

37
Long Term Solutions