Marketing Functional Review

1
Leveraging Enterprise Storage to Enhance
Information Assurance Initiatives
Chris Spirito Susan Labonte spirito_christopher_at_
emc.com labonte_sue_at_emc.com IEEE NASA
Workshop on Information Assurance The Storage
Security Perspective 04 DEC 2001
2
Enabling Technologies I

• Volume Mirroring and Projection

3
Enabling Technologies II

• Volume Status Reporting and Analysis

4
Target Research Areas

• Common Internet Security Vulnerabilities
• Migration from IP Data Flow to SAN Data Flow
• New Approaches to Existing IA Solutions

5
Common Internet Security Vulnerabilities

• SANS / NIPC Top Twenty (v 2.501)
• Default Installs of Operating Systems and
  Applications
• Non-existent or Incomplete Backups
• Non-existent or Incomplete Logging

6
G1- Default Installs of OS and Apps

• Problems
• OS and Application Installation is Time-Consuming
• Complexity of OS and Application Interactions
  often creates Additional Vulnerabilities
• Solutions
• Control and Accelerate OS and Application
  Deployment through Storage Technologies
• Enable the Creation of Test Environments while
  maintaining COOP

7
Gold OS Volume Deployment
8
Instant Test Environment
9
G3- Non-Existent or Incomplete Backups

• Problems
• Data are Compromised and/or Corrupted
• Backups are Compromised and/or Corrupted
• Backup Data is Archived without Verification
• Solutions
• Near Real-Time System Recovery
• Offline Data Verification without Operational
  Impact

10
On-Line Data Recovery
11
Data Verification
12
G6- Non-existent Logging

• Problems
• It is very difficult to ascertain what attackers
  have done without OS and application logs
• Duplication and protection of logs is critical
• Solutions
• Use volume-mirroring technologies to move logs to
  a safe place for processing and archival
• Enables the forensics process during compromise
  investigation.

13
Log Acquisition and Analysis
14
Enabling Forensics
15
Migration from IP Data Flow to SAN

• Problems
• Many well-known TCP/IP Attacks
• Confidentiality and Integrity of Data at Risk
• Potential for Compromise of Hosts and Network
  Availability
• Solutions
• Accomplish Data Transfer over the SAN
• Likely Improvements in Performance

16
Traditional Data Flow via IP
17
Alternate Path SAN Connectivity
18
Additional Validation by Trusted Host
19
Approaching Tripwire

• File Scanning Software that leverages the
  capabilities of the Symmetrix
• 1. Initial file scan (t0) completed
• 2. Subsequent file scan (t1, t2, etc) generates a
  list of files that have changed since the first
  scan ((t0)
• 3. This list could then be provided as input to
  another application (backup, virus scanning
  software, etc)

20
File Mapping

• Each track on disk in the Symmetrix for open
  systems is 32 KB
• Files can span multiple tracks
• SYMAPI returns
• files that have changed
• new files
• deleted files
• unchanged files if these files reside on a track
  where other files changed
• example files 2 and 3 will be listed even if
  unchanged if file 1 changes

Tracks
1
File 1/File 2
2
File 1/File 3
3
File 1
4
File 4/File 5
21
Analysis Engine Performance

• Number of files Time to complete scan
• 3100 files 15 secs
• 63,000 files 224 secs (3.73 minutes)
• 371,894 files 827 secs (13.78 minutes)
• 1,000,000 files 1 hour
• Process is host and CPU intensive
• 97 of CPU and memory of a 4 processor, 4 GB
  memory machine used during analysis

22
Contact Information

• Chris Spirito Susan Labonte
• spirito_christopher_at_emc.com labonte_sue_at_emc.com
• EMC Federal Sales
• Jim Young young_jim_at_emc.com