A computer components & hardware forum. HardwareBanter

SAN (Storage Area Network) Security FAQ Revision 2004/10/30 - Part 1/1



 
 
Posted October 30th 04, 08:35 AM by Will Spencer

From: (Will Spencer)
Newsgroups: comp.arch.storage,comp.answers,news.answers
Subject: SAN (Storage Area Network) Security FAQ Revision 2004/10/30 - Part 1/1
Followup-To: comp.arch.storage
Approved:

Reply-To: (FAQ Comments address)
Summary: This posting contains a list of Frequently Asked Questions (and their
answers) about SAN (Storage Area Network) Security.

Archive-Name: computer/arch/storage/san-security
Posting-Frequency: Monthly
Last-Modified: 2004/10/30
Version: 2004/10/30
URL: http://www.sansecurity.com/san-security-faq.shtml

Welcome to the comp.arch.storage SAN (Storage Area Network) Security FAQ:
Answers to Frequently Asked Questions about SAN (Storage Area Network)
Security.

The SAN (Storage Area Network) Security FAQ is on the World Wide Web at
http://www.sansecurity.com/san-security-faq.shtml

The contents of the comp.arch.storage SAN (Storage Area Network) Security
FAQ include:

-----------------------------------------------------------------------

http://www.sansecurity.com/faq/lun-masking.shtml

What is LUN masking?

LUN (Logical Unit Number) Masking is an authorization process that makes a
LUN available to some hosts and unavailable to other hosts.

LUN Masking is implemented primarily at the HBA (Host Bus Adapter) level.
LUN Masking implemented at this level is vulnerable to any attack that
compromises the HBA.

Some storage controllers also support LUN Masking.

LUN Masking is important because Windows based servers attempt to write
volume labels to all available LUNs. This can render the LUNs unusable
by other operating systems and can result in data loss.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/san-zoning.shtml

What is SAN zoning?

SAN zoning is a method of arranging Fibre Channel devices into logical groups
over the physical configuration of the fabric.

SAN zoning may be utilized to implement compartmentalization of data for
security purposes.

Each device in a SAN may be placed into multiple zones.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/hard-soft-zoning.shtml

What are hard and soft zoning?

Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning
which is implemented in software.

Hard zoning physically blocks access to a zone from any device outside of the
zone.

Soft zoning uses filtering implemented in fibre channel switches to prevent
ports from being seen from outside of their assigned zones. The security
vulnerability in soft zoning is that the ports are still accessible if the
user in another zone correctly guesses the fibre channel address.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/port-zoning.shtml

What is port zoning?

Port zoning utilizes physical ports to define security zones. A user's access
to data is determined by what physical port he or she is connected to.

With port zoning, zone information must be updated every time a user changes
switch ports. In addition, port zoning does not allow zones to overlap.

Port zoning is normally implemented using hard zoning, but could also be
implemented using soft zoning.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/wwn-zoning.shtml

What is WWN zoning?

WWN zoning uses name servers in the switches to either allow or block access
to particular World Wide Names (WWNs) in the fabric.

A major advantage of WWN zoning is the ability to recable the fabric without
having to redo the zone information.

WWN zoning is susceptible to unauthorized access, as the zone can be bypassed
if an attacker is able to spoof the World Wide Name of an authorized HBA.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/wwn-w...ide-name.shtml

What is a World Wide Name (WWN)?

A World Wide Name, or WWN, is a 64-bit address used in fibre channel networks
to uniquely identify each element in a Fibre Channel network.

Soft Zoning utilizes World Wide Names to assign security permissions.

The use of World Wide Names for security purposes is inherently insecure,
because the World Wide Name of a device is a user-configurable parameter.

For example, to change the World Wide Name (WWN) of an Emulex HBA,
the user simply needs to run the `elxcfg` command.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/san-s...-attacks.shtml

What are the classes of attacks against SANs?

Snooping: Mallory reads data Alice sent to Bob in private
Allows access to data

Spoofing: Mallory fools Alice into thinking that he is Bob
Allows access to or destruction of data

Denial of Service: Mallory crashes or floods Bob or Alice
Reduces availability

--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/fcp-f...-attacks.shtml

What are some attacks against FCP?

Node Name / Port Name spoofing at Port Login time
Source Port ID spoofing on dataless FCP commands
Snooping and spoofing on FC-AL
Snooping and Spoofing after Fabric reconfiguration
Denial of Service attacks can be made in User mode

--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/fcap-...protocol.shtml

What is FCAP (Fibre Channel Authentication Protocol)?

FCAP is an optional authentication mechanism employed between any two devices
or entities on a Fibre Channel network using certificates or optional keys.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/fcpap...protocol.shtml

What is FCPAP (Fibre Channel Password Authentication Protocol)?

FCPAP is an optional authentication mechanism employed between any two devices
or entities on a Fibre Channel network using secure remote password (SRP).


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/slap-...protocol.shtml

What is SLAP (Switch Link Authentication Protocol)?

SLAP is an authentication method for Fibre Channel switches which utilizes
digital certificates to authenticate switch ports.

SLAP was designed to prevent the unauthorized addition of switches into a
Fibre Channel network.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/fc-sp...protocol.shtml

What is FC-SP (Fibre Channel - Security Protocol)?

Fibre Channel - Security Protocol (FC-SP) is a security protocol for Fibre
Channel Protocol (FCP) and fiber connectivity (Ficon).

FC-SP is a project of Technical Committee T11 of the InterNational
Committee for Information Technology Standards (INCITS).

FC-SP is a security framework which includes protocols to enhance Fibre
Channel security in several areas, including authentication of Fibre
Channel devices, cryptographically secure key exchange, and cryptographically
secure communication between Fibre Channel devices.

FC-SP is focused on protecting data in transit throughout the Fibre Channel
network. FC-SP does not address the security of data which is stored on the
Fibre Channel network.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/esp-e...-channel.shtml

What is ESP over Fibre Channel?

ESP (Encapsulating Security Payload) is an Internet standard for the
authentication and encryption of IP packets.

ESP is defined in RFC 2406: IP Encapsulating Security Payload (ESP).

ESP is widely deployed in IP networks and has been adapted for use in Fibre
Channel networks. The IETF iSCSI proposal specifies ESP link authentication
and optional encryption.

ESP over Fibre Channel is focused on protecting data in transit throughout the
Fibre Channel network. ESP over Fibre Channel does not address the security of
data which is stored on the Fibre Channel network.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/dh-chap.shtml

What is DH-CHAP?

DH-CHAP (Diffie Hellman - Challenge Handshake Authentication Protocol) is a
forthcoming Internet Standard for the authentication of devices connecting
to a Fibre Channel switch.

DH-CHAP is a secure key-exchange authentication protocol that supports both
switch-to-switch and host-to-switch authentication.

DH-CHAP supports MD-5 and SHA-1 algorithm-based authentication.


--------------------------------------------------------------------------------

http://www.sansecurity.com/faq/iscsi...urity-ip.shtml

How are iSCSI, iFCP and FCIP secured over IP networks?

The IETF IP Storage (ips) Working Group is responsible for the definition of
standards for the encapsulation and transport of Fibre Channel and SCSI
protocols over IP networks.

The IPS Working Group's charter includes responsibility for data security:

Security including authentication, keyed cryptographic data integrity and
confidentiality, sufficient to defend against threats up to and including
those that can be expected on a public network. Implementation of basic
security functionality will be required, although usage may be optional.

The IPS Working Group has created RFC 3723: Securing Block Storage Protocols
over IP.

RFC 3723 defines the use of the existing IPsec and IKE (Internet Key Exchange)
protocols to secure block storage protocols over IP.
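The zoning and LUN masking entries in the FAQ above (hard vs soft zoning, port vs WWN zoning, controller-side LUN masking) describe access controls whose differences are easiest to see side by side. The following is an added example, not code from the FAQ or its author: a small Python model of a fabric zone database and a storage controller. The fabric layout, the WWPNs and the zone names are constructed for the example, and the model deliberately reduces each control to the one property the FAQ calls out (soft zoning filters discovery but not directly addressed frames; port zones break on recabling; WWN zones follow the HBA but trust whatever name is presented; LUN masks decide which LUNs a host can see).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    """A device attached to the fabric: an HBA port or a storage array port."""
    name: str
    wwpn: str         # World Wide Port Name the device presents at fabric login
    switch_port: int  # physical switch port the device is cabled to


@dataclass
class Fabric:
    """Zone database plus the enforcement mode: "hard" (out-of-zone frames are
    dropped by the switch) or "soft" (only name-server discovery is filtered)."""
    enforcement: str = "hard"
    # zone name -> members; a member is ("port", n) for port zoning or
    # ("wwn", wwpn) for WWN zoning, so zones may overlap and mix both styles
    zones: dict = field(default_factory=dict)

    def _zones_of(self, n: Node) -> set:
        return {z for z, members in self.zones.items()
                if ("port", n.switch_port) in members or ("wwn", n.wwpn) in members}

    def same_zone(self, a: Node, b: Node) -> bool:
        """True if the zone database places a and b in at least one common zone."""
        return bool(self._zones_of(a) & self._zones_of(b))

    def name_server_lookup(self, src: Node, dst: Node) -> bool:
        """Discovery: hard and soft zoning both omit out-of-zone ports from the reply."""
        return self.same_zone(src, dst)

    def forward_frame(self, src: Node, dst: Node) -> bool:
        """A frame addressed directly to dst without prior discovery. Hard zoning
        drops it at the switch; soft zoning forwards it, the gap the FAQ describes."""
        if self.enforcement == "hard":
            return self.same_zone(src, dst)
        return True


@dataclass
class StorageController:
    """LUN masking at the array: LUN -> set of WWPNs allowed to see it."""
    masks: dict = field(default_factory=dict)

    def visible_luns(self, host: Node) -> list:
        return sorted(lun for lun, allowed in self.masks.items() if host.wwpn in allowed)


# Constructed fabric layout; the WWPNs are made-up values.
ARRAY = Node("array-port-0", "50:00:00:00:00:00:00:01", switch_port=1)
HOST_A = Node("host-a", "10:00:00:00:00:00:aa:aa", switch_port=2)
HOST_B = Node("host-b", "10:00:00:00:00:00:bb:bb", switch_port=3)


def port_zoned(enforcement: str) -> Fabric:
    return Fabric(enforcement, {"zone_a": {("port", 1), ("port", 2)}})


def wwn_zoned(enforcement: str) -> Fabric:
    return Fabric(enforcement, {"zone_a": {("wwn", ARRAY.wwpn), ("wwn", HOST_A.wwpn)}})


def soft_vs_hard() -> dict:
    """host-b sits outside zone_a. Under soft zoning it cannot discover the array,
    but a directly addressed frame is still delivered; hard zoning blocks both."""
    soft, hard = port_zoned("soft"), port_zoned("hard")
    return {
        "soft": (soft.name_server_lookup(HOST_B, ARRAY), soft.forward_frame(HOST_B, ARRAY)),
        "hard": (hard.name_server_lookup(HOST_B, ARRAY), hard.forward_frame(HOST_B, ARRAY)),
    }


def recable_host_a() -> tuple:
    """Move host-a to switch port 5 without touching the zone database:
    the port zone silently loses it, the WWN zone follows the HBA."""
    moved = Node(HOST_A.name, HOST_A.wwpn, switch_port=5)
    return port_zoned("hard").same_zone(moved, ARRAY), wwn_zoned("hard").same_zone(moved, ARRAY)


def wwn_zone_trusts_presented_name() -> bool:
    """The flip side of recabling: a node on port 3 that presents host-a's WWPN is
    indistinguishable to a WWN zone. A WWN is an identifier, not a credential."""
    clone = Node("host-b", HOST_A.wwpn, switch_port=3)
    return wwn_zoned("hard").same_zone(clone, ARRAY)


def lun_masking_view() -> tuple:
    """Controller-side masking: LUN 0 and 1 are private to one host each, LUN 2 is
    shared, so each host sees only the LUNs its WWPN is allowed."""
    ctrl = StorageController({0: {HOST_A.wwpn}, 1: {HOST_B.wwpn},
                              2: {HOST_A.wwpn, HOST_B.wwpn}})
    return ctrl.visible_luns(HOST_A), ctrl.visible_luns(HOST_B)


if __name__ == "__main__":
    print("soft/hard (discover, forward):", soft_vs_hard())
    print("recable (port zone, wwn zone):", recable_host_a())
    print("cloned WWPN accepted by WWN zone:", wwn_zone_trusts_presented_name())
    print("LUN views (host-a, host-b):", lun_masking_view())
```

The point to take from running it: a review of a zoning design should ask which enforcement mode the switches actually apply, because a soft zone looks identical to a hard zone in the name-server view while only the hard zone drops frames, and a WWN zone should be backed by device authentication (FCAP, DH-CHAP) rather than relied on as one.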

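The DH-CHAP entry in the FAQ describes a key-exchange authentication protocol for host-to-switch and switch-to-switch use. The following is an added example, not the FAQ author's code and not the FC-SP wire format: a simplified Python model of a DH-CHAP style exchange in which the message names, the toy Diffie-Hellman group, the constructed WWPN and the shared secrets are all assumptions. It shows the property that distinguishes DH-CHAP from plain CHAP (each response hashes the challenge, the shared secret and the DH shared value together, so a captured response alone does not support an offline guess at the secret), and it shows that presenting an authorized WWN without the matching secret is rejected, which is the gap WWN zoning alone leaves open.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the example: 2**127 - 1 is prime but far
# too small for real use; FC-SP DH-CHAP uses standard MODP groups of 1024 bits and up.
P = 2**127 - 1
G = 2


def h(*parts: bytes) -> bytes:
    """DH-CHAP negotiates MD5 or SHA-1 (the FAQ lists both); the model fixes SHA-1."""
    return hashlib.sha1(b"".join(parts)).digest()


def int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Party:
    """An HBA or switch. `name` is the identity presented at login (a WWN for an HBA);
    `secrets_db` maps peer name -> DH-CHAP secret shared with that peer."""

    def __init__(self, name: str, secrets_db: dict):
        self.name = name
        self.secrets = secrets_db
        self.priv = secrets.randbelow(P - 2) + 1   # fresh DH exponent per session
        self.pub = pow(G, self.priv, P)


def dhchap_exchange(switch: Party, hba: Party) -> dict:
    """Four-message mutual authentication modelled on DH-CHAP. Returns whether each
    side accepted the other and whether both derived the same session key."""
    failed = {"hba_authenticated": False, "switch_authenticated": False, "key_agreed": False}

    # 1. Challenge: switch -> HBA, a random challenge plus the switch's DH public value.
    c1 = secrets.token_bytes(16)
    challenge = {"challenge": c1, "dh_pub": switch.pub}

    # 2. Reply: HBA -> switch. The HBA needs a secret for this switch to answer at all.
    hba_secret = hba.secrets.get(switch.name)
    if hba_secret is None:
        return failed
    k_hba = pow(challenge["dh_pub"], hba.priv, P)    # DH shared value, HBA side
    c2 = secrets.token_bytes(16)                     # HBA's own challenge for mutual auth
    reply = {"response": h(challenge["challenge"], hba_secret, int_bytes(k_hba)),
             "dh_pub": hba.pub, "challenge": c2}

    # 3. The switch verifies the reply against the secret it holds for the presented name.
    sw_secret = switch.secrets.get(hba.name)
    k_sw = pow(reply["dh_pub"], switch.priv, P)      # DH shared value, switch side
    expected = h(c1, sw_secret or b"", int_bytes(k_sw))
    hba_ok = sw_secret is not None and hmac.compare_digest(expected, reply["response"])
    if not hba_ok:
        return failed                                # Reject

    # 4. Success: switch -> HBA carries the switch's own response to c2.
    success = {"response": h(reply["challenge"], sw_secret, int_bytes(k_sw))}
    sw_ok = hmac.compare_digest(h(c2, hba_secret, int_bytes(k_hba)), success["response"])

    # Both sides derive a session key from the DH value; they agree only if it matched.
    key_hba, key_sw = h(b"key", int_bytes(k_hba)), h(b"key", int_bytes(k_sw))
    return {"hba_authenticated": hba_ok, "switch_authenticated": sw_ok,
            "key_agreed": sw_ok and key_hba == key_sw}


HBA_WWPN = "10:00:00:00:00:00:aa:aa"   # constructed identity


def scenarios() -> dict:
    good_sw = Party("switch-1", {HBA_WWPN: b"constructed-shared-secret"})
    good_hba = Party(HBA_WWPN, {"switch-1": b"constructed-shared-secret"})
    # Presents the authorized WWPN but holds the wrong secret: a WWN zone alone would admit it.
    name_only = Party(HBA_WWPN, {"switch-1": b"wrong-guess"})
    # A switch nobody provisioned a secret for, the case SLAP and DH-CHAP exist to reject.
    rogue_sw = Party("switch-x", {})
    return {
        "provisioned": dhchap_exchange(good_sw, good_hba),
        "name_only": dhchap_exchange(good_sw, name_only),
        "unprovisioned_switch": dhchap_exchange(rogue_sw, good_hba),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:22s} {result}")
```

Only the provisioned pair authenticates in both directions and agrees on a key; the node that presents the right WWN with the wrong secret and the unprovisioned switch both fail, which is the behaviour a defender wants to confirm when enabling DH-CHAP on a fabric that previously relied on WWN zoning.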


 



