The Storage Security Industry Forum (the security forum in SNIA) recommends a five-step review for improved storage network security.
Standards for secure networks
Since a security strategy is only as good as its weakest link, interoperability is essential. Currently, there are two primary standards for storage network security: FC-SP (Fibre Channel Security Protocol), which applies to FCP and FICON; and IETF IPS (Internet Engineering Task Force IP Storage), which applies to iSCSI and to the iFCP and FCIP gateway specifications that bridge IP block-based networks to Fibre Channel block-based networks.
Many other security attributes are covered by specifications such as FC-SW, FC-GS, FC-SB and other standards either approved or in development. Another key development for security is the Storage Networking Industry Association’s (SNIA’s) Storage Management Initiative Specification (SMI-S) standard, which includes a variety of security attributes.
ONE: Centralize and control management access
A security solution is only as good as the control over its management: each security feature should be administered from a single point of control by an administrator with designated authority to do so. Techniques for locking down the management network and its interfaces include centralizing management of the storage network at a single point of control using a management standard such as SMI-S; implementing basic security features such as IP membership lists for out-of-band management (proposed for the FC-SP standard); using the CT-Authentication capabilities of FC-GS-3 for in-band management; securing device management over web or command line interfaces with SSH or SSL; and integrating with single-sign-on solutions using RADIUS (RFC 2865).
TWO: Common authentication standard for all fabric devices
Authentication for multi-protocol storage networks is covered by two standards: the iSCSI gateway specification and FC-SP. Both mandate CHAP (RFC 1994), or DH-CHAP with the NULL DH group option, for interoperability. A single authentication solution gives companies an end-to-end authentication technique that can be managed in a common way. For servers, storage and storage network appliances, FC-SP mandates DH-CHAP for Fibre Channel N_Ports for interoperability. For iSCSI initiators, CHAP is the authentication standard in an iSCSI-to-FC gateway. Authentication between switches/directors in a storage network requires two-way DH-CHAP, as FC-SP mandates for E_Ports.
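The two-way exchange this step requires, shown as an added example that is not from the article or from SNIA: each side challenges the other and checks the RFC 1994 MD5 response, MD5(Identifier || secret || Challenge). The peer names, shared secrets and in-memory secret store are assumptions, and the Diffie-Hellman exchange that DH-CHAP adds on top of CHAP is not modelled.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP, MD5 algorithm: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """A switch or director that holds one shared secret per known peer.

    `secrets` (peer name -> secret) stands in for a real provisioning store; it is
    an assumption of this example, not part of any standard.
    """

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets
        self.ident = 0

    def challenge(self):
        # Fresh Identifier and random Challenge so a captured response cannot be replayed.
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, os.urandom(16)

    def respond(self, peer_name: str, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secrets[peer_name], challenge)

    def verify(self, identifier: int, challenge: bytes, peer_name: str, response: bytes) -> bool:
        secret = self.secrets.get(peer_name)
        if secret is None:  # unknown peer: reject without revealing why
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def mutual_auth(a: ChapPeer, b: ChapPeer):
    """Two-way CHAP between a and b; returns (a accepts b, b accepts a)."""
    ident, chal = a.challenge()
    name, resp = b.respond(a.name, ident, chal)
    a_ok = a.verify(ident, chal, name, resp)
    ident2, chal2 = b.challenge()
    name2, resp2 = a.respond(b.name, ident2, chal2)
    b_ok = b.verify(ident2, chal2, name2, resp2)
    return a_ok, b_ok


if __name__ == "__main__":  # constructed secrets for a demonstration run
    sw_a = ChapPeer("switch-A", {"switch-B": b"example-secret"})
    sw_b = ChapPeer("switch-B", {"switch-A": b"example-secret"})
    print(mutual_auth(sw_a, sw_b))
```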
THREE: Authorize and control devices joining the fabric
Once the devices have been authenticated, the next steps involve access controls, authorization and binding for each device that participates on the fabric. These techniques either have been or are being defined in the form of policies, including fabric membership lists and switch connection controls.
Switch Connectivity Objects, also proposed for FC-SP, describe authorized topologies for the fabric. Fabric Binding, as a required security attribute in the FC-SB-3 specification, delivers a high-integrity fabric and controls the fabric topology and domain IDs that are used. These are in addition (and complementary) to software- and hardware-enforced zoning.
Authorization techniques that use World Wide Names (WWNs) have the added flexibility that they can be installed and used without upgrading server, storage device or appliance firmware. This non-disruptive deployment has accelerated the adoption of fabric binding.
FOUR: Encrypt the data
The encryption of block data (management data was covered under step ONE) can be applied both to data “at rest” and to data “in flight.” Encryption for IP is well understood and commonly deployed: the standards require IPsec for iSCSI, iFCP and FCIP. For Fibre Channel, FC-SP may use ESP encryption (similar to ESP in IPsec) for confidentiality. Encryption of data at rest requires an advanced key management system, for which there are several solutions on the market today.
FIVE: Auditing, logging, and forensics
The last piece of the security puzzle is to log, track and report on what happened in the storage network. Especially with the new regulations, companies will need to be able to track and document any security breach and report it from a centralized point of control.
It is essential that a security solution be implemented end-to-end. Standards for security need to be open, interoperable and easy to understand, learn and administer. By implementing the security techniques covered in this article, companies should have a good foundation of security for their storage networks.