Feature

Stopping the Next Heist


Step 4:
Implement encryption solutions
The key to solving both of these problems is encryption. For out-of-band communication, more and more storage vendors are supporting secure communication protocols, such as SSH or HTTPS, on their management ports. For in-band support, there are host-based encryption systems and hardware encryption appliances. Only host-based encryption can encrypt data from the point of departure, but encryption software is very CPU-intensive. This can slow the transfer of data by as much as 50 percent. The other in-band choice is an encryption appliance that can go in the storage network and encrypt data as it's stored on the device, preventing readability even if a hacker is able to gain physical access.

Another vulnerability has to do with NFS and CIFS, which allow the sharing of files between multiple servers. This is collectively referred to as Network Attached Storage (NAS). A major challenge with NFS and CIFS is their simple host-based authentication mechanisms. If your IP address resolves to the appropriate hostname, you are given access to the shared directory. In addition, much of the authentication mechanism is sent in plaintext, telling a hacker exactly what addresses he or she needs to spoof.

Also vulnerable to spoofing are World Wide Names (WWNs) in a storage area network (SAN). WWNs are the Fibre Channel equivalent to MAC addresses. The ability to change the WWN is built right into the driver. Therefore, the common practice of WWN-based authentication is easy to defeat.

The same host-based encryption software and appliances described above can help tackle these authentication issues surrounding WWNs and NFS/CIFS. Two pieces of software--one running on the appliance and one running on the server to be authenticated--pass encrypted authentication information between each other to verify each other's identity. Someone simply spoofing the secure host's WWN wouldn't have this additional information. A recent advancement in Fibre Channel switches can also improve WWN-based authentication--the concept of port binding, where a WWN is bound to a particular port and is only granted access if it's seen at that port.

Step 5:
Turn off soft-zoning
But there's another authentication problem in Fibre Channel SANs--the use of soft-zoning. A zone is the Fibre Channel equivalent of a VLAN, with some differences. With hard-zoning, only members of a zone can access the devices in that zone. With soft-zoning, you can communicate with a device if you have its WWN, which is relatively easy to determine. While the solution to this seems simple--turn off soft-zoning--it hasn't been that easy. Usually, soft-zoning goes hand in hand with WWN-based authentication, and many people use WWN-based authentication to make easy changes. Today's switches let you pick and choose which authentication and zoning methods you want to use. The most secure combination, of course, would be hard-zoning with port-binding-based authentication.
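As an added illustration (not from the original article), the following Python model shows how a switch's access decision differs under soft zoning, hard zoning and port binding when a device on the wrong switch port presents a legitimate host's WWN. The WWNs, port numbers and zone layout are constructed values, and the class is a simplification, not any vendor's switch logic.

```python
from dataclasses import dataclass, field


@dataclass
class FabricSwitch:
    """Simplified model of a Fibre Channel switch's zoning/authentication policy."""
    wwn_zones: dict = field(default_factory=dict)   # zone -> member WWNs
    port_zones: dict = field(default_factory=dict)  # zone -> member switch ports
    bindings: dict = field(default_factory=dict)    # WWN -> bound switch port

    def soft_zone_allows(self, src_wwn, dst_wwn):
        # Soft zoning checks membership by WWN only: any device presenting a
        # member WWN that already knows the target WWN is allowed through.
        return any(src_wwn in m and dst_wwn in m for m in self.wwn_zones.values())

    def hard_zone_allows(self, src_port, dst_port):
        # Hard zoning enforces membership on the physical switch port, so the
        # WWN the initiator claims is irrelevant.
        return any(src_port in m and dst_port in m for m in self.port_zones.values())

    def binding_allows(self, src_wwn, src_port):
        # Port binding accepts a WWN only when it is seen at its bound port.
        return self.bindings.get(src_wwn) == src_port

    def hard_zone_with_binding_allows(self, src_wwn, src_port, dst_port):
        # The combination the article recommends as most secure.
        return self.binding_allows(src_wwn, src_port) and self.hard_zone_allows(src_port, dst_port)


HOST_WWN = "10:00:00:00:c9:11:11:11"    # constructed value
TARGET_WWN = "50:06:01:60:aa:bb:cc:01"  # constructed value
HOST_PORT, TARGET_PORT, ROGUE_PORT = 1, 8, 5


def build_fabric():
    return FabricSwitch(
        wwn_zones={"prod": {HOST_WWN, TARGET_WWN}},
        port_zones={"prod": {HOST_PORT, TARGET_PORT}},
        bindings={HOST_WWN: HOST_PORT},
    )


def spoofed_wwn_outcome():
    """Is a device on ROGUE_PORT presenting HOST_WWN granted access under each policy?"""
    sw = build_fabric()
    return {
        "soft_zoning": sw.soft_zone_allows(HOST_WWN, TARGET_WWN),
        "hard_zoning": sw.hard_zone_allows(ROGUE_PORT, TARGET_PORT),
        "port_binding": sw.binding_allows(HOST_WWN, ROGUE_PORT),
        "hard_zoning_plus_binding": sw.hard_zone_with_binding_allows(HOST_WWN, ROGUE_PORT, TARGET_PORT),
    }


def legitimate_host_outcome():
    """The real host on its bound port is still admitted under the strict combination."""
    return build_fabric().hard_zone_with_binding_allows(HOST_WWN, HOST_PORT, TARGET_PORT)
```

Only the soft-zoning check returns True for the spoofed device; hard zoning and port binding each deny it, while the legitimate host on its bound port is unaffected.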

This was first published in February 2006
