
Slide 1 © Copyright 2006 EMC Corporation. All rights reserved.

Security Requirements for SANs and Storage Systems
(original title: "Security Ansprüche an SAN's und Storage Systeme")

Rheinlandtreffen, 7./8. November 2006, Schloß Birlinghoven, St. Augustin
Ralf Sczepanski, EMC Deutschland GmbH
www.decus.de

Slide 2

Agenda

Security in the SAN
– Fundamentals, terminology
– SAN security

What the individual vendors do
• Brocade
• Cisco

IP security
– Management of the switches
– iSCSI

Security on storage systems
– LUN masking
– Data encryption
– Outlook


Slide 3

Networked Storage Technologies

(Diagram: the four technologies arranged along an Information Lifecycle Management axis.)

CAS (Content Addressed Storage)
– Archives unchanging data
– Frees up primary storage
– Uses existing IP network

iSCSI SAN
– Allows servers to securely share storage (disk or tape)
– Consolidates storage
– Uses existing IP network

NAS (Network-attached storage)
– Facilitates file sharing
– Consolidates servers and storage
– Uses existing IP network

SAN (Storage-area network)
– Allows servers to securely share storage (disk or tape)
– Consolidates storage
– Dedicated storage network: Fibre Channel and IP

Slide 4

Deploying a SAN

Increases storage utilization
– Scale servers separately from storage
– Allocate storage to applications when needed
– Improves storage utilization
– Mix operating system environments

Increases flexibility
– Leverage storage replicas for testing patches and applications

Provides higher availability
– Eliminate downtime caused by backups
– Drastically reduce recovery time

Delivers highest performance

Eliminate "islands of storage" within physical servers using a SAN; easily allocate more storage.

(Diagram: UNIX and Windows servers attached over Fibre Channel to shared storage.)


Slide 5

Today's SAN: Fibre Channel or IP

Saves money by improving storage usage. Improves productivity by centralizing management.

(Diagram: servers/applications attached by iSCSI or Fibre Channel to a Fibre Channel SAN and an IP SAN holding the storage/application data; a remote mirror of the application data is reached across the WAN via FCIP or iFCP.)

Slide 6

Using Multi-Protocol Switches as iSCSI Gateway

Multi-protocol switching
– Connects servers to the SAN using iSCSI
– Consolidates storage of small servers
– Can reduce attachment cost
– Consolidate inside or outside the data center
– Use excess array capacity

Ideal when you have:
– An existing Fibre Channel SAN
– Stranded applications requiring storage consolidation
– No file-server sprawl

(Diagram: an IP SAN bridged into the Fibre Channel SAN through the multi-protocol switch.)


Slide 7

SAN Security

Slide 8

SAN Security

SAN security risks *
– Unauthorized and/or unauthenticated SAN access
– Insecure management access
– World Wide Name (WWN) spoofing
– Management controls allowed from different access points

SAN security solution *
– Secure role-based management with centralized authentication, authorization and logging of all changes
– Centralized authentication of devices connected to the network, to ensure that only authorized devices can be connected
– Traffic isolation and access controls, so that a device connected to the network can securely send and receive its data and is protected from the activities of other devices in the network
– Encryption of all data leaving the storage network for business continuance, remote vaulting and backup

* Source: Brocade and Cisco


Slide 9

SAN Security

Zoning
– Port zoning
– WWN zoning (recommended)
– Single-HBA zoning

Management of the switches (over IP)
– Access to the management ports
– Unused SAN ports on switches and routers

VLANs, Virtual Fabrics

Encryption of the data
– In the SAN
– On an IP link

Slide 10

Port Zoning

Zoning by the switch's domain ID and port number, i.e. by the fabric address (S_ID) the switch assigns to whatever is plugged into that port. Membership is tied to the physical port, not to the device: a spoofed WWN gains nothing, but moving a cable silently moves the access with it, and anything cabled into a zoned port inherits that zone.


Slide 11

WWN Zoning / Single-HBA Zoning

WWN zoning: zoning by the WWN of the attached node. Each Fibre Channel node has two kinds of WWN: a Port WWN (WWPN) and a Node WWN (WWNN). The WWPN is a unique number assigned to the physical Fibre Channel port, and it is the name to use when creating WWN zones (a WWNN can be shared by several ports of one node, so zoning by WWNN admits more than intended). Because membership follows the WWPN, a device keeps its access when it is re-cabled; conversely, any HBA that presents a zoned WWPN is admitted regardless of where it is plugged in, which is why WWN zoning should be paired with port binding or fabric authentication against the WWN-spoofing risk listed on slide 8.

Single-HBA zoning: each individual zone contains one (and only one) initiator (HBA). The single-initiator zone may contain more than one target Fibre Channel director port, up to the fan-in limit.
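Added example, not part of the original presentation and not a vendor tool: a small audit of the rules just stated. It takes a zone configuration as text (the format, one zone per line with members separated by semicolons, is a constructed simplification of a switch's zone listing), checks that every WWN member is a syntactically valid WWPN, classifies members as initiator or target from an inventory table (constructed here; in a real fabric it would come from the name server or the asset list), and flags zones that contain more than one initiator, i.e. violate single-HBA zoning. Port-zoning members ("domain,port") are reported rather than rejected. All WWPNs are hypothetical.

```python
import re

# One WWN = eight colon-separated hex bytes, e.g. 10:00:00:00:c9:3a:11:01
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
PORT_MEMBER_RE = re.compile(r"^\d+,\d+$")          # "domain,port" (port zoning)

# Constructed inventory: WWPN -> role. In a real fabric this comes from the
# name server (FC-4 feature bits) or the HBA/array asset list. Hypothetical WWPNs.
INVENTORY = {
    "10:00:00:00:c9:3a:11:01": "initiator",  # host1 HBA
    "10:00:00:00:c9:3a:11:02": "initiator",  # host2 HBA
    "50:06:04:82:cc:a1:7b:01": "target",     # array front-end port 1
    "50:06:04:82:cc:a1:7b:02": "target",     # array front-end port 2
}

# Constructed zone configuration, one zone per line: "zone: <name> <members>"
# with members separated by ';' (a flattened, simplified zone listing).
ZONE_CONFIG = """\
zone:  host1_fa1    10:00:00:00:c9:3a:11:01; 50:06:04:82:cc:a1:7b:01
zone:  host2_fa2    10:00:00:00:c9:3a:11:02; 50:06:04:82:cc:a1:7b:02
zone:  backup_all   10:00:00:00:c9:3a:11:01; 10:00:00:00:c9:3a:11:02; 50:06:04:82:cc:a1:7b:01
zone:  legacy_port  1,4; 50:06:04:82:cc:a1:7b:02
zone:  typo_zone    10:00:00:00:c9:3a:11:0g; 50:06:04:82:cc:a1:7b:01
"""


def parse_zones(text):
    """Return {zone_name: [member, ...]} from the one-line-per-zone format."""
    zones = {}
    for line in text.splitlines():
        m = re.match(r"^\s*zone:\s+(\S+)\s+(.*)$", line)
        if m:
            zones[m.group(1)] = [x.strip() for x in m.group(2).split(";") if x.strip()]
    return zones


def check_zone(name, members, inventory=INVENTORY):
    """Return a list of findings for one zone; an empty list means it passes."""
    findings = []
    initiators = targets = unclassified = 0
    for member in members:
        if PORT_MEMBER_RE.match(member):
            # Port-zoning member: enforced on the physical port, so a spoofed
            # WWPN gains nothing, but whatever is cabled into that port inherits
            # the zone. Mixing it with WWN members is worth a look.
            findings.append(f"{name}: port-zoning member {member} (mixed with WWN zoning)")
            unclassified += 1
            continue
        if not WWN_RE.match(member):
            findings.append(f"{name}: malformed WWN '{member}'")
            unclassified += 1
            continue
        role = inventory.get(member.lower())
        if role == "initiator":
            initiators += 1
        elif role == "target":
            targets += 1
        else:
            findings.append(f"{name}: unknown WWPN {member} (not in inventory)")
            unclassified += 1
    if initiators > 1:
        findings.append(f"{name}: {initiators} initiators, violates single-HBA zoning")
    if initiators == 0 and unclassified == 0:
        findings.append(f"{name}: no initiator")
    if targets == 0 and unclassified == 0:
        findings.append(f"{name}: no target")
    return findings


def audit(text, inventory=INVENTORY):
    """Audit every zone in a configuration; returns {zone_name: [findings]}."""
    return {name: check_zone(name, members, inventory)
            for name, members in parse_zones(text).items()}


if __name__ == "__main__":
    for zone, problems in audit(ZONE_CONFIG).items():
        print(zone, "OK" if not problems else problems)
```

Run against the constructed configuration, the two single-initiator zones pass, backup_all is reported for carrying two HBAs, legacy_port for its port member, and typo_zone for a WWN that is not hex. An audit like this only catches configuration errors; it cannot tell whether the WWPN it sees really belongs to the HBA in the inventory, which is the spoofing gap the port binding and DH-CHAP features discussed later are meant to close.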

Slide 12

VSAN (Cisco) / Virtual Fabrics (Brocade)

With the coming of higher port-density switches, the desire for centralized management and the mixture of multiple business-unit fabrics, there is a need for a greater degree of separation.
– Create multiple logical SANs over a common infrastructure
– VSANs and Virtual Fabrics may span ISLs to other switches

Benefits
– Traffic isolation
– Redundancy
– Replication of fabric services

(Diagram: a green VF and a purple VF sharing the same physical switches.)


Slide 13

Cisco: VSAN, SAN Security

Slide 14

Virtual SANs (VSANs) Deliver Security and Scalability

Eliminate costs associated with separate physical fabrics: overlay isolated virtual fabrics on the same physical infrastructure.
– Each VSAN contains zones and separate (replicated) fabric services

Availability
– Isolate virtual fabrics from fabric-wide faults/reconfigurations

Scalability
– Replicated fabric services per VSAN

Security
– Complete hardware isolation

(Diagram: Department/Customer A and Department/Customer B on a VSAN-enabled fabric, with a separate management VSAN, VSAN trunks between the switches, and shared storage.)


Slide 15

Intelligent SAN Security

Secure SAN management via role-based access
– 64 customizable roles
– Roles apply to command-line interface (CLI), SNMP, and Web access
– Full accounting support

Secure-management protocols, including Secure Shell, SFTP, and SNMPv3

Secure switch-control protocols, leveraging IPsec ESP to yield FC-SP

Port and Worldwide Name (WWN) zoning

Full RADIUS support for switch and iSCSI host authentication

(Diagram labels: device-/SAN-management security via SSH, SFTP, SNMPv3 and user roles; SAN protocol security (FC-SP); VSANs provide secure isolation; iSCSI-attached servers; hardware-based zoning via port and WWN; RADIUS server for iSCSI authentication; shared physical storage.)

Slide 16

Brocade: Virtual Fabrics, Administrative Domains, SAN Security


Slide 17

Brocade Fabric OS Roadmap

(Roadmap chart; not reproduced in the transcript.)

Slide 18

Quantum Release, FOS 5.2.0: Manageability, Security, Scalability

Administrative Domains
– Partition a fabric into separate management domains

Role-based Access Control
– New switch logins with specific capabilities (admin, operator, zone manager, etc.)

Improved audit logging
– Capture events or configuration changes along with user and content information

Security features in standard FOS
– Port binding (ACL): enforce the configuration
– Authentication of edge devices (DH-CHAP)

FCIP enhancements (encryption, turbo-write)

Switch configuration management


Slide 19

Fabric Operating System 5.2.0 (Quantum): Enhanced Base Security, ACLs

Adding device and switch connection controls to the base Fabric OS
– Switch Connection Control (SCC) and Device Connection Control (DCC) policies
– FICON cascading will no longer require Secure Fabric OS

Adding policy distribution mechanisms to the base Fabric OS
– Opens the door for automated policies of all kinds, not just security policies

Ability to manually distribute passwords among participating switches (push)

Unable to join an SFOS fabric
– Interoperation with SFOS is through the MPR

DH-CHAP between switches
– Certificates are no longer required

Non-disruptive migration to the new ACLs from SFOS

Future (a later release)
– Trusted switch and management ACLs
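Added example, not Brocade's code and not the original presentation's: a model of what the two policy types on this slide decide, written as plain Python data and two evaluation functions. The DCC policy binds each device WWPN to the switch port(s) it may log in on; the SCC policy lists the switch WWNs allowed to form an ISL. The spoof scenario shows the point of port binding against the WWN-spoofing risk from slide 8: the same copied WWPN that plain WWN zoning would admit is refused by DCC when it arrives on a port it is not bound to. Policy contents, port numbers and WWNs are constructed; the DH-CHAP outcome is passed in as a flag rather than computed.

```python
# SCC policy: WWNs of switches allowed to form E_Port (ISL) links into this fabric.
SCC_POLICY = {"10:00:00:05:1e:01:02:03", "10:00:00:05:1e:04:05:06"}

# DCC policy: device WWPN -> set of (domain, port) pairs it may log in on.
# A whitelist: anything not listed is refused until an administrator adds it.
DCC_POLICY = {
    "10:00:00:00:c9:3a:11:01": {(1, 4)},            # host1 HBA, domain 1 port 4
    "10:00:00:00:c9:3a:11:02": {(1, 5)},            # host2 HBA, domain 1 port 5
    "50:06:04:82:cc:a1:7b:01": {(1, 12), (2, 12)},  # array port, dual-attached
}


def evaluate_flogi(wwpn, domain, port, dcc=DCC_POLICY):
    """Admit or refuse an N_Port fabric login (FLOGI) under the DCC policy.

    Returns (admitted, reason). WWN zoning asks only "is this WWPN in a
    zone"; DCC asks "is this WWPN arriving on the port it was bound to",
    so a copied WWPN on another port is refused before zoning is consulted.
    """
    allowed = dcc.get(wwpn.lower())
    if allowed is None:
        return False, "WWPN not in DCC policy"
    if (domain, port) not in allowed:
        return False, f"WWPN bound to {sorted(allowed)}, seen on ({domain}, {port})"
    return True, "ok"


def evaluate_isl(switch_wwn, dh_chap_ok, scc=SCC_POLICY):
    """Admit or refuse a switch joining over an E_Port under the SCC policy.

    dh_chap_ok stands in for the outcome of the DH-CHAP exchange the slide
    lists; it is a constructed input here. SCC on its own only compares
    WWNs, so without DH-CHAP it is as spoofable as WWN zoning.
    """
    if switch_wwn.lower() not in scc:
        return False, "switch WWN not in SCC policy"
    if not dh_chap_ok:
        return False, "DH-CHAP authentication failed"
    return True, "ok"


def wwn_zoning_would_admit(wwpn, zone_members):
    """What plain WWN zoning decides for the same login: membership only."""
    return wwpn.lower() in {m.lower() for m in zone_members}


def spoof_scenario(zone_members=("10:00:00:00:c9:3a:11:01", "50:06:04:82:cc:a1:7b:01")):
    """An attacker plugs into domain 1 port 7 and presents host1's WWPN.

    Returns (zoning_decision, dcc_decision) so the two can be compared.
    """
    spoofed = "10:00:00:00:c9:3a:11:01"
    return wwn_zoning_would_admit(spoofed, zone_members), evaluate_flogi(spoofed, 1, 7)[0]


if __name__ == "__main__":
    print("legitimate host1 on its bound port:", evaluate_flogi("10:00:00:00:c9:3a:11:01", 1, 4))
    print("spoofed host1 on port 7 (zoning admits, DCC admits):", spoof_scenario())
    print("ISL from a listed switch that fails DH-CHAP:",
          evaluate_isl("10:00:00:05:1e:01:02:03", dh_chap_ok=False))
```

The price of the whitelist is operational: replacing an HBA or re-cabling a server is a policy change, not just a zoning change, which is why the slide pairs these ACLs with policy distribution and non-disruptive migration.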

Slide 20

Fabric Operating System 5.2.0 (Quantum): Admin Domains

Admin Domains and fabric zoning are complementary.

Relationship
– Assign physical ports or WWNs to Admin Domains
– Then configure zones per Virtual Fabric

Admin Domains partition the physical infrastructure.
– Zones are still required to allow device sharing, just as today
– Zones can change frequently (e.g., backup), just as today
– Ports can be added to or removed from an Admin Domain non-disruptively

(Diagram "Overview of Admin Domains vs. Zones": one physical fabric split into AD_1 and AD_10; hosts Host1 to Host4 and disks Disk1 to Disk6 are grouped into HR_Zone, ERP_Zone, Shared_Zone, Backup_zone and Sales_zone inside the Admin Domains.)


Slide 21

Fabric Operating System 5.2.0 (Quantum): Virtual Fabrics

VF provides management separation/partitioning across the SAN.
– All devices are in AD0 by default
– Devices can be re-assigned to different ADs non-disruptively
– RSCNs are still confined within a zone
– ADs are defined by WWN or port
– All ports on a physical switch share one domain ID, so no complicated routing is needed

Slide 22

Fabric Operating System 5.2.0 (Quantum): Virtual Fabrics, continued

– Each VF can have its own administrator and users
– ADs can overlap, just like zones, without any additional steps
– Each VF has a separate zoning database and distribution
– Each VF has its own name server view
– All VF changes are non-disruptive
– All ISLs are still shared within the fabric

Zoning and VF are complementary
– Zoning is for access control
– VF is for management control/views

(Diagram: green VF and purple VF.)


Slide 23

IP Security

Management of the switches; iSCSI

Slide 24

Security requirements for switch management and iSCSI

Standard IP security, plus:
– A separate VLAN (management LAN), which should be protected by a firewall
– Secure Telnet, Secure Shell
– SNMPv3
– ...
– Separate accounts according to the rights each task actually needs


Slide 25

iSCSI

iSCSI (Internet Small Computer System Interface) is an IP-based storage networking standard for linking data storage facilities, developed by the Internet Engineering Task Force (RFC 3720). By transmitting SCSI commands over IP networks, iSCSI provides block-level transfers over intranets (as opposed to the file sharing found in NAS). The iSCSI initiator issues commands to the target, which fulfils the client's request. The target typically has one or more logical unit numbers (LUNs) that process the initiator's commands. These commands are contained in a Command Descriptor Block (CDB) that has been issued by the host operating system and encapsulated by the iSCSI driver. In the case of a read, the target LUN begins transferring the requested blocks back to the initiator; the iSCSI driver then presents the data in a form the host operating system recognizes.

Because the transport is ordinary IP, anyone who can reach the target portal can attempt a login. The protection iSCSI itself offers is login authentication (CHAP, with mutual CHAP so that the initiator also verifies the target); confidentiality on the wire, where needed, comes from IPsec underneath it.

Slide 26

iSCSI I/O path

1. The customer application initiates an I/O request to the iSCSI drive.
2. The iSCSI driver encapsulates the CDB transaction and transmits the I/O over a 10/100 or GE NIC card or TOE engine.
3. The network switch routes the packet to the appropriate iSCSI router.
4. The iSCSI device decodes the packet and routes the I/O to the appropriate LUN.
5. The LUN services the application request.
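Added example, not part of the original presentation: the CHAP exchange that protects the iSCSI login on slides 24 and 25, with both sides simulated in one process. iSCSI carries CHAP as login key=value pairs: the target offers CHAP_A (5 = MD5), sends an identifier CHAP_I and a random challenge CHAP_C, and the initiator answers with its name CHAP_N and CHAP_R = MD5(CHAP_I || secret || CHAP_C) as defined in RFC 1994. For mutual CHAP the initiator then challenges the target the same way, so a rogue target cannot simply accept any login and serve fake LUNs. Names, secrets and the challenge generator are constructed; the reflection check and the minimum secret length follow the CHAP considerations in RFC 3720.

```python
import hashlib
import hmac
import os

# Constructed names and secrets (hypothetical). RFC 3720 discourages CHAP
# secrets shorter than 96 random bits (12 bytes) and requires that initiator
# and target use different secrets in a mutual-CHAP login.
INITIATOR_NAME = "iqn.2006-11.de.example:host1"
TARGET_NAME = "iqn.2006-11.de.example.array:fa1"
INITIATOR_SECRET = b"host1-initiator-secret-3f9a"
TARGET_SECRET = b"array-target-secret-7c21"
MIN_SECRET_LEN = 12


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5 (CHAP_A=5): MD5(id byte || secret || challenge)."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("CHAP secret shorter than 12 bytes")
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def encode_binary(value):
    """iSCSI sends binary key values as 0x-prefixed hex strings."""
    return "0x" + value.hex()


def decode_binary(text):
    if not text.lower().startswith("0x"):
        raise ValueError("expected a 0x-hex value")
    return bytes.fromhex(text[2:])


class ChapPeer:
    """One end of the login: its own name, the secret it answers with, and the
    secrets it knows for the peers it has to verify."""

    def __init__(self, name, own_secret, peer_secrets):
        self.name = name
        self.own_secret = own_secret
        self.peer_secrets = peer_secrets   # peer CHAP_N -> that peer's secret
        self._ident = None
        self._challenge = None

    def challenge(self, rng=os.urandom):
        """Emit CHAP_A/CHAP_I/CHAP_C. A fresh random challenge per login is
        what stops replay of a previously captured CHAP_R."""
        self._ident = rng(1)[0]
        self._challenge = rng(16)
        return {"CHAP_A": "5", "CHAP_I": str(self._ident),
                "CHAP_C": encode_binary(self._challenge)}

    def answer(self, msg):
        """Answer the peer's challenge with CHAP_N/CHAP_R."""
        if msg.get("CHAP_A") != "5":
            raise ValueError("only CHAP_A=5 (MD5) is supported here")
        r = chap_response(int(msg["CHAP_I"]), self.own_secret, decode_binary(msg["CHAP_C"]))
        return {"CHAP_N": self.name, "CHAP_R": encode_binary(r)}

    def verify(self, msg):
        """Check CHAP_R against the secret registered for CHAP_N; one use per challenge."""
        secret = self.peer_secrets.get(msg.get("CHAP_N"))
        if secret is None or self._challenge is None:
            return False
        expected = chap_response(self._ident, secret, self._challenge)
        self._challenge = None            # consume the challenge: no replay
        return hmac.compare_digest(expected, decode_binary(msg["CHAP_R"]))


def make_peers(initiator_secret_known_to_target=INITIATOR_SECRET):
    """Build initiator and target; the argument lets a caller mis-register a secret."""
    initiator = ChapPeer(INITIATOR_NAME, INITIATOR_SECRET, {TARGET_NAME: TARGET_SECRET})
    target = ChapPeer(TARGET_NAME, TARGET_SECRET,
                      {INITIATOR_NAME: initiator_secret_known_to_target})
    return initiator, target


def login(initiator, target, mutual=True):
    """Run the CHAP part of an iSCSI login; True only if every check passes."""
    if mutual and initiator.own_secret == target.own_secret:
        # The same secret in both directions enables a reflection attack.
        raise ValueError("initiator and target CHAP secrets must differ")
    # Target authenticates the initiator.
    if not target.verify(initiator.answer(target.challenge())):
        return False
    if not mutual:
        return True
    # Mutual CHAP: the initiator authenticates the target before trusting its LUNs.
    return initiator.verify(target.answer(initiator.challenge()))


if __name__ == "__main__":
    print("mutual CHAP login:", login(*make_peers()))
    print("target holds the wrong initiator secret:", login(*make_peers(b"not-the-right-secret")))
```

CHAP proves knowledge of the secret without sending it, but it does nothing for the SCSI traffic that follows: the session data is still cleartext on the management-separated VLAN the previous slide asks for, and an attacker who can see the challenge and response can run an offline dictionary attack on a weak secret, which is why the length check matters.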


Slide 27

Security of Storage Systems

LUN masking; data encryption; outlook

Slide 28

LUN Masking

LUN masking is a RAID-system-centric, array-enforced method of hiding the multiple LUNs behind a single array port from all but the intended hosts. Using the World Wide Port Names (WWPNs) of the server HBAs, LUN masking is configured at the RAID-array level. It allows disk storage resources to be shared across multiple independent servers: a single large RAID device can be subdivided to serve a number of different hosts attached to it through the SAN fabric, and each LUN inside the RAID device (a disk slice, portion or unit) can be restricted so that only one or a limited number of servers can see it.

LUN masking can be done either at the RAID device (behind the RAID port) or at the server HBA. Masking at the RAID device is more secure, because the array enforces it regardless of what the host does; not all RAID devices have LUN masking capability, though, so some HBA vendors allow persistent binding at the driver level as a substitute. Host-side binding is configuration on the very machine it is meant to restrict, so it prevents accidents but not a compromised or misconfigured host.

Zoning and masking work at different layers and are meant to be used together: zoning decides which WWPNs may talk to which array ports, masking decides which LUNs on that port a given WWPN is offered. Since masking keys on the WWPN, it inherits WWN zoning's exposure to WWN spoofing.
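Added example, not part of the original presentation and not an EMC tool: the combined effect of fabric zoning and array-side LUN masking, worked out over constructed data. Host WWPNs, array port WWPNs, zone membership and the masking table are all hypothetical. A host can address a LUN only if zoning lets it reach the array port and the masking table on that port offers the LUN to the host's WWPN; with masking switched off on a port, every zoned host gets every LUN behind it. The review findings are the two states worth looking for: an unmasked port, and masking entries for hosts that are not zoned to that port (stale, or waiting to become live the moment someone adds a zone).

```python
# Active zone set (WWN zoning): zone name -> set of member WWPNs. Constructed.
ZONES = {
    "host1_fa1": {"10:00:00:00:c9:3a:11:01", "50:06:04:82:cc:a1:7b:01"},
    "host2_fa1": {"10:00:00:00:c9:3a:11:02", "50:06:04:82:cc:a1:7b:01"},
    "host3_fa2": {"10:00:00:00:c9:3a:11:03", "50:06:04:82:cc:a1:7b:02"},
}

# Array front-end ports: LUNs presented on each port, whether masking is
# enforced there, and the masking table host WWPN -> LUNs. Constructed.
ARRAY = {
    "50:06:04:82:cc:a1:7b:01": {
        "luns": {0, 1, 2, 3},
        "masking_enabled": True,
        "mask": {
            "10:00:00:00:c9:3a:11:01": {0, 1},
            "10:00:00:00:c9:3a:11:02": {2},
            "10:00:00:00:c9:3a:11:04": {3},   # host4 is not zoned to this port
        },
    },
    "50:06:04:82:cc:a1:7b:02": {
        "luns": {10, 11},
        "masking_enabled": False,             # legacy port: no masking at all
        "mask": {},
    },
}


def zoned_pairs(zones, array_ports):
    """All (host_wwpn, array_port_wwpn) pairs the fabric lets talk to each other."""
    pairs = set()
    for members in zones.values():
        hosts, ports = members - array_ports, members & array_ports
        pairs.update((h, p) for h in hosts for p in ports)
    return pairs


def effective_visibility(zones=ZONES, array=ARRAY):
    """{host_wwpn: {port_wwpn: LUNs}} the host can actually address.

    A LUN is reachable only if zoning allows the host to reach the port AND
    masking on that port offers the LUN to that host's WWPN. With masking
    off, every zoned host gets every LUN on the port.
    """
    visible = {}
    for host, port in zoned_pairs(zones, set(array)):
        cfg = array[port]
        if cfg["masking_enabled"]:
            luns = cfg["mask"].get(host, set()) & cfg["luns"]
        else:
            luns = set(cfg["luns"])
        if luns:
            visible.setdefault(host, {})[port] = luns
    return visible


def findings(zones=ZONES, array=ARRAY):
    """Review findings: unmasked ports, and mask entries that zoning does not back."""
    out = []
    pairs = zoned_pairs(zones, set(array))
    for port, cfg in array.items():
        if not cfg["masking_enabled"]:
            zoned_hosts = sorted(h for h, p in pairs if p == port)
            out.append(f"port {port}: masking disabled, LUNs {sorted(cfg['luns'])} "
                       f"visible to every zoned host {zoned_hosts}")
        for host, luns in cfg["mask"].items():
            if (host, port) not in pairs:
                # Not reachable today, but live the moment a matching zone appears.
                out.append(f"port {port}: mask entry for {host} (LUNs {sorted(luns)}) "
                           f"but the host is not zoned to this port")
            stray = luns - cfg["luns"]
            if stray:
                out.append(f"port {port}: mask for {host} names LUNs {sorted(stray)} "
                           f"that are not presented on this port")
    return out


if __name__ == "__main__":
    for host, ports in sorted(effective_visibility().items()):
        print(host, {p: sorted(l) for p, l in ports.items()})
    for line in findings():
        print("FINDING:", line)
```

Both inputs are usually exported from different consoles (the switch for zoning, the array for masking); reconciling them like this is how a reviewer finds the LUN that is "protected" by a mask nobody can reach, or the legacy port on which zoning is the only control left.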


Slide 29

LUN Masking using the example of the EMC Symmetrix storage system

(Screenshot/diagram; not reproduced in the transcript.)

Slide 30

Data Encryption

e.g. from Decru

(Diagram; not reproduced in the transcript.)


Slide 31

Outlook