Rheinlandtreffen 8. November 2006
www.decus.de 1
1© Copyright 2006 EMC Corporation. All rights reserved.
Security Requirements for SANs and Storage Systems
Rheinlandtreffen 7./8.11.2006, Schloß Birlinghoven, St. Augustin
Ralf Sczepanski, EMC Deutschland GmbH
2© Copyright 2006 EMC Corporation. All rights reserved.
Agenda
Security in the SAN
– Basics, definitions
– SAN security
– What the individual vendors do
• Brocade
• Cisco
IP security
– Management of the switches
– iSCSI
Security on storage systems
– LUN masking
– Data encryption
– Future
Networked Storage Technologies
[Figure: Networked Storage Technologies under Information Lifecycle Management, with panels for SAN (storage-area network; dedicated storage network, Fibre Channel and IP), iSCSI SAN, NAS (network-attached storage) and CAS (content addressed storage). Callouts: consolidates storage; consolidates servers and storage; uses existing IP network; allows servers to securely share storage (disk or tape); facilitates file sharing; archives unchanging data; frees up primary storage]
Deploying a SAN
Increases storage utilization
– Scale servers separately from storage
– Allocate storage to applications when needed
– Improves storage utilization
– Mix operating system environments
Increases flexibility
– Leverage storage replicas for testing patches and applications
Provides higher availability
– Eliminate downtime caused by backups
– Drastically reduce recovery time
Delivers highest performance
Eliminate "islands of storage" within physical servers using a SAN
Easily allocate more storage
[Figure: UNIX and Windows servers attached to shared storage over a Fibre Channel SAN]
Today’s SAN—Fibre Channel or IP
Saves money by improving storage usage. Improves productivity by centralizing management.
[Figure: servers/applications connected over iSCSI (IP SAN) or Fibre Channel (Fibre Channel SAN) to storage/application data, with a remote mirror of application data reached across the WAN via FCIP or iFCP]
Using Multi-Protocol Switches as iSCSI Gateway
Multi-protocol switching
– Connects servers to the SAN using iSCSI
– Consolidate storage of small servers
– Can reduce attachment cost
– Consolidate inside or outside the data center
– Use excess array capacity
Ideal when you have:
– An existing Fibre Channel SAN
– Stranded applications requiring storage consolidation
– No file-server sprawl
[Figure: an IP SAN and a Fibre Channel SAN joined through a multi-protocol switch acting as iSCSI gateway]
SAN Security
SAN Security
SAN security risk *
– Unauthorized and/or unauthenticated SAN access
– Insecure management access
– World Wide Name (WWN) spoofing
– Management controls allowed from different access points
SAN security solution *
– Secure role-based management with centralized authentication, authorization and logging of all changes
– Centralized authentication of devices connected to the network to ensure that only authorized devices can be connected to the network
– Traffic isolation and access controls that ensure that a device connected to the network can securely send/receive its data and is protected from activities of other devices in the network
– Encryption of all data leaving the storage network for business continuance, remote vaulting and backup
* Source: Brocade and Cisco
SAN Security
Zoning
– Port zoning
– WWN zoning (recommended)
– Single-HBA zoning
Management of the switches (over IP)
– Access to the management ports
– Unused SAN ports of the switches and routers
VLAN, Virtual Fabrics
Encryption of the data
– In the SAN
– On an IP link
Port Zoning
Zoning by a switch's domain/port numbers forming the S_ID.
WWN Zoning
Zoning by a WWN of the attached node. Each Fibre Channel node has two WWNs: a Port WWN (WWPN) and a Node WWN (WWNN). The WWPN is a unique number assigned to the physical Fibre Channel port, and is the name to be used in creating WWN zoning.
Single HBA Zoning
Single-HBA zoning specifies that in each individual zone there should be one (and only one) initiator (HBA) participating in that zone. The single-initiator (HBA) zone may contain more than one target Fibre Channel director port, up to the fan-in limit.
VSAN (Cisco), Virtual Fabrics (Brocade)
With the coming of higher port density switches, the desire for centralized management, and the mixture of multiple business unit fabrics, there is a need for a greater degree of separation.
Create multiple logical SANs over a common infrastructure.
VSANs and Virtual Fabrics may span ISLs to other switches.
Benefits
– Traffic isolation
– Redundancy
– Replication of fabric services
[Figure: a Green VF and a Purple VF sharing one physical fabric]
Cisco: VSAN, SAN Security
Virtual SANs (VSANs) Deliver Security and Scalability
Eliminate costs associated with separate physical fabrics: overlay isolated virtual fabrics on the same physical infrastructure
– Each VSAN contains zones and separate (replicated) fabric services
Availability
– Isolate virtual fabrics from fabric-wide faults/reconfigurations
Scalability
– Replicated fabric services per VSAN
Security
– Complete hardware isolation
[Figure: a VSAN-enabled fabric with VSAN trunks separating Department/Customer A, Department/Customer B and a management VSAN over shared storage]
Intelligent SAN Security
Secure SAN management via role-based access
– 64 customizable roles
– Roles apply to command-line interface (CLI), SNMP, and Web access
– Full accounting support
Secure-management protocols, including Secure Shell, SFTP, and SNMPv3
Secure switch-control protocols, leveraging IPsec ESP to yield FC-SP
Port and Worldwide Name (WWN) zoning
Full RADIUS support for switch and iSCSI host authentication
[Figure: device/SAN-management security via SSH, SFTP, SNMPv3 and user roles; SAN protocol security (FC-SP); VSANs provide secure isolation; iSCSI-attached servers; hardware-based zoning via port and WWN; RADIUS server for iSCSI authentication; shared physical storage]
Brocade: Virtual Fabrics, Administrative Domains, SAN Security
Brocade Fabric OS Roadmap
Quantum Release, FOS 5.2.0: Manageability, Security, Scalability
Administrative Domains
– Partition a fabric into separate management domains
Role-based Access Control
– New switch logins with specific capabilities (admin, operator, zone mgr, etc.)
Improved audit logging
– Capture events or config changes along with user and content info
Security features in standard FOS
– Port binding (ACL), enforce configuration
– Authentication to edge devices (DH-CHAP)
FCIP enhancements (encryption, turbowrite)
Switch Configuration Management
Fabric Operating System 5.2.0 (Quantum) Enhanced Base Security - ACLs
Adding device and switch connection controls to the base Fabric OS
– Switch Connection Control (SCC) and Device Connection Control (DCC) policies
– FICON cascading will no longer require Secure Fabric OS
Adding policy distribution mechanisms to the base Fabric OS
– Opens the door for automated policies of all kinds, not just security policies
Ability to manually distribute passwords among participating switches (push)
Unable to join an SFOS fabric
– Interop with SFOS is through the MPR
DH-CHAP between switches
– Certificates are no longer required
Non-disruptive migration to the new ACLs from SFOS
Future (future release)
– Trusted switch and Management ACLs
Fabric Operating System 5.2.0 (Quantum) Admin Domains
Admin Domains and fabric zoning are very complementary
Relationship
– Assign physical ports or WWNs to Admin Domains
– Then configure zones per Virtual Fabric
Admin Domains partition the physical infrastructure
Zones are required to allow device sharing, just like today
Zones can change frequently (e.g., backup), just like today
Ports can be added/removed non-disruptively from an Admin Domain
[Figure: Overview of Admin Domains vs. Zones. A physical fabric with Admin Domains AD_1 and AD_10 holding Host1 to Host4 and Disk1 to Disk6, overlaid by the zones HR_Zone, ERP_Zone, Shared_Zone, Backup_zone and Sales_zone]
Fabric Operating System 5.2.0 (Quantum) Virtual Fabrics
VF provides management separation/partitioning across the SAN
All devices are in AD0 by default
– Devices can be re-assigned to different ADs non-disruptively
RSCNs are still confined within a zone
ADs are defined by WWN or port
All ports on a physical switch share one domain ID
– No need for complicated routing
Fabric Operating System 5.2.0 (Quantum) Virtual Fabrics - Continued
Each VF can have its own administrator and users
ADs can overlap just like zoning
– Flexible without any additional steps
Each VF has a separate zoning DB and distribution
Each VF has its own Nameserver view
All VF changes are non-disruptive
All ISLs are still shared within the fabric
Zoning and VF = complementary
– Zoning is for access control
– VF is for management control/views
[Figure: a Green VF and a Purple VF on one shared fabric]
IP Security: Management of the Switches, iSCSI
Security requirements for the management of the switches and for iSCSI
Standard IP security plus a separate VLAN (management LAN)
– Should be protected by a firewall
Secure Telnet, Secure Shell, SNMP v3, ...
Different accounts according to the rights required
iSCSI
iSCSI (Internet Small Computer System Interface) is a new IP-based storage networking standard for linking data storage facilities, developed by the Internet Engineering Task Force. By transmitting SCSI commands over IP networks, iSCSI can facilitate block-level transfers over intranets (as opposed to the file sharing that is found in NAS). The iSCSI initiator issues commands to the target, which fulfills the client's request. The target typically has one or more logical unit numbers (LUNs) that process the initiator's commands. These commands are contained in a Command Descriptor Block (CDB) that has been issued by the host operating system and translated by the iSCSI driver. In the case of a read, the target LUN begins transferring the requested blocks back to the initiator. The iSCSI driver then translates the data into a format the host operating system will recognize.
iSCSI
1. Customer application initiates an I/O request to the iSCSI drive.
2. iSCSI driver encapsulates the CDB transaction and transmits the I/O over a 10/100 or GE NIC card/TOE engine.
3. Network switch routes the packet to the appropriate iSCSI router.
4. iSCSI device decodes the packet and routes the I/O to the appropriate LUN.
5. LUN services the application request.
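Added example, not from the slides: a decoder for the 48-byte Basic Header Segment (BHS) of an iSCSI SCSI Command PDU, the unit in which the iSCSI driver encapsulates the CDB in step 2 above, so a defender can see exactly which fields (LUN, CDB, transfer length) cross the IP network in the clear when the link is not protected. Field offsets follow RFC 3720 section 10.3; the PDU builder and its values are constructed here for the example and only READ(10) CDBs are decoded.

```python
# Added example (not from the deck): parse the BHS of an iSCSI SCSI Command PDU.
# Layout per RFC 3720 section 10.3; sample PDU constructed here, not captured.
import struct

SCSI_COMMAND = 0x01   # iSCSI opcode for a SCSI Command PDU
READ_10 = 0x28        # SCSI READ(10) CDB opcode


def parse_scsi_command_bhs(bhs):
    """Return the security-relevant fields of a SCSI Command PDU header."""
    if len(bhs) < 48:
        raise ValueError("BHS must be 48 bytes")
    if bhs[0] & 0x3F != SCSI_COMMAND:       # low 6 bits: opcode; bit 6: Immediate
        raise ValueError(f"not a SCSI Command PDU: opcode {bhs[0] & 0x3F:#x}")
    flags = bhs[1]                           # F (final), R (read), W (write), task attr
    itt, edtl, cmdsn, expstatsn = struct.unpack(">IIII", bhs[16:32])
    # 8-byte SAM-2 LUN field; only single-level (peripheral or flat-space) addressing decoded
    method, lun_hi, lun_lo = bhs[8] >> 6, bhs[8] & 0x3F, bhs[9]
    if method == 0 and lun_hi == 0:
        lun = lun_lo
    elif method == 1:
        lun = (lun_hi << 8) | lun_lo
    else:
        lun = None                           # hierarchical addressing: not decoded here
    cdb = bhs[32:48]
    return {
        "immediate": bool(bhs[0] & 0x40), "final": bool(flags & 0x80),
        "read": bool(flags & 0x40), "write": bool(flags & 0x20),
        "data_segment_length": int.from_bytes(bhs[5:8], "big"),
        "lun": lun, "itt": itt, "expected_data_transfer_length": edtl,
        "cmdsn": cmdsn, "exp_stat_sn": expstatsn,
        "cdb_opcode": cdb[0], "cdb": cdb[:10] if cdb[0] == READ_10 else cdb,
    }


def build_read10_pdu(lun, lba, blocks, itt, cmdsn, block_size=512):
    """Construct a sample BHS carrying READ(10): opcode, flags, LBA, group, length, control."""
    cdb = struct.pack(">BBIBHB", READ_10, 0, lba, 0, blocks, 0).ljust(16, b"\x00")
    header = bytes([SCSI_COMMAND, 0x80 | 0x40, 0, 0, 0, 0, 0, 0])   # Final + Read, no AHS/data
    lun_field = bytes([0, lun]) + b"\x00" * 6                       # peripheral addressing, bus 0
    return header + lun_field + struct.pack(">IIII", itt, blocks * block_size, cmdsn, 0) + cdb
```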
Security of Storage Systems
LUN masking, data encryption, future
LUN Masking
LUN masking is a Redundant Array of Independent (or Inexpensive) Disks (RAID) system-centric enforced method of masking multiple LUNs behind a single port. Using the World Wide Port Names (WWPNs) of server HBAs, LUN masking is configured at the RAID-array level. LUN masking also allows disk storage resources to be shared across multiple independent servers: with LUN masking, a single large RAID device can be sub-divided to serve a number of different hosts that are attached to the RAID through the SAN fabric. Each LUN inside the RAID device (e.g., disk slice, portion, unit) can be limited so that only one or a limited number of servers can see that LUN. LUN masking can be done either at the RAID device (behind the RAID port) or at the server HBA. It is more secure to mask LUNs at the RAID device, but not all RAID devices have LUN masking capability. Therefore, in order to mask LUNs, some HBA vendors allow persistent binding at the driver level.
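Added example, not from the slides: a small model of the two layered controls the deck describes, WWN zoning in the fabric (with a check for the single-HBA zoning rule from the zoning slides) and LUN masking on the array, to show why a zoning mistake alone does not expose a masked LUN. All WWPNs, zone names and LUN numbers are constructed sample values, not real devices.

```python
# Added example (not from the deck): WWN zoning + single-HBA check + LUN masking.
# Every WWPN, zone and LUN below is a constructed sample value.
from dataclasses import dataclass

HOST1_HBA = "10:00:00:00:c9:aa:bb:01"   # constructed server HBA WWPNs
HOST2_HBA = "10:00:00:00:c9:aa:bb:02"
ARRAY_FA1 = "50:06:04:8a:cc:dd:ee:01"   # constructed array front-end port WWPNs
ARRAY_FA2 = "50:06:04:8a:cc:dd:ee:02"


@dataclass
class Zone:
    name: str
    initiators: set   # WWPNs of server HBAs
    targets: set      # WWPNs of array director ports


def validate_single_hba(zone):
    """Single-HBA zoning rule: exactly one initiator per zone, and at least one target."""
    problems = []
    if len(zone.initiators) != 1:
        problems.append(f"{zone.name}: expected 1 initiator, found {len(zone.initiators)}")
    if not zone.targets:
        problems.append(f"{zone.name}: no target ports")
    return problems


def fabric_allows(zones, initiator, target):
    """WWN zoning: the fabric forwards between two WWPNs only if some zone holds both."""
    return any(initiator in z.initiators and target in z.targets for z in zones)


def lun_visible(masking, initiator, target, lun):
    """LUN masking: the array presents a LUN on a port only to WWPNs in that LUN's mask."""
    return lun in masking.get((target, initiator), set())


def can_access(zones, masking, initiator, target, lun):
    """Both layers must agree; masking at the array still holds if zoning is too broad."""
    return fabric_allows(zones, initiator, target) and lun_visible(masking, initiator, target, lun)


ZONES = [
    Zone("host1_fa1", {HOST1_HBA}, {ARRAY_FA1}),
    Zone("host2_fa2", {HOST2_HBA}, {ARRAY_FA2}),
    Zone("backup_shared", {HOST1_HBA, HOST2_HBA}, {ARRAY_FA1}),  # breaks the single-HBA rule
]
# (array port, initiator WWPN) -> LUNs the array presents to that initiator on that port
MASKING = {
    (ARRAY_FA1, HOST1_HBA): {0, 1},
    (ARRAY_FA2, HOST2_HBA): {2},
}
```

Running the checks over ZONES flags backup_shared as a single-HBA violation, and although that zone lets HOST2 reach ARRAY_FA1 in the fabric, the array's mask still denies it LUN 0.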
LUN masking using the example of the EMC Symmetrix storage system
Data Encryption
e.g. from Decru
Future