
Enterprise Storage

Towards Securing Information End-to-end: Networked Storage Security Update and Best Practices
A White Paper
by Arthur B. Edmonds, Jr.

February 2003

Executive Summary
Organizations rely on their accumulated information and need to distribute it to people who can mine, distill, and make decisions based on volumes of data. The result of exploiting information may be a newly created market or a different way to approach an existing business issue. In either case, the information is proprietary to the organization and protected within the confines of the company. Or is it? If the intellectual property is truly controlled and released, the result is increased revenue for the organization. If a competitor steals trade secret information, however, the result could be increased revenue for the opposition, and the originating company also loses its time-to-market advantage. 1 Lost data and revenue put company officers and their organization at financial risk to stakeholders, partners, suppliers, and customers.

Access to data has evolved from in-house only to regional and global levels; in short, information has been made accessible from wherever users, partners, and customers are located. But more access points mean more chances for unauthorized eyes to discover and exploit sensitive data, and trade secret information can be exploited from inside the company as well as from outside. There is no expectation that these volumes of data will ever decrease. In fact, data volumes and access requirements have grown rapidly in a few short years: the Storage Networking Industry Association (SNIA) observes that the storage capacity needed to house this data doubles every 12 months. Networked storage has forced many companies to re-think their information access strategies, increasing business requirements for continuity, performance, and security.

Hitachi Data Systems has participated in managing and protecting data in these arenas through its Hitachi TrueNorth vision and strategy. The TrueNorth strategy employs products such as Hitachi ShadowImage and Hitachi SANtinel software and enables remote copy over MANs and WANs via Hitachi TrueCopy software and NanoCopy technology, to help customers simplify, optimize, and protect their information infrastructures. Hitachi Data Systems also isolates one server's data from another's via virtual storage ports (host storage groups), which gives true multi-tenant support on one physical storage array. The complete picture of securing information does not stop at the storage array, however. It must extend from the array to the application level, through the Internet, and back again in a secure, protected fashion. Hitachi Data Systems therefore participates in standards bodies in order to develop, recommend, and deploy security technologies that are comprehensive while maintaining simplicity and performance and keeping the cost of implementation low. To realize the benefits of safely expanding resource utilization and data accessibility from the disk array to the application, organizations must tackle known networked storage security challenges. This paper reviews key networked storage security issues, current standards, and best practices, and how to move towards secure end-to-end information access without disrupting an organization's current environment.

1 Avery Dennison lost over $40M and market advantage. Lucent lost untold revenues when source code for its PathStar product was stolen and passed to Beijing-based Datang Telecom [Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002 (page 7)].

Contents

Introduction
Enterprise Security Challenge
Networked Storage and TCO
Traditional Security in the Data Center
Security in a Distributed Storage Environment
New Vulnerabilities: Networked Storage
What do Customers Require?
The Need for Security in a Networked World: How Much Security Do You Need?
Security versus Access
Threat Profiles and Types of Attacks
Denial of Service (DoS)
Man-in-the-middle Attacks
Spoofing
Hijacking
Summary of Attacks and Threat Profiles
When a Breach Occurs
Conclusion
Afterword
References
Glossary


Introduction
Data must be accessible to authorized users so that business may be conducted wherever and whenever necessary, and it must therefore be protected from unauthorized people. This is the balancing act information technology professionals need to perform daily. Somewhere between no access and unrestricted access lies the answer. But where? Each company will need to decide where on that spectrum its answer lies through corporate agreements on who gets access, what they can do with that access, and, finally, what was done while the user was interacting with the information. Statistics show that the number of reported incidents is rising (not all are reported, particularly those involving loss of reputation, theft of transactions, financial fraud, or plain inappropriate behavior) because of the increased sophistication of the tools used to crack a company's site (see Figure 1).

[Figure 1: bar chart of computer security incidents by year, 1988 through 1Q 2002; vertical axis 0 to 60,000 incidents.]

Figure 1: Security Threats Growth. (Security threats are increasing in number and sophistication. This isn't due to the sophistication of the attacker, but rather to the tools used by the cracker. Source: www.cert.org/stats/cert_stats.html)

Enterprise Security Challenge


In the post-September 11 climate, increased focus has been placed on backup, restore, and disaster recovery. The cost of information and trade secrets is now included in any return on investment (ROI) or total cost of ownership (TCO) calculation, and security solutions, procedures, and policies also form part of the total ownership equation. Security is no longer a luxury; it has become an operational necessity. No company can practice "security by obscurity" any more. Fiscal responsibility to shareholders, regulators, and auditors is a key focus: levels of risk must be identified and risk mitigation demonstrated. The number and per-incident size of reported losses have also increased. The average loss reported in 2002 was $6.5 million (M) United States dollars (USD), and the highest single loss due to theft of intellectual property so far was $50M (USD). Compare this to 1997 figures of $0.9M average loss and $10M highest reported loss. 2

[Figure 2: bar chart of reported financial loss in millions of USD (vertical axis 0 to 500) by year, 1997 through 2001.]

Figure 2: Reported Loss. Financial loss due to trade secret theft has rapidly increased in recent years. (Source: Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002.)

In addition to creating a trusted environment for corporate trade secrets and protecting intellectual property valuations, medical services and merged financial and insurance services are under regulatory oversight. The Health Insurance Portability and Accountability Act (HIPAA) was enacted to focus on an individual's medical privacy and seeks to provide National Standards to Protect the Privacy of Personal Health Information. Similarly, the Gramm-Leach Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act (GLBA), specifies 13 Safe Harbors focused on consumer protection, to be implemented by depository institutions that sell insurance products.

2 ibid. Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002.

Networked Storage and TCO


Access to information used to be restricted to a single room or "glass house" data center. There, users would submit jobs to be executed by systems operators and wait for the output. Data resided primarily on storage subsystems directly connected to a mainframe or application server. Direct access storage devices (DASD) are connected to mainframes, minicomputers, and enterprise servers; "direct access" means that all data can be reached in about the same amount of time rather than by progressing sequentially through it. Direct access units appear most often in the form of Redundant Array of Independent Disks (RAID) devices. The business challenge of server- or direct-attached storage is that, once connected in this manner, other servers cannot access data stored on the array. In fact, 30 to 50 percent of such an array is more than likely unused at any given time.

Networked storage in storage area networks (SANs) became popular because it directly supported strategic corporate competitive goals. SANs also demonstrated a better ROI 3, scalability, availability, and sharing of data between different application servers. In addition, SANs helped consolidate server and storage resources without sacrificing high availability practices: utilization of this shared set of resources rose to 70 percent and better. Separate information silos could now be linked together, even across private or public networks such as the Internet.

Networked storage also provides a natural means of business continuity. A primary data center along with secondary or backup sites reduces or eliminates downtime should any system or subsystem fail. With appropriate data movement software, such as Hitachi TrueCopy, NanoCopy technology, and other data movement technologies, consistent dataset images may be transferred between sites. At a moment's notice, a secondary site may be promoted to primary status should an unforeseen or rolling disaster occur.

Traditional Security in the Data Center


Current security approaches in data center infrastructures focus on protecting the perimeter surrounding the primary and secondary sites via the building itself, security personnel, firewalls, virtual private networks (VPNs), and edge router access control lists (ACLs). VPNs are useful in that they encapsulate, or hide, private traffic and ship it over public networks such as the Internet. Router ACLs provide a modicum of protection, but they should never be the sole layer of protection. If properly configured, firewalls admit only those services expressly allowed to pass into the protected network. Permitted access is represented in Figure 3 by broken lines.

3 For ROI case studies and TCO discussions, refer to Developing Return on Investment and Business Case Support for Storage Area Networks, by David R. Merrill, July 2001, at www.hds.com.

[Figure 3: diagram. From the outside in: the Internet ("dirty" side), an edge router, then the firewall and VPN at the enterprise perimeter (permitted services shown: sFTP, ssh, and Web over https/SSL), a DMZ hosting Web services, an intrusion detection system, the internal IP network or intranet ("clean" side) with application servers, file servers, and NAS appliances, and finally the management interface (MI) and the Fibre Channel fabric holding the data. Data at this inner level is normally stored and transmitted in clear text. Key: broken lines are allowed services, i.e. holes in the security barriers.]

Figure 3: Current or Traditional Security Approaches. These methods focus on the perimeter or untrusted side of the corporate network. Whenever a new service is needed, a tunnel or hole must be created through the security barrier. If a connection from the Internet to the storage environment is enabled, in-flight data cannot be distributed in clear text. Data should be stored encrypted (at rest) as well.

The technology described above aids in the protection of a company's information. One of the most important security best practices is the principle of least privilege, applied as a default-deny rule: that which isn't expressly permitted is denied. So, starting with unbroken lines (no access), each service [e.g. secure Web access (Secure Sockets Layer or SSL), file access, etc.] is configured by the security administrator one at a time and tested. This results in a known set of permitted services, represented by the broken lines.

Security in a Distributed Storage Environment


Greater storage accessibility means that more access points to the data will exist, including LAN, campus, MAN, WAN, and wireless access for both SANs and network attached storage (NAS). More access points mean that more attention must be paid to protecting information from those not authorized to see it.

Attaching a network to a set of storage resources is also a departure from the past. Then, storage was directly attached to a server or to a SAN fabric, and multiple layers of security could stand between the company's valuable information and the outside world, with the nearest external access point well away from the storage array itself. This may no longer be the case, especially if a storage network is directly connected and extended over a public network such as the Internet. It is then critical to ensure integrity (data is unchanged between sender and receiver) and privacy (data is encrypted and compartmentalized). It is equally important to protect data in flight and at rest, as approximately 50 percent of intentional and unintentional intrusions originate from inside the company. 4 Payroll data, for example, needs to remain private to those with a need to know.

[Figure 4: diagram of data access points. Applications and application servers are reached over campus, MAN/WAN, and wireless links; data-in-flight crosses firewalls and VPNs; data-at-rest sits in the storage networks, surrounded by managed services, disaster recovery (DR), consolidation, vaulting, and data storage management. Switches and transport nodes sit between the access points and the storage.]

Figure 4: Access Vulnerability. More access points mean a greater potential for exploiting sensitive data. This includes unauthorized outsider and insider access.

Management access points, and the people allowed to use them, must also be protected. In fact, it is the multitude of management interfaces that are most vulnerable to intentional and unintentional access and alteration of data from either inside (trusted) or outside (untrusted) sources. Changes made here may prevent access to information by legitimate users (a form of denial of service, or DoS), mask an intruder's access, or change access to a legitimate profile, and erase all trace of the visit from the audit logs. Worse, missteps in the use of the management interface could result in lost or corrupted data.

4 ibid. CSI/FBI.


New Vulnerabilities: Networked Storage


Storage has made its debut on the network in recent years. This environment includes:

- Application servers (end client nodes of a storage network fabric)
- Host bus adapters (HBAs: how the server physically attaches itself to the fabric)
- Storage fabric switches and directors (basic Layer 2 switching functionality and Layer 4-7 or application-aware devices)
- Network interface cards (NICs)
- Storage arrays (end device nodes of a storage network fabric)
- Tape devices
- Virtualization abstraction layers and assists, both in the network and in the array
- Remote mirroring and replication storage applications
- Backup and recovery software
- Storage management software and manager user interfaces
- Remote storage management access points
- Storage network management software
- Storage MAN/WAN connectivity: bridges, routers, and gateways

Security can play a part in any and all of the above discrete elements, and for end-to-end protection of data every one of them must play a role. Existing technology and experience from the Internet community will be leveraged wherever possible and appropriate. The original Cold War design goal of the Internet is often described as connecting military sites, universities, and the five major supercomputing centers in the USA in such a distributed and redundant way as to survive a nuclear attack. The Internet grew to be much more after the advent of easy-to-use browsers. Organizations saw this ease of use and access and exploited it to add distribution channels such as e-commerce, business-to-business (B2B), and business-to-consumer (B2C).

What do Customers Require?


Even when the first connection was made active on the Internet over 30 years ago, security wasn't a priority. Trust among the connected sites was assumed, and encryption wasn't necessarily enabled. After all, to begin with, the links were private leased circuits. It was only when the links were expanded to include connections over public telephone lines that security became a consideration. Today, the first things that come to mind to an organization and its members when securing their environment is discussed are:

- It will be harder to get my job done
- This is going to be expensive
- Performance will go down
- Adding another responsibility as complex as security will be hard for me to manage

For any security implementation to be accepted by the user and administrative community, it must be:

- Simple
- Comprehensive
- Easy to use
- Easy to manage

Furthermore, it must demonstrate low TCO.

Simple

Simple to install means including as many security mechanisms in the environment as possible or practical without human intervention and management. For example, auto-loads in the operating system build and port driver(s) in the download phase could be employed. It is best to hide the complexity from the administrator wherever possible (or at least make the security tools easy to implement), especially for those not trained or experienced in security practices and procedures. It is also possible to inject a special-purpose security appliance into a production environment without redesigning the data center topology. Security services such as authentication, authorization, auditing, data integrity checks, and privacy mechanisms may then be made available to the organization's environment within minutes. 5 Note that the user community will resist participating in the secure environment, especially if the chosen mechanisms inhibit reasonable access to the resources these individuals need to get their jobs done.

Comprehensive

A complete end-to-end security implementation requires not only participation by each discrete element, but also building blocks of technology and the people to manage and monitor the implementation.

1. Authentication. For the identities of a sender and receiver to be verified, information about each must be exchanged to ensure that each party is who they say they are. This first step should be taken before any data is sent. Authentication between computers can be achieved in a manner similar to a notarized signature on a piece of paper, via certificate-based (common trusted authority) and password-based (shared secret) protocols. 6

2. Authorization. Once identity is verified, the profile of the authenticated party is consulted. This step establishes what the trusted parties have been given permission to do once logged in.

5 Security mechanisms, including authentication, authorization, auditing, integrity, and encryption, are also appearing in Fibre Channel.

6 For definitions of this nature and more, search http://www.google.com or The Free On-line Dictionary of Computing (FOLDOC), 1993-2001 Denis Howe, at http://wombat.doc.ic.ac.uk/foldoc/.

3. Auditing. This critical step builds upon the first two. An audit tracks the activity of the authenticated and authorized user by session, and after logout the log is kept in a safe place. For example, UNIX systems (if logging is enabled) record activity via syslog, e.g. under /var/adm/syslog on some platforms. Audit trails are more than simply machine-tracked evidence, and they are needed for more than just detection of intrusions and unauthorized or inappropriate access: they involve human oversight by trusted insiders and regulatory bodies. The requirements vary by institution: financial institutions, healthcare facilities, and government departments.

4. Integrity. This protects both data and management traffic via digital signature technologies. Checksums provide the means to verify that the data transferred by the sender wasn't altered in transit or before arriving at the receiver's location. (A plain checksum only catches accidental corruption: an attacker who alters the data can simply recompute it. Detecting deliberate tampering needs a keyed message authentication code or a digital signature.)

5. Privacy. Finally, confidentiality of the information, especially over a public network or between trusted departments, is provided by encryption under keys established through a secret key agreement. Various implementations of this capability have differing degrees of performance. Two such technologies are the Data Encryption Standard (DES, or Triple-DES) and the Advanced Encryption Standard (AES) from the National Institute of Standards and Technology (NIST). AES is replacing Triple-DES for performance and better use of resources; single DES, with its 56-bit key, should no longer be relied upon. 7

The order of implementation is important. Verification of identity comes first, followed by what the user can do once authenticated. Next, a record of what the user did when authorized is important: any unintentional mistakes or intentional actions can then be backed out in order to protect the trusted information. Ensuring that what I sent is what you received is extremely important, so that no misunderstanding or unauthorized tampering with the data occurs without our knowledge. Finally, it is essential to encrypt the data so that only those intended to receive it may view it.

Think of the above five steps as building a house. Authentication forms the foundation. The other elements form the walls, doors, windows, and roof. The doors and the key that unlocks them are analogous to authorization (the analogy breaks down a bit, in that it is authentication that involves keys). The walls and roof are loosely analogous to integrity and privacy. Levels of security take the form of multiple, separate locks on the door, bars on the windows, or burglar alarms. Link- or transport-level encryption is important and is currently in use with VPNs running over public networks, e.g. the Internet. It is just as important to encrypt data at rest to prevent unauthorized exploitation of the information; this can take the form of encrypting the data itself, encrypting or hiding the file system structure, or both. 8 Each level of security comes with a cost and consequences of implementation. This leads to the question of total cost of ownership, or TCO.
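The chain of authorization, audit, and integrity checks from steps 2 through 4, as an added example that is not part of the original paper (authentication is treated as already done): a storage management request carries a keyed tag, the receiver verifies the tag before acting, checks the caller's role against the requested action, and records every decision in an audit log. The user names, roles, permitted actions, and key are constructed for the example. It also shows the check a practitioner wants on step 4: an unkeyed checksum only detects accidental corruption, because an attacker who alters the data recomputes it, whereas a keyed MAC (here HMAC-SHA256) cannot be recomputed without the shared key.

```python
"""Added example, not from the white paper: authorization, audit and
integrity checks applied to a storage management request. Users, roles,
actions and the key are constructed for the example."""

import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed authorization profiles: role -> management actions it may perform.
ROLE_PERMISSIONS = {
    "storage-admin": {"zone:modify", "lun:map", "lun:read"},
    "backup-operator": {"lun:read"},
}
USER_ROLES = {"alice": "storage-admin", "bob": "backup-operator"}

# Shared secret between management client and array (constructed here; in
# production it comes from a key manager, never from source code).
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so both ends hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(payload: dict) -> str:
    """Unkeyed digest: catches accidental corruption, not a deliberate change."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def checksum_is_valid(payload: dict, checksum: str) -> bool:
    return checksum == plain_checksum(payload)


def keyed_tag(payload: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed MAC (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def tag_is_valid(payload: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest keeps comparison time independent of where the tags differ.
    return hmac.compare_digest(keyed_tag(payload, key), tag)


def authorized(user: str, action: str) -> bool:
    """Default deny: an unknown user or an unlisted action is refused."""
    role = USER_ROLES.get(user)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())


def handle_request(user: str, payload: dict, tag: str, audit_log: list) -> str:
    """Verify the request before acting on it, then check authorization.
    Every decision, allowed or refused, is appended to the audit log."""
    action = payload.get("action", "")
    record = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "action": action}
    if not tag_is_valid(payload, tag):
        record["result"] = "rejected:integrity"
    elif not authorized(user, action):
        record["result"] = "rejected:unauthorized"
    else:
        record["result"] = "allowed"  # a real array would perform the action here
    audit_log.append(record)
    return record["result"]


def tamper_demo() -> dict:
    """A man-in-the-middle rewrites a read request into a LUN mapping and
    recomputes the checksum; the checksum check passes, the MAC check fails."""
    original = {"action": "lun:read", "lun": 7}
    mac = keyed_tag(original)
    forged = {"action": "lun:map", "lun": 7, "host": "attacker-wwpn"}
    forged_checksum = plain_checksum(forged)  # the attacker needs no secret for this
    return {
        "checksum_accepts_forgery": checksum_is_valid(forged, forged_checksum),
        "mac_accepts_forgery": tag_is_valid(forged, mac),
        "mac_accepts_original": tag_is_valid(original, mac),
    }


if __name__ == "__main__":
    log = []
    req = {"action": "zone:modify", "zone": "payroll"}
    print(handle_request("bob", req, keyed_tag(req), log))    # rejected:unauthorized
    print(handle_request("alice", req, keyed_tag(req), log))  # allowed
    print(tamper_demo())
```

The integrity check runs before the authorization check so that a forged request is refused without the array ever consulting profiles on the attacker's behalf, and the refusal itself lands in the audit log, which is the evidence an incident responder needs later.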

7 The National Institute of Standards and Technology (NIST) selected Rijndael (pronounced "rain doll"), the combined work of Belgian researchers Vincent Rijmen and Joan Daemen, as the basis for AES. DES, created in the 1970s, and Triple-DES, which is built on it, are still used by the U.S. Government. Management of encryption standards now falls under the U.S. Department of Commerce.

8 See [Riedel 2002], which prefers encrypt-on-disk over encrypt-over-wire for better performance and security.

Low TCO

Just as network and systems management platforms are no longer a luxury, storage management has come into the spotlight as a must-have addition to the data center floor. Complexity and the need to expand the reach of an administrator's support capabilities are the main motivators. Returns on investment are quantifiable in terms of personnel costs, maintenance costs, and growth of an organization's resources, and this is still the case even in a slow-growth economy. Similarly, it is no longer a luxury to add security systems to a company's environment. Still, the total cost needs to be justified. This is usually done by quantifying the value of the data or intellectual property: determining what would happen if it were stolen or lost, and the cost to replace or recover it (if possible). Let's look at two TCO scenarios. Both involve protection of information in a data center, but they have widely different outcomes.

TCO Scenario 1: Power Outage

When choosing a site for the data center, assume a power outage lasting more than a few seconds has a 0.5 percent probability (per year). The expected conservative losses are:

Personnel idle = $200,000
Recovery (downtime + personnel) = $100,000

Therefore, the expected loss and recovery cost is:

$(200,000 + 100,000) x 0.005 = $1,500/year

An uninterruptible power supply (UPS) system typically costs $150k with an expected 10-year lifetime, so the cost of avoidance is $15k/year. Comparing $1,500/year of expected loss with $15k/year cost of prevention, this is:

Not necessarily a cost-effective investment


TCO Scenario 2: Password Compromise

Let's look at another form of data loss: theft of trade secrets following the theft of a password file while an employee's laptop was connected to the Internet. A password compromise on an employee's laptop resulting in trade secret access by an outsider has been shown to have a 2 percent probability of happening when connected over the Internet. 9

Expected losses:

Intellectual property = $1,000,000 (remember, the average 2002 loss was $6.5M)
Assume 100 employees accessing remotely over the Internet 240 days/year
If one employee's password is sniffed, the probability of it being stolen in a given year is:

1 - ((1.0 - 0.02) x 100)/240, or 59 percent

9 Practical UNIX & Internet Security, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, April 1996. Ch. 8.

Expected loss (no recovery is possible, as trade secret data is permanently lost):

$(1,000,000 + 0) x 0.59 = $590,000/year

The cost of a password card for each user plus software is $100 x 100 + a $20k license, with an expected three-year lifetime. Add yearly maintenance of $10k and training of $2.5k. Doing the math yields:

$(100 x 100 + 20,000)/3 + $12,500/year = $22,500/year

So, with a cost of avoidance of $22.5k/year against an expected loss of $590,000/year, this is:

A very good return on investment
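The two scenarios above generalized into one cost/benefit calculation, as an added example that is not part of the original paper. The dollar figures and probabilities are the paper's. The function probability_any uses the standard formula for at least one of n independent exposures being realized, 1 - (1 - p)^n; if the 2 percent is read as a per-employee annual probability, 100 employees give about 87 percent rather than the 59 percent printed above, which only strengthens the conclusion of Scenario 2. break_even_probability answers the question "how much security do you need" by giving the annual probability at which a control starts paying for itself.

```python
"""Added example, not from the white paper: annualized expected loss versus
annualized cost of a control, generalizing TCO Scenarios 1 and 2. Figures
are the paper's; the combined probability across employees uses the standard
independent-events formula."""

from dataclasses import dataclass


@dataclass
class Control:
    name: str
    loss_if_realized: float          # single loss expectancy, USD
    annual_probability: float        # chance the loss is realized in a year
    capital_cost: float              # one-time purchase, USD
    lifetime_years: float
    annual_running_cost: float = 0.0  # maintenance, licences, training

    def expected_annual_loss(self) -> float:
        return self.loss_if_realized * self.annual_probability

    def annual_cost(self) -> float:
        return self.capital_cost / self.lifetime_years + self.annual_running_cost

    def break_even_probability(self) -> float:
        """Annual probability above which the control pays for itself
        (assumes the control removes the whole risk; scale by its
        effectiveness if it only reduces the risk)."""
        return self.annual_cost() / self.loss_if_realized

    def worth_it(self) -> bool:
        return self.annual_cost() < self.expected_annual_loss()


def probability_any(p_each: float, n: int) -> float:
    """P(at least one of n independent exposures is realized) = 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_each) ** n


def ups_scenario() -> Control:
    # Scenario 1: outage longer than a few seconds, 0.5 % per year;
    # idle personnel $200k + recovery $100k; UPS $150k over 10 years.
    return Control("UPS", 200_000 + 100_000, 0.005, 150_000, 10)


def password_card_scenario(p_any: float = 0.59) -> Control:
    # Scenario 2: trade secret worth $1M; 100 cards at $100 plus a $20k
    # licence over 3 years, plus $10k maintenance and $2.5k training per year.
    return Control("password cards", 1_000_000, p_any, 100 * 100 + 20_000, 3, 10_000 + 2_500)


def compare(control: Control) -> str:
    return (f"{control.name}: expected loss ${control.expected_annual_loss():,.0f}/yr, "
            f"control ${control.annual_cost():,.0f}/yr, break-even at "
            f"{control.break_even_probability():.1%}/yr -> "
            f"{'worth it' if control.worth_it() else 'not cost-effective'}")


if __name__ == "__main__":
    print(compare(ups_scenario()))
    print(compare(password_card_scenario()))
    # Reading the 2 % as a per-employee annual figure for 100 independent employees:
    print(compare(password_card_scenario(probability_any(0.02, 100))))
```

The break-even figures make the two verdicts concrete: the UPS only pays for itself once a qualifying outage is more likely than 5 percent per year, while the password cards pay for themselves at anything above 2.25 percent per year, far below either estimate of the compromise probability.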


Easy to Use and Manage

Customers would prefer not to have to add another hardware box or software module to manage. If one is required, they would prefer that it be managed by their existing framework or, failing that, be easy to implement and definitely low in support overhead. This has to be balanced against adding to the number of devices and software in the data center environment: more boxes mean higher cost (TCO) and more complexity in managing the environment. A best-practices approach to security is to consolidate profiles into one protected repository. This keeps the profiles and changes consistent, and one repository makes database synchronization trivial. For a typical LAN installation, this approach means combining VPN and firewall functions into one device, and only the security administrator updates user profiles, in one place. Shifting to the user community's point of view, if the included security is too complex, users will find a way around the security procedures, Security Policies and Procedures Manual or not. They are focused on getting work done, not on supporting work prevention. Thus a balance needs to be found, as discussed previously.

The Need for Security in a Networked World: How Much Security Do You Need?

Security versus Access

Granting ready access to authorized users has its benefits and its reasons for caution. Information that's accessible from anywhere at any time gives headquartered and mobile decision-makers the freedom to get their projects and tasks accomplished from any place and any time zone on the planet. The consequence of this freedom is that competitors, governments, industrial and economic espionage agents, and even disgruntled employees may be able to take advantage of known and unknown holes or access points to your company's privileged data. Besides copying the information, they may deny legitimate access to the corporate repositories or, worse, alter or destroy valuable pieces of the datasets. It is not always the case that some sinister or unauthorized party is trying to gain access to your data house: the open access point or points may be due simply to a misconfiguration or an incorrectly attached cable. People are human, and they make mistakes.


Balancing data access (granting it to those who are authorized and require it to get their jobs done, and denying it to those who have no business even trying) is an ongoing act. Security best practices require a corporate-wide plan that results in a Security Policies and Procedures Manual. The usual steps in the manual's creation are:

1. Determine what you have (asset tagging and tracking)
2. Identify the cost of corporate information assets (trade secrets valuation)
3. Determine which threats exist and which threats are possible (threat model analysis)
4. Quantify the probability of threats to corporate intellectual property (threat risk analysis and prioritization)
5. Lay out the cost of a security solution and what it protects you from (cost/benefit analysis, TCO)
6. Develop and distribute the Corporate Security Policies and Procedures Manual (everybody gets one, and everyone understands what to do on a daily basis and in case of a breach)

This paper has already given an example of trade secret valuation in a previous section (TCO Scenario 2: Password Compromise). The rest of the discussion considers possible types of threats, the state of the standards groups, what Hitachi Data Systems is doing as a participant in these groups, and current Hitachi technology (where possible, identifying where it may be headed with its own technology and the technology of its partners).

Threat Profiles and Types of Attacks

For a comprehensive profile to be generated, a threat model needs to be captured. In the storage networking world, focus is placed on the access points in the environment. Now that storage networks can be directly connected to public networks, a back door has been created to an organization's information. Special care needs to be taken when deciding on a comprehensive security solution, since a company can no longer rely on the layered protections its storage enjoyed when the storage network had no direct outside connections. Figure 3 showed the traditional approach to storage access. A similar example in Figure 5 depicts the possible access points. 10

10 This is the Fibre Channel Security Protocols (FC-SP) Threat Model, which is being used as a template to develop standard approaches to securing the Fibre Channel fabric. Details of this model and more security documents may be found on the American National Standards Institute Fibre Channel Web site (ANSI/T11): http://www.t11.org. Threat type 5 in this paper is described differently than the FC-SP type 5 for purposes of expanding discussion on certain threat topics. Similar security discussions for the Internet and iSCSI appear on the Internet Engineering Task Force (IETF) site: http://www.ietf.org.


[Figure 5: diagram of a Fibre Channel fabric joined through a gateway/bridge to a non-Fibre Channel network (Internet, Telnet, RS-232, etc.), with the numbered threat points below marked on the links and interfaces.]

#   Threat Type                                      Risk Level
1   Server or Storage Array to Network Connection    MEDIUM
2   Switch to Switch                                 MEDIUM
3   Server to Storage Array                          MEDIUM
4   Management Interface                             HIGH
5   DoS, Man-in-Middle, Spoofing, Hijacking          MEDIUM

Figure 5: Security Threats. Types of threats between devices connected on a storage network and externally connected (non-fibre channel) network. DoS refers to Denial of Service and is described in more detail later. The highest risk to at-rest or in-flight data is via the management interfaces.

The types of threats in a storage network environment are listed above. The highest ranked risk levelnumber 4, the Management Interfaceis not due to the sheer number of possible ingress points. It is rated as a HIGH risk due to its ability to disrupt a connection to the networked environment, add illegal accounts, copy data to an illegal recipient, and destroy the data altogether. 1. Server or Storage Array to Storage Network Connection. An attachment could result in an inside or outside party access to data they shouldnt receive. Another means of exploitation is hijacking a legal address and collecting data and addresses for future exploitation (spoofing). Or, an attacker may choose to flood the environment with login requests or make changes to the switchs ability to forward data contained in frames to legitimate recipients (denial of service). 2. Switch to Switch. Here, a switch may attempt to illegally join a fabric or change the fabric topology. This is usually accomplished by having physical access to the SAN fabric. However, a management interface may enable this as well from a remote location. An unauthenticated switch may be able to change the layout of the environment or cause denial of resource access to legitimate users.


3. Server to Storage Array. An unauthorized communication link may be set up by allowing a device to send frames to another device that isn't in its database of allowed communication devices (soft zone). Another way to bypass security is to introduce virus code into the environment. Also, requesting large amounts of data and then refusing receipt of the request may accomplish a Denial of Service scenario.

4. Management Interface. This represents the highest threat level of all. An outsider who has compromised a server may install a vendor or third-party management interface on a server accessible to an insider. Without strong authentication mechanisms installed, an illegal management request is very hard to distinguish from legitimate activity, and therefore very hard to detect and contain. This activity may be accomplished on the Fibre Channel fabric or via the Internet.

5. DoS, Man-in-middle, Spoofing, Hijacking. These will be described in more detail in the subsections immediately following.

Denial of Service (DoS)
This attack is represented by any activity that prevents authorized parties from logging into their data center or getting to the data to do work. The attacker can accomplish this in a number of ways: issuing repeated login requests, joining two fabrics to make one large fabric that may reduce performance, resetting the resource map (such as adding a device and removing it repeatedly), or going online and offline itself.
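Threat type 3 above turns on the difference between soft zoning, where the fabric name server merely hides unzoned devices from a querying port, and hard zoning, where the switch drops every frame exchanged between ports that share no zone. The following Python model is added here as an illustration; it is not part of this paper or of any vendor's product, and the zone names, device aliases and WWPN values are constructed for the example. It shows why soft zoning alone does not stop a device that already knows a target's address from sending it frames, and why per-frame enforcement closes that gap.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed WWPN aliases for the example; these are not real devices.
WWPN = {
    "srv-web":       "10:00:00:00:c9:00:00:01",
    "srv-payroll":   "10:00:00:00:c9:00:00:02",
    "array-payroll": "50:06:0e:80:00:00:00:03",
    "array-web":     "50:06:0e:80:00:00:00:04",
}

# Constructed zone set: each zone lists the WWPNs allowed to talk to each other.
ZONES = {
    "zone_web":     {WWPN["srv-web"], WWPN["array-web"]},
    "zone_payroll": {WWPN["srv-payroll"], WWPN["array-payroll"]},
}


@dataclass(frozen=True)
class Frame:
    src: str  # sender WWPN
    dst: str  # destination WWPN


class Fabric:
    """Toy switch: a name server plus optional per-frame zone enforcement."""

    def __init__(self, zones: dict[str, set[str]], hard_zoning: bool):
        self.zones = zones
        self.hard_zoning = hard_zoning
        self.log = []

    def share_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())

    def name_server_query(self, requester: str) -> set[str]:
        # Soft zoning: the name server only reveals members of the requester's zones.
        visible = set()
        for members in self.zones.values():
            if requester in members:
                visible |= members
        visible.discard(requester)
        return visible

    def forward(self, frame: Frame) -> bool:
        # Hard zoning: the switch checks zone membership on every frame.
        # Without it, any frame addressed to a known destination is forwarded,
        # whether or not the name server would have revealed that destination.
        if self.hard_zoning and not self.share_zone(frame.src, frame.dst):
            self.log.append(f"DROP {frame.src} -> {frame.dst} (not zoned together)")
            return False
        self.log.append(f"FORWARD {frame.src} -> {frame.dst}")
        return True


def demo(hard_zoning: bool) -> dict:
    """A web server that learned the payroll array's WWPN out of band (for example
    from an old zone configuration) tries to send it a frame."""
    fabric = Fabric(ZONES, hard_zoning)
    visible = fabric.name_server_query(WWPN["srv-web"])
    forwarded = fabric.forward(Frame(WWPN["srv-web"], WWPN["array-payroll"]))
    return {"visible_to_web": visible, "frame_forwarded": forwarded, "log": fabric.log}


if __name__ == "__main__":
    for mode in (False, True):
        print("hard zoning" if mode else "soft zoning only", demo(mode))
```

In both modes the name server answers the web server with only its own zone partner, so the soft zone looks effective; only the hard-zoning fabric actually refuses the frame to the payroll array. Zoning is an access-control measure, not authentication: a device presenting a stolen WWPN still needs the fabric authentication discussed in the Afterword to be caught.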

[Figure 6 diagram: the expected data path for management interface or user data runs through the Fibre Channel Fabric; an attacking management interface or switch issues repeated requests, monopolizing switch fabric resources.]

Figure 6: Denial of Service Scenario.
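Two of the DoS variants listed above, repeated login requests and a device going online and offline repeatedly, leave a recognizable signature in switch event logs: a burst of events from one source in a short window. The following Python example is added here for illustration and is not part of this paper; the log format it parses (ISO timestamp, port number, event name, optional WWPN) and the sample lines are constructed assumptions, not the output of any particular switch. It applies a sliding time window per source WWPN and per port and reports the first window that crosses a threshold.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED log format (constructed for this example, not any vendor's):
#   <ISO timestamp> port=<n> event=<NAME> [wwpn=<WWPN>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) port=(?P<port>\d+) event=(?P<event>[A-Z_]+)(?: wwpn=(?P<wwpn>[0-9a-f:]+))?$"
)

LOGIN_EVENTS = {"FLOGI", "PLOGI"}        # fabric / port login requests
LINK_EVENTS = {"LINK_UP", "LINK_DOWN"}   # a port going online / offline


def parse(lines):
    """Yield (timestamp, port, event, wwpn) for lines that match the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in other formats are skipped
            yield datetime.fromisoformat(m["ts"]), int(m["port"]), m["event"], m["wwpn"]


def first_burst(stamps, window, threshold):
    """Sliding window over sorted timestamps: return (window_start, count) for the
    first window of length `window` holding at least `threshold` events, else None."""
    stamps = sorted(stamps)
    start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold:
            return stamps[start], count
    return None


def detect(lines, window_s=10, login_threshold=5, flap_threshold=4):
    """Return alerts for login floods per WWPN and link flapping per port."""
    window = timedelta(seconds=window_s)
    logins = defaultdict(list)
    flaps = defaultdict(list)
    for ts, port, event, wwpn in parse(lines):
        if event in LOGIN_EVENTS and wwpn:
            logins[wwpn].append(ts)
        elif event in LINK_EVENTS:
            flaps[port].append(ts)
    alerts = []
    for wwpn, stamps in logins.items():
        hit = first_burst(stamps, window, login_threshold)
        if hit:
            alerts.append({"type": "login_flood", "source": wwpn,
                           "count": hit[1], "from": hit[0].isoformat()})
    for port, stamps in flaps.items():
        hit = first_burst(stamps, window, flap_threshold)
        if hit:
            alerts.append({"type": "link_flap", "source": f"port {port}",
                           "count": hit[1], "from": hit[0].isoformat()})
    return alerts


# Constructed sample log: a normal server logging in twice, a misbehaving device
# issuing one FLOGI per second, one port flapping, and one line in another format.
SAMPLE_LOG = [
    "2003-02-10T09:00:00 port=3 event=FLOGI wwpn=10:00:00:00:c9:00:00:01",
    *[f"2003-02-10T09:00:0{i} port=7 event=FLOGI wwpn=10:00:00:00:c9:00:00:07" for i in range(8)],
    "2003-02-10T09:01:00 port=5 event=LINK_DOWN",
    "2003-02-10T09:01:01 port=5 event=LINK_UP",
    "2003-02-10T09:01:02 port=5 event=LINK_DOWN",
    "2003-02-10T09:01:03 port=5 event=LINK_UP",
    "2003-02-10T09:01:04 port=5 event=LINK_DOWN",
    "2003-02-10T09:05:00 port=3 event=FLOGI wwpn=10:00:00:00:c9:00:00:01",
    "2003-02-10T09:05:30 port=4 event=LINK_UP",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately parameters: a fabric reboot or a storage array with many ports will produce legitimate login bursts, so the values should be tuned against a baseline of normal traffic before alerts are acted on, and the "from" timestamp gives the point from which to pull surrounding events for an investigation.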


Man-in-middle Attacks
Unknown to the sender and receiver, an intermediary sends out a modified address to log in to the environment. This modified address usually impersonates a trusted entity on the fabric, such as a switch. All information originally destined for the real switch or fabric is delivered to the attacker first. The man-in-middle attacker then delivers the data to the legitimate switch. During this undetected re-routing of the information, the attacker may passively read, copy, or actively alter the real data. A replay attack may also be possible in this scenario. In this case, the attacker, already reading data, intercepts a session key with a time and date stamp. This can be stored and used later to establish a future "real" session. The attacker is depending on human nature not to change the key very often, just as in the house analogy (described in a previous section). If the intrusion(s) were not detected, why would anyone periodically change the house locks? In the data center environment, though, a best-practices approach is to change the key frequently and challenge the connection established at any given moment. The more random the time element is, the better. Session keys are acceptable; they simply need to depend on parameters other than a detectable time sequence.

[Figure 7 diagram: the expected data path for management interface (MI) data runs directly through the Fibre Channel Fabric; the actual data path is diverted through an attacking management interface or switch before reaching the legitimate destination.]

Figure 7: Man-in-middle Attacks. This scenario applies to any network (e.g. telephone dial-up, wireless link, Ethernet, LAN, MAN, WAN, Internet) that lies between a sender and receiver.


Spoofing
The term spoofing means to fool or misrepresent one's identity (address) when requesting services or information from the storage network environment. The most potentially damaging case is gaining access to the management interface. There, configurations may be changed and data may be lost or copied without the knowledge of the security administrators. This scenario is analogous to receiving mail that is not intended for your address and not returning it to the rightful owner. Either the mail was actively pilfered from the correct house or the mail carrier unintentionally delivered it to your house. One of the sub-scenarios carries penalties. The other carries none: the mail carrier simply redelivers the mail to the rightful owner.

[Figure 8 diagram: the authorized data path for management interface (MI) data runs through the Fibre Channel Fabric; on the spoofed data path a spoofing management interface steals the MI's address, so the data is delivered to an attacking management interface or switch.]

Figure 8: Spoofing the Real Data Interaction. Unauthorized recipient steals or manipulates data.


Hijacking
In this variation of spoofing, a hijacker takes over an existing, trusted session by sniffing or reading certain signs in a data flow that is unencrypted or not protected by other means, such as VPN technology.

[Figure 9 diagram: an established trusted session carrying management interface or user data through the Fibre Channel Fabric; the resource suddenly becomes unavailable to the legitimate party as an attacking management interface or switch takes over the session.]

Figure 9: Hijacked Session Scenario.

Summary of Attacks and Threat Profiles
All of the above attack scenarios have their analog in the Internet environment. Technologies used to counter these attacks have been and are being developed by the Internet Engineering Task Force (IETF). Methods of preventing or minimizing the level and frequency of threat exist there. Similarly, the American National Standards Institute (ANSI) Fibre Channel Protocol Standards Working Groups, along with the Security Protocols Working Group (FC-SP), have developed standards and proposals for the prevention of the above types of attacks. Regardless of the environment (Internet, Fibre Channel fabric), the types of attacks profiled above are being addressed and mitigated. For example, the use of strong authentication, as currently proposed by the FC-SP, will eliminate the possibility of spoofing, hijacking, and man-in-middle attacks simply because the keys used would not match. The attacker would not be able to enter the house to begin with, let alone read or make changes to the data.

When a Breach Occurs
What do you do when a breach occurs? A security break-in is not a question of "if". It is a question of "when?" Or it could be a question of "Did it already happen?" And it may be the realization "I never knew it happened." The methods of involving Interpol or the FBI, or of taking legal or company-internal action, are country, state, and company dependent. There may be a corporate or government institution decision as to what the level of response or responses will be, if any. Part of this decision is based on possible publicity, the level of the loss, or how clear and provable the potential break-in or fraudulent use of resources is.

In the United States, an older section of the U.S. Code, Title 18: Fiduciaries, chapters 18-16 (section 18-16-4), dealt with provisions surrounding chattels (property) and goods. Seeing that this section was in need of updating with respect to the Information Age, a Presidential letter, dated October 11, 1996, amended the U.S. Code. The revised code is now contained in Title 18, Part I, Chapter 47, Section 1030: Fraud and Related Activities in Connection with Computers. 11 A company in the U.S. may use this tool as a means to prosecute a traceable breach, if proper chains of evidence are preserved with the chosen authorities (law enforcement or FBI). Or, the company may choose only to take civil action. Finally, the company may choose to take no action at all. Whatever the course, advising on the action your organization should take is beyond the scope of this paper. The author is also not a legal professional and thus may not offer or imply direction regarding actions to be taken or avoided. The above is offered for informational purposes only.

11 U.S. Code may be found on the URL: http://www.usdoj.gov. Also, The National Infrastructure and Intellectual Property Section relating to Computer Crime (CCIPS) may be found on http://www.usdoj.gov/criminal/cybercrime/compcrime.html#NIFPA.


Conclusion
There is no question that securing intellectual property in an organization's data center and extended storage network is important. It is. The protection of information, whether at rest or in flight, now ranks as one of the top five areas of concern for CIOs, corporate executive staff, and boards of directors.

A company begins by defining its environment via an audit (assets) and an assessment of the environment. This forms the basis of discussion by departments in the organization to determine the access points to information, risks, risk mitigation, and costs associated with protecting intellectual property. Once the information is captured, the beginnings of a Security Policies and Procedures Manual may be formed. This manual doesn't have to be complex or large, as it needs to be understood by all members of the corporate environment to be effective. Technology alone does not solve the overall security problem. It is a combination of humans, practices, processes, and technology that helps a company to better protect itself. The manual is also revised many times, as it is a living document.

After the Security Policies and Procedures Manual is nearing reasonable stability, appropriate technology may be introduced. The technology added to the environment must match the cost of the information protected (TCO), must be simple enough for employees to use without the technology preventing them from being productive, and must be comprehensive enough to protect the intellectual property on a need-to-know basis from insiders as well as partners or outsiders.

Next, the building blocks of any security solution must begin with authentication. Verifying a person's identity is important to the protection of the data. Once this step has been proven, then a person's authorization may be granted. This is, once again, the permissions given to the authenticated person or entity: "What am I allowed to access or do once I've been given the right to stay?"

The next and ongoing step is to audit the session. Just what did this person do while he/she was logged in, and what was done after the session was over? This step alone forms the basis for evidence collection (if needed) or simply serves to correct some mistake made by the user when he/she was logged into the session. The above steps help expand the zone of trust so that the remaining two elements may be supported: integrity and privacy. Integrity ensures that information sent by one party was collected whole and intact by the receiving party. That is, no intermediary party, authorized or not, tampered with the information flow. Finally, privacy represents the encryption step of the information flow. Only the receiving party is allowed to read the data. All that other parties see (if anything at all) is a stream of unrepeated alphanumeric characters. The stream of encrypted data renders the information flow useless to all except the intended recipient.

Hitachi Data Systems is committed to providing end-to-end security via its original research and development (R&D), participation in the standards groups, and by providing best-of-breed solutions in conjunction with partners. The overall solution is only made possible via the cooperation of the members representing the R&D teams in the storage network environment. A comprehensive, extensible solution from all is coming soon and will leverage known technologies from the Internet Protocol Security Group (IPsec). In this way, interoperability will be ensured from day one of implementation.


Afterword
Standards Update
At the October 2002 meetings held in New Orleans, Louisiana, the INCITS/ANSI/T11 Fibre Channel Security Protocols Technical Working Group (FC-SP TWG) voted unanimously to adopt the IETF Challenge Handshake Authentication Protocol (CHAP [RFC 1994]) with Diffie-Hellman enhancements (DH-CHAP with NULL DH option) as the first fabric-interoperable authentication mechanism. Others are in discussion and will not be mutually exclusive of the above technology. What this means is that Fibre Channel fabric switches will use the same security mechanisms from day one. The switch vendors therefore guarantee interoperability.

As of the end of 2002, the INCITS/ANSI/T11 FC-SP TWG also adopted (among other items) two additional and optional authentication mechanisms:

Fibre Channel Authentication Protocol (FCAP). This authentication mechanism is employed between any two devices or entities on a Fibre Channel network using certificates or optional keys.

Fibre Channel Password Authentication Protocol (FCPAP). This is similar to FCAP in operation, but it uses a different key authority. Here, Secure Remote Password (SRP) is used, whereas FCAP may use a public key infrastructure (PKI) mechanism.

Again, FCAP and FCPAP are optional authentication mechanisms. DH-CHAP is the mandatory, or required, approach to authentication. Vendors may implement more than one method.
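The Man-in-middle section earlier makes two points about session credentials: a stale one must not be replayable, and the values that protect a session must not be predictable from what an observer sees. The DH-CHAP adoption described above addresses the second point by folding a Diffie-Hellman value into the CHAP response, so a passive observer of the fabric cannot check guesses of the shared secret off-line, whereas with the NULL DH option the exchange is plain CHAP and can be checked. The following Python example is added here to model both points; it is not taken from this paper, the FC-SP documents or any vendor. The way the challenge, secret and Diffie-Hellman value are hashed together, the use of SHA-256, and the tiny prime 2**61-1 are assumptions chosen for readability and do not reproduce the exact FC-SP message layout, hash choice or DH groups.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group. ASSUMPTION: 2**61-1 is prime but far too small for real
# use; it is chosen only so the demo reads easily. FC-SP defines its own DH groups.
P = 2**61 - 1
G = 2


def h(*parts: bytes) -> bytes:
    # ASSUMPTION: SHA-256 stands in for the hash negotiated by the real protocol.
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Transcript:
    """Everything a passive observer on the fabric sees during one exchange."""
    chap_id: int
    challenge: bytes
    gx: int | None       # initiator's public DH value (None = NULL DH option)
    gy: int | None       # responder's public DH value
    response: bytes


def chap_response(chap_id: int, secret: bytes, challenge: bytes, shared: int | None) -> bytes:
    """With the NULL DH option this is H(id || secret || challenge), the plain RFC 1994
    form. With DH the challenge is first bound to g^xy, so the response depends on a
    value the observer never sees (ASSUMPTION: simplified binding, not the FC-SP layout)."""
    bound = challenge if shared is None else h(challenge, shared.to_bytes(8, "big"))
    return h(bytes([chap_id]), secret, bound)


def run_authentication(initiator_secret: bytes, responder_secret: bytes,
                       use_dh: bool = True) -> tuple[bool, Transcript]:
    """Simulate one exchange between two switches that should share a secret."""
    # Initiator: a fresh challenge (and a fresh DH exponent) for every session.
    chap_id = secrets.randbelow(256)
    challenge = secrets.token_bytes(16)
    x = secrets.randbelow(P - 2) + 1 if use_dh else None
    gx = pow(G, x, P) if use_dh else None
    # Responder: its own exponent, then the response over the shared DH value.
    y = secrets.randbelow(P - 2) + 1 if use_dh else None
    gy = pow(G, y, P) if use_dh else None
    shared_at_responder = pow(gx, y, P) if use_dh else None
    response = chap_response(chap_id, responder_secret, challenge, shared_at_responder)
    # Initiator: recompute from its own secret and exponent; constant-time compare.
    shared_at_initiator = pow(gy, x, P) if use_dh else None
    expected = chap_response(chap_id, initiator_secret, challenge, shared_at_initiator)
    return hmac.compare_digest(expected, response), Transcript(chap_id, challenge, gx, gy, response)


def observer_confirms_guess(t: Transcript, guess: bytes) -> bool:
    """Can someone who only saw the transcript tell whether `guess` is the secret?"""
    if t.gx is None:
        # NULL DH: every input except the secret is public, so a guess is checkable.
        return hmac.compare_digest(chap_response(t.chap_id, guess, t.challenge, None), t.response)
    # DH: the response also depends on g^xy. The observer holds g^x and g^y but
    # neither exponent; the public values it does hold are not the shared value.
    for not_the_shared_value in (t.gx, t.gy, (t.gx * t.gy) % P):
        if hmac.compare_digest(chap_response(t.chap_id, guess, t.challenge, not_the_shared_value), t.response):
            return True
    return False


def replay_rejected(secret: bytes) -> bool:
    """A captured response does not satisfy a later session's fresh challenge."""
    _, captured = run_authentication(secret, secret, use_dh=False)
    fresh_challenge = secrets.token_bytes(16)
    expected = chap_response(captured.chap_id, secret, fresh_challenge, None)
    return not hmac.compare_digest(expected, captured.response)


if __name__ == "__main__":
    ok, t = run_authentication(b"fabric-secret", b"fabric-secret", use_dh=False)
    print("NULL DH verified:", ok, "| observer can confirm a correct guess:",
          observer_confirms_guess(t, b"fabric-secret"))
    ok, t = run_authentication(b"fabric-secret", b"fabric-secret", use_dh=True)
    print("DH-CHAP verified:", ok, "| observer can confirm a correct guess:",
          observer_confirms_guess(t, b"fabric-secret"))
    print("replay of an old response rejected:", replay_rejected(b"fabric-secret"))
```

The replay check holds for both options because the initiator issues a new random challenge per session, which is the "challenge the connection established at any given moment" advice from the Man-in-middle section. The off-line check differs: with NULL DH a weak shared secret is exposed to anyone who can record the fabric, so in a deployment the NULL DH option should be treated as a compatibility fallback and the secrets chosen as long random values rather than passwords.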


References
Books
[Chapman 1995] Building Internet Firewalls, D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Sebastopol, California, 1995, ISBN 1-56592-124-0
[Garfinkel 1996] Practical Unix & Internet Security, 2nd edition, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, Sebastopol, California, 1996, ISBN 1-56592-148-8
[Garfinkel 2001] Web Security, Privacy & Commerce, 2nd edition, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, Sebastopol, California, November 2001, ISBN 0-596-00045-6
[Hunt 2002] TCP/IP Network Administration, 3rd edition, Craig Hunt, O'Reilly & Associates, Sebastopol, California, April 2002, ISBN 0-596-00297-1
[Norberg 2000] Securing Windows NT/2000 Servers for the Internet: A Checklist for Systems Administrators, Stefan Norberg, O'Reilly & Associates, Sebastopol, California, November 2000, ISBN 1-56592-768-0, http://security.oreilly.com
[Cheswick 1994] Firewalls and Internet Security, Bill Cheswick and Steve Bellovin, Addison-Wesley, Reading, Massachusetts, 1994, ISBN 0-201-63357-4
[Clark 2002] IP SANs, Tom Clark, Addison-Wesley, Reading, Massachusetts, 2002, ISBN 0-201-75277-8
[Bishop 2003] Computer Security: Art & Science, Matt Bishop, University of California, Davis, Addison-Wesley Professional Series, Reading, Massachusetts, 2003 (available 11/29/2002), ISBN 0-201-44099-7 (textbook), http://www.aw.com

Papers
[Riedel 2002] A framework for evaluating storage system security, Erik Riedel, Mahesh Kallahalla, and Ram Swaminathan, Hewlett-Packard Laboratories, Palo Alto, California, {riedel,maheshk,swaram}@hpl.hp.com. USENIX Proceedings of the FAST 2002 Conference on File and Storage Technologies, Monterey, California, USA, January 28-30, 2002.

Internet Engineering Task Force (IETF)
Background information on the adoption of DH-CHAP by INCITS/ANSI/T11 can be found at:
[Black 2002] DH-CHAP: Diffie-Hellman Enhanced CHAP for iSCSI, Internet Draft document draft-black-ips-iscsi-dhchap-01.txt, D. Black, EMC, April 2002. Expires: October 2002. This draft describes an authentication mechanism based on enhancing CHAP [RFC 1994] with a Diffie-Hellman Exchange (see Section 22.1 of [Schneier]) in order to prevent a passive eavesdropper from acquiring sufficient information to perform an off-line dictionary attack on the CHAP secret. The use of this authentication mechanism with iSCSI [iSCSI] is discussed, along with a brief comparison to the existing CHAP and SRP authentication mechanisms in iSCSI.


A list of Internet Request For Comments (RFC) documents may be found by accessing the URL http://www.ietf.org/. Furthermore, the Internet Protocol Storage technical working group may be located at http://www.ietf.org/html.charters/ips-charter.html. The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Other Resources and Comments
EU Data Privacy Directive (95/46/EC) mandates that personal data be secured (A.17). Similar provisions appear in Directive 2002/58/EC, in force July 31, 2002.
EU to mandate telcos to keep data for 12-24 months. Retained data will surely have to be encrypted.
Condoleezza Rice, U.S. National Security Advisor, March 23, 2001, speech to the Partnership for Critical Infrastructure of the U.S. Chamber of Commerce: "Today the cyber economy is the economy. Corrupt those networks and you disrupt this nation."
Canadian Department of Justice proposes forcing ISPs to retain traffic data for six months; ISPs usually keep data for billing only.
Cadbury Report in the UK mandates Board protection of corporation assets, including information assets.
Ethical hackers performed a physical penetration attack on a U.S. military target, dressed as PLO, entered and left and were saluted by guards. Often all it takes is nerve.
Organization for Economic Cooperation and Development (OECD) Guidelines for Security of Information Systems. Adopted as a Recommendation of the OECD Council to Member States, July 25, 2002, at the 1037th Session (http://www.oecd.org/pdf/MOOO33000/M00033182.PDF). A set of 9 voluntary principles, highly representative of global trends in security. Promotes a "Culture of Security", built in from the ground up. Emphasizes increased interconnectivity and interdependencies amongst sundry stakeholders, the need for cooperation and information sharing, and respect for personal privacy.


Computer Security Institute: Richard Power, Editorial Director (rpower@cmp.com), http://www.gocsi.com
FBI: nccs-sf@fbi.gov
Sysadmin, Audit, Network, Security (SANS) Institute: http://www.sans.org/
Computer Information Systems Security Professionals: http://www.cissps.com/
USENIX (good reports on file and storage technologies, and has a link to SAGE): http://www.usenix.org/
The White House (Homeland Security): http://www.whitehouse.gov/ Richard Clarke is heading the effort. A preliminary document appears on this Web site.

Other
http://www.greatcircle.com
http://ciac.llnl.gov
http://www.cs.purdue.edu/coast/coast.html
http://www.sei.cmu.edu/technology/trustworthy.html


Glossary
Acronyms and definitions for the security industry are as prevalent as those of the networking and network management industries. A number of the more frequently used ones are included below. For more definitions of this nature, search the following Web sites: http://www.google.com or The Free On-line Dictionary of Computing (FOLDOC), 1993-2001 Denis Howe, at http://wombat.doc.ic.ac.uk/foldoc/

ACL: Access Control List. Limits and controls access to systems.

AES: Advanced Encryption Standard. The National Institute of Standards and Technology (NIST) held a competition to develop the Advanced Encryption Standard (AES) as a replacement for DES. NIST was pleased to announce the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard, FIPS-197. This standard specifies Rijndael (pronounced "rain doll") as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information. Please see: http://csrc.nist.gov/encryption/aes/ The AES is stronger than Triple DES and approximately 50 times faster. Many security systems will probably use both Triple DES and AES for at least the next five years. After that, AES may supplant Triple DES as the default algorithm on most systems if it lives up to its expectations. But Triple DES will be kept around for compatibility reasons for many years after that.

3DES: See DES.

ANSI: American National Standards Institute.

Bastion: Projecting fortification that protects those inside the walls from those outside the walls.

CA: Certificate Authority. Trusted, digitally signed certificate containing user identification and authentication levels.

CBC: Cipher Block Chaining (for DES or AES encryption).

CDB: Command Descriptor Block (SCSI commands and parameters are specified there).

CERT: Computer Emergency Response Team.

COPS: Computer Oracle Password and Security. A collection of programs that provides some monitoring and detection of potential problems in /etc/passwd and /etc/group, /etc/hosts.equiv, and ~/.rhosts files. It also checks permissions and changes in SUID status. Obtainable from ftp:cert.sei.cmu.edu (pubs/cops/cops.tar.Z).

DES: Data Encryption Standard. Algorithm developed by IBM for the U.S. National Bureau of Standards for encrypting and decrypting data. Uses a 56-bit encryption key. Triple-DES (3DES) has a longer key length and encrypts in the following manner (similar to DES): the data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key. The reuse of the same key in any of the three steps is allowed.

DMZ: De-militarized Zone. Usually a separate LAN connected to a firewall containing proxy application servers. These servers present themselves to less trusted users while isolating the actual application servers logically situated deeper within the security framework.

Entity: In the OSI/RM 7-layer Model, an entity within a layer provides services to the layers immediately above and below it via service access points. It also refers to a device on the fabric (e.g. switch) or at its edge (e.g. server or storage array).

IDEA: International Data Encryption Algorithm.

IETF: Internet Engineering Task Force.

INCITS: The International Committee for Information Technology Standards (INCITS) is the forum of choice for information technology developers, producers, and users for the creation and maintenance of formal de jure (by law) IT standards. INCITS is accredited by, and operates under rules approved by, the American National Standards Institute (ANSI). These rules are designed to ensure that voluntary standards are developed by the consensus of directly and materially affected interests. The mission of the International Committee for Information Technology Standards is to produce market-driven, voluntary consensus standards.

ITU: International Telecommunications Union (formerly known as CCITT).

MAC: Message Authentication Code.

MD: Message Digest. Authentication code that cryptographically guarantees that data has not been forged or tampered with (prevents man-in-the-middle attack).

PKI: Public Key Infrastructure. An authentication mechanism that uses asymmetric (public/private) key exchange technology.

PMSP: Preliminary Message Security Protocol. Used for unclassified but confidential information (Mosaic).

RC2/RC4: Variable-key-size encryption algorithms ("Ron's Code", after Ron Rivest of RSA Data Security, Inc.).

RSA: Public-key algorithm named after its co-inventors: Ron Rivest, Adi Shamir, and Leonard Adleman.

SKIP: Simple Key-management for Internet Protocols. Public-key certificate-based key-management method.

SPKI: Simple Public Key Infrastructure.

Subnet: A logically separate part of an organization's network. Defining a subnet mask identifies the host portion and the subnetwork portion of the network address. This tells the network what part of the IP address is a node or host, which part belongs to the subnet, and what belongs to the network address.

T11: The T11 Technical Committee is the committee within INCITS responsible for Device Level Interfaces. T11 has been producing interface standards for high-performance and mass storage applications since the 1970s.

VLAN: Virtual LAN. Access control that allows logical groupings of workstations, switches, routers, or servers. Can be extended over the Internet.

VPN: Virtual Private Network. Encapsulating mechanism that allows private traffic to be transported securely over a public network such as the Internet.

X.509: ITU standard for certificate definition (a certificate is a data structure that binds the identity of an entity with a public-key value).


Hitachi Data Systems www.hds.com storage@hds.com

Corporate Headquarters
750 Central Expressway Santa Clara, California 95050-2627 U.S.A. (408) 970-1000 info@hds.com

Asia Headquarters
Suite 3301-6, Shell Tower Times Square, 1 Matheson Street Causeway Bay Hong Kong 2525-2385 infoasia@hds.com

Australia/New Zealand Headquarters


Level 3 82 Waterloo Rd. North Ryde, NSW 2113 Australia +61-2-9325-3300 info.australia@hds.com

Canada Headquarters
2550 Victoria Park Avenue Suite 601 Toronto, Ontario M2J 5A9 (416) 494-4114 www.hds.com Cananda.Sales@hds.com

Europe Headquarters
Sefton Park Stoke Poges Buckinghamshire SL2 4HD United Kingdom +44 (0) 1753-618000 info.eu@hds.com www.eu.hds.com

Latin America Headquarters


750 Central Expressway, MS 3468 Santa Clara, California 95050-2627 U.S.A. (408) 970-7447 infolatin@hds.com

U.S. Headquarters
750 Central Expressway Santa Clara, California 95050-2627 U.S.A. (408) 970-1001 ussalesinfo@hds.com
Hitachi Data Systems is registered with the U.S. Patent and Trademark Office as a trademark and service mark of Hitachi, Ltd. The Hitachi Data Systems logotype is a trademark and service mark of Hitachi, Ltd. Freedom Storage, TrueNorth, ShadowImage, NanoCopy, SANtinel, TrueCopy, Lightning 9900 and Thunder 9500 are trademarks of Hitachi Data Systems Corporation. All other trade names, trademarks, and service marks used herein are the rightful property of their respective owners. Notice: This document is for informational purposes only, and does not set forth any warranty, express or implied, concerning any equipment or service offered or to be offered by Hitachi Data Systems. This document describes some capabilities that are conditioned on a maintenance contract with Hitachi Data Systems being in effect, and that may be configuration-dependent, and features that may not be currently available. Contact your local Hitachi Data Systems sales office for information on feature and product availability. 2003, Hitachi Data Systems Corporation. All Rights Reserved. WHP-129-00 February 2003
