Towards Securing Information End-to-end: Networked Storage Security Update and Best Practices
A White Paper
by Arthur B. Edmonds, Jr.
February 2003
Executive Summary
Organizations rely on their accumulated information and need to distribute it to people who can mine, distill, and make decisions based on volumes of data. The result of exploiting information may be embodied in a newly created market or a different way to approach an existing business issue. In either case, the information is proprietary to the organization and protected within the confines of the company. Or is it? If the intellectual property is truly controlled and released, the result is increased revenue for the organization. If a competitor steals trade secret information, however, the result could be increased revenue for the opposition. The original idea company would also lose time-to-market advantage.[1] Lost data and revenue put company officers and their organization at financial risk to stakeholders, partners, suppliers, and customers. Access to data has evolved from in-house only to regional and global levels. In short, information has been made more accessible from wherever users, partners, and customers are located. However, more access points mean more chances for unauthorized eyes to discover and exploit sensitive data. Trade secret information can be exploited from inside the company as well as from outside. And there is no expectation that these volumes of data will ever decrease. In fact, the volumes of data and the access requirements for information have grown rapidly in a few short years. The Storage Networking Industry Association (SNIA) observes that the amount of storage capacity needed to house this data doubles every 12 months. Networked storage has forced many companies to rethink their information access strategies, increasing business requirements for continuity, performance, and security. Hitachi Data Systems has participated in managing and protecting data in these arenas through the deployment of its Hitachi TrueNorth vision and strategy.
The TrueNorth strategy employs such products as Hitachi ShadowImage and Hitachi SANtinel software and enables remote copy over MANs and WANs via Hitachi TrueCopy software and NanoCopy technology, to help customers simplify, optimize, and protect their information infrastructures. Also, Hitachi Data Systems protects one server's data from another via virtual storage ports (host storage groups). This means that Hitachi Data Systems offers true multi-tenant support on one physical storage array. The complete picture of securing information does not stop at the storage array. It must go from the array to the application level, through the Internet, and back again in a secure, protected fashion. Hitachi Data Systems is therefore participating in standards body groups in order to develop, recommend, and deploy security technologies that are comprehensive, while maintaining simplicity and performance and keeping the cost of implementation low. To realize the benefits of safely expanding resource utilization and data accessibility from the disk array to the application, organizations must tackle known networked storage security challenges. This paper will review key network storage security issues, current standards, best practices, and how to move towards secure end-to-end information access without disruption of an organization's current environment.
[1] Avery Dennison lost over $40M and market advantage. Lucent lost untold revenues when source code for its PathStar product was stolen and passed to Beijing-based Datang Telecom (Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002, page 7).
Contents
Introduction
Enterprise Security Challenge
Networked Storage and TCO
Traditional Security in the Data Center
Security in a Distributed Storage Environment
New Vulnerabilities: Networked Storage
What do Customers Require?
The Need for Security in a Networked World: How Much Security Do You Need?
Security versus Access
Threat Profiles and Types of Attacks
Denial of Service (DoS)
Man-in-the-middle Attacks
Spoofing
Hijacking
Summary of Attacks and Threat Profiles
When a Breach Occurs
Conclusion
Afterword
Introduction
Data must be accessible to authorized users so that business may be conducted wherever and whenever necessary. Data must also be protected from unauthorized people. This is the balancing act information technology professionals need to perform daily. Obviously, somewhere in the spectrum between no access and unrestricted access lies the answer. But where? Each company will need to decide where in the spectrum its answer lies via corporate agreements on who gets access, what they can do with the access, and, finally, what was done while the user was interacting with the information. Statistics show that the number of reported incidents (not all will be reported, due to loss of reputation, theft of transaction, financial fraud, or plain inappropriate behavior) is on the rise due to the increased sophistication of the tools used to crack a company's site (see Figure 1).
Figure 1: Security Threats Growth. Security threats are increasing in number and sophistication. This isn't due to the sophistication of the attacker but, rather, to the tools used by the cracker. (Source: www.cert.org/stats/cert_stats.html)
[Figure 2 chart: reported loss in dollars (vertical axis $0 to $300) by year, 1997 to 2001]
Figure 2: Reported Loss. Financial loss due to trade secret theft has rapidly increased in recent years. (Source: Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002.)
In addition to creating a trusted environment for corporate trade secrets and protecting intellectual property valuations, medical and merged financial and insurance services have regulatory oversight. The Health Insurance Portability and Accountability Act (HIPAA) was enacted to focus on an individual's medical privacy and is seeking to provide National Standards to Protect the Privacy of Personal Health Information. Similarly, the Gramm-Leach Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act (GLBA), has specified 13 Safe Harbors focused on consumer protection, which will be implemented by depository institutions that sell insurance products.
ibid. Computer Security Institute's Computer Security Issues & Trends, Vol. VIII, No. 1, Spring 2002.
For ROI case studies and TCO discussions, refer to Developing Return on Investment and Business Case Support for Storage Area Networks, by David R. Merrill, July 2001, at www.hds.com.
[Figure 3 diagram labels, outer to inner: Edge Router; Internet; Dirty; Firewall/VPN; Enterprise Perimeter; sFTP, ssh, Web (https/SSL); DMZ; Clean; Management Interface (MI). Annotation on the diagram: data at this inner level is normally stored and transmitted in CLEAR-TEXT.]
Figure 3: Current or Traditional Security Approaches. These methods focus on the perimeter, or untrusted side, of the corporate network. Whenever a new service is needed, a tunnel or hole must be created through the security barrier. If a connection from the Internet to the storage environment is enabled, in-flight data cannot be distributed in clear text. Data should also be encrypted at rest.
The technology described above aids in the protection of a company's information. One of the most important security best-practice approaches is to employ the principle of least privilege: that which isn't expressly permitted is denied. So, starting with unbroken lines (no access), each service [e.g. secure Web access (Secure Sockets Layer or SSL), file access, etc.] is configured by the security administrator one at a time and tested. This results in known services access, represented by the broken lines.
Attaching a network to a set of storage resources is also a departure from the past. Previously, besides being directly attached to a server or SAN fabric, multiple layers of security could stand between the company's valuable information and the outside world, at an access point closer to the storage array itself. This may no longer be the case, especially if a storage network is directly connected and extended over a public network such as the Internet. Then it is critical to ensure integrity (data is unchanged between sender and receiver) and privacy (encrypted and compartmentalized). It is equally important to protect this data in flight as well as at rest, as approximately 50 percent of intentional and unintentional intrusions originate from inside the company.[4] For example, payroll data needs to remain private, shared only among those with a need to know.
[Figure 4 diagram labels: Applications; Application Servers (Campus, MAN/WAN, Wireless); Data-at-Rest; Firewalls, VPNs; Data-in-Flight; Managed Services; DR; Consolidation; Vaulting; Storage Networks.]
Figure 4: Access Vulnerability. More access points mean a greater potential for exploiting sensitive data. This includes unauthorized outsider and insider access.
Management access points and the people allowed to use them must also be protected. In fact, it is the multitude of management interfaces that are the most vulnerable to intentional and unintentional access and alteration of data from either inside (trusted) or outside (untrusted) sources. Changes made here may prevent access to information by legitimate users (a form of DoS, or denial of service), mask an intruder's access, or change access to a legitimate profile, and erase all presence of the visit in the audit logs. Worse, missteps in the use of the management interface could result in lost or corrupted data.
[4] ibid. CSI/FBI.
In order for any security implementation to be accepted by the user and administrative community, it must be:
- Simple
- Comprehensive
- Easy to use
- Easy to manage
Furthermore, it must demonstrate low TCO.

Simple
Simple to install means including as many security mechanisms in the environment as possible or practical without human intervention and management. For example, auto-loads in the operating system build and port driver(s) in the download phase could be employed. It is best to hide the complexity from the administrator wherever possible (or at least make the security tools easy to implement), especially for those not trained or experienced in security practices and procedures. It is also possible to inject a special-purpose security appliance into a production environment without redesigning the data center topology. Security services such as authentication, authorization, auditing, data integrity checks, and privacy mechanisms may be made available within minutes to the organization's environment.[5] Note that the user community will resist participating in the secure environment, especially if the chosen mechanisms inhibit reasonable access to the resources these individuals need to get their jobs done.

Comprehensive
A complete end-to-end security implementation requires not only participation by each discrete element, but also building blocks of technology and the people to manage and monitor the implementation.
1. Authentication. In order for the identities of a sender and receiver to be verified, information about each must be sent to ensure that each party is who they say they are. This first step should be taken before any data is sent. Authentication between computers can be achieved in a manner similar to a notarized signature on a piece of paper, via certificate-based (common trusted authority) and password-based (shared secret) protocols.[6]
2. Authorization. Once identity is verified, the profile of the authenticated parties is logged. This step establishes what the trusted parties have been given permission to do once logged in.
[5] Security mechanisms, including authentication, authorization, auditing, integrity, and encryption, are also appearing in Fibre Channel.
[6] For definitions of this nature and more, search http://www.google.com or The Free On-line Dictionary of Computing (FOLDOC), Denis Howe, 1993-2001, at http://wombat.doc.ic.ac.uk/foldoc/.
3. Auditing. This critical step builds upon the first two. An audit tracks the activity of the authenticated and authorized user by session. After logout, the log is kept in a safe place. For example, UNIX stores activities (if enabled) in /var/adm/syslog. Audit trails are more than simply machine-tracked evidence, and they are needed for more than just the detection of intrusions and unauthorized or inappropriate access. They involve human oversight by trusted insiders and regulatory bodies. The requirements vary by institution: financial institutions, healthcare facilities, and government departments.
4. Integrity. This protects both data and management traffic via digital signature technologies. Checksums provide the means to verify that the data transferred by the sender wasn't altered in transit or before arriving at the receiver's location.
5. Privacy. Finally, confidentiality of the information, especially over a public network or between trusted departments, is provided by encrypting it under secret keys agreed between the parties. Various implementations of this capability have differing degrees of performance. Two such technologies are the Data Encryption Standard (DES or Triple-DES) and the Advanced Encryption Standard (AES) from the National Institute of Standards and Technology (NIST). AES is replacing Triple-DES for performance and better use of resources.[7]

The order of implementation is important. Verification of the identity comes first, followed by what the user can do once authenticated. Next, a record of what the user did when authorized is important: any unintentional mistakes or intentional actions could be backed out in order to protect the trusted information. Ensuring that what I sent is what you received is extremely important, so that no misunderstanding or unauthorized tampering with the data occurs without our knowledge. Finally, it is essential to encrypt the data so that only those who are intended to receive it may view it.
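The integrity step above rests on a tag the receiver can check, and the paper mentions both digital signatures and checksums. The following Python example is added here (it is not code from the paper or from Hitachi Data Systems) to show the difference that matters in practice: a plain CRC-32 checksum catches a transmission error, but an intermediary who alters a management command can simply recompute it, whereas an HMAC under a key shared by sender and receiver cannot be recomputed without that key. The management command, the key and the alteration are constructed sample values.

```python
import hashlib
import hmac
import zlib


def crc_tag(data: bytes) -> int:
    """Plain checksum (CRC-32): detects accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA-256): without `key` no one can
    produce a valid tag for modified data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_ok(data: bytes, tag: int) -> bool:
    return crc_tag(data) == tag


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(mac_tag(key, data), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate a transmission error (accidental corruption)."""
    buf = bytearray(data)
    buf[0] ^= 0x01
    return bytes(buf)


def integrity_demo() -> dict:
    # Constructed values: a shared key agreed out of band and a management command.
    key = b"constructed-shared-key"
    message = b"MGMT: set lun_map host=srv42 lun=7 access=rw"
    crc, mac = crc_tag(message), mac_tag(key, message)

    corrupted = flip_one_bit(message)
    # An intermediary who rewrites the command can also recompute the checksum,
    # because a CRC needs no secret; the HMAC cannot be recomputed without the key.
    altered = message.replace(b"host=srv42", b"host=srv99")
    return {
        "crc_detects_bit_error": not crc_ok(corrupted, crc),
        "mac_detects_bit_error": not mac_ok(key, corrupted, mac),
        "crc_detects_recomputed_alteration": not crc_ok(altered, crc_tag(altered)),
        "mac_detects_alteration": not mac_ok(key, altered, mac),
        "mac_accepts_original": mac_ok(key, message, mac),
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check}: {result}")
```

The one entry that comes back False is the checksum facing a deliberate, recomputed alteration; that is the case the paper's "unauthorized tampering" wording is about, and it is why a keyed tag or signature, not a bare checksum, is the integrity mechanism for data and management traffic that crosses an untrusted path.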
Think of the above set of five steps as analogous to building a house. Authentication forms the foundation of the home. The other elements form the walls, doors, windows, and roof. The doors and the key that unlocks them may be analogous to authorization and integrity (although the analogy breaks down a bit, in that authentication also requires interaction with keys). The walls and roof may be loosely analogous to integrity and privacy. Levels of security may take the form of multiple, separate locks on the door, bars on the windows, or burglar alarms. Link- or transport-level encryption is important and is currently in use with VPNs running over public networks, e.g. the Internet. It is very important to encrypt data at rest as well, to prevent unauthorized exploitation of the information. This can take the form of actually encrypting the data itself, encrypting or hiding the file system structure, or both.[8] Each level of security comes with a cost and consequences of implementation. This leads to the question of total cost of ownership, or TCO.
[7] The National Institute of Standards and Technology (NIST) selected Rijndael (pronounced "rain doll"), the combined work of Belgian researchers Vincent Rijmen and Joan Daemen, as the basis for AES. Triple-DES, created in the 1970s, is still used by the U.S. Government. Management of encryption standards now falls under the U.S. Department of Commerce.
[8] See [Riedel 2002], which prefers encrypt-on-disk over encrypt-over-wire for better performance and security.
Low TCO
Just as network and systems management platforms have not remained a luxury to implement, storage management has come into the spotlight as a must-have addition to the data center floor. Complexity and the need to expand the reach of an administrator's support capabilities are the main motivators. Returns on investment are quantifiable due to the cost of personnel, maintenance costs, and the growth of an organization's resources. This is still the case, even in a slow-growth economic environment. Similarly, it's no longer a luxury to add security systems to a company's environment. Still, the total cost needs to be justified. This is usually done by quantifying the cost of the data or intellectual property: determining what would happen if it were stolen or lost, and the cost to replace or recover it (if possible). Let's look at two TCO scenarios. Both involve protection of information in a data center. However, each has widely varying outcomes.

TCO Scenario 1: Power Outage
When choosing a site for the data center, a power outage lasting more than a few seconds at the data center has a 0.5 percent probability. The expected conservative losses are:
Personnel idle = $200,000
Recovery (downtime + personnel) = $100,000
Therefore, the expected loss and recovery cost is:
$(200,000 + 100,000) x 0.005 = $1,500/year
The cost of an uninterruptible power supply (UPS) system is typically $150k with an expected 10-year lifetime. The cost of avoidance is therefore $15k/year. Comparing $1,500/year with the $15k/year cost of prevention, this is
Practical UNIX & Internet Security, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, April 1996, Ch. 8.
Expected loss (no recovery is possible, as trade secret data is permanently lost):
$(1,000,000 + 0) x 0.59 = $590,000/year
The cost of a password card for each user plus software is $100 x 100 + a $20k license, with an expected three-year lifetime. Add yearly maintenance of $10k and training of $2.5k. Doing the math yields:
$(100 x 100 + 20,000)/3 + $12,500/year = $22,500/year
So, with a cost of avoidance of $22.5k/year, it is easy to see, when comparing the above figure with $590,000/year, that this is
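Both scenarios apply the same two formulas: an annualized expected loss, (loss + recovery) x probability, set against an annualized cost of avoidance, capital spread over its lifetime plus recurring costs. The following Python example is added here (it is not the paper's code) to carry that calculation through in general form, with the paper's own figures as inputs; it also derives the break-even probability at which a control would start to pay for itself, which the paper does not state. The field names and the decision rule (the control is worth it when avoidance costs less than the expected loss) are this example's assumptions.

```python
def annual_expected_loss(loss: float, recovery: float, probability: float) -> float:
    """Annualized expected loss: (loss + recovery) x annual probability of the event."""
    return round((loss + recovery) * probability, 2)


def annual_cost_of_avoidance(capital: float, lifetime_years: float, yearly_opex: float = 0.0) -> float:
    """Capital cost spread evenly over its lifetime, plus recurring yearly costs."""
    return round(capital / lifetime_years + yearly_opex, 2)


def breakeven_probability(loss: float, recovery: float, capital: float,
                          lifetime_years: float, yearly_opex: float = 0.0) -> float:
    """Event probability at which the control's yearly cost equals the expected loss."""
    return round(annual_cost_of_avoidance(capital, lifetime_years, yearly_opex) / (loss + recovery), 4)


def assess(name: str, loss: float, recovery: float, probability: float,
           capital: float, lifetime_years: float, yearly_opex: float = 0.0) -> dict:
    """Compare expected loss with cost of avoidance for one scenario."""
    ale = annual_expected_loss(loss, recovery, probability)
    cost = annual_cost_of_avoidance(capital, lifetime_years, yearly_opex)
    return {
        "scenario": name,
        "expected_loss_per_year": ale,
        "cost_of_avoidance_per_year": cost,
        "net_benefit_per_year": round(ale - cost, 2),
        "breakeven_probability": breakeven_probability(loss, recovery, capital, lifetime_years, yearly_opex),
        "worth_it": cost < ale,   # decision rule assumed by this example
    }


# The paper's two scenarios, with the figures exactly as the paper gives them.
SCENARIOS = [
    dict(name="TCO Scenario 1: Power outage", loss=200_000, recovery=100_000,
         probability=0.005, capital=150_000, lifetime_years=10),
    dict(name="TCO Scenario 2: Password compromise", loss=1_000_000, recovery=0,
         probability=0.59, capital=100 * 100 + 20_000, lifetime_years=3,
         yearly_opex=10_000 + 2_500),
]


def assess_all() -> list:
    return [assess(**s) for s in SCENARIOS]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

Run as a script, the first scenario reports a $15,000/year control against a $1,500/year expected loss (the UPS would only pay for itself once the outage probability reached 5 percent), and the second reports $22,500/year against $590,000/year.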
The Need for Security in a Networked World: How Much Security Do You Need?
Security versus Access
Granting ready access to authorized users has its benefits and its reasons for caution. Information that's accessible from anywhere and at any time gives headquartered and mobile decision-makers the freedom to get their projects and tasks accomplished, again from any place and any time zone on the planet. The consequence of this freedom is that competitors, governments, industrial and economic espionage agents, and even disgruntled employees may be able to take advantage of known and unknown holes or access points to your company's privileged data. Besides copying the information, they may deny legitimate access to the corporate repositories or, worse, alter or destroy valuable pieces of the datasets. Now, it is not always the case that some sinister or unauthorized party is trying to gain access to your data house. The opened access point or points may be due simply to a misconfiguration or an incorrectly attached cable. People are human; as such, they do make mistakes.
Balancing data access, that is, granting access to those who are authorized and require it to get their jobs done and denying it to those who have no business even trying to gain access, is an ongoing act. Security best practices require a corporate-wide plan that results in a Security Policies and Procedures Manual. The usual steps in the manual's creation are:
1. Determine what you have (asset tagging and tracking)
2. Identify the cost of corporate information assets (trade secrets valuation)
3. Determine which threats exist and which threats are possible (threat model analysis)
4. Quantify the probability of threats to corporate intellectual property (threat risk analysis and prioritization)
5. Lay out the cost of a security solution and what it protects you from (cost/benefit analysis, TCO)
6. Develop and distribute the Corporate Security Policies and Procedures Manual (everybody gets one, and everyone understands what to do on a daily basis and in case of a breach)
This paper has already given an example of trade secret valuation in a previous section (TCO Scenario 2: Password Compromise). The rest of the discussion will consider possible types of threats, the state of the Standards Groups, what Hitachi Data Systems is doing as a participant in these Groups, and current Hitachi technology (where possible, identifying where it may be headed with its own technology and the technology of its partners).

Threat Profiles and Types of Attacks
In order for a comprehensive profile to be generated, a threat model needs to be captured. In the storage-networking world, focus is placed on the access points in the environment. Now that storage networks can be directly connected to public networks, a back door has been created to an organization's information. Special care needs to be taken when deciding on a comprehensive security solution, since a company can no longer rely on the layered protections its storage enjoyed when the storage network had no direct outside connections.
Figure 3 showed the traditional approach to storage access. A similar example in Figure 5 depicts the possible access points.[10]
[10] This is the Fibre Channel Security Protocols (FC-SP) Threat Model, which is being used as a template to develop standard approaches to securing the Fibre Channel fabric. Details of this model and more security documents may be found on the American National Standards Institute Fibre Channel Web site (ANSI/T11): http://www.t11.org. Threat type 5 in this paper is described differently than the FC-SP type 5 for purposes of expanding discussion on certain threat topics. Similar security discussions for the Internet and iSCSI appear on the Internet Engineering Task Force (IETF) site: http://www.ietf.org.
[Figure 5 diagram labels: Non-Fibre Channel; Internet, Telnet, RS-232, etc.; Gateway/Bridge; threat types 1 to 5 marked at the connection points.]
#  Threat Type                                     Risk Level
1  Server or Storage Array to Network Connection   MEDIUM
2  Switch to Switch                                MEDIUM
3  Server to Storage Array                         MEDIUM
4  Management Interface                            HIGH
5  DoS, Man-in-Middle, Spoofing, Hijacking         MEDIUM
Figure 5: Security Threats. Types of threats between devices connected on a storage network and externally connected (non-fibre channel) network. DoS refers to Denial of Service and is described in more detail later. The highest risk to at-rest or in-flight data is via the management interfaces.
The types of threats in a storage network environment are listed above. The highest ranked risk level, number 4, the Management Interface, is not rated HIGH because of the sheer number of possible ingress points. It is rated HIGH because of its ability to disrupt a connection to the networked environment, add illegal accounts, copy data to an illegal recipient, and destroy the data altogether.
1. Server or Storage Array to Storage Network Connection. An attachment could give an inside or outside party access to data they shouldn't receive. Another means of exploitation is hijacking a legal address and collecting data and addresses for future exploitation (spoofing). Or, an attacker may choose to flood the environment with login requests or make changes to the switch's ability to forward data contained in frames to legitimate recipients (denial of service).
2. Switch to Switch. Here, a switch may attempt to illegally join a fabric or change the fabric topology. This is usually accomplished by having physical access to the SAN fabric. However, a management interface may enable this as well from a remote location. An unauthenticated switch may be able to change the layout of the environment or cause denial of resource access to legitimate users.
3. Server to Storage Array. An unauthorized communication link may be set up by allowing a device to send frames to another device that isn't in its database of allowed communication devices (soft zone). Another way to bypass security is to introduce virus code into the environment. Also, making requests for large amounts of data and then refusing receipt of the request may accomplish a Denial of Service scenario.
4. Management Interface. This represents the highest threat level of all. An outsider who has compromised a server may install a vendor or third-party management interface on a server accessible to an insider. Without strong authentication mechanisms installed, an illegal management request is very hard to distinguish from legitimate activity, and therefore hard to detect and contain. This activity may be accomplished on the Fibre Channel fabric or via the Internet.
5. DoS, Man-in-middle, Spoofing, Hijacking. These will be described in more detail in the subsections immediately following.

Denial of Service (DoS)
This attack is represented by any activity that prevents authorized parties from logging into their data center or getting to the data to do work. The attacker can accomplish this in a number of ways: issuing repeated login requests, joining two fabrics to make one large fabric that may reduce performance, resetting the resource map (such as adding a device and removing it repeatedly), or going online and offline itself.
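The audit trail described under Auditing (item 3 of the building blocks) and the repeated login requests named above as a denial-of-service method meet in the authentication log. The following Python example is added here (it is not the paper's code) to show the detection side: it parses constructed syslog-style records, assumed to be in OpenSSH's "Failed password for ... from ..." format, and flags any source that accumulates a threshold of failed logins within a sliding time window. The host name, addresses, timestamps and assumed year are constructed values; the threshold and window are this example's defaults.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style authentication records (not from any real system).
SAMPLE_LOG = """\
Feb 10 09:00:01 stor-mgmt sshd[1201]: Failed password for root from 192.0.2.10 port 40112 ssh2
Feb 10 09:00:03 stor-mgmt sshd[1202]: Failed password for root from 192.0.2.10 port 40113 ssh2
Feb 10 09:00:05 stor-mgmt sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Feb 10 09:00:06 stor-mgmt sshd[1204]: Accepted password for alice from 192.0.2.22 port 40115 ssh2
Feb 10 09:00:08 stor-mgmt sshd[1205]: Failed password for root from 192.0.2.10 port 40116 ssh2
Feb 10 09:00:09 stor-mgmt sshd[1206]: Failed password for bob from 192.0.2.22 port 40117 ssh2
Feb 10 09:00:11 stor-mgmt sshd[1207]: Failed password for root from 192.0.2.10 port 40118 ssh2
Feb 10 09:45:00 stor-mgmt sshd[1310]: Failed password for root from 192.0.2.10 port 40200 ssh2
"""

# Classic syslog timestamps carry no year; one is assumed so they can be ordered.
ASSUMED_YEAR = 2003

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Return a dict for a recognised authentication record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def failed_logins_by_source(log_text: str) -> dict:
    """Plain audit count of failed logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)


def find_login_floods(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source: (count, first_time, last_time)} for every source whose failed
    logins reach `threshold` inside some `window_seconds`-long sliding window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = (len(q), q[0], q[-1])
    return flagged


if __name__ == "__main__":
    print("failures per source:", failed_logins_by_source(SAMPLE_LOG))
    for src, (n, first, last) in find_login_floods(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The sliding window is what separates a flood from an ordinary day of typos: the source with five failures in ten seconds is flagged, the source with a single failure is not, and a sixth failure from the first source forty-five minutes later stands alone again because the earlier ones have aged out.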
Man-in-middle Attacks
Unknown to the sender and receiver, an intermediary sends out a modified address to log in to the environment. This modified address usually impersonates a trusted entity on the fabric, such as a switch. All information originally destined for the real switch or fabric is delivered to the attacker first. The man-in-middle attacker then delivers the data to the legitimate switch. During this undetected re-routing of the information, the attacker may passively read or copy, or actively alter, the real data. A replay attack may also be possible in this scenario. In this case, the attacker, already reading data, intercepts a session key with a time and date stamp. This can be stored and used later to establish a future "real" session. The attacker is depending on human nature not to change the key very often, just as in the house analogy (described in a previous section): if the intrusion(s) were not detected, why would anyone periodically change the house locks? In the data center environment, though, a best-practices approach is to change the key frequently and to challenge the connection established at any given moment. The more random the time element is, the better. Session keys are acceptable; they simply need to depend on parameters other than a detectable time sequence.
Figure 7: Man-in-middle Attacks. This scenario applies to any network (e.g. telephone dialup, Wireless Link Ethernet, LAN, MAN, WAN, Internet) that lies between a sender and receiver.
Spoofing
The term spoofing means to fool or misrepresent one's identity (address) when requesting services or information from the storage network environment. The most potentially damaging form is gaining access to the management interface. There, configurations may be changed and data may be lost or copied without the knowledge of the security administrators. This scenario is analogous to receiving mail that is not intended for your address and not returning it to the rightful owner. Either the mail was actively pilfered from the correct house or the mail carrier unintentionally delivered it to your house. One of the sub-scenarios carries penalties. The other carries none; the mail carrier simply redelivers the mail to the rightful owner.
Figure 8: Spoofing the Real Data Interaction. Unauthorized recipient steals or manipulates data.
Hijacking
In this variation of spoofing, a hijacker takes over an existing, trusted session by sniffing or reading certain signs in a data flow that is unencrypted or not protected by other means, such as VPN technology.
[Hijacking diagram labels: Established Trusted Session (Management Interface or User Data); Fibre Channel Fabric; Resource Suddenly Unavailable; Attacker Takes Over Session.]
Summary of Attacks and Threat Profiles
All of the above attack scenarios have their analog in the Internet environment. Technologies that address these attacks have been and are being developed by the Internet Engineering Task Force (IETF). Methods of preventing or minimizing the level and frequency of threat exist there. Similarly, the American National Standards Institute (ANSI) Fibre Channel Protocol Standards Working Groups, along with the Security Protocols Working Group (FC-SP), have developed standards and proposals for the prevention of the above types of attacks. Regardless of the environment (Internet, Fibre Channel fabric), the types of attacks profiled above are being addressed and mitigated. For example, the use of strong authentication, as currently proposed by the FC-SP, will eliminate the possibility of spoofing, hijacking, and man-in-middle attacks simply because the keys used would not match. The attacker would not be able to enter the house to begin with, let alone read or make changes to the data.

When a Breach Occurs
What do you do when a breach occurs? A security break-in is not a question of "if". It is a question of "when?" Or it could be a question of "did it already happen?" And it may be the realization "I never knew it happened". The methods of involving Interpol, the FBI, or taking legal or company-internal action are country, state, and company dependent. There may be a corporate or government institution decision as to what the level of response or responses will be, if any. Part of this decision is based on possible publicity, the level of the loss, or how clear and provable the potential break-in or fraudulent use of resources is.
In the United States, an older section of the U.S. Code, Title 18: Fiduciaries, chapters 18-16 (section 18-16-4), dealt with provisions surrounding chattels (property) and goods. Seeing that this section was in need of updating with respect to the Information Age, a Presidential letter, dated October 11, 1996, amended the U.S. Code. The revised code is now contained in Title 18, Part I, Chapter 47, Section 1030: Fraud and Related Activities in Connection with Computers.[11] A company in the U.S. may use this tool as a means to prosecute a traceable breach, if proper chains of evidence are preserved with the chosen authorities (law enforcement or FBI). Or, the company may choose only to take civil action. Finally, the company may choose to take no action at all. Whatever the course, the action taken by your organization is beyond the scope of this paper to advise. The author is also not a legal professional and thus may not offer or imply direction regarding actions to be taken or avoided. The above is offered for informational purposes only.
[11] U.S. Code may be found at http://www.usdoj.gov. Also, the National Infrastructure and Intellectual Property Section relating to Computer Crime (CCIPS) may be found at http://www.usdoj.gov/criminal/cybercrime/compcrime.html#NIFPA.
Conclusion
There is no question that securing intellectual property in an organization's data center and extended storage network is important. The protection of information, whether at rest or in flight, now ranks as one of the top five areas of concern for CIOs, corporate executive staff, and boards of directors. A company begins by defining its environment through an audit of its assets and an assessment of the environment. This forms the basis for discussion among the departments of the organization to determine the access points to information, the risks, the risk mitigations, and the costs associated with protecting intellectual property. Once this information is captured, a Security Policies and Procedures Manual can begin to take shape. The manual does not have to be complex or large; to be effective it must be understood by every member of the corporate environment. Technology alone does not solve the overall security problem; it is the combination of people, practices, processes, and technology that helps a company protect itself. The manual is a living document and will be revised many times. Once the Security Policies and Procedures Manual is nearing reasonable stability, appropriate technology may be introduced. The technology added to the environment must be matched to the cost of the information it protects (total cost of ownership, TCO), must be simple enough that employees can use it without losing productivity, and must be comprehensive enough to protect intellectual property on a need-to-know basis from insiders as well as from partners and outsiders. The building blocks of any security solution begin with authentication: verifying a person's identity is fundamental to protecting the data. Once identity has been proven, authorization may be granted. This is, once again, the set of permissions given to the authenticated person or entity: what am I allowed to access or do once I have been given the right to stay?
The next and ongoing step is to audit the session: what did this person do while logged in, and what was done after the session was over? This step alone forms the basis for evidence collection (if needed), or simply serves to correct a mistake the user made during the session. The steps above expand the zone of trust so that the remaining two properties can be supported: integrity and privacy. Integrity ensures that information sent by one party is received whole and intact by the other party; that is, no intermediary, authorized or not, has tampered with the information flow. Finally, privacy is the encryption step of the information flow: only the receiving party is allowed to read the data. Anything other parties see is a stream of apparently random alphanumeric characters, and that encrypted stream renders the information flow useless to everyone except the intended recipient. Hitachi Data Systems is committed to providing end-to-end security through its own research and development (R&D), participation in the standards groups, and best-of-breed solutions delivered in conjunction with partners. The overall solution is made possible only through the cooperation of the R&D teams across the storage network environment. A comprehensive, extensible solution is coming soon and will leverage known technologies from the Internet Protocol Security (IPsec) group; in this way, interoperability will be ensured from day one of implementation.
Afterword
Standards Update

At the October 2002 meetings held in New Orleans, Louisiana, the INCITS/ANSI/T11 Fibre Channel Security Protocols Technical Working Group (FC-SP TWG) voted unanimously to adopt the IETF Challenge Handshake Authentication Protocol (CHAP [RFC 1994]) with Diffie-Hellman enhancements (DH-CHAP, with a NULL DH option) as the first fabric-interoperable authentication mechanism. Other mechanisms are under discussion and will not be mutually exclusive with the above technology. What this means is that Fibre Channel fabric switches will use the same security mechanism from day one, so the switch vendors can guarantee interoperability.

As of the end of 2002, the INCITS/ANSI/T11 FC-SP TWG had also adopted (among other items) two additional, optional authentication mechanisms:

Fibre Channel Authentication Protocol (FCAP). This mechanism is employed between any two devices or entities on a Fibre Channel network, using certificates or optional keys.

Fibre Channel Password Authentication Protocol (FCPAP). Similar to FCAP in operation, but it uses a different key authority: Secure Remote Password (SRP), whereas FCAP may use a public key infrastructure (PKI) mechanism.

Again, FCAP and FCPAP are optional authentication mechanisms; DH-CHAP is the mandatory (required) approach to authentication. Vendors may implement more than one method.
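As an added illustration (not part of this white paper, of FC-SP, or of the [Black 2002] draft it cites in the References), the following Python sketch places plain CHAP, which is what the NULL DH option degenerates to, beside a CHAP response bound to a Diffie-Hellman shared value. The group parameters, message layout, binding hash and sample secrets are constructed here for illustration only and are not the standard's wire format; the point shown is the one the draft states, that a passive observer of the exchange can no longer test guesses of the CHAP secret off-line once the response depends on g^xy.

```python
"""Toy DH-CHAP beside plain CHAP (what the NULL DH option degenerates to).
Constructed illustration: the group, message layout and binding hash are NOT
the FC-SP or draft-black-ips-iscsi-dhchap wire format."""
import hashlib
import secrets

# Constructed toy group, for illustration only; real deployments use the
# large standardized MODP groups. Do not reuse these parameters.
P = (1 << 127) - 1
G = 3

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def dh_chap_response(ident: int, secret: bytes, challenge: bytes,
                     shared) -> bytes:
    """Toy DH-CHAP: mix the challenge with the DH shared value before the
    CHAP hash. With shared=None (the NULL DH option) this is plain CHAP."""
    if shared is None:
        return chap_response(ident, secret, challenge)
    bound = hashlib.sha256(challenge + shared.to_bytes(16, "big")).digest()
    return chap_response(ident, secret, bound)

def run_exchange(secret: bytes, use_dh: bool) -> dict:
    """Authenticator and peer share `secret`. Return only what a passive
    eavesdropper on the fabric sees: id, challenge, g^x, g^y, response.
    The private exponents and g^xy never leave this function."""
    ident, challenge = 1, secrets.token_bytes(16)
    gx = gy = shared = None
    if use_dh:
        x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        gx, gy = pow(G, x, P), pow(G, y, P)
        shared = pow(gy, x, P)               # peer's g^xy
        assert shared == pow(gx, y, P)       # authenticator derives the same
    response = dh_chap_response(ident, secret, challenge, shared)
    return {"id": ident, "challenge": challenge, "gx": gx, "gy": gy,
            "response": response}

def guesses_confirmed_by_observer(transcript: dict, wordlist: list) -> list:
    """Wordlist entries a passive observer can confirm from the transcript
    alone. It holds challenge and response but never g^xy, so it can only
    recompute plain CHAP: with NULL DH the real secret is confirmed (CHAP's
    known off-line dictionary weakness); with DH in use nothing is."""
    return [w for w in wordlist
            if chap_response(transcript["id"], w, transcript["challenge"])
            == transcript["response"]]

if __name__ == "__main__":
    words = [b"welcome", b"fabric01", b"changeme"]       # constructed sample
    print(guesses_confirmed_by_observer(run_exchange(b"fabric01", False), words))
    print(guesses_confirmed_by_observer(run_exchange(b"fabric01", True), words))
```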
References
Books

[Chapman 1995] Building Internet Firewalls, D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Sebastopol, California, 1995, ISBN 1-56592-124-0.

[Garfinkel 1996] Practical Unix & Internet Security, 2nd edition, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, Sebastopol, California, 1996, ISBN 1-56592-148-8.

[Garfinkel 2001] Web Security, Privacy & Commerce, 2nd edition, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, Sebastopol, California, November 2001, ISBN 0-596-00045-6.

[Hunt 2002] TCP/IP Network Administration, 3rd edition, Craig Hunt, O'Reilly & Associates, Sebastopol, California, April 2002, ISBN 0-596-00297-1.

[Norberg 2000] Securing Windows NT/2000 Servers for the Internet: A Checklist for Systems Administrators, Stefan Norberg, O'Reilly & Associates, Sebastopol, California, November 2000, ISBN 1-56592-768-0. http://security.oreilly.com

[Cheswick 1994] Firewalls and Internet Security, Bill Cheswick and Steve Bellovin, Addison-Wesley, Reading, Massachusetts, 1994, ISBN 0-201-63357-4.

[Clark 2002] IP SANs, Tom Clark, Addison-Wesley, Reading, Massachusetts, 2002, ISBN 0-201-75277-8.

[Bishop 2003] Computer Security: Art & Science, Matt Bishop (University of California, Davis), Addison-Wesley Professional Series, Reading, Massachusetts, 2003 (available 11/29/2002), ISBN 0-201-44099-7 (textbook). http://www.aw.com

Papers

[Riedel 2002] A framework for evaluating storage system security, Erik Riedel, Mahesh Kallahalla, and Ram Swaminathan, Hewlett-Packard Laboratories, Palo Alto, California ({riedel,maheshk,swaram}@hpl.hp.com). USENIX Proceedings of the FAST 2002 Conference on File and Storage Technologies, Monterey, California, USA, January 28-30, 2002.

Internet Engineering Task Force (IETF)

Background information on the adoption of DH-CHAP by INCITS/ANSI/T11 can be found at:

[Black 2002] DH-CHAP: Diffie-Hellman Enhanced CHAP for iSCSI, Internet Draft draft-black-ips-iscsi-dhchap-01.txt, D. Black, EMC, April 2002 (expires October 2002). From the draft: This draft describes an authentication mechanism based on enhancing CHAP [RFC 1994] with a Diffie-Hellman exchange (see Section 22.1 of [Schneier]) in order to prevent a passive eavesdropper from acquiring sufficient information to perform an off-line dictionary attack on the CHAP secret. The use of this authentication mechanism with iSCSI [iSCSI] is discussed, along with a brief comparison to the existing CHAP and SRP authentication mechanisms in iSCSI.
A list of Internet Request For Comments (RFC) documents may be found at http://www.ietf.org/. The Internet Protocol Storage technical working group may be located at http://www.ietf.org/html.charters/ips-charter.html. The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt, and the list of Internet-Draft Shadow Directories at http://www.ietf.org/shadow.html.

Other Resources and Comments

The EU Data Privacy Directive (95/46/EC) mandates that personal data be secured (A.17). Similar provisions appear in Directive 2002/58/EC, in force July 31, 2002.

The EU is to mandate that telcos keep data for 12-24 months; retained data will surely have to be encrypted.

Condoleezza Rice, U.S. National Security Advisor, in a March 23, 2001 speech to the Partnership for Critical Infrastructure of the U.S. Chamber of Commerce: "Today the cyber economy is the economy. Corrupt those networks and you disrupt this nation."

The Canadian Department of Justice proposes forcing ISPs to retain traffic data for six months; ISPs usually keep data for billing only.

The Cadbury Report in the UK mandates Board protection of corporation assets, including information assets.

Ethical hackers performed a physical penetration attack on a U.S. military target: dressed as PLO, they entered and left and were saluted by guards. Often all it takes is nerve.

Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems, adopted as a Recommendation of the OECD Council to Member States on July 25, 2002 at its 1037th Session (http://www.oecd.org/pdf/MOOO33000/M00033182.PDF). A set of nine voluntary principles, highly representative of global trends in security: they promote a culture of security built in from the ground up, emphasize the increased interconnectivity and interdependencies among sundry stakeholders, stress the need for cooperation and information sharing, and respect personal privacy.
Computer Security Institute: Richard Power, Editorial Director (rpower@cmp.com), http://www.gocsi.com

FBI: nccs-sf@fbi.gov

Sysadmin, Audit, Network, Security (SANS) Institute: http://www.sans.org/

Computer Information Systems Security Professionals: http://www.cissps.com/

USENIX (good reports on file and storage technologies, and has a link to SAGE): http://www.usenix.org/

The White House (Homeland Security): http://www.whitehouse.gov/. Richard Clark is heading the effort; a preliminary document appears on this web site.

Other: http://www.greatcircle.com, http://ciac.llnl.gov, http://www.cs.purdue.edu/coast/coast.html, http://www.sei.cmu.edu/technology/trustworthy.html
Glossary
Acronyms and definitions for the security industry are as prevalent as in the networking and network management industries. A number of the more frequently used ones are included below. For more definitions of this nature, search the following Web sites: http://www.google.com or The Free On-line Dictionary of Computing (FOLDOC), copyright 1993-2001 Denis Howe, at http://wombat.doc.ic.ac.uk/foldoc/

ACL: Access Control List. Limits and controls access to systems.

AES: Advanced Encryption Standard. The National Institute of Standards and Technology (NIST) held a competition to develop the Advanced Encryption Standard (AES) as a replacement for DES. NIST announced the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard, FIPS-197. This standard specifies Rijndael (pronounced "rain doll") as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information. Please see http://csrc.nist.gov/encryption/aes/. AES is stronger than Triple DES and approximately 50 times faster. Many security systems will probably use both Triple DES and AES for at least the next five years. After that, AES may supplant Triple DES as the default algorithm on most systems if it lives up to its expectations, but Triple DES will be kept around for compatibility reasons for many years after that.

3DES: See DES.

ANSI: American National Standards Institute.

Bastion: Projecting fortification that protects those inside the walls from those outside the walls.

CA: Certificate Authority. Trusted, digitally signed certificate containing user identification and authentication levels.

CBC: Cipher Block Chaining (for DES or AES encryption).

CDB: Command Descriptor Block (SCSI commands and parameters are specified there).

CERT: Computer Emergency Response Team.

COPS: Computer Oracle Password and Security. A collection of programs that provides some monitoring and detection of potential problems in the /etc/passwd, /etc/group, /etc/hosts.equiv, and ~/.rhosts files. It also checks permissions and changes in SUID status. Obtainable from ftp:cert.sei.cmu.edu (pubs/cops/cops.tar.Z).
DES: Data Encryption Standard. Algorithm developed by IBM for the U.S. National Bureau of Standards for encrypting and decrypting data. Uses a 56-bit encryption key. Triple-DES (3DES) has a longer key length and encrypts in the following manner (similar to DES): the data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key. Reuse of the same key in any of the three steps is allowed.

DMZ: De-militarized Zone. Usually a separate LAN connected to a firewall containing proxy application servers. These servers present themselves to less trusted users while isolating the actual application servers logically situated deeper within the security framework.

Entity: In the OSI/RM 7-layer Model, an entity within a layer provides services to the layers immediately above and below it via service access points. It also refers to a device on the fabric (e.g. a switch) or at its edge (e.g. a server or storage array).

IDEA: International Data Encryption Algorithm.

IETF: Internet Engineering Task Force.

INCITS: The International Committee for Information Technology Standards (INCITS) is the forum of choice for information technology developers, producers, and users for the creation and maintenance of formal de jure (by law) IT standards. INCITS is accredited by, and operates under rules approved by, the American National Standards Institute (ANSI). These rules are designed to ensure that voluntary standards are developed by the consensus of directly and materially affected interests. The mission of the International Committee for Information Technology Standards is to produce market-driven, voluntary consensus standards.

ITU: International Telecommunications Union (formerly known as CCITT).

MAC: Message Authentication Code.

MD: Message Digest. Authentication code that cryptographically guarantees that data has not been forged or tampered with (prevents man-in-the-middle attack).

PKI: Public Key Infrastructure. An authentication mechanism that uses asymmetric (public/private) key exchange technology.

PMSP: Preliminary Message Security Protocol. Used for unclassified but confidential information (Mosaic).

RC: Variable-key-size encryption algorithms (Ron's Code, after Ron Rivest of RSA Data Security, Inc.).

RSA: Public-key algorithm named after its co-inventors: Ron Rivest, Adi Shamir, and Leonard Adleman.

SKIP: Simple Key-management for Internet Protocols. Public-key certificate-based key-management method.

SPKI: Simple Public Key Infrastructure.
Subnet: A logically separate part of an organization's network. Defining a subnet mask identifies the host portion and the subnetwork portion of the network address. This tells the network what part of the IP address is a node or host, which part belongs to the subnet, and what belongs to the network address.

T11: The T11 Technical Committee is the committee within INCITS responsible for Device Level Interfaces. T11 has been producing interface standards for high-performance and mass storage applications since the 1970s.

VLAN: Virtual LAN. Access control that allows logical groupings of workstations, switches, routers, or servers. Can be extended over the Internet.

VPN: Virtual Private Network. Encapsulating mechanism that allows private traffic to be transported securely over a public network such as the Internet.

X.509: ITU standard for certificate definition (a certificate is a data structure that binds the identity of an entity with a public-key value).
Corporate Headquarters
750 Central Expressway Santa Clara, California 95050-2627 U.S.A. (408) 970-1000 info@hds.com
Asia Headquarters
Suite 3301-6, Shell Tower Times Square, 1 Matheson Street Causeway Bay Hong Kong 2525-2385 infoasia@hds.com
Canada Headquarters
2550 Victoria Park Avenue Suite 601 Toronto, Ontario M2J 5A9 (416) 494-4114 www.hds.com Cananda.Sales@hds.com
Europe Headquarters
Sefton Park Stoke Poges Buckinghamshire SL2 4HD United Kingdom +44 (0) 1753-618000 info.eu@hds.com www.eu.hds.com
U.S. Headquarters
750 Central Expressway Santa Clara, California 95050-2627 U.S.A. (408) 970-1001 ussalesinfo@hds.com
Hitachi Data Systems is registered with the U.S. Patent and Trademark Office as a trademark and service mark of Hitachi, Ltd. The Hitachi Data Systems logotype is a trademark and service mark of Hitachi, Ltd. Freedom Storage, TrueNorth, ShadowImage, NanoCopy, SANtinel, TrueCopy, Lightning 9900 and Thunder 9500 are trademarks of Hitachi Data Systems Corporation. All other trade names, trademarks, and service marks used herein are the rightful property of their respective owners. Notice: This document is for informational purposes only, and does not set forth any warranty, express or implied, concerning any equipment or service offered or to be offered by Hitachi Data Systems. This document describes some capabilities that are conditioned on a maintenance contract with Hitachi Data Systems being in effect, and that may be configuration-dependent, and features that may not be currently available. Contact your local Hitachi Data Systems sales office for information on feature and product availability. 2003, Hitachi Data Systems Corporation. All Rights Reserved. WHP-129-00 February 2003