What is LUN masking?

LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts. LUN Masking is implemented primarily at the HBA (Host Bus Adapater) level. LUN Masking implemented at this level is vulnerable to any attack that compromises the HBA. Some storage controllers also support LUN Masking. LUN Masking is important because Windows based servers attempt to write volume labels to all available LUN's. This can render the LUN's unusable by other operating systems and can result in data loss. What is SAN zoning? SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric. SAN zoning may be utilized to implement compartmentalization of data for security purposes. Each device in a SAN may be placed into multiple zones. What are hard and soft zoning? Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning which is implemented in software. Hard zoning uses a routing table, also located in the director, which assigns devices to zones only by WWN. This is more limited since it doesn't take the port number into consideration, which makes it harder to shift devices between ports. Hard zoning physically blocks access to a zone from any device outside of the zone. Soft zoning uses filtering implemented in fibre channel switches to prevent ports from being seen from outside of their assigned zones. The security vulnerability in soft zoning is that the ports are still accessible if the user in another zone correctly guesses the fibre channel address As the name implies, soft zoning is the most permissive. This is also called name server zoning because it is done using a name server databases in the SAN director. Since the database can contain both port numbers and WWN numbers and translates between them, administrators can shift devices among ports without changing the zoning configuration. One problem with soft zoning is that some HBAs (Host Bus Adapters) won't cooperate with soft zoning. What is port zoning? Port zoning utilizes physical ports to define security zones. A users access to data is determined by what physical port he or she is connected to. With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap. Port zoning is normally implemented using hard zoning, but could also be implemented using soft zoning. .

What is WWN zoning? WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric. A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information. WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA. What is a World Wide Name (WWN)? A World Wide Name, or WWN, is a 64-bit address used in fibre channel networks to uniquely identify each element in a Fibre Channel network. Soft Zoning utilizes World Wide Names to assign security permissions. The use of World Wide Names for security purposes is inherently insecure, because the World Wide Name of a device is a user-configurable parameter. For example, to change the World Wide Name (WWN) of an Emulex HBA, the users simply needs to run the `elxcfg` command. What are the classes of attacks against SANs? Snooping: Mallory reads data Alice sent to Bob in private Allows access to data Spoofing: Mallory fools Alice into thinking that he is Bob Allows access to or destruction of data Denial of Service: Mallory crashes or floods Bob or Alice Reduces availability