Securing an IP SAN. Application Brief




All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time. This publication is copyright by StoneFly, Inc. and is intended for use only by recipients authorized by StoneFly, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of StoneFly, Inc., is in violation of U.S. copyright law.

Introduction

Storage Area Networks (SANs) provide a high-speed network for storing and retrieving data. With storage networking, a dedicated high-speed network allows files and data to transfer between storage devices and client machines directly, bypassing the traditional server bottlenecks and network control. In this way, increased flexibility and performance are achieved by separating control from data.

SANs deliver the capability for any server to access any storage device. Though this is extremely powerful and cost effective, it is obvious that security measures must be in place to prevent illegal access to data and to prevent accidental corruption or loss of data.

Networked storage can introduce security vulnerabilities. To counter these weaknesses, it is important to adopt storage-specific security policies and practices. Network infrastructures and storage networks must be evaluated from end to end and secured at every point of vulnerability.

Security and Compliance

To add to the security complexity issue, compliance with regulatory requirements has proven difficult for many organizations. Regulations dramatically impact data security, retention and storage requirements. These regulations include, but are not limited to:

- HIPAA for insurance, healthcare and medical providers
- SEC 17a-3 and 17a-4 for brokers and dealers in the financial services industry
- The Sarbanes-Oxley Act for public companies and institutions, to regulate corporate and public accounting practices to ensure that financial statements are accurate

Significant penalties and fines can result from regulatory violations, such as the unauthorized viewing of private medical records (HIPAA). IT departments now must report to upper management the risk that their networks face as well as give assurances that their storage and security practices comply with appropriate laws.

IP SAN Security

While the iSCSI protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iSCSI traffic. For security, IP offers easily deployed mechanisms such as Access Control Lists (ACLs) and Virtual Private Networks (VPNs) and is compatible with more sophisticated capabilities such as IP Security (IPSec) and advanced data encryption algorithms or public key infrastructure (PKI). Because iSCSI must accommodate inflows, such as email, from untrusted IP environments, the iSCSI specification allows for implementing multiple security methods.

Given the vulnerability of corporate networks and the current regulatory climate, the good news is that you can reduce the risk to your storage network, protect your company's data assets, and better align security practices with the requirements of your environment.

Considering Security Options

There are two important considerations when evaluating IP storage security. First, the nature of Ethernet-based IP storage networks means they are exposed to the same security vulnerabilities as traditional IP networks with connection to Internet traffic. As such, the same technologies and solutions may be used.

The second consideration is performance degradation due to security measures. While performance for encrypted data may be acceptable for traditional LAN data traffic over IP networks, the level of degradation may be unacceptable for storage networks due to their high data rates and short time-out conditions. For example, data encryption of storage traffic, performed by IPSec protocols, may induce significant delays for traffic between two high-speed SANs. Using IPSec, therefore, may require specialized hardware for the encryption/decryption process just to ensure acceptable performance.

A sound security policy is an important tool for creating a secure LAN/SAN and may employ several different security mechanisms. Below is an overview of several security methods.

Separate the LAN from the SAN

At the very least, keep IP SAN storage on a physically separate network. Duplicate the key advantage of the Fibre Channel network: its physical separation from the IP network. Keep management of the IP SAN on a different subnet. StoneFly recommends both of these actions with its IP SAN.

Firewalls

Just as you place a firewall between your corporate LAN and the outside world, you can place a packet-filtering firewall between the IP SAN and the hosts. By restricting access to the IP SAN storage devices you can make it more difficult for an internal attacker to access the devices. Configure the filtering rules to only allow traffic to and from specific IP SAN ports and addresses. Use firewalls that support Network Address Translation to hide the real addresses and port numbers of the IP SAN devices from the outside world.

One issue with firewalls is that they do not currently support the iSCSI protocol, so they can only be used for protection in the LAN. It will be highly desirable to have a firewall system built with the iSCSI protocol because firewalls filter out multiple connections, which iSCSI relies on for performance. Firewalls that support iSCSI may become more common in the future.

Virtual Private Networks (VPNs)

For iSCSI SANs behind a gateway, a VPN (virtual private network) could securely connect initiators and targets and differentiate between traffic that requires security and traffic that doesn't.
The difference comes down to the risk of security threats and whether the network topology stresses security at the network edge or at each individual node. Security at the edge raises infrastructure costs but allows multiple nodes to share security resources. Security at each node means data is secure, but every device that handles secure data must have its own security-processing resources, potentially at a greater overall cost.

Devices in which you can optionally implement security will cover the needs of the security market without raising costs for users that don't need or won't pay for security. This may mean building a virtual private network that makes a tunnel around the information and lets it be seen only by authorized users. Alternatively, some of the high-speed VPN appliances in the market may be deployed.

VPNs are often combined with other cryptographic authentication methods. For example, IPSec support may be integrated in the initiator and the target, or be provided by a standalone device such as a VPN appliance.

One solution for organizations that want to prevent unauthorized internal LAN access to block-level data is to install VPNs to prevent LAN access to the SAN. Some VPNs support additional security measures such as IPSec or another type of encryption.

For more IP SAN protection, especially to prevent insiders from gaining unauthorized access, VPNs can be located in the storage network as well.

RADIUS

The RADIUS protocol is a widely used protocol for performing network authentication, authorization, and accounting (AAA) functions. It is used to control remote and local user access via dial-in, VPN, firewall, wireless, LAN, or any combination. RADIUS is primarily implemented by using a dedicated RADIUS server. RADIUS servers are designed to provide the foundation for network identity services in a secure and easy-to-manage implementation.

Access Control

The measures discussed so far provide security within the physical storage network and storage subsystems. Another critical security aspect is the access to the logical volumes and their administration on the servers. This allows a hacker using a spoofed address to gain access to the IP storage device, without the additional challenge of obtaining root (or similar) access. At that point the intruder could read and write data with the same privileges as the spoofed host. With IP SANs this type of attack can be launched from anywhere inside or outside of the corporate network.

Software that controls access to data volumes is an effective tool that manages potential data-corrupting issues. Each user, application, or group can be assigned different access privileges for every storage volume. This is usually accomplished through the volume manager as part of the OS and file system environment on the server. A storage management solution should provide direction on storage provisioning to maintain these storage access rights of the volume manager on the host.

Access control for iSCSI is volume- or host-based rather than user-based. StoneFly supports Access Control Lists (ACLs) for both hosts and volumes. Access control is strengthened by using CHAP.

CHAP

The iSCSI protocol specifies a variety of security capabilities, including the use of Challenge Handshake Authentication Protocol (CHAP) during initial iSCSI login to restrict access to targets. CHAP allows you to set a Password or Secret as a gatekeeper for communication between a host initiator and a volume. Combined, access control lists and CHAP provide a high degree of security to ensure that only specified hosts have access to Storage Concentrator volumes.
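
The combination of a volume ACL and CHAP described above, as an added example that is not StoneFly's code or part of the original brief: a target-side login gate that checks the ACL and then verifies the RFC 1994 CHAP computation with MD5. The class name, IQNs, volume name and secrets are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: IQNs, volume name and secrets are illustrative only.
VOLUME_ACL = {"vol-finance": {"iqn.2005-01.com.example:host-a"}}
CHAP_SECRETS = {"iqn.2005-01.com.example:host-a": b"constructed-secret-A"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class TargetLoginGate:
    """Hypothetical target-side gate: volume ACL first, then CHAP."""

    def __init__(self, acl, secrets):
        self.acl = acl
        self.secrets = secrets
        self.pending = {}  # initiator name -> (identifier, challenge)
        self.next_id = 0

    def begin_login(self, initiator, volume):
        """Return (identifier, challenge), or None if the ACL rejects the host."""
        if initiator not in self.acl.get(volume, set()):
            return None
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)  # fresh per login, so old responses expire
        self.pending[initiator] = (identifier, challenge)
        return identifier, challenge

    def finish_login(self, initiator, response):
        """Check the response once; the challenge is discarded either way."""
        state = self.pending.pop(initiator, None)
        secret = self.secrets.get(initiator)
        if state is None or secret is None:
            return False
        expected = chap_response(state[0], secret, state[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_scenarios():
    gate = TargetLoginGate(VOLUME_ACL, CHAP_SECRETS)
    host_a = "iqn.2005-01.com.example:host-a"
    results = {}

    # 1. Listed host that knows the secret.
    ident, chal = gate.begin_login(host_a, "vol-finance")
    good = chap_response(ident, CHAP_SECRETS[host_a], chal)
    results["listed_host_right_secret"] = gate.finish_login(host_a, good)

    # 2. A host that is not on the volume's ACL never receives a challenge.
    results["unlisted_host"] = gate.begin_login(
        "iqn.2005-01.com.example:host-b", "vol-finance")

    # 3. A claimed name on the ACL passes the ACL but fails CHAP without the secret.
    ident, chal = gate.begin_login(host_a, "vol-finance")
    wrong = chap_response(ident, b"not-the-secret", chal)
    results["listed_name_wrong_secret"] = gate.finish_login(host_a, wrong)

    # 4. The response recorded in scenario 1 does not fit a later challenge.
    gate.begin_login(host_a, "vol-finance")
    results["old_response_reused"] = gate.finish_login(host_a, good)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 3 is the spoofed-host case from the Access Control section: the name alone satisfies the ACL, and the login is refused only because the CHAP secret is also required.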

CHAP is supported at the Volume Level and at the Host level in the StoneFly Storage Concentrator. Depending on the host initiator, you may want to specify host CHAP, volume CHAP, both host and volume with the same or different secrets, or use neither.

Encryption

Once you have access controls in place, encryption is the next logical step in securing data stored in an IP SAN. Encryption provides restriction if access controls are circumvented. In other words, encryption should stop someone who has already broken through the first line of defense. Encryption forms the next barrier of entry for data at rest.

Encryption is the conversion of data into a form that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a "code," was employed to keep the enemy from obtaining the contents of transmissions. Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that "undoes" the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to "break" the cipher. The more complex the encryption algorithm, the more difficult it becomes to decrypt the information without access to the key.

The major downside to encryption is the substantial performance hit to servers and applications. Several storage security vendors, such as Decru, Kasten Chase, and Neoscale, offer high-speed encryption solutions for storage traffic.

Encryption solutions that reside below iSCSI, such as IPSec, require no special negotiation between iSCSI end devices and are transparent to the upper layers. For other authentication implementations such as Kerberos or Public/Private Key exchanges, the iSCSI Login Phase provides text fields for negotiating the type of security supported by both end devices. If the negotiation is successful, the data exchanged between iSCSI devices will be formatted for appropriate security validation required by the agreed-upon security routine. An Internet Storage Name Server (iSNS) may also be used to assist this process by, for example, serving as a repository for public keys.

IPSec

The iSCSI standard requires that IPSec be supported, but allows its use to be optional. Not all hardware vendors currently include support for IPSec. iSCSI HBAs and storage systems are available both with and without IPSec security. Some solutions, such as the StoneFly Storage Concentrator, can support the storage of encrypted data, but not the actual encryption/decryption process.

IPSec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as IP Encapsulating Security Payload (ESP) and Internet Key Exchange (IKEv2) Protocol, which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

Public Key Infrastructure (PKI)

PKI is based on a pair of mathematically related public and private keys. While the private key is carefully safeguarded, the public key is linked to subject identifier information (e.g., name and other information) in a digitally signed public key certificate, where the subject is the owner of the public/private key pair. This linkage or binding is made possible by including specified data in the certificate, which is essentially a specially formatted file generated in accordance with industry standards.

The certificate itself and the public and private keys are then used by systems to represent the individual or entity that is the subject identified by the certificate. In some cases, they will be used in the process of creating and verifying digital signatures. Therefore, it is critical for a relying party application (i.e., an application that relies on the use of a certificate) to have confidence that the certificate correctly and accurately identifies the subject and the subject's public key, as well as the issuer of the certificate.

The distinguishing feature of PKI is the use of the certificate published by a Certification Authority to confirm the identity of, and other relevant information about, the entity that holds the certificate.

Secure Socket Layer

Secure Sockets Layer (SSL) is a specially designed PKI protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.
Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. SSL support is built into the StoneFly Storage Concentrator, which uses https and password protection.

Application Software Security

Many software applications support security, such as encryption. For example, StoneFly Backup Advantage allows encrypting data both for transmission over unsecured networks and for storage on third-party vaults. The data is always encrypted in the same manner (Blowfish algorithm), but key management policies differ depending on the customer's needs. For customers that need only network security, the keys are randomly chosen for every session. Data is encrypted on the client and the keys are discarded at the end. The entire process is completely transparent to the user; all the user has to do is enable encryption.

Summary

Since iSCSI security is based on the same technology used for TCP/IP security today, a single SAN with secure iSCSI initiators can easily span a WAN with storage devices and servers in multiple locations. By providing security in iSCSI end-nodes, the storage network and data network can eventually converge to maximize network bandwidth usage, lower network management costs, and share the same fabric switch equipment, without the concern of security breaches and illegal access to information.

Protecting data in an IP SAN is relatively straightforward due to the iSCSI specification, which allows for implementing multiple security methods. While the iSCSI protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iSCSI traffic. Vendors such as StoneFly support a variety of security methods both explicitly and implicitly, giving IP SAN users the means to form a sound security strategy.