Securing an IP SAN
Application Brief
StoneFly, Inc.

All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time. This publication is copyright by StoneFly, Inc. and is intended for use only by recipients authorized by StoneFly, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise, to persons not authorized to receive it, without the express consent of StoneFly, Inc., is in violation of U.S. copyright law.
Introduction

Storage Area Networks (SANs) provide a high-speed network for storing and retrieving data. With storage networking, a dedicated high-speed network allows files and data to transfer between storage devices and client machines directly, bypassing the traditional server bottlenecks and network control. In this way, increased flexibility and performance are achieved by separating control from data.

SANs deliver the capability for any server to access any storage device. Though this is extremely powerful and cost effective, security measures must clearly be in place to prevent illegal access to data and to prevent accidental corruption or loss of data. Networked storage can introduce security vulnerabilities. To counter these weaknesses, it is important to adopt storage-specific security policies and practices. Network infrastructures and storage networks must be evaluated from end to end and secured at every point of vulnerability.

Security and Compliance

To add to the security complexity issue, compliance with regulatory requirements has proven difficult for many organizations. Regulations dramatically impact data security, retention and storage requirements. These regulations include, but are not limited to:

- HIPAA for insurance, healthcare and medical providers
- SEC 17a-3 and 17a-4 for brokers and dealers in the financial services industry
- The Sarbanes-Oxley Act for public companies and institutions, which regulates corporate and public accounting practices to ensure that financial statements are accurate

Significant penalties and fines can result from regulatory violations, such as the unauthorized viewing of private medical records (HIPAA). IT departments now must report to upper management the risk that their networks face, as well as give assurances that their storage and security practices comply with the appropriate laws.
IP SAN Security

While the iSCSI protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iSCSI traffic. For security, IP offers easily deployed mechanisms such as Access Control Lists (ACLs) and Virtual Private Networks (VPNs), and is compatible with more sophisticated capabilities such as IP Security (IPSec), advanced data encryption algorithms and public key infrastructure (PKI). Because iSCSI must accommodate inflows, such as email, from untrusted IP environments, the iSCSI specification allows for implementing multiple security methods.

Given the vulnerability of corporate networks and the current regulatory climate, the good news is that you can reduce the risk to your storage network, protect your company's data assets, and better align security practices with the requirements of your environment.

Considering Security Options

There are two important considerations when evaluating IP storage security. First, the nature of Ethernet-based IP storage networks means they are exposed to the same security vulnerabilities as traditional IP networks connected to Internet traffic. As such, the same technologies and solutions may be used. The second consideration is performance degradation due to security measures. While the performance of encrypted data may be acceptable for traditional LAN data traffic over IP networks, the level of degradation may be unacceptable for storage networks because of their high data rates and short time-out conditions. For example, encryption of storage traffic performed by IPSec protocols may induce significant delays for traffic between two high-speed SANs. Using IPSec, therefore, may require specialized hardware for the encryption/decryption process just to ensure acceptable performance.

A sound security policy is an important tool for creating a secure LAN/SAN and may employ several different security mechanisms. Below is an overview of several security methods.

Separate the LAN from the SAN

At the very least, keep IP SAN storage on a physically separate network. This duplicates the key advantage of a Fibre Channel network: its physical separation from the IP network. Keep management of the IP SAN on a different subnet. StoneFly recommends both of these actions with its IP SAN.

Firewalls

Just as you place a firewall between your corporate LAN and the outside world, you can place a packet-filtering firewall between the IP SAN and the hosts. By restricting access to the IP SAN storage devices you make it more difficult for an internal attacker to reach the devices. Configure the filtering rules to allow traffic only to and from specific IP SAN ports and addresses. Use firewalls that support Network Address Translation to hide the real addresses and port numbers of the IP SAN devices from the outside world.

One issue with firewalls is that they do not currently support the iSCSI protocol, so they can only be used for protection in the LAN. A firewall system built with knowledge of the iSCSI protocol would be highly desirable, because ordinary firewalls filter out the multiple connections that iSCSI relies on for performance. Firewalls that support iSCSI may become more common in the future.

Virtual Private Networks (VPNs)

For iSCSI SANs behind a gateway, a VPN (virtual private network) could securely connect initiators and targets and differentiate between traffic that requires security and traffic that doesn't.
The distinction comes down to the risk of security threats and whether the network topology places security at the network edge or at each individual node. Security at the edge raises infrastructure costs but allows multiple nodes to share security resources. Security at each node means data is secure, but every device that handles secure data must have its own security-processing resources, potentially at a greater overall cost. Devices in which security can optionally be enabled cover the needs of the security market without raising costs for users who don't need or won't pay for security.

This may mean building a virtual private network that tunnels the information so that it can be seen only by authorized users. Alternatively, some of the high-speed VPN appliances on the market may be deployed. VPNs are often combined with other cryptographic authentication methods. For example, IPSec support may be integrated in the initiator and the target, or be provided by a standalone device such as a VPN appliance.

One solution for organizations that want to prevent unauthorized internal LAN access to block-level data is to install VPNs that block LAN access to the SAN. Some VPNs support additional security measures such as IPSec or another type of encryption.
For more IP SAN protection, especially to prevent insiders from gaining unauthorized access, VPNs can be located in the storage network as well.

RADIUS

The RADIUS protocol is a widely used protocol for performing network authentication, authorization, and accounting (AAA) functions. It is used to control remote and local user access via dial-in, VPN, firewall, wireless, LAN, or any combination. RADIUS is primarily implemented by using a dedicated RADIUS server. RADIUS servers are designed to provide the foundation for network identity services in a secure and easy-to-manage implementation.

Access Control

The measures discussed so far provide security within the physical storage network and storage subsystems. Another critical security aspect is access to the logical volumes and their administration on the servers. Without such controls, an attacker using a spoofed address can gain access to the IP storage device without the additional challenge of obtaining root (or similar) access. At that point the intruder could read and write data with the same privileges as the spoofed host. With IP SANs this type of attack can be launched from anywhere inside or outside of the corporate network.

Software that controls access to data volumes is an effective tool for managing potential data corruption. Each user, application, or group can be assigned different access privileges for every storage volume. This is usually accomplished through the volume manager as part of the OS and file system environment on the server. A storage management solution should provide direction on storage provisioning so that the storage access rights of the volume manager on the host are maintained.

Access control for iSCSI is volume- or host-based rather than user-based. StoneFly supports Access Control Lists (ACLs) for both hosts and volumes. Access control is strengthened by using CHAP.
CHAP

The iSCSI protocol specifies a variety of security capabilities, including the use of the Challenge Handshake Authentication Protocol (CHAP) during the initial iSCSI login to restrict access to targets. CHAP allows you to set a password or secret as a gatekeeper for communication between a host initiator and a volume. Combined, access control lists and CHAP provide a high degree of security to ensure that only specified hosts have access to Storage Concentrator volumes.
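As an added illustration of how the host/volume ACL and the CHAP check described above fit together at iSCSI login (example code written for this brief, not StoneFly's Storage Concentrator implementation), the following Python models the target side of one login. The configuration layout, initiator names (IQNs) and secrets are constructed sample values; the CHAP_R computation follows the iSCSI CHAP algorithm (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac
import os

# Constructed sample target configuration (not StoneFly's real format).
# iSCSI access control is host based: each volume lists the initiator names
# (IQNs) allowed to log in to it, and each host has a CHAP secret it must
# prove it knows. Names and secrets are sample values made up for this example.
HOST_SECRETS = {
    "iqn.1991-05.com.microsoft:db01.example.com": b"db01-sample-secret-0001",
    "iqn.1993-08.org.debian:01:web01": b"web01-sample-secret-0002",
}
VOLUME_ACL = {
    "vol-finance": {"iqn.1991-05.com.microsoft:db01.example.com"},
    "vol-web": {"iqn.1993-08.org.debian:01:web01"},
}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R as iSCSI CHAP (CHAP_A=5) computes it: MD5 over the one-octet
    identifier (CHAP_I), the shared secret and the challenge (CHAP_C)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def target_challenge() -> tuple[int, bytes]:
    """Target side of login: a fresh identifier and a random challenge.
    A new challenge for every login keeps a captured CHAP_R from being replayed."""
    return os.urandom(1)[0], os.urandom(16)

def authorize_login(volume: str, initiator: str, identifier: int,
                    challenge: bytes, response: bytes) -> tuple[bool, str]:
    """Target-side decision: the ACL first (may this host see this volume?),
    then CHAP (did the host prove knowledge of its secret?)."""
    if initiator not in VOLUME_ACL.get(volume, set()):
        return False, "initiator not in volume ACL"
    secret = HOST_SECRETS.get(initiator)
    if secret is None:
        return False, "no CHAP secret configured for initiator"
    expected = chap_response(identifier, secret, challenge)
    # Constant-time comparison so timing does not leak how much of CHAP_R matched.
    if not hmac.compare_digest(expected, response):
        return False, "CHAP response mismatch"
    return True, "login accepted"

def simulate_login(volume: str, initiator: str, initiator_secret: bytes) -> tuple[bool, str]:
    """One full exchange: the target challenges, the initiator answers with the
    secret it holds, and the target verifies the answer."""
    ident, chal = target_challenge()
    return authorize_login(volume, initiator, ident, chal,
                           chap_response(ident, initiator_secret, chal))
```

A host that is absent from the volume's ACL is refused before CHAP is even evaluated, and a host on the ACL is still refused when its response was computed with the wrong secret.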
CHAP is supported at the volume level and at the host level in the StoneFly Storage Concentrator. Depending on the host initiator, you may want to specify host CHAP, volume CHAP, both host and volume CHAP (with the same or different secrets), or neither.

Encryption

Once you have access controls in place, encryption is the next logical step in securing data stored in an IP SAN. Encryption still restricts access if the access controls are circumvented. In other words, encryption should stop someone who has already broken through the first line of defense. Encryption forms the next barrier of entry for data at rest.

Encryption is the conversion of data into a form that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form so it can be understood. The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a "code," was employed to keep the enemy from obtaining the contents of transmissions. Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is what "undoes" the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to "break" the cipher. The more complex the encryption algorithm, the more difficult it becomes to decrypt the information without access to the key.

The major downside to encryption is the substantial performance hit to servers and applications. Several storage security vendors, such as Decru, Kasten Chase, and NeoScale, offer high-speed encryption solutions for storage traffic.
Encryption solutions that reside below iSCSI, such as IPSec, require no special negotiation between iSCSI end devices and are transparent to the upper layers. For other authentication implementations, such as Kerberos or public/private key exchanges, the iSCSI Login Phase provides text fields for negotiating the type of security supported by both end devices. If the negotiation is successful, the data exchanged between iSCSI devices will be formatted for the security validation required by the agreed-upon security routine. An Internet Storage Name Server (iSNS) may also be used to assist this process by, for example, serving as a repository for public keys.

IPSec

The iSCSI standard requires that IPSec be supported, but allows its use to be optional. Not all hardware vendors currently include support for IPSec. iSCSI HBAs and storage systems are available both with and without IPSec security. Some solutions, such as the StoneFly Storage Concentrator, can store encrypted data but do not perform the encryption/decryption process themselves.

IPSec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through the IP Encapsulating Security Payload (ESP) and Internet Key Exchange (IKEv2) protocols, which allow the receiver to obtain a public key and authenticate the sender using digital certificates.

Public Key Infrastructure (PKI)

PKI is based on a pair of mathematically related public and private keys. While the private key is carefully safeguarded, the public key is linked to subject identifier information (e.g., name and other information) in a digitally signed public key certificate, where the subject is the owner of the public/private key pair. This linkage, or binding, is made possible by including specified data in the certificate, which is essentially a specially formatted file generated in accordance with industry standards. The certificate itself and the public and private keys are then used by systems to represent the individual or entity that is the subject identified by the certificate. In some cases, they will be used in the process of creating and verifying digital signatures. Therefore, it is critical for a relying party application (i.e., an application that relies on the use of a certificate) to have confidence that the certificate correctly and accurately identifies the subject and the subject's public key, as well as the issuer of the certificate. The distinguishing feature of PKI is the use of a certificate published by a Certification Authority to confirm the identity, and other relevant information, of the entity that holds the certificate.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is a specially designed PKI protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.
Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. SSL support is built into the StoneFly Storage Concentrator, which uses https and password protection.

Application Software Security

Many software applications support security features such as encryption. For example, StoneFly Backup Advantage allows encrypting data both for transmission over unsecured networks and for storage on third-party vaults. The data is always encrypted in the same manner (Blowfish algorithm), but key management policies differ depending on customer needs. For customers that need only network security, the keys are randomly chosen for every session. Data is encrypted on the client, and the keys are discarded at the end of the session. The entire process is completely transparent to the user; all the user has to do is enable encryption.

Summary

Since iSCSI security is based on the same technology used for TCP/IP security today, a single SAN with secure iSCSI initiators can easily span a WAN with storage devices and servers in multiple locations. By providing security in iSCSI end-nodes, the storage network and data network can eventually converge to maximize network bandwidth usage, lower network management costs, and share the same fabric switch equipment, without the concern of security breaches and illegal access to information.

Protecting data in an IP SAN is relatively straightforward due to the iSCSI specification, which allows for implementing multiple security methods. While the iSCSI protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iSCSI traffic. Vendors such as StoneFly support a variety of security methods, both explicitly and implicitly, giving IP SAN users the means to form a sound security strategy.