HUAWEI OceanStor UDS Massive Storage System
V100R002C01

Issue 01
Date 2014-06

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com
Security Technical White Paper

Contents

1 Overview
1.1 Introduction to the UDS
1.2 Security Threats to the UDS
2 UDS Security Solution
2.1 Overall Security Architecture of the UDS
2.2 Device Security
2.3 Network Security
2.4 Service Security
2.5 Management Security
3 Security Assurance
3.1 Security Statement and Certificates
3.2 Security Assurance Process
4 Glossary

Figures

Figure 1-1 UDS system architecture
Figure 2-1 UDS security solution architecture
Figure 2-2 UDS logical network
Figure 2-3 AK/SK authentication process
Figure 2-4 UDS slice storage process
Figure 3-1 Huawei IPD security assurance process
1 Overview

1.1 Introduction to the UDS

HUAWEI OceanStor UDS Massive Storage System (the UDS) is a cloud storage product. Cloud storage is an innovative storage service that provides cost-efficient, on-demand storage resources for users and third parties. Users can use cloud storage resources without purchasing any storage equipment, and they are charged only for the data volume they have actually used. A cloud storage system provides various interfaces for different application scenarios, such as object storage, block storage, and file storage.

Figure 1-1 shows the UDS system architecture. The UDS is a distributed object-based storage system with high scalability and large capacity. It provides object storage interfaces and supports various applications, including unstructured data storage (for example, web disks), cloud backup, and cloud archiving.

The UDS consists of two internal clusters: an access cluster made up of access nodes (A-Nodes) and a storage cluster made up of universal distributed storage nodes (UDSNs). The access cluster provides access interfaces to external clients, and the storage cluster implements data storage. Users' data objects are divided into slices of a specific size and evenly distributed across the smart disks on the UDSNs. Each data slice has multiple copies for high data reliability.
Figure 1-1 UDS system architecture

1.2 Security Threats to the UDS

Traditional Security Threats

1. Security threats from the Internet include:

Traditional network IP attacks: port scanning, IP address spoofing, Land attacks, IP option attacks, IP route attacks, IP fragment packet attacks, and teardrop attacks.

Bugs in operating systems and software: Many bugs that reduce system security are hidden in computer software, including third-party software, business software, and open-source software. Hackers can take control of an operating system and do anything at will by exploiting programming errors or context-dependency flaws. Common bugs in operating systems and software include buffer overflows, privilege abuse, and downloading code that fails integrity checks.

Viruses, Trojan horses, and worms.

SQL injection attack: Attackers inject SQL commands into the entry fields of web forms or into the query strings of page requests so that the server executes malicious SQL commands. In some forms, the contents entered by users are used directly to build (or influence) dynamic SQL commands, or are passed as stored-procedure parameters. Such forms are prone to SQL injection.

Phishing attack: Phishing is a process in which attackers disguise themselves as trusted legitimate entities to obtain personal information such as user names, passwords, and credit card details through electronic communication, for example, email or instant messages. Those emails or instant messages usually claim to be sent by well-known social networking sites, auction websites, online banks, e-payment websites, or network administrators in order to win trust.

Zero-day attack: Nowadays, it takes hackers a very short time to discover and exploit security vulnerabilities. If a vulnerability is maliciously exploited within 24 hours after it is disclosed, it is a zero-day vulnerability and those attacks are zero-day attacks. To fix a vulnerability, vendors need to confirm that it exists, assess the risk, work out a fix, verify the fix, and evaluate its effect. This process takes time, so vendors can rarely release a patch for a vulnerability on the day it is disclosed. Without a patch and without risk awareness, users may suffer great loss from zero-day attacks.

2. Security threats from intranets include:

Fast-changing attacks that endanger intranet security: Intranet hosts under new attacks, such as ARP spoofing and malicious add-ins, may be planted with Trojan horses or other malicious programs and become zombies controlled by hackers. Hackers can use zombies to attack other devices over intranets and steal commercial secrets. Zombies may also be used as distributed denial of service (DDoS) tools to send large numbers of attack packets.

Untimely patch upgrades and antivirus library updates, leaving loopholes for attackers: If the latest patches are not installed on devices and hosts running on different platforms, if the software configurations of hosts and devices have defects, if antivirus libraries are not updated in a timely manner, or if antivirus library updates lag behind the emergence of new viruses, viruses and worms may spread. A worm outbreak may paralyze intranets and interrupt services.

Illegitimate access to the Internet, causing frequent leakage of internal confidential information: If employees of an enterprise access the Internet through telephone dial-up, virtual private network (VPN) dial-up, or general packet radio service (GPRS) dial-up, firewalls cannot monitor the access. As a result, IT resources on the enterprise intranet are exposed to hackers. Dial-up Internet connections may open the door for attackers and viruses, and give employees channels to leak commercial secrets. Illegitimate Internet access brings great loss to enterprises, yet evidence is difficult to obtain.

Loose management of peripherals, leaking data and spreading viruses: Peripherals, such as USB disks, CD-ROMs, printing devices, infrared ports, serial ports, and parallel ports, are important channels for data communication. Since these peripherals are easy to use, they have become main sources of data leakage and virus spreading in recent years. Peripherals, especially USB ports, cannot be effectively managed through port sealing or rigid regulations alone. Therefore, technical measures are urgently needed to manage peripherals flexibly.

Storage Security Threats

Storage security must be safeguarded by technical measures. Storage resources and data must be protected from unauthorized access. Data security is particularly important for cloud storage because of the characteristics of cloud storage. The UDS provides standard S3 object-based storage interfaces to offer services externally, achieving mass data storage. The following describes some typical service security threats and challenges to the UDS:

1. Security threats to data transfer

Although data can be encrypted during transfer, it must be decrypted before being processed in the cloud, so data being processed is not encrypted. Most web applications do not use HTTPS and are performance- and bandwidth-intensive. Therefore, there are eavesdropping risks when data is transferred from users' terminals to the cloud data center.

2. Security threats to static data

Static data can be encrypted before storage. For example, users can encrypt the data of simple object storage services on their clients and then store the encrypted data in the public cloud. The encryption keys are kept on the clients and cannot be obtained from the cloud for decryption. This method is secure. However, it limits data processing in the cloud and applies only to simple storage services in the cloud. Storing keys in the cloud or with a third-party organization requires stricter security management measures for privacy and security. In multi-tenant applications, if users' data is incorrectly isolated, access-controlled, or authorized, data leakage may occur. Furthermore, storage medium damage or unexpected power failures may cause data loss.

3. Data origination proof

Data origination (provenance) is different from data integrity protection. Data integrity protection only proves that data has not been tampered with, maliciously or unintentionally. Data origination covers not only the data itself but also the environment on which the data depends; in different environments, the same data may mean different things. Data origination technology can trace the original data and derived data in a storage system. It has the following functions:

Assesses data quality and reliability.
Queries the data source, and audits and traces the data source when necessary.
Reproduces the data generation, reconstruction, and test processes, facilitating data sharing and process optimization.
Protects the copyright and intellectual property rights of data management.
Quickly locates faults, analyzes fault causes, and determines the personnel responsible for fault rectification.
Explains the cause of the current data status.

In the cloud environment, the environment on which data depends changes with data migration and distributed processing, which poses a much more serious challenge to proving data origination than traditional methods face.

4. The UDS storage services must comply with related laws and regulations. For example, the Regulatory Compliance of Data Storage of the European Union specifies that some information must be physically stored within its own nation.
2 UDS Security Solution

2.1 Overall Security Architecture of the UDS

To counter the security threats and risks facing the UDS, a comprehensive security solution safeguards the UDS along four security dimensions. Figure 2-1 shows the overall architecture of the security solution. Management security protects the security of these four dimensions.

Figure 2-1 UDS security solution architecture

Device security: operating system hardening, patch management, system antivirus, web security
Network security: plane isolation, channel security, firewall
Service security: transfer security, data integrity, identity authentication, data access control, data confidentiality
Management security: log management, password management, role management, permission management, audit support
2.2 Device Security

Operating System Hardening

As mentioned above, the UDS consists of UDSNs (forming a storage cluster) and A-Nodes (forming an access cluster). The UDSN operating system inherits its security compliance from the Huawei hardware platform. The A-Node operating system is specially hardened in the following respects:

1. Simplified operating system. A "minimum operating system", that is, an operating system with only the components necessary to meet service requirements, is installed. By default, when an operating system is installed, many services and components are installed along with it. A large part of these services and components are unnecessary; they compromise system performance and weaken the security of the operating system. Therefore, unnecessary services and components must be removed based on site requirements to improve startup speed and system security without affecting the operating system's support for normal services and existing features. The UDS operating system simplification principle is that only the modules and services required for service loading are initially installed, and the kernel configuration file is downsized as well. After simplification, the file system volume is greatly reduced, minimizing the threats and risks to the operating system.

2. Operating system security configuration. Incorrect operations and configurations, insecure accounts and passwords, unnecessary services, software, and ports, and uncontrolled sharing open the door for viruses, hackers, worms, and Trojan horses, and expose the storage system to security threats and risks. Correct operating system security configuration reduces these threats. Surveys conducted by the Center for Internet Security (CIS) show that basic security configuration can eliminate 80% to 90% of known vulnerabilities, which cannot be achieved by installing antivirus software and security patches alone.

The security configuration principles for the A-Node operating system include the following:

Password security: Unnecessary users and user groups must be deleted. The complexity, length, and validity period of passwords must comply with specific requirements. Passwords must be changed within a specific period.

System service security: Insecure services such as Telnet, Simple Network Management Protocol (SNMP v1 or v2), and Network File System (NFS), as well as unnecessary or risky background processes and services, must be disabled. Communication and transfer protocols must be secure, such as Secure Shell (SSH).

Operating system kernel security: Execution stacks are protected against buffer overflow attacks. Functions such as IP forwarding, responding to broadcast requests, and accepting Internet Control Message Protocol (ICMP) redirects are disabled. IP address spoofing prevention is enabled. Socket sequence numbers are guarded against attacks.

File and directory permissions: Permissions for files and directories must be strictly limited.

Logs and auditing: The run logs of services and kernel processes must be recorded. Log servers can be connected to the UDS.

Deletion of files without owners: Dangling links and globally writable files are not allowed in the operating system.

Security Patches

Because of internal design defects, software has various vulnerabilities. Customers need to periodically install security patches to fix these vulnerabilities and prevent viruses, worms, and hackers. Huawei releases security patches every half year or upon emergency vulnerabilities. The UDS follows this patching policy and provides security patches to users based on their requirements.

Antivirus

The UDS software (including the operating system) is scanned for viruses before release, and the released UDS software (including the operating system) is guaranteed to contain no virus.

Web Security

The UDS provides the following functions to protect web security:

1. Uses mainstream web security scanning software to scan the UDS web server and web applications, eliminating high-risk security vulnerabilities.
2. Supports HTTPS access, enhancing access security.
3. Provides service interfaces that can identify attacks and penalize users who frequently send erroneous requests, preventing malicious erroneous requests from exhausting system resources and defeating brute-force attacks.
4. Supports background verification, anti-malicious-code, anti-SQL-injection, and cross-site scripting (XSS) attack prevention.

2.3 Network Security

Plane Isolation

The UDS logical network is divided into a service plane, a storage plane, and a management plane, which reside on different VLANs for security isolation. The roles of these planes are as follows:

1. The service plane is the network plane on which cloud storage provides storage interfaces externally and communicates with external devices.
2. The storage plane is the network plane for internal communication, and for management and data communication among internal nodes.
3. The management plane is the channel through which administrators and maintenance engineers access the storage management systems.

Figure 2-2 shows the UDS logical network.
Figure 2-2 UDS logical network

Channel Security

1. Secure transmission protocols, such as SSH and HTTPS, are used for remote system management.
2. The external APIs provided by the UDS support SSL authentication and encryption, preventing data interception and tampering.

Firewall

The UDS egresses employ firewalls (as shown in Figure 2-2) to defend against DDoS attacks and hide the internal network. The firewalls allow only the ports necessary for external services to be opened, so the management ports cannot be reached from the service plane.

2.4 Service Security

Data transfer

The UDS provides Amazon-compatible S3 APIs. Users can use a Huawei or third-party terminal tool to upload user data to the cloud object-based storage system. Data is encrypted by SSL during transfer.

Identity authentication

The UDS uses an access key (AK) and a secret key (SK) to authenticate user identities. The authentication uses the keyed-hash message authentication code (HMAC) algorithm, which takes a key and a message as input and outputs a message digest. Each client user has a pair of AK and SK. The AK is public and identifies a unique user. The SK is used to calculate signatures, and client users must keep it safe. An operation request sent by a client user contains the user's AK and a signature calculated with the SK using HMAC-SHA1. Upon receiving the request, the UDS looks up the AK and the SK stored for it, calculates a signature using that SK, and compares the computed signature with the one in the request. If the two signatures match, the authentication succeeds.

Figure 2-3 AK/SK authentication process

Access control on objects and buckets

The UDS provides a flexible and secure data access mechanism that allows customers to set different access control policies on buckets and objects. The available access control permissions are READ, WRITE, READ_ACP (permission to read the access control policy), WRITE_ACP (permission to write the access control policy), and FULL_CONTROL.

Static data confidentiality

Object data uploaded to the UDS is stored in slices, which are randomly distributed to the smart disks of the UDSNs. The maximum size of each slice is 1 MB, as shown in Figure 2-4. Therefore, even if a disk is stolen, the data cannot be restored from it. Users can also encrypt data before uploading it to the UDS; in this scenario, the keys are managed on the clients.

Figure 2-4 UDS slice storage process
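The AK/SK exchange described above, as an added example that is not part of the white paper or of the UDS code: the client signs a canonical request string with HMAC-SHA1 keyed by its SK and sends only the AK with the signature, and the server looks up the SK for that AK, recomputes the signature and compares it in constant time. The canonical string layout and the `AWS AK:signature` header form are assumptions modelled on the Amazon S3 v2 scheme the UDS API is compatible with; the credentials are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credential store as held on the UDS side (AK -> SK).
# These are made-up values for the example, not real keys.
CREDENTIALS = {
    "AK0000EXAMPLE": b"sk-example-0123456789abcdef-do-not-use",
}


def string_to_sign(method, content_md5, content_type, date, resource):
    # Canonical request text covered by the signature. The field order is an
    # assumption modelled on the Amazon S3 v2 scheme; the white paper only
    # states that HMAC-SHA1 keyed with the SK is used.
    return "\n".join([method, content_md5, content_type, date, resource])


def hmac_sha1_signature(sk, message):
    # HMAC-SHA1 keyed with the secret key, base64-encoded for the header.
    digest = hmac.new(sk, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(ak, sk, method, resource, date, content_md5="", content_type=""):
    # Client side: the request carries the public AK and a signature computed
    # with the SK; the SK itself never leaves the client.
    msg = string_to_sign(method, content_md5, content_type, date, resource)
    return {
        "method": method,
        "resource": resource,
        "headers": {
            "Date": date,
            "Content-MD5": content_md5,
            "Content-Type": content_type,
            "Authorization": "AWS %s:%s" % (ak, hmac_sha1_signature(sk, msg)),
        },
    }


def verify_request(request, credentials=CREDENTIALS):
    # Server side (A-Node): find the SK stored for the presented AK, recompute
    # the signature over the fields as received, and compare. Returns
    # (accepted, reason) so the caller can log why a request was rejected.
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return False, "malformed Authorization header"
    ak, presented = auth[4:].split(":", 1)
    sk = credentials.get(ak)
    if sk is None:
        return False, "unknown access key"
    h = request["headers"]
    msg = string_to_sign(request["method"], h.get("Content-MD5", ""),
                         h.get("Content-Type", ""), h.get("Date", ""),
                         request["resource"])
    expected = hmac_sha1_signature(sk, msg)
    # Constant-time comparison: a plain == would leak, through timing, how
    # many leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    ak, sk = "AK0000EXAMPLE", CREDENTIALS["AK0000EXAMPLE"]
    req = build_request(ak, sk, "GET", "/bucket1/report.pdf",
                        "Thu, 05 Jun 2014 09:00:00 GMT")
    print(verify_request(req))              # (True, 'authenticated')
    req["resource"] = "/bucket1/other.pdf"  # altered in transit: signature no longer covers it
    print(verify_request(req))              # (False, 'signature mismatch')
```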
Data integrity

The UDS uses digital signatures to ensure data integrity during transfer. The integrity of a data slice is verified automatically by the UDS, while the integrity verification of a data object must be supported by client applications. The object integrity verification process is as follows:

Uploading an object (PUT)
A. The client invokes an interface for uploading the object and can add the 128-bit MD5 digest of the object to the request header.
B. The A-Node receives the object, computes the MD5 value of the object, and compares it with the value in the request. If the two values are inconsistent, the service node returns an error message.

Downloading an object (GET)
A. The client invokes an interface for obtaining the object.
B. The A-Node returns the object and the MD5 value of the object (the ETag header field).
C. The client computes the MD5 value of the object and compares it with the value returned by the A-Node. If the two values are consistent, the data is correct and the object has been downloaded successfully.

The integrity of a data slice is verified using a cyclic redundancy check (CRC). When writing slice data to a smart disk, the A-Node uses the specified CRC algorithm to compute the check value of the slice data and stores both the check value and the slice data on the smart disk. When reading slice data, the A-Node computes the CRC check value of the slice and compares it with the value stored on the disk. The data can be read only when the two values are consistent. This mechanism not only prevents data damage during storage and transfer, but also protects data from malicious tampering by employees of the cloud storage service provider, improving data security.

Data durability

The UDS provides 99.999% data availability and 99.9999% data durability. These figures are the baseline. The actual data availability and durability vary with the number of copies, object size, disk type, and whether multiple data centers (MDC) are deployed. The redundancy design and high-quality hardware improve data reliability.

2.5 Management Security

Log management

The UDS supports the following logs:

Operation logs

Operation logs record management and maintenance operations performed on the management plane, including the user, operation type, client IP address, key parameters, operation time, and operation result. Operation logs are stored in the database of the A-Node. Auditors can export and view operation logs in OceanStor DeviceManager and periodically audit the operations performed by operation and maintenance personnel to detect improper or malicious operations in a timely manner. Operation logs can be used to prevent repudiation and must be stored for at least 12 months (when disk space is sufficient).

Run logs

Run logs record the running status of each node and have four levels: debug, info, warning, and error (in ascending order of priority). Log levels can be used to control log output. Run logs of each node are collected using the rsyslog component, which can also filter out logs at the debug and info levels. As a result, two sets are obtained: high-level logs (logs at the warning and error levels) and complete logs (all log packages for which an output level has been set). High-level logs are periodically collected and stored on the log server through FTP. Complete logs are stored on local storage devices; users can upload the complete logs of a specific node for a specific period to the log server using a script. Run logs contain the log level, thread name, and running information. Administrators can view run logs to learn about and analyze the running status of the system, and then find and handle exceptions and faults in a timely manner. Run logs must be stored for at least 3 months (when disk space is sufficient).

Black box logs

Black box logs record fault information when serious system faults occur and are used for fault diagnosis and rectification. Black box logs of UDSNs are stored on local storage devices.

Password management

Central password change for internal accounts: The UDS provides a unified platform for centrally changing the passwords of internal accounts. Only the super administrator has permission to access the platform and perform the related operations. The system checks password complexity.

Account hardening: The UDS locks out an account after too many incorrect password attempts, preventing brute-force cracking attacks.

Password hardening: A password can be changed upon initial login and has a fixed validity period. This mechanism prevents a password from being used for a long time. The mechanism forcibly generates and saves passwords, avoiding the cracking, leakage, and illegitimate use of passwords.

Encrypted password transfer and storage: When the passwords of internal accounts are changed on the management platform, the new passwords are encrypted and transferred to each A-Node. On the management platform and the A-Nodes, passwords must be encrypted before being stored.

Operation logs of internal accounts: The internal account management platform records all operations on the passwords of internal accounts in logs, which help users locate faults and support auditing.
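The object and slice integrity checks described under Data integrity in section 2.4, as an added example that is not part of the white paper or of the UDS implementation: the A-Node side of PUT recomputes the 128-bit MD5 and rejects the upload when it differs from the client's Content-MD5 header, the object is stored as slices of at most 1 MB each carrying a CRC check value that is verified on every read, and the client checks the ETag on GET. The header names, the base64 Content-MD5 and hex ETag encodings, and CRC32 as the "specified CRC algorithm" are assumptions; the sample object is constructed.

```python
import base64
import hashlib
import zlib

SLICE_SIZE = 1024 * 1024  # maximum slice size stated in section 2.4: 1 MB


def content_md5(data):
    # Value of the Content-MD5 request header: base64 of the raw 128-bit MD5
    # digest (assumed encoding, as in the S3 API the UDS is compatible with).
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def etag(data):
    # ETag returned on GET: hex MD5 of the whole object (assumed encoding).
    return hashlib.md5(data).hexdigest()


def store_object(body):
    # Split the object into slices of at most SLICE_SIZE and keep each slice
    # together with its CRC32 check value, as the A-Node does on a smart disk.
    slices = []
    for offset in range(0, len(body), SLICE_SIZE):
        chunk = body[offset:offset + SLICE_SIZE]
        slices.append({"data": bytearray(chunk), "crc": zlib.crc32(chunk)})
    return {"slices": slices, "etag": etag(body)}


def handle_put(body, content_md5_header=None):
    # A-Node side of PUT: if the client supplied Content-MD5, recompute it and
    # reject the upload on mismatch before anything is written.
    if content_md5_header is not None and content_md5(body) != content_md5_header:
        return None, "BadDigest"
    return store_object(body), "OK"


def handle_get(stored):
    # A-Node side of GET: every slice's CRC is checked against the stored
    # value; the read fails if any slice was damaged or tampered with on disk.
    for index, s in enumerate(stored["slices"]):
        if zlib.crc32(bytes(s["data"])) != s["crc"]:
            return None, None, "slice %d failed CRC check" % index
    body = b"".join(bytes(s["data"]) for s in stored["slices"])
    return body, stored["etag"], "OK"


def client_verify_get(body, etag_header):
    # Client side of GET: recompute MD5 of the received object and compare it
    # with the ETag header returned by the A-Node.
    return etag(body) == etag_header


if __name__ == "__main__":
    # Constructed sample object: 2.5 MB of deterministic bytes -> 3 slices.
    obj = hashlib.sha256(b"seed").digest() * (2621440 // 32)
    stored, status = handle_put(obj, content_md5(obj))
    print(status, len(stored["slices"]))          # OK 3
    body, tag, status = handle_get(stored)
    print(status, client_verify_get(body, tag))   # OK True
    stored["slices"][1]["data"][0] ^= 0x01        # flip one bit of a slice on disk
    print(handle_get(stored)[2])                  # slice 1 failed CRC check
```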
Role management

User management provides security management based on users, user groups, and permissions. In user management mode, the role of a user determines the user's permissions. If a user's permissions need to be changed based on site requirements, a different role can be assigned to the user.

Permission management

Permissions on user information are controlled by role. Users can access only the data for which they have permissions.

Audit support

The output logs cover the management and service planes. Their contents are accurate, and they allow secure access and storage.
3 Security Assurance

3.1 Security Statement and Certificates

With a profound understanding of the importance of security for customers and products, Huawei actively promotes the research and development (R&D) of secure products. In July 2004, Huawei obtained BS 7799 certification. In August 2007, the certification was updated to ISO/IEC 27001. Huawei integrates security assurance into its Integrated Product Development (IPD) process. Security issues involved in product functions and quality are deliberated in each phase, such as concept, design, verification, and installation, throughout the product life cycle. In addition, Huawei has set up a Technology Management Group (TMG) to monitor and guide security activities during product development. The TMG provides consulting and assessment for the development of professional security solutions.

For details about Huawei's security policies and legal compliance, see the Huawei Network Security White Paper and the Network Security Laws Compliance Manual.

3.2 Security Assurance Process

Customers attach great importance to product security. A single incident may result in total failure. The most effective way to ensure product security is to follow a correct methodology throughout the R&D process. Figure 3-1 shows the process that Huawei adopts during product development.

Figure 3-1 Huawei IPD security assurance process

Huawei has built a professional security team to provide advanced security solutions for customers. The team also provides support, guidance, and monitoring on security issues across all products. Within the product lines and product development teams, Huawei has dedicated teams and roles responsible for security issues and for ensuring product security. Every year, each product team adjusts its short-term and long-term security plans based on industry developments and service changes. In addition, the quality assurance (QA) department is responsible for auditing the security plans and their execution progress. With its professional teams and strict process management, Huawei meets the security requirements of every customer and provides them with sustainable, high-quality security assurance.
4 Glossary

Acronym and Abbreviation    Full Spelling
UDS                         UDS massive storage system
AK                          Access Key ID
SK                          Secret Access Key
HTTPS                       Hypertext Transfer Protocol over Secure Socket Layer
S3                          Amazon S3