WHITE PAPER

ADVANCING SECURITY IN STORAGE AREA NETWORKS

Brocade Secure Fabric OS provides a reliable framework for enhancing security in mission-critical SAN environments
As organizations continue to broaden their reach to business partners and customers around the globe, they expose their IT systems to a wider range of potential security threats. Today, data theft, eavesdropping, fraud, and intrusion attempts increasingly threaten secure electronic information exchange within the enterprise and across public networks such as the Internet. Because an organization's IT systems are only as secure as the weakest link in the network, Brocade has developed a comprehensive security framework that helps ensure safe, reliable data processing throughout a Storage Area Network (SAN). An integrated solution that addresses a wide variety of potential security threats, Brocade Secure Fabric OS provides a new level of SAN security, enabling a robust, mission-critical SAN infrastructure. Organizations can implement Secure Fabric OS in all their SAN environments to safeguard data and alleviate a wide variety of security risks.
The Growing Security Concern

The recent explosion in e-business activity and Internet commerce has provided organizations with unlimited opportunities for developing new information delivery channels. At a minimum, online expansion opens up a whole new world of possibilities, such as increased efficiency, reduced costs, improved enterprise-wide communications, shorter time-to-market, and wider market reach. Although the benefits of e-business can be far-reaching, today's organizations must be careful to balance their need to expand with their ability to protect enterprise data.

As the popularity of distributed client/server networks steadily rose throughout the 1990s, organizations found it much more difficult to effectively secure their critical business networks, applications, and data. The emergence and growth of public networks such as the Internet has only increased the potential frequency and severity of computer security incidents. As a result, information security is perhaps the greatest concern for organizations participating in the e-business arena. As new information delivery channels transcend traditional borders, locked doors are no longer sufficient to protect vital information. More than ever, organizations need to leverage advanced security solutions that minimize risk while enabling flexibility and growth, providing the proper balance for the corporate security strategy and policy.

Today, Brocade is helping to safeguard one of the most strategic parts of many IT infrastructures: the SAN. Brocade has recently developed Secure Fabric OS, a flexible and scalable solution that meets a wide variety of SAN security requirements. Secure Fabric OS is the first product in the industry to provide such comprehensive security controls for networked storage environments.
Brocade Security Framework

When designing high security for today's SANs, organizations must be aware of all the potential points where a security breach might occur. Identifying the points of vulnerability and implementing a reliable security solution are the keys to securing a SAN fabric infrastructure (see Figure 1). To help organizations identify and address their security exposures, the comprehensive Brocade SAN security framework provides the kind of security tools and controls commonly used in most other types of data networks.

[Figure 1. A typical SAN fabric infrastructure with potential points of vulnerability. Elements shown: hosts, storage, switches, JBOD, WAN (or Internet), network manager; the potential security control points are marked on the diagram.]
This security framework is based on Secure Fabric OS, which manages the Brocade SilkWorm family of Fibre Channel fabric devices in both new and existing SAN islands and heterogeneous SAN fabrics. Based on open industry standards, Secure Fabric OS is highly scalable, manageable, and extremely resilient. As a result, this integrated solution helps eliminate a variety of potential SAN security risks (see Table 1).

Table 1. SAN security risks and solutions at a glance

SAN Security Risk                                        | Secure Fabric OS Solution
---------------------------------------------------------|----------------------------------------------------------------------------
Unauthorized and/or unauthenticated SAN access           | Multilevel password controls to prevent unauthorized and unauthenticated SAN access
Insecure management access                               | Management Access Control Lists (ACLs) and encryption of passwords in certain interfaces
World Wide Name (WWN) spoofing                           | Port-level ACLs
Management controls allowed from different access points | Enhanced configuration architecture with trusted switches and secure management, as well as Public Key Infrastructure (PKI)-based authentication and security (digital certificates)

Secure Fabric OS is especially useful for shared storage environments where security is critical. Secure Fabric OS is accessible through an open API that enables members of the Brocade Fabric Threads program to develop applications that build on its security features. In addition, organizations can develop their own internal security applications based on this API.
Security Domains

While identifying the potential points of vulnerability in their networks, organizations should fully define their security requirements for a SAN fabric by establishing a set of security domains. These domains typically define different categories of communications that must be protected by the fabric security architecture. These domains, described in detail below, include:

- Host-to-switch domain: between host servers and their Host Bus Adapters (HBAs), and the connected switches
- Administrator-to-security management domain: between administrators and their management applications
- Security management-to-fabric domain: between management applications and the switch fabric
- Switch-to-switch domain: between interconnected switches
Host-to-Switch Domain

In host-to-switch communications, individual device ports are bound to a set of one or more switch ports using ACLs. Device ports are specified by WWN and typically represent HBAs. Secure Fabric OS Device Connection Controls bind a port WWN to an ACL of switch ports, securing the host-to-switch connection for both normal operations and management functions.

Administrator-to-Security Management Domain

Because security management affects the security policy and configuration of the entire SAN fabric, administrator access controls work in conjunction with the security management functions. In addition, administrator-level fabric password access provides the primary control over security configurations.

Security Management-to-Fabric Domain

Secure Fabric OS secures certain elements of the management communications between the security management function and a switch fabric, such as passwords on some interfaces. The security management function encrypts each such data element, together with a random number, with the switch's public key; the switch then decrypts the data element with its private key. Including the random number means that the same password does not produce the same ciphertext on every exchange, so an eavesdropper cannot recognize a repeated password by comparing captured messages. Only these designated elements are encrypted in this way; other management traffic is not.

Switch-to-Switch Domain

In secure switch-to-switch communications, the switches themselves enforce the security policy. The security management function initializes switches with digital certificates and ACLs. Before establishing any communications, switches exchange these credentials during mutual authentication. This practice is designed to allow only authenticated and authorized switches to join as members of the SAN fabric or of a specific fabric zone. The authentication process helps prevent an unauthorized switch (for example, a switch in a co-location scenario) from attaching to the fabric through an E_Port.
Basic inter-fabric switch-to-switch security includes, but is not limited to:

- Mutual authentication performed between two switches using public key technology and digital certificates
- Switch alarms, such as Simple Network Management Protocol (SNMP) trap notifications, for authorized security management or other system managers
Secure Fabric OS Components

Secure Fabric OS enables organizations to build highly secure SAN infrastructures through a set of powerful yet flexible security components (see Figure 2). This best-in-class solution includes the following security components:

- Fabric Configuration Servers: One or more switches act as trusted devices in charge of zoning changes and other security-related functions.
- Management Access Controls: Management policies and ACLs control access to the switch from different management services.
- Secure Management Communications: Secure management communications interface to the fabric by encrypting certain data elements, such as passwords.
- Switch Connection Controls: ACLs and digital certificates within the switch authenticate new switches before they are allowed to join the fabric.
- Device Connection Controls: Port-level ACLs lock particular WWNs to specific ports.

[Figure 2. Secure Fabric OS components that protect the fabric against a variety of threats. Elements shown: Fabric Configuration Server (trusted switch) and the security policy flow; Switch Connection Controls (digital certificates + ACLs); management ACLs; port ACLs; hard/soft zoning; secure management communications; a network manager reached over a WAN (or Internet).]
The switch connection controls are built on PKI technology, which Brocade positions as the most comprehensive security solution available for SAN environments. Table 2 compares PKI capabilities to other types of security solutions.

[Table 2. PKI compared to other electronic security options. Columns: Authentication, Confidentiality, Integrity, Non-repudiation, Access control. Rows compared: Firewalls, Encryption, Public Key Infrastructure.]

Fabric Configuration Servers

Management access from unsecured and unauthorized sources represents a major threat to fabric security. To address this threat, Fabric Configuration Servers enable sensitive administrative operations to be performed only from specified, trusted switches. These designated switches are responsible for managing the configuration and security parameters of all other switches in the fabric. Any number of switches within a fabric can be designated as Fabric Configuration Servers (specified by WWN), and the list of designated switches is known fabric-wide. In this way, Fabric Configuration Servers secure the manager-to-fabric connection both in-band and out-of-band.

Within the set of Fabric Configuration Servers, one is designated the primary Fabric Configuration Server. Only the primary Fabric Configuration Server can initiate fabric-wide management changes. This restriction blocks local management requests initiated from untrusted switches.

To increase administrator access control, a fabric-wide login name and password database replaces the previous model of switch-specific login names and passwords. The same semantics apply to SNMP community strings (which act as a password-type facility controlling access to SNMP functions). Organizations can disable this facility through two options, one for SNMP community strings and the other for the standard login name database.
Disabling this policy reverts to the original behavior of unique logins and community strings on each switch. If the fabric-wide password and community string policies are enabled, any change to a login name, password, or SNMP community string is reflected on all switches in the fabric, and when a new switch joins the fabric, its login/password database is replaced with the fabric view. Because SNMPv1 and SNMPv2c carry community strings in cleartext, the fabric-wide string should be treated as a shared secret of limited strength, and the IP-based Management Access Controls for SNMP (described below) are the primary protection for that interface.
Secure Management Communications

Brocade switches enable standard IP-based management communications between a switch and a manager. Certain elements of the manager-to-switch communications process, such as passwords, are encrypted to increase security.

Management Access Controls

Because management services such as SNMP, SES, API, and Telnet represent a potential avenue for unauthorized access, Management Access Controls restrict their access to the fabric based on policy. If enabled, these policies control access by either IP address or WWN, and the policies are known fabric-wide.

Management Access Controls secure the in-band manager-to-fabric connection by controlling the HBA-to-fabric connections as well; these HBA-to-fabric controls apply to in-band access only. They can also turn off serial ports, either individually or fabric-wide, to limit access to trusted access points within the fabric. Organizations can use these controls to selectively disable management access and restrict facility access to a specified set of end points. For example, an end point might be a specific IP address for SNMP, Telnet, or API access, or a specific port WWN for an HBA in a management service used for in-band methods such as SES or Management Server. In this way, Management Access Controls provide additional control beyond the secure management channels by restricting access to trusted access points within the network. These restrictions and any ACLs are known fabric-wide and are automatically installed in new switches that join the fabric, which helps prevent unauthorized users from manually changing fabric settings. Note that an IP-based ACL identifies a manager only by its source address; it limits exposure but does not by itself authenticate the manager, so it complements the password and certificate controls rather than replacing them.
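The Management Access Controls described here and the Device Connection Controls introduced under the host-to-switch domain are both fabric-wide ACL policies that every member switch evaluates locally. The following Python model is an added example for this paper, not Brocade code: the policy structure, the function and field names, and the sample WWNs and addresses are invented, and it assumes two behaviours the paper does not state (a switch port with no binding accepts a WWN that is not bound elsewhere, and a management service with no ACL entry is open). It shows a WWN bound to one switch port being refused on another port, including on a switch that has just joined and received the fabric policy, and an out-of-band Telnet request being filtered by source address.

```python
"""Model of Management Access Controls (MAC) and Device Connection Controls
(DCC). Added example, not Brocade code; names, sample WWNs and addresses are
invented. Assumptions: an unbound port accepts unbound WWNs, and a service
with no ACL entry is open."""
import copy
import ipaddress

# Services reached out-of-band over IP versus in-band over Fibre Channel.
IP_SERVICES = {"SNMP", "TELNET", "API"}
INBAND_SERVICES = {"SES", "MANAGEMENT_SERVER"}


class FabricPolicy:
    """Fabric-wide security policy, replicated to every member switch."""

    def __init__(self):
        self.mgmt_ip_acl = {}   # service -> list of allowed IP networks
        self.mgmt_wwn_acl = {}  # service -> set of allowed HBA (port) WWNs
        self.dcc = {}           # (switch WWN, port number) -> set of bound WWNs
        self.serial_ports_enabled = True

    def bound_ports(self, device_wwn):
        return {loc for loc, wwns in self.dcc.items() if device_wwn in wwns}


class Switch:
    def __init__(self, wwn, policy):
        self.wwn = wwn
        self.policy = policy

    def fabric_login(self, device_wwn, port):
        """Device Connection Control check applied when an HBA logs in."""
        location = (self.wwn, port)
        bound_to = self.policy.bound_ports(device_wwn)
        if bound_to:
            # WWN is locked to specific ports: anywhere else is a spoof attempt.
            return location in bound_to
        if location in self.policy.dcc:
            # Port is locked to other WWNs; this one is not among them.
            return False
        return True  # assumption: unlocked port, unbound WWN

    def mgmt_request(self, service, source):
        """Management Access Control check; `source` is an IP address for
        SNMP/Telnet/API or a port WWN for in-band SES/Management Server."""
        if service == "SERIAL":
            return self.policy.serial_ports_enabled
        if service in IP_SERVICES:
            nets = self.policy.mgmt_ip_acl.get(service)
            if nets is None:
                return True  # assumption: no ACL configured, service open
            addr = ipaddress.ip_address(source)
            return any(addr in ipaddress.ip_network(n) for n in nets)
        if service in INBAND_SERVICES:
            wwns = self.policy.mgmt_wwn_acl.get(service)
            return True if wwns is None else source in wwns
        raise ValueError(f"unknown service {service}")


def join_fabric(new_switch, fabric_policy):
    """A joining switch receives the fabric-wide policy, so its ACLs match
    the rest of the fabric without any local configuration."""
    new_switch.policy = copy.deepcopy(fabric_policy)
    return new_switch


def build_demo():
    """Constructed sample fabric: one policy, two switches, a set of checks."""
    pol = FabricPolicy()
    pol.mgmt_ip_acl["TELNET"] = ["10.10.0.0/24"]          # management LAN only
    pol.mgmt_wwn_acl["SES"] = {"10:00:00:00:c9:aa:bb:01"}  # one in-band manager HBA
    pol.dcc[("10:00:00:60:69:00:00:01", 3)] = {"10:00:00:00:c9:aa:bb:01"}
    pol.serial_ports_enabled = False

    sw1 = Switch("10:00:00:60:69:00:00:01", pol)
    sw2 = join_fabric(Switch("10:00:00:60:69:00:00:02", FabricPolicy()), pol)
    hba = "10:00:00:00:c9:aa:bb:01"
    return {
        "hba_on_bound_port": sw1.fabric_login(hba, 3),
        "hba_spoofed_on_other_port": sw1.fabric_login(hba, 7),
        "hba_spoofed_on_new_switch": sw2.fabric_login(hba, 3),
        "other_wwn_on_locked_port": sw1.fabric_login("10:00:00:00:c9:ff:ff:02", 3),
        "telnet_from_mgmt_lan": sw2.mgmt_request("TELNET", "10.10.0.25"),
        "telnet_from_elsewhere": sw2.mgmt_request("TELNET", "192.0.2.9"),
        "ses_from_authorized_hba": sw1.mgmt_request("SES", hba),
        "serial_console": sw1.mgmt_request("SERIAL", None),
    }
```

The spoof case is the one that matters: the HBA's WWN is accepted only at the switch and port it is bound to, so a host plugged into port 7, or into the newly joined switch, cannot assume that identity even though zoning would otherwise grant it access.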
Device Connection Controls

Because the access control methods deployed in today's SANs use a requestor's WWN to verify access rights, WWN spoofing is a potential threat to SAN security. Secure Fabric OS addresses this vulnerability with port-level ACL controls known as Device Connection Controls. These controls secure the server (HBA)-to-fabric connection for both normal operations and management functions. Device Connection Controls enable organizations to bind a particular WWN to a specific switch port or set of ports, preventing a port in another physical location from assuming the identity of that WWN. This capability enables better control over shared switch environments by allowing only a set of predefined WWNs to access particular ports in the fabric.

Switch Connection Controls

Switch Connection Controls enable organizations to restrict fabric connections to a designated set of switches, identified by WWN. When a new switch is connected to a switch that is already part of the fabric, the new switch must be authenticated before it can join the fabric. Each switch has a digital certificate and a unique private key to enable secure switch-to-switch authentication. Switch Connection Controls address this need by authenticating switches and by providing an authorized switch list. The digital certificate authentication process ensures that an entity professing to be a switch is, in fact, a switch and that its WWN is correct. Each E_Port connection between switches invokes a mutual authentication process that uses the digital certificates and private keys in a cryptographically secure multiphase authentication protocol. If the authentication process fails, the E_Port is set to the segmented state, logically disconnecting the two switches. Because this authentication validates that a specific E_Port connects two legitimate switches, it is performed on every E_Port, even when several of them connect the same pair of switches.
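The E_Port mutual authentication described above (and under the switch-to-switch domain earlier) combines three checks: the peer's certificate must have been issued by the fabric's certificate authority, the peer's WWN must appear in the authorized switch list, and the peer must prove it holds the private key named in that certificate. The following Python model is an added example, not Brocade's protocol or code: the paper does not specify its multiphase protocol, so the challenge/response exchange, the certificate layout, the switch WWNs and the policy are invented, and a toy textbook-RSA signature with tiny primes (standard library only, insecure) stands in for the real PKI. It shows a legitimate pair coming online and three failure cases, each of which leaves the E_Port segmented.

```python
"""Switch Connection Control model: certificate-based mutual authentication
on an E_Port with an authorized switch list; any failure segments the port.
Added example, not Brocade code. Toy textbook RSA (tiny primes, no padding,
INSECURE) stands in for the real PKI; exchange and sample data are invented."""
import hashlib
import math
import secrets


def _next_prime(n):
    # Trial division; adequate for the ~21-bit toy primes used here.
    while not (n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))):
        n += 1
    return n


def toy_keygen(seed):
    """Deterministic toy RSA key pair; distinct seeds give distinct moduli."""
    p = _next_prime(1_000_000 + 10_000 * seed)
    q = _next_prime(2_000_000 + 10_000 * seed)
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in range(3, phi, 2) if math.gcd(x, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _tbs(wwn, pub):  # certificate body: the WWN bound to a public key
    return f"{wwn}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(ca_priv, wwn, pub):
    return {"wwn": wwn, "pub": pub, "ca_sig": sign(ca_priv, _tbs(wwn, pub))}


def certificate_valid(ca_pub, cert):
    return verify(ca_pub, _tbs(cert["wwn"], cert["pub"]), cert["ca_sig"])


class Switch:
    def __init__(self, cert, priv, scc_policy):
        self.cert = cert              # presented to the peer at link-up
        self.priv = priv              # should match cert["pub"]; a rogue's will not
        self.scc_policy = scc_policy  # fabric-wide authorized switch WWNs
        self.eport_state = {}         # peer WWN -> "online" / "segmented"

    def respond(self, nonce):
        """Prove possession of the private key named in our certificate."""
        return sign(self.priv, nonce)

    def authenticate_peer(self, ca_pub, peer):
        cert = peer.cert
        if not certificate_valid(ca_pub, cert):   # forged or self-issued
            return False
        if cert["wwn"] not in self.scc_policy:     # genuine, but not authorized
            return False
        nonce = secrets.token_bytes(16)            # fresh challenge each link-up
        return verify(cert["pub"], nonce, peer.respond(nonce))


def eport_link_up(ca_pub, a, b):
    """Authenticate in both directions; any failure segments the E_Port."""
    ok = a.authenticate_peer(ca_pub, b) and b.authenticate_peer(ca_pub, a)
    state = "online" if ok else "segmented"
    a.eport_state[b.cert["wwn"]] = b.eport_state[a.cert["wwn"]] = state
    return state


def build_demo():
    """Constructed scenarios; the WWNs and the SCC policy are invented."""
    ca_pub, ca_priv = toy_keygen(0)
    wwns = ["10:00:00:60:69:00:00:0%d" % i for i in (1, 2, 3)]
    scc = {wwns[0], wwns[1]}                      # authorized switch list
    keys = [toy_keygen(s) for s in (1, 2, 3, 4)]  # switches A, B, C and a rogue
    certs = [issue_certificate(ca_priv, w, keys[i][0]) for i, w in enumerate(wwns)]
    sw_a = Switch(certs[0], keys[0][1], scc)
    sw_b = Switch(certs[1], keys[1][1], scc)
    sw_c = Switch(certs[2], keys[2][1], scc)      # valid certificate, not in policy
    rogue_pub, rogue_priv = keys[3]
    self_signed = Switch(issue_certificate(rogue_priv, wwns[1], rogue_pub), rogue_priv, scc)
    copied_cert = Switch(certs[1], rogue_priv, scc)  # B's certificate, wrong key
    return {
        "legit_pair": eport_link_up(ca_pub, sw_a, sw_b),
        "unauthorized_switch": eport_link_up(ca_pub, sw_a, sw_c),
        "self_signed_rogue": eport_link_up(ca_pub, sw_a, self_signed),
        "copied_cert_rogue": eport_link_up(ca_pub, sw_a, copied_cert),
    }
```

The last two scenarios are why a certificate alone is not enough: a rogue can mint a certificate naming a legitimate WWN, or copy a real one, but without the matching private key it cannot answer the fresh challenge, and a certificate the fabric's CA never signed fails before any challenge is issued.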
The authorized switch list (specified by switch WWN) is used during fabric initialization and when a new switch attempts to join a fabric. New switches are configured with certificates and private keys at the time of manufacture; organizations with existing switches will need to upgrade them with certificate and key information at the installed location. Switch-to-switch operations are managed in-band, so no IP communications are required. This practice prevents users from arbitrarily adding switches to a fabric.

A Strategic Framework for a More Secure SAN Environment

Because a SAN fabric is only as secure as its weakest link, either the entire fabric is secure or none of it is. As a result, all switches in the fabric must support Secure Fabric OS in order to achieve the highest level of security fabric-wide. Secure Fabric OS is the initial component of a comprehensive Brocade security framework designed to help ensure a secure fabric-wide enterprise without requiring redundant dual fabrics. This approach supports the need to centralize management tasks while helping to accelerate SAN growth and reduce the total cost of ownership. By implementing Brocade Secure Fabric OS throughout their SAN fabric infrastructures, organizations can achieve the high levels of data and system security that today's mission-critical business applications require. For more information about the advantages of Brocade SAN fabrics, visit www.brocade.com.
Corporate Headquarters: 1745 Technology Drive, San Jose, CA 95110. T: (408) 487-8000, F: (408) 487-8101, info@brocade.com
European Headquarters: 29, route de l'Aéroport, Case Postale 105, Geneva 15, Switzerland 1215. T: +41 22 799 56 40, F: +41 22 799 56 41, europe-info@brocade.com
Asia Pacific Headquarters: The Imperial Tower 15th Fl., 1-1-1 Uchisaiwaicho, Chiyoda-ku, Tokyo 100-0011 Japan. T: +81 3 3507 5802, F: +81 3 3507 5900, apac-info@brocade.com

2002 Brocade Communications Systems, Inc. All Rights Reserved. 03/02 GA-WP-098-02

Brocade, the Brocade B weave logo, and SilkWorm are registered trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.