Ism Unit V

The document discusses security implementation in storage networking. It covers securing storage infrastructure, managing storage resources, and implementing security in SANs, NASs, and IP SANs. For SANs, it describes standards like FC-SP and commonly used security methods like zoning, LUN masking, and switch port security. It also discusses role-based access control, VSANs, and additional mechanisms like port binding. For NASs, it explains permissions, authentication, Kerberos, and firewall implementation. For IP SANs, it covers CHAP authentication and discovery domains functioning similarly to FC zoning.

UNIT V
STORAGE SECURITY AND MANAGEMENT
TOPICS
⚫ Securing Storage Infrastructure
⚫ Risk Triad
⚫ Storage Security Domains
⚫ Implementation in Storage Networking
⚫ Managing the Storage Infrastructure
• Monitoring the storage infrastructure
• Storage management activities
• Storage management challenges
• Developing an ideal solution


Implementation in Storage Networking
⚫ SAN
⚫ NAS
⚫ IP SAN
Security implementation in SAN
(Figures: SAN; SAN ports)
Security implementation in SAN
⚫ Fibre Channel Security Protocol (FC-SP) standards
⚫ FC-SP aligns security mechanisms and algorithms between IP and FC interconnects
⚫ It gives guidelines for authenticating FC entities, setting up session keys, and negotiating the parameters required to ensure frame-by-frame integrity
Security implementation in SAN
Most commonly used SAN security methods:
⚫ LUN masking (the array exposes a LUN only to permitted initiators, identified by WWPN or by source FCID) and zoning (logical partitioning of the SAN so that only members of the same zone can see each other)
⚫ Security in FC switch ports
⚫ Switch-wide and fabric-wide access control
⚫ Logical partitioning of a fabric (Virtual SAN)

Security implementation in SAN
Additional security mechanisms
⚫ Port binding
⚫ Port lockdown and port lockout
⚫ Persistent port disable (switch ports)


Security implementation in SAN
⚫ Port binding: limits the number of devices that can attach to a particular switch port and allows only the corresponding switch port to connect to a node for fabric access. Port binding mitigates, but does not eliminate, WWPN spoofing: an attacker with access to the bound port itself can still present the bound WWPN
⚫ Port lockdown and port lockout: restrict a switch port's type of initialization. Port lockout ensures that the switch port cannot function as an E_Port and so cannot be used to create an ISL
⚫ Persistent port disable: prevents a switch port from being enabled even after a switch reboot
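The controls on the last three slides (zoning and LUN masking, then port binding) are layered: a frame must pass each one in turn. The following is an added example, not code from the slides or from any switch or array vendor, that models those three layers in Python and walks a request through them in order. The fabric tables, WWPNs, switch port names and LUN numbers are constructed for illustration; real switches enforce binding and zoning in the fabric, and the array enforces masking.

```python
"""Layered FC SAN access control: port binding, then zoning, then LUN masking.

Added example with a constructed fabric (not from the ISM slides). WWN (soft) zoning
is modelled; port (hard) zoning would key on switch port instead of WWPN.
"""
from dataclasses import dataclass


@dataclass
class Fabric:
    port_binding: dict   # switch port -> the one WWPN permitted to log in on that port
    zones: dict          # zone name -> set of member WWPNs
    lun_masks: dict      # target WWPN -> {initiator WWPN: set of LUN numbers it may see}


def fabric_login(fabric: Fabric, port: str, wwpn: str):
    """Port-binding check at FLOGI time. A port with no binding is treated as persistently disabled."""
    bound = fabric.port_binding.get(port)
    if bound is None:
        return False, f"{port} is disabled (no binding)"
    if bound != wwpn:
        return False, f"{port} is bound to {bound}, rejected {wwpn}"
    return True, f"{port} accepted {wwpn}"


def in_same_zone(fabric: Fabric, a: str, b: str) -> bool:
    """Two WWPNs may talk only if at least one active zone contains both."""
    return any(a in members and b in members for members in fabric.zones.values())


def check_lun_access(fabric: Fabric, port: str, initiator: str, target: str, lun: int):
    """Return (allowed, trace); the trace records which layer made the decision."""
    trace = []
    ok, msg = fabric_login(fabric, port, initiator)
    trace.append("port binding: " + msg)
    if not ok:
        return False, trace
    if not in_same_zone(fabric, initiator, target):
        trace.append(f"zoning: {initiator} and {target} share no zone")
        return False, trace
    trace.append("zoning: ok")
    visible = fabric.lun_masks.get(target, {}).get(initiator, set())
    if lun not in visible:
        trace.append(f"LUN masking: LUN {lun} not masked to {initiator} on {target}")
        return False, trace
    trace.append(f"LUN masking: LUN {lun} visible")
    return True, trace


# Constructed sample fabric: host A is zoned to the array and masked to LUNs 0 and 1;
# host B is logged in but not zoned to anything.
HOST_A = "10:00:00:00:c9:00:00:0a"
HOST_B = "10:00:00:00:c9:00:00:0b"
ARRAY_T = "50:06:01:60:00:00:00:01"

FABRIC = Fabric(
    port_binding={"sw1/3": HOST_A, "sw1/4": HOST_B, "sw1/9": ARRAY_T},
    zones={"z_hostA_array": {HOST_A, ARRAY_T}},
    lun_masks={ARRAY_T: {HOST_A: {0, 1}}},
)

if __name__ == "__main__":
    cases = [
        ("legitimate host A", "sw1/3", HOST_A, 0),
        ("host A WWPN spoofed on unbound port", "sw1/7", HOST_A, 0),
        ("host A WWPN spoofed on host B's port", "sw1/4", HOST_A, 0),
        ("host A asks for an unmasked LUN", "sw1/3", HOST_A, 5),
        ("host B, not zoned to the array", "sw1/4", HOST_B, 0),
    ]
    for label, port, wwpn, lun in cases:
        allowed, trace = check_lun_access(FABRIC, port, wwpn, ARRAY_T, lun)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
        for line in trace:
            print("   ", line)
```

The spoofing cases are the point: a WWPN that zoning and masking would both accept is still refused when it arrives on a port it is not bound to, which is why the slides list port binding as an additional control rather than a replacement for zoning.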
Security implementation in SAN
⚫ Network security can be configured on the FC switch by using access control lists (ACLs) and on the fabric by using fabric binding
⚫ ACLs incorporate the device connection control and switch connection control policies, preventing unauthorized devices from accessing the fabric
⚫ Fabric binding prevents an unauthorized switch from joining any existing switch in the fabric
Security implementation in SAN
⚫ Role-based access control provides additional security to a SAN by preventing unauthorized activity on the fabric for management operations
⚫ It enables the security administrator to assign roles to users that explicitly specify the privileges or access rights they hold after logging into the fabric
Security implementation in SAN
⚫ VSANs enable the creation of multiple logical SANs over a common physical SAN
⚫ They provide the capability to build larger consolidated fabrics while still maintaining the required security and isolation between them
⚫ VSANs minimize the impact of fabric-wide disruptive events because management and control traffic on the SAN
SAN Security Architecture
(Figure: SAN security architecture, zones A to G)
⚫ Storage networking environments are a target for unauthorized access, theft, and misuse
⚫ Security strategies are based on the defense-in-depth concept, which recommends multiple integrated layers of security
⚫ This ensures that the failure of one security control does not compromise the assets under protection
SAN Security Architecture
⚫ Zone A (Authentication at the Management Console)
(a) Restrict management LAN access to authorized users (lock down MAC addresses)
(b) Implement VPN tunneling for secure remote access to the management LAN
(c) Use two-factor authentication for network access
SAN Security Architecture
⚫ Zone B (Firewall)
(a) Filter out addresses that should not be allowed on the LAN
(b) Screen for allowable protocols; block ports that are not in use
⚫ Zone C (Access Control: Switch)
Authenticate users/administrators of FC switches using Remote Authentication Dial In User Service (RADIUS) and DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol)
SAN Security Architecture
⚫ Zone D (Host to switch)
(a) ACLs: known HBAs can connect on specific switch ports only
(b) A secure zoning method such as port zoning (also known as hard zoning)
⚫ Zone E (Switch to Switch/Switch to Router)
(a) Using E_Port authentication
(b) Encrypting the traffic in transit
(c) Implementing FC switch controls
SAN Security Architecture
⚫ Zone F (Distance Extension)
(a) FC-SP for long-distance FC extension
(b) IPSec for SAN extension via FCIP
⚫ Zone G (Switch to Storage)
Protect the storage arrays on your SAN via
(a) WWPN-based LUN masking
(b) S_ID locking: masking based on source FCID

Security implementation in NAS
(Figures: NAS; components of NAS)
Security implementation in NAS
⚫ NAS is exposed to multiple exploits, including viruses, worms, unauthorized access, snooping, and data tampering
⚫ Various security mechanisms are implemented in NAS:
⚫ Permissions and ACLs (Windows and UNIX)
⚫ Authentication and authorization mechanisms
⚫ Kerberos
⚫ Firewalls
Security implementation in NAS
⚫ Windows: every user and group is identified by a security identifier (SID). An ACL on a file or directory is a list of entries, each of which grants or denies rights to a SID
⚫ The SID is generated automatically by the Windows server or domain when the user or group is created, and it is abstracted from the user
⚫ A user may identify their login ID as "User1", but that is only a textual representation of the true SID, which is what the operating system uses
Security implementation in NAS
⚫ UNIX: each user is identified by a user ID (UID) and a username; the UID determines the privileges the user has to perform specific operations
⚫ Users can be organized into one or more groups. A group serves to assign a set of privileges for a given resource and share them among the many users that need them
⚫ For example, a group of people working on one project may need the same permissions for a set of files
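The owner/group/other model the slide describes has a rule that is easy to get wrong: the kernel consults exactly one permission class, chosen by who the caller is, and never falls through to a more generous class. The following added example (not from the slides, and not any operating system's code) reproduces that decision in Python, including the root exception for execute. The UIDs, GIDs and file modes are constructed.

```python
"""UNIX mode-bit permission check as the kernel applies it: exactly one class is consulted.

Added example with constructed identities and inodes (not from the ISM slides).
"""
import stat

R, W, X = 4, 2, 1          # permission bits within one class (rwx)


def unix_permitted(mode: int, owner_uid: int, owner_gid: int,
                   uid: int, gids: set, want: int) -> bool:
    """Decide whether a process running as (uid, gids) may perform `want` (R|W|X bits)
    on an object whose inode has st_mode `mode`, owner `owner_uid` and group `owner_gid`.

    The class is selected by identity, not by which class would grant the most:
    owner if uid matches, else group if owner_gid is among the caller's groups, else other.
    """
    perm = stat.S_IMODE(mode)
    if uid == 0:
        # root is not subject to the read/write bits, but executing a regular file
        # still requires at least one x bit somewhere in the mode
        if want & X and stat.S_ISREG(mode) and not (perm & 0o111):
            return False
        return True
    if uid == owner_uid:
        cls = (perm >> 6) & 7
    elif owner_gid in gids:
        cls = (perm >> 3) & 7
    else:
        cls = perm & 7
    return (cls & want) == want


# Constructed sample identities: alice and bob share the "project" group, carol does not.
ALICE, BOB, CAROL, ROOT = 1001, 1002, 1003, 0
PROJECT = 2000
GROUPS = {ALICE: {1001, PROJECT}, BOB: {1002, PROJECT}, CAROL: {1003}, ROOT: {0}}

REPORT = dict(mode=0o100640, owner_uid=ALICE, owner_gid=PROJECT)   # -rw-r-----  alice project
ODD    = dict(mode=0o100060, owner_uid=ALICE, owner_gid=PROJECT)   # ----rw----  alice project
SCRIPT = dict(mode=0o100750, owner_uid=ALICE, owner_gid=PROJECT)   # -rwxr-x---  alice project


def can(uid: int, obj: dict, want: int) -> bool:
    """Convenience wrapper: look up the caller's groups and evaluate one request."""
    return unix_permitted(obj["mode"], obj["owner_uid"], obj["owner_gid"],
                          uid, GROUPS[uid], want)


if __name__ == "__main__":
    for who, name in [(ALICE, "alice"), (BOB, "bob"), (CAROL, "carol"), (ROOT, "root")]:
        print(f"{name:5} report r={can(who, REPORT, R)} w={can(who, REPORT, W)}  "
              f"odd r={can(who, ODD, R)}  script x={can(who, SCRIPT, X)}")
```

The ODD file is the instructive case: alice owns it and is in its group, yet she cannot read it, because the owner class (---) is the only one evaluated for her, while bob, who is merely a group member, can. Project shares on a NAS that rely on group bits need the owner bits set consistently for the same reason.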
Security implementation in NAS
Authentication and Authorization mechanism
Security implementation in NAS
⚫ NAS devices use the standard file-sharing protocols NFS and CIFS
⚫ Authentication verifies the identity of a network user. In a UNIX environment it uses a login credential lookup on a Network Information System (NIS) server
⚫ A Windows client is authenticated by a Windows domain controller that houses the Active Directory
Security implementation in NAS
⚫ Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography
⚫ It uses cryptography so that a client and server can prove their identity to each other across an insecure network connection
⚫ After the client and server have proven their identities, they can choose to encrypt all their communications to ensure privacy and data integrity
Security implementation in NAS
⚫ Network firewalls are implemented in NAS environments to protect the NAS devices from security threats
⚫ Firewalls examine network packets and compare them to a set of configured security rules
⚫ In a DMZ environment, servers that need to be accessed through the Internet are placed between two sets of firewalls
Security implementation in IP SAN
(Figure: IP SAN)
Security implementation in IP SAN
⚫ Challenge-Handshake Authentication Protocol (CHAP) is a basic authentication mechanism that has been widely adopted by network devices and hosts
⚫ CHAP provides a method for initiators and targets to authenticate each other by utilizing a secret code or password
⚫ CHAP secrets are usually random secrets of 12 to 128 characters. The secret is never exchanged directly over the communication channel
⚫ Instead, the authenticator sends a random challenge; the peer runs the challenge, an identifier and the secret through a one-way hash function (MD5 in CHAP) and returns only the resulting hash value. The authenticator recomputes the hash from its own copy of the secret and compares the two
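The following is an added example, not code from the slides or from any iSCSI implementation, showing the CHAP exchange from both sides in Python: the target challenges the initiator, the initiator answers with the MD5 digest, and the target verifies it against its own copy of the secret. It also runs mutual CHAP (the initiator challenges the target back with a separate secret), a login with a wrong secret, and a replay of a captured response against a fresh challenge. The iSCSI node names and secrets are constructed.

```python
"""CHAP as used by iSCSI: CHAP_R = MD5(CHAP_I || secret || CHAP_C), shown from both sides.

Added example with constructed node names and secrets (not from the ISM slides).
"""
import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Only this digest crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One iSCSI node that can both authenticate others and prove itself.

    known_secrets maps a peer name to the secret that peer must use when proving
    itself to us; own_secret is what we use when proving ourselves to others.
    iSCSI requires the two directions of mutual CHAP to use different secrets.
    """

    def __init__(self, name: str, own_secret: bytes, known_secrets: dict):
        self.name = name
        self.own_secret = own_secret
        self.known_secrets = known_secrets
        self._ident = 0
        self._pending = {}           # peer name -> (identifier, challenge) awaiting a response

    # authenticator role
    def issue_challenge(self, peer_name: str):
        self._ident = (self._ident + 1) & 0xFF
        challenge = secrets.token_bytes(16)      # fresh and unpredictable for every attempt
        self._pending[peer_name] = (self._ident, challenge)
        return self._ident, challenge

    def verify(self, peer_name: str, response: bytes) -> bool:
        ident, challenge = self._pending.pop(peer_name, (None, None))
        if challenge is None:
            return False                         # no outstanding challenge to match against
        secret = self.known_secrets.get(peer_name)
        if secret is None:
            return False                         # unknown peer
        expected = chap_response(ident, secret, challenge)
        return secrets.compare_digest(expected, response)

    # prover role
    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.own_secret, challenge)


def login(initiator: ChapPeer, target: ChapPeer, mutual: bool = False):
    """Run the exchange. Returns (initiator accepted by target, target accepted by initiator)."""
    ident, challenge = target.issue_challenge(initiator.name)
    init_ok = target.verify(initiator.name, initiator.respond(ident, challenge))
    if not init_ok or not mutual:
        return init_ok, None
    ident, challenge = initiator.issue_challenge(target.name)
    return init_ok, initiator.verify(target.name, target.respond(ident, challenge))


def replay(target: ChapPeer, victim_name: str, captured_response: bytes) -> bool:
    """An attacker who sniffed an earlier CHAP_R tries it against a new challenge."""
    target.issue_challenge(victim_name)
    return target.verify(victim_name, captured_response)


# Constructed sample: one target, the legitimate host, and a rogue claiming the host's name.
INIT_SECRET = b"initiator-secret-1234"        # >= 12 characters, as the slide recommends
TGT_SECRET = b"target-secret-5678abcd"
HOST_NAME = "iqn.1991-05.com.example:host-a"
TGT_NAME = "iqn.2001-04.com.example:storage.tgt1"


def build_peers():
    target = ChapPeer(TGT_NAME, TGT_SECRET, {HOST_NAME: INIT_SECRET})
    host = ChapPeer(HOST_NAME, INIT_SECRET, {TGT_NAME: TGT_SECRET})
    rogue = ChapPeer(HOST_NAME, b"guessed-secret-0000", {})
    return host, target, rogue


if __name__ == "__main__":
    host, target, rogue = build_peers()
    print("legitimate host, one-way:", login(host, target))
    print("rogue with wrong secret:", login(rogue, target))
    print("legitimate host, mutual:", login(host, target, mutual=True))
    ident, chal = target.issue_challenge(host.name)
    captured = host.respond(ident, chal)
    print("original response accepted:", target.verify(host.name, captured))
    print("same response replayed:", replay(target, host.name, captured))
```

Two things the slide's wording hides are visible here: the digest is bound to a challenge the authenticator chose, so a captured response is useless against the next login, and one-way CHAP proves nothing about the target, so an impostor target that knows the initiator's secret is only caught when mutual CHAP is enabled.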
Security implementation in IP SAN
⚫ iSNS discovery domains function in the same way as FC zones
⚫ Discovery domains provide functional groupings of devices in an IP SAN
⚫ For devices to communicate with one another, they must be configured in the same discovery domain
⚫ State change notifications (SCNs) inform the iSNS server when devices are added to or removed from a discovery domain