S 5.130 Protection of SANs by segmentation

Initiation responsibility: IT Security Officer

Implementation responsibility: Administrator

A storage area network is often implemented as a Fibre Channel (FC-SAN). It consists of one or several switches, storage subsystems such as disk subsystems, or backup devices, e.g. tape drives. One or more switches connected to each other form a fabric. Servers with storage assigned from the resources of the SAN are connected to the switches.

Storage subsystems, servers, and their operating systems can be assigned independently of each other, meaning they can be assigned several times. For example, different servers are assigned to different (logical) storage resources on a storage system, but a server may also be assigned to several (physically isolated) storage components to attain server redundancy and therefore redundancy of its applications.

Consequently, the administration and rights assignment for the storage resources in the SAN must be modified. In doing so, it must be ensured that no data is destroyed due to any incorrect access and that the servers only work with "their" section of the storage units in the SAN. This is achieved by dividing the SAN into segments or groups so that only the devices located in the same segment can communicate with each other.

Segmentation also provides the following additional advantages:

To ensure reasonable segmentation, a concept for the assignment of the SAN resources should be drawn up. Information on the current SAN resource assignments must always be documented and available in case of an emergency. The current resource assignment should be easily available and displayed clearly with the help of the administration tools.

Segmentation for FC-SANs

The internal administration and assignment of the devices in an FC-SAN is performed using World Wide Names (WWN). They are similar in some ways to the MAC addresses of Ethernet network adapters.

An FC-SAN is segmented by dividing it into zones (zoning). The zoning functions are configured on the switches of the SAN. A zone may contain servers, storage subsystems, and other switches as members.

Soft Zoning

SAN devices have a unique WWN. In soft zoning, the zones are formed by grouping WWNs together. The switch ports and SAN devices are assigned to the zones by an internal name server in the SAN. When a SAN device logs in to the fabric, the name server only provides the WWNs of those devices in the same zone.

Soft zoning is flexible because it is independent of how the system is wired. For this reason, changes to the location of SAN devices do not need to be entered when soft zoning is used.

However, it must be noted that data transfers to valid WWNs are not prevented. Since some operating systems store the WWNs internally and hold them in a cache, such systems may be able to access storage devices which are not even in the same zone any more due to a change in the meantime by an administrator. This means that data could be lost.

Hard Zoning

Hard zoning is usually defined using ports, but sometimes using the WWN method as well. The term hard zoning is used because the zoning is often hard-wired into the circuits (ASICs) in the SAN switch, i.e. into the hardware. Soft zoning on the other hand is implemented at all levels by software.

Hard zoning is often also referred to as port zoning. Segmentation in the SAN is established by only allowing zones to be formed in routing tables on SAN switches using the port numbers of the switches. This means precisely those devices whose port numbers are collected in a zone are members of that zone. This static assignment prevents data from being transferred between two ports in different zones. The limitation that changes made to the hardware configuration or changes in the locations of SAN devices require the tables to be changed manually is almost always tolerable in practice.

Since storage networks are seldom subject to frequent changes, hard zoning or an adequate manufacturer-specific method should be preferred to protect against a loss of data.

Furthermore, the smallest number of devices possible should be placed in a single zone.

LUN Binding and Masking

Hard disk subsystems in a SAN make the installed disks available as logical units. These units can be addressed using their LUNs (Logical Unit Numbers). LUN binding and LUN masking can be used to prevent every computer stationed in a zone together with a hard disk subsystem from seeing all logical or physical disks in this system.

LUN binding permanently assigns access to the particular LUNs over certain fibre channel ports of the storage system and therefore only allows the LUNs to be addressed through certain network access points.

In LUN masking, access tables are also defined on the disk subsystem that contains the unique WWN addresses of the servers authorised for access. All other (masked) disks are invisible to the computer.

In this manner, a faulty configuration or incorrect operation of a computer connected to the SAN will only affect the disks visible to it.

Zoning and LUN masking should always be combined when assigning servers and storage systems in the SAN.

Virtual SANs (VSANs)

Similar to the segmentation of LANs into virtual sub-networks (VLANs), it is also possible to segment a SAN. This concept extends the concept of zoning and also offers better access control for the data and applications as well as protection against the wide-ranging effects of malfunctions, meaning they can be restricted to just part of the network.

In a VSAN, several ports and therefore several terminal devices of a fibre channel fabric are grouped to form a virtual fabric. This means that several separate virtual fabrics are created on one and the same physical network infrastructure. In this case, a switch may belong to several virtual SAN sub-networks. Separate fabric services like name servers and zoning are implemented for each VSAN. VSANs therefore not only limit the visibility of the terminal devices like in pure zoning, but also the visibility of the fabric configurations among each other.

Zoning is performed independently of the division into VSANs. A zone cannot span several VSANs.

Zoning regulates the access and flow of data between the devices. VSANs also permit the services provided in a sub-network to be isolated and "encapsulated" in the VSANs.

If only zoning is used, the entire hardware of the storage network forms a "security domain". If VSANs can be configured on the network hardware of the storage network, the hardware is logically divided into different "security domains". "Internal" domain mechanisms such as zoning and port binding can then be used in these domains.

Segmentation for iSCSI

Segmentation in the iSCSI storage network is performed in the storage device in the same manner as for a device connected through the FC-SAN. The only difference is in the connection assignment between the server and the storage device.

The iSCSI-HBA (Host Bus Adapter) is referred to as the initiator and the port on the storage device as the target. Using the management software supplied, they announce their existence using their IP address.

To ensure that the connection is established and to ensure the authenticity of the initiator (= server) and target (= hard disks), security protocols such as CHAP (Challenge Handshake Authentication Protocol)" or iSNS (Internet Storage Naming Service) are used internally.

Disks in the hard disk subsystem can be assigned to the connected computers using LUN binding and LUN masking, just like in FC-SANs.

Review questions:

© Federal Office for Information Security. All rights reserved.