
MASTER THESIS

Evaluation of Storage Area Network (SAN) security and performance

Siavash Hajirostam

Master thesis 15 ECTS

Halmstad, Sweden 2013


School of Information Science, Computer and Electrical Engineering Halmstad University

PO Box 823, SE-301 18 HALMSTAD Sweden

Evaluation of Storage Area Network (SAN) Security and Performance

Master Thesis in Computer Network Engineering

November 2013

Author: Siavash Hajirostam

Supervisor: Tony Larsson

Examiner: Tony Larsson


Evaluation of Storage Area Network (SAN) Security and Performance Siavash Hajirostam

© Copyright Siavash Hajirostam, 2013. All rights reserved.

Master thesis report IDE 1325

School of Information Science, Computer and Electrical Engineering Halmstad University


Preface

I would like to express my appreciation to my supervisor, Professor Tony Larsson, for the many useful discussions, comments and suggestions on this thesis, and my thanks also go to the staff of Halmstad University for giving me the opportunity to study in the computer network engineering program. Finally, my special thanks to my family for their encouragement and support during my studies.

Siavash Hajirostam
Halmstad, November 2013


Abstract

Due to the growing number of Information Technology (IT) users all around the world, the amount of data that needs to be stored is increasing day by day. Single attached disks and old storage technologies cannot manage the storing of these amounts of data. Storage Area Network (SAN) is a distributed storage technology that manages the data from several nodes in a centralized and secure place. This thesis investigates how SAN works and the file system and protocols that are used in the implementation of SAN. The thesis also investigates other storage technologies such as Network Attached Storage (NAS) and Direct Attached Storage (DAS) to figure out the advantages and disadvantages of SAN. The main focus of the thesis project is on identifying the security vulnerabilities in SAN, such as possible attacks on the different SAN protocols. The thesis finally identifies the performance factors in SAN to figure out how to improve the performance with respect to security solutions aimed at enhancing the security level in SAN.


Contents

Preface ... i

Abstract ... iii

1 Introduction ... 1

1.1 Societal and Ethical Aspects of SAN Technology ... 1

1.2 Problem ... 1

1.3 Thesis Goals ... 2

1.4 Thesis Questions ... 2

1.5 Thesis Methodology ... 2

1.6 Thesis Structure ... 2

2 Background ... 3

2.1 Storage Area Network (SAN) ... 3

2.1.1 Storage Area Network objectives ... 3

2.1.2 SAN File System ... 5

2.2 Storage Area Network protocols ... 6

2.2.1 Fibre Channel protocol (FC) ... 6

2.2.2 Fibre Channel Layers ... 7

2.2.3 Naming Mechanism in FC ... 9

2.2.4 Internet Small Computer System Interface (iSCSI) ... 9

2.3 Internet protocol over fibre channel SAN ...11

2.3.1 Fibre Channel over IP (FCIP) ... 12

2.3.2 Internet Fibre Channel Protocol (iFCP) ... 12

2.3.3 Internet Storage Name Services (iSNS) ... 13

2.4 ATA over Ethernet (AOE) ...13

2.5 Fibre Optic Cables ...13

2.5.1 Host Bus Adapter (HBA) ... 13

2.6 Network Attached Storages (NAS) ...14

2.7 Direct Attached Storage (DAS) ...14

3 Storage Area Network security issues ... 15

3.1 Storage Area Network access control ...15

3.2 Fibre Channel Storage Area Network attacks ...16

3.2.1 Session hijacking attack ... 17

3.2.2 Address Weakness attack ... 17

3.2.3 Man-In-The-Middle attack ... 17

3.2.4 Name Server Pollution attack ... 18

3.3 Internet Small Computer System Interface attacks ...18

3.3.1 Man-in-the-middle Attack ... 18

3.3.2 Internet Simple Name Server Domain Hopping ... 19

3.3.3 Authentication Attack ... 19

3.4 Fibre Channel security solutions ...19

3.4.1 Fibre Channel Zoning ... 20

3.4.2 Logical Unit Number masking ... 21


3.5.1 Challenge Hand Shake protocol ... 22

3.5.2 Remote Authentication Dial In User Services server ... 22

3.5.3 Kerberos V5 protocol ... 22

3.6 Results comparison ...23

4 Storage area network performance ... 24

4.1 Storage Area Network performance aspects ...24

4.1.1 Storage performance metrics ... 24

4.1.2 Redundant Array of Independent Disks ... 25

4.2 Internet Small Computer System Interface SAN performance ...25

4.2.1 TCP Offload Engine (TOE) ... 26

4.2.2 Back up task performance in iSCSI SAN ... 26

4.2.3 Caching in Storage Area Network ... 26

4.3 Fibre channel performance ...27

4.3.1 Performance comparison of SSL and IP Sec... 28

4.4 Results comparison ...29

5 Conclusion ... 31

6 References ... 34

7 Appendix ... 37

iSCSI SAN experiment ...37


1 Introduction

With the advancement of information and communication technology (ICT), the amount of data that needs to be transferred and stored on disks in computer network environments has grown enormously, from gigabytes in the early 1990s to exabytes in 2010. Many technologies have been developed to manage and handle this data traffic for use in networks of different scales such as LAN, MAN and WAN. Some examples of these technologies include Network Attached Storage (NAS), Direct Attached Storage (DAS) and Storage Area Network (SAN). A Storage Area Network (SAN) is a high speed network of storage devices and fabrics that connects to computers and servers to provide a shared pool of storage for different servers with different operating systems; all the servers around the network access the SAN storage like a locally attached disk.

SAN manages and stores data at high speed in a centralized place with ease of management. Security has always been the highest priority in such networks for network administrators working with the information and sensitive data of their companies. These networks encounter different attacks, and the storage devices on their own do not have any security features. Another important element for implementing SAN is the performance of the system. Knowledge about the key performance elements, as well as the advantages and disadvantages of this technology, is crucial to comprehend the dynamics between security and performance. Knowing the vulnerabilities is one of the critical tasks for making storage systems secure, and knowledge about security elements and solutions can help storage administrators to improve the level of security and reliability of a network. Security, performance and reliability make SAN a good solution for storing data in a larger scale network.

1.1 Societal and Ethical Aspects of SAN Technology

This thesis investigates SAN from security (including safe storage) and performance perspectives. The security issue is especially important for society, since it depends on the secure storage and communication of large amounts of data. The problem with the rapid growth of computer and communication technology and access to information is to guarantee that users' data are safe and secure from unauthorized access.

1.2 Problem

This thesis analyses the security and performance aspects of SAN technology; more specifically, the thesis addresses the security risks, vulnerabilities, performance factors and solutions for improving the security of SAN in relation to performance.


1.3 Thesis Goals

The main goal of this thesis is to find out the different security risks and attacks in SAN; to investigate methods that can improve security; and to compare the security aspects and performance factors of the different protocols that are used to implement SAN, such as iSCSI and FC, to find out which one is the most reliable and efficient in networks of different scales.

1.4 Thesis Questions

This thesis aims to answer the following questions:

- What are the security vulnerabilities and possible attacks in SAN?

- What are the performance improvement methods in the implementation of SAN?

1.5 Thesis Methodology

The methodology of this thesis is divided into a literature study part and a practical part. In the literature study part the different security methods of SAN are investigated, to find out the security solutions, vulnerabilities and attacks in the different SAN protocols, to compare the functionality of these protocols, and to find out the performance elements of SAN in the different SAN protocols in order to improve performance. In the practical part a model of an iSCSI based SAN is simulated to measure the performance and to find out some of the security vulnerabilities and the solutions that make an iSCSI SAN secure.

1.6 Thesis Structure

The rest of this thesis is organized as follows. Chapter two explains the functionality of SAN and the other technologies that are used in the storage area and compares them; it also explains the different protocols that are already used for implementing SAN and compares their working structure. Chapter three focuses on the security aspects of SAN and discusses the security risks, threats and vulnerabilities in SAN and the different types of attacks on each of the protocols that SAN is implemented on, such as iSCSI and FC, and reviews the defence method used for each of them to increase the level of security. Chapter four discusses the performance aspects of SAN and compares the performance elements of the SAN protocols and the effects of some security issues on the performance of the system. Chapter five contributes a set of conclusions from the thesis work. The Appendix shows the practical experiment of an iSCSI SAN using the open source operating system "Openfiler", for a deeper understanding of the functionality and security risks of an iSCSI SAN.


2 Background

Over the years storage network technology has faced significant changes, and many new innovations try to improve the level of service and reliability in the storage area. Information and data are an essential part of any company and business today. Besides storing the information generated by many applications, users need to access this information in a fast and reliable way. Most companies need more storage capacity day by day for storing their data; SAN is one of the storage technologies currently used in networks of different sizes for storing and accessing data at higher speed and in a reliable way.

2.1 Storage Area Network (SAN)

The Storage Network Industry Association (SNIA) defines a SAN as a network whose main purpose is to transfer data between servers and storage [3]. The network consists of several computers, servers and devices that are interconnected with each other; this infrastructure allows the different computers to communicate with each other [4]. The operation of each SAN consists of basic elements for communication, which manage the physical connections; management layers for organizing the available connections; and computer systems and storage devices for reliable and secure handling of data. SAN manages the data at the block level and thus not at the file level, keeping track of and allocating free space on disk to the data. SANs are used to make a high speed connection between storage and servers [3] [1].

2.1.1 Storage Area Network objectives

The main objectives that make SAN a popular solution for storage networks are: disk utilization, disaster recovery methods, availability of data and fast data backup ability. SAN helps users to use disk resources in a more efficient way: since all the disks in a SAN are kept together as one resource, the management of disks becomes easier and the disks work better and are more utilized, resulting in less waste of free space. One can therefore save power and increase the performance of the system. SANs are capable of adding or removing disks to expand the free space available to servers and applications; whenever an application needs more space it is thus easier to make free space available without turning servers down or powering them off to allocate free space to applications. SAN has good disaster recovery methods, by mirroring the data to another disk that is located in another place and also by using different types of Redundant Array of Independent Disks (RAID) to provide mirroring and data duplication. SAN improves the communication I/O by using fibre optic cables and gigabit Ethernet LAN, and also reduces the physical space needed for keeping storage devices and servers, because SAN handles the data management with a lower number of servers and a higher number of disks. SAN components consist of basic elements such as the connectivity part, which typically is fibre optic in FC and fast or gigabit Ethernet for iSCSI; hubs, switches, directors, connectors and routers are the main components of SAN. Components can be different storage devices, e.g. tape, Just a Bunch of Disks (JBOD), Enterprise Storage Servers (ESS), Serial Storage Architecture (SSA) and IBM DS family storage. Different servers in a SAN can use different operating systems such as Windows, UNIX and Linux. With the help of different communication techniques and communication protocols such as iSCSI and Fibre Channel over IP (FCIP), SAN allows storage management over long distances at high speed in a centralized and efficient way. Traditional storage devices work with SCSI connectors for communicating with the host, which limits the connection length to 25 meters, but SAN, by using fibre optic technology, overcame this limitation and extended it up to 10 kilometres, and increased the number of connections from 16 in SCSI to unlimited for FC [1], [8], [3].

Besides all these advantages of using SAN, some disadvantages also exist which make SAN a less suitable solution for small installations, since SAN devices are rather expensive and the personnel supporting these devices need good knowledge of the SAN architecture, a budget and certain types of equipment to support and troubleshoot them. SAN is not a good solution if you need a file server to store and share files and data with others in your entire network, because several cheaper ways exist to have a file server, such as using NAS or using the sharing features in Windows and UNIX operating systems. The cost of implementing a very simple and small SAN is around $100,000, so cost can always be an issue in deciding whether to use a technology; if a network does not have a large number of servers which need to work reliably with several applications and large amounts of data, SAN is not a good solution for small and medium sized companies [1], [8]. Figure 1 shows the basic components of SAN [35].

[Figure 1: SAN components. Servers (Windows, Windows mail server, UNIX server, Linux) connected through fabrics to the storages: disk arrays, LUNs and tape.]

Fig 1 - shows the SAN components [35]

DAS and NAS are other storage technologies for storing data, as cheaper and simpler alternatives to SAN. SAN members such as servers and clients around the network need to access the same data at the same time; a clustered file system is the technology used in a SAN so that multiple servers can access the same data at the same time. Figure 2 shows the architecture of a SAN in a network.

[Figure 2: SAN architecture. Servers (Mail Server, Application Server, Data Base Server; UNIX, NT, Windows, Netware) attached to the LAN/WAN and, through hubs/switches, to the SAN with its storage and tape.]

Fig 2 - shows the architecture of the network that uses SAN.

2.1.2 SAN File System

A technique for handling files is part of each operating system; for this purpose it also controls the allocations on disk and has the task of creating and modifying files and file directories. Each operating system uses its own file system, each with a different method and algorithm for allocating free space and creating and modifying files on disk. Clustering is the technology used by file systems to improve performance and traffic balancing on disks and to improve the availability of the system. Cluster file systems are used in storage technologies, e.g. SAN and NAS, that need to access the same data at the same time [11].

A storage device that connects to a server or computer cannot do anything alone; it is the file system that makes the relation between disk blocks and the operating system available, to modify, create or change any files on disk. Each file system has a table of information about the status of the disk blocks for managing and allocating disk blocks [12], [6], [2].

A SAN file system should enable any-to-any connection between all servers and all available disks in a SAN network. SAN in general is a shared disk technology and not a shared file system. All server members of a SAN that connect to the related shared disks should be able to modify and make changes to any files at any time without conflicting with the work of other server members, and this is not reachable with traditional file systems like File Allocation Table (FAT) and New Technology File System (NTFS) [13].


The cluster file system was developed to solve the communication problem with disk blocks. A cluster file system is a combination of traditional file systems (e.g. FAT, NTFS) with the ability to multicast over the network, using the inter-server connection between its members, to update all the members of the SAN about the changes that happened to disk blocks. The cluster file system is aimed to work as a shared file system between servers in a SAN and is also known as a SAN file system (SFS). If any node in the network fails or has a functionality problem, the other nodes on the network can continue their access to the blocks of data without any problem. Each file system consists of some basic elements, e.g. super blocks, inodes and blocks of data. The super block has the task of keeping the control information of the system, inodes keep information about individual files, and data blocks store the data of the files. File systems are located in the core of each operating system to manage disk block allocation for different applications and to share their resources with other applications [12], [6], [2], [14].

2.2 Storage Area Network protocols

A protocol is defined by a set of rules that enables the communication between two computers in any network; communication between two devices from different vendors becomes possible by using a protocol, because the protocol acts as the translator so that all the devices talk to each other in the same language. There are several protocols for the implementation of SAN; the common ones are Internet Small Computer System Interface (iSCSI) and Fibre Channel (FC).

2.2.1 Fibre Channel protocol (FC)

The Fibre Channel (FC) Protocol maps SCSI commands over FC. This protocol is primarily used for storage networking because FC can support gigabit bandwidth speeds on the network. This protocol became a standard through the International Committee for Information Technology Standards (INCITS) and the American National Standards Institute (ANSI); the invention of FC was mainly for use in an industrial environment and then it became a standard, unlike the SCSI protocol, which was mainly developed as a standard. Some people refer to FC as the fibre version of the old SCSI technology [3]. FC started out being used in supercomputers and mainframes, but because of the benefits of these standards it soon became a popular standard in SAN. FC supports two types of cables as communication media, fibre optic and twisted pair cables [5], [3].

FC allows data to be transferred at higher speed; the currently available speed on FC is up to 16 GB/sec, and there are several products and vendors in the market currently using the high speed advantages of FC. FC has multi-protocol support and it can carry the traffic of other protocols as well [3].

SCSI was mainly developed for making connections between computers and storage devices, as a good option for use in small scale networks. SCSI is used as a connection medium in DAS and carries and controls the blocks between the host and the attached device. Use of SCSI had some limitations for the companies who wanted to use it as the communication protocol; these limitations confined the growth of the organization's network in some aspects. Scalability is one of them: the other limitation in SCSI is the low number of devices that can be serviced at a time; the maximum number of attached devices in a bus topology that can be supported by SCSI is around fifteen, and because of the effect on the performance of the system this number can decrease to four or five. Another limitation of SCSI was the availability and reliability of the system. In SCSI, because of the large number of cables and connectors that are used for communication in the network, the probability of system failure is also high, and any failure in the server or in the cables that connect to the storage devices can cause a system failure and loss of connectivity and data to applications.

The other limitations of the SCSI protocol are related to the speed and distance that can be supported by this protocol; the maximum distance of 25 meters makes the SCSI protocol not a convenient solution for long distances. Device sharing in a bus topology was also another problem [3].

FC became a popular model of SAN because of the limitations of the previous technologies. FC overcame the limitations of I/O speed, flexibility and distance of the traditional protocols; in a SAN all hosts can see the storage like locally attached disks on the system, and multi-protocol support is another advantage of SAN. FC has two types of cables for shorter and longer distances: fibre optic cable can manage the connectivity for the longer distances and copper cable is used for shorter distances, and the characteristics of FC make it compatible with a wide variety of devices that support FC [5], [3].

By the definition of the American National Standards Institute (ANSI), FC is a multilayer network protocol. Like other types of network protocol standards, FC can send information in packet or frame formats. The FC hardware allows the delivery of packets in high performance mode. To overcome the distance and speed limitations, the FC protocol uses the serial transfer method instead of the parallel one. There are two nodes playing roles in FC, source and destination; the source is a device such as a server, PC or mainframe, and the destination can be a disk or tape drive. The FC protocol is a flexible protocol that can support a wide variety of devices and technologies [3], [5].

FC has the ability to deliver data as fast as the destination is capable of receiving it. FC uses a combination of traditional I/O technologies with the benefits of networking, and this combination makes FC capable of transferring large amounts of data at high performance and speed. FC is a reliable protocol with the lowest error probability and has the ability to guarantee the data delivery from the source node to the destination. FC is a flexible protocol that can support different types of data, e.g. audio and video. The number of devices that can be addressed by FC is unlimited. FC, with these capabilities and advantages, except for implementation cost, can be a preferable option for implementing SAN in a larger scale network [15], [5].

2.2.2 Fibre Channel Layers

FC consists of five layers in two sections, and each of these layers has its own responsibilities. Figure 3 shows the layered architecture of the FC protocol.


Upper layers
  FC-4  Protocol mapping layer (multimedia/channels/networks)
  FC-3  Common services

Physical layers
  FC-2  Signaling protocol (framing and flow control)
  FC-1  Transmission protocol (encode/decode)
  FC-0  Physical interface and media

Fig. 3. FC protocol architecture that shows the different layers of the FC protocol

According to figure 3, the FC protocol divides into two sections, the upper layers and the lower ones, called the physical layers. Layer FC-0, known as the physical interface, includes the cabling elements, connectors and electrical parts. FC-1, known as the transmission protocol, has the task of providing a method for reaching the maximum length of the code. FC-2 is known as the signalling and framing protocol; the task of this layer is to provide reliable communication, and layer FC-2 is separate from the upper layers. These three layers together make up the Fibre Channel physical and signalling interface. In the upper section we have two other layers, starting with FC-3, known as common services; the task of this layer is the function definition of single nodes. FC-4 is the last layer and is known as the protocol mapping layer; the task of this layer is to transport two different types of protocol over the same interface [5], [3].

Each FC frame has a limit on its data length, which should be at most 528 words or 2112 bytes. For transmitting larger files, FC divides them into several frames, increasing the number of frames by growing the sequence count, and then makes the exchange. Figure 4 shows the architecture of the FC frame [3].

| SOF (32 bit start of frame) | 24 bit destination port address | 24 bit source port address | control information words | frame payload (0-2112 bytes) | CRC | EOF (end of frame) |

Fig 4 - FC frame architecture shows the different segments of each FC frame [3]
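As an added example (not part of the thesis), the following Python builds and parses frames laid out as in Figure 4 and enforces the 0-2112 byte payload limit; a receiver that rejects oversize, misaligned or CRC-failing frames before acting on the 24-bit source and destination addresses has a first line of defence against malformed traffic. Assumptions: the six-word header layout (R_CTL/D_ID, CS_CTL/S_ID, TYPE/F_CTL, SEQ_ID/DF_CTL/SEQ_CNT, OX_ID/RX_ID, Parameter), TYPE 0x08 for FCP and R_CTL 0x06 for an unsolicited command are the FC-FS values, not stated by the thesis; the CRC uses zlib.crc32 as a stand-in for the FC CRC-32 (whose bit ordering differs), and SOF/EOF are modelled as constructed 4-byte markers rather than the real ordered sets.

```python
"""Build and sanity-check Fibre Channel frames laid out as in Fig. 4.

Added example, not from the thesis. Header word layout follows FC-FS; the
CRC here is zlib.crc32 over header+payload as a stand-in (assumption), and
SOF/EOF are constructed 4-byte markers, not the real ordered sets.
"""
import struct
import zlib

SOF_MARKER = b"SOF\x00"   # constructed stand-in for the 32-bit start-of-frame
EOF_MARKER = b"EOF\x00"   # constructed stand-in for the end-of-frame
HEADER_LEN = 24           # six 32-bit control-information words
MAX_PAYLOAD = 2112        # 528 words, the limit quoted in the text
MIN_FRAME = 4 + HEADER_LEN + 4 + 4   # SOF + header + CRC + EOF, empty payload


class FrameError(ValueError):
    """Raised when a frame violates the delimiter, length or CRC rules."""


def parse_frame(raw: bytes) -> dict:
    """Split a raw frame into its fields, rejecting malformed input."""
    if len(raw) < MIN_FRAME:
        raise FrameError("frame shorter than SOF+header+CRC+EOF")
    if raw[:4] != SOF_MARKER or raw[-4:] != EOF_MARKER:
        raise FrameError("missing SOF or EOF delimiter")
    body = raw[4:-4]                         # header + payload + CRC
    header, rest = body[:HEADER_LEN], body[HEADER_LEN:]
    payload, crc_bytes = rest[:-4], rest[-4:]
    # Payload must fit the 0-2112 byte range and be a whole number of words.
    if len(payload) > MAX_PAYLOAD:
        raise FrameError(f"payload {len(payload)} exceeds {MAX_PAYLOAD} bytes")
    if len(payload) % 4:
        raise FrameError("payload is not a whole number of 32-bit words")
    # CRC covers header and payload (stand-in algorithm, see module docstring).
    expected = zlib.crc32(header + payload) & 0xFFFFFFFF
    (got,) = struct.unpack(">I", crc_bytes)
    if got != expected:
        raise FrameError("CRC mismatch: frame corrupted or altered in transit")
    w0, w1, w2, w3 = struct.unpack(">4I", header[:16])
    return {
        "r_ctl": w0 >> 24,
        "d_id": w0 & 0xFFFFFF,          # 24-bit destination port address
        "cs_ctl": w1 >> 24,
        "s_id": w1 & 0xFFFFFF,          # 24-bit source port address
        "type": w2 >> 24,
        "f_ctl": w2 & 0xFFFFFF,
        "seq_id": w3 >> 24,
        "seq_cnt": w3 & 0xFFFF,
        "payload": payload,
    }


def is_well_formed(raw: bytes) -> bool:
    """True when parse_frame accepts the frame, False on any FrameError."""
    try:
        parse_frame(raw)
        return True
    except FrameError:
        return False


def build_frame(d_id: int, s_id: int, payload: bytes,
                r_ctl: int = 0x06, ftype: int = 0x08) -> bytes:
    """Assemble a frame. Defaults: R_CTL 0x06 (unsolicited command), TYPE 0x08 (FCP)."""
    if not 0 <= d_id < 1 << 24 or not 0 <= s_id < 1 << 24:
        raise FrameError("port addresses are 24-bit")
    # Words: R_CTL|D_ID, CS_CTL|S_ID, TYPE|F_CTL, SEQ_ID|DF_CTL|SEQ_CNT,
    # OX_ID|RX_ID (0xFFFF = unassigned), Parameter.
    header = struct.pack(">6I", (r_ctl << 24) | d_id, s_id, ftype << 24,
                         0, 0xFFFFFFFF, 0)
    crc = struct.pack(">I", zlib.crc32(header + payload) & 0xFFFFFFFF)
    return SOF_MARKER + header + payload + crc + EOF_MARKER


def fcid(addr: int) -> str:
    """Render a 24-bit port address as six hex digits (domain/area/port)."""
    return f"{addr:06x}"


if __name__ == "__main__":
    frame = build_frame(0x010200, 0x010300, b"\x00" * 32)   # constructed sample
    info = parse_frame(frame)
    print("D_ID", fcid(info["d_id"]), "S_ID", fcid(info["s_id"]),
          "payload", len(info["payload"]), "bytes")
```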


2.2.3 Naming Mechanism in FC

All nodes and ports that are used in an FC SAN have a specific 64-bit address used for their identification. Manufacturers assign this address to the FC hardware, and when these addresses are used internationally all around the world they become unique and are called World Wide Names (WWN); the address assigned to a port is called the World Wide Port Name (WWPN) and the address assigned to a node is known as the World Wide Node Name (WWNN). Each WWN address consists of different parts, and each part contains different information: the name part represents the manufacturer, another part refers to the address type, and another part is assigned by the manufacturer to ports and nodes. Each WWN address is written as pairs of hex digits, like <07:33:11:54:65:00:D5:A0>. There are some other addressable devices such as disk drives, RAID controllers and logical drives; an 8 byte address created by the FC protocol, known as a Logical Unit Number (LUN), is assigned to them and refers to a specific drive [5].
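As an added example (not part of the thesis), the following Python splits a WWN into the parts described above and canonicalises the many textual spellings of one WWN; zoning and LUN masking later in the thesis compare WWPNs, and a comparison on raw text instead of a canonical form lets one port appear under two identities. Assumptions: the layouts keyed on the leading NAA nibble (1, 2 and 5) are the IEEE/T11 NAA formats, which the thesis does not spell out; the sample WWNs other than the thesis's own are constructed.

```python
"""Decompose and canonicalise Fibre Channel World Wide Names (WWN).

Added example, not from the thesis. The NAA layouts below (IEEE 48-bit,
IEEE extended, IEEE registered) are the standard T11 formats; the first
hex nibble selects the layout, then come the manufacturer OUI and the
vendor-assigned bits.
"""
import re

# NAA nibble -> (format name, high/padding bits, OUI bits, vendor-assigned bits)
# The three bit counts always sum to the 60 bits that follow the NAA nibble.
_NAA_LAYOUT = {
    1: ("IEEE 48-bit", 12, 24, 24),
    2: ("IEEE extended", 12, 24, 24),
    5: ("IEEE registered", 0, 24, 36),
}


def canonical_wwn(text: str) -> str:
    """Normalise '10:00:..', '1000..', '0x1000..', '10-00-..' to 'xx:xx:..' lowercase.

    Raises ValueError when the input is not exactly 64 bits of hex.
    """
    hexdigits = re.sub(r"^0x|[:\-\s]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{16}", hexdigits):
        raise ValueError(f"not a 64-bit WWN: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 16, 2))


def same_port(a: str, b: str) -> bool:
    """Compare two WWPNs by canonical form rather than by raw text."""
    return canonical_wwn(a) == canonical_wwn(b)


def parse_wwn(text: str) -> dict:
    """Split a WWN into NAA type, manufacturer OUI and vendor-assigned part.

    Unknown NAA nibbles are reported as unrecognised instead of guessed at,
    so a caller can refuse to enrol such a name into an access list.
    """
    canon = canonical_wwn(text)
    value = int(canon.replace(":", ""), 16)
    naa = value >> 60
    if naa not in _NAA_LAYOUT:
        return {"wwn": canon, "naa": naa, "recognised": False}
    name, high_bits, oui_bits, vendor_bits = _NAA_LAYOUT[naa]
    rest = value & ((1 << 60) - 1)               # the 60 bits after the nibble
    vendor = rest & ((1 << vendor_bits) - 1)
    oui = (rest >> vendor_bits) & ((1 << oui_bits) - 1)
    high = rest >> (vendor_bits + oui_bits)      # padding or vendor-specified
    return {
        "wwn": canon,
        "naa": naa,
        "format": name,
        "oui": f"{oui:06x}",
        "vendor_assigned": f"{vendor:0{vendor_bits // 4}x}",
        "high_bits": high,
        "recognised": True,
    }


if __name__ == "__main__":
    # Constructed sample WWPN plus the example WWN quoted in the thesis.
    for sample in ("10:00:00:11:22:33:44:55", "07:33:11:54:65:00:D5:A0"):
        print(parse_wwn(sample))
```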

2.2.4 Internet Small Computer System Interface (iSCSI)

The proposal for the iSCSI protocol was developed in the Internet Engineering Task Force (IETF) by IBM and Cisco. The first idea of this protocol was to implement a single IP-based network for multipurpose tasks such as storage systems, data sharing, access to web services, mail services, voice and video [10].

The different elements of an iSCSI SAN are summarised as follows:

Initiator: The initiator is software that is part of the operating system, transferring the SCSI commands over the IP network from the host to the target.

iSCSI target: The target is software that replies to requests from the host initiator.

iSCSI management: software that does the discovery of devices around the network, applies the policies and performs tasks on the storage such as partitioning, mapping and volume management.

The iSCSI requests are encapsulated into TCP/IP to be transferred over the network. iSCSI works on SCSI level 3, called SCSI-3. Mainly the iSCSI protocol works based on a client/server model in which the client is known as the initiator and the server as the target. Two types of transport exist in iSCSI, inbound and outbound: inbound refers to the connection from initiator to target and outbound refers to the connection from target to initiator. Figure 5 shows the iSCSI packet format and its functionality [3], [33].

FIG 5 - iSCSI packet format shows the architecture of the iSCSI packet [3]

The naming and discovery mechanism in iSCSI works with different methods: sending target commands to verify the iSCSI server is used in small networks, and for larger networks an iSNS server or the Service Location Protocol (SLP) with multicasting ability is used. Using iSCSI is very common in data centres for local access to storage pools, and it is also convenient for situations that need remote access to storage for disk management or backup and recovery of data [3].

The naming mechanism works based on an identifier called the World Wide Unique Identifier (WWUI) for the identification of initiators and targets. The WWUI is a part of the iSCSI address, whose format is (<IP address>:[<port no>]/<WWUI>). The IP address part can be IPv4 or IPv6 or a domain name, the port part is a TCP port number, and the WWUI part is different for each device; it is unique and set by the manufacturer [10].
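As an added example (not part of the thesis), the following Python parses the <IP address>:[<port no>]/<WWUI> form given above, classifying the host part as IPv4, IPv6 or domain name and refusing the one ambiguous case, an unbracketed IPv6 literal followed by a port. Assumptions: the square-bracket convention for IPv6 literals and the default TCP port 3260 are the usual iSCSI conventions, not something the thesis states; all sample addresses and WWUI strings are constructed.

```python
"""Parse iSCSI addresses of the form <IP address>:[<port no>]/<WWUI>.

Added example, not from the thesis. Bracketed IPv6 literals and the
default port 3260 are assumptions taken from common iSCSI practice.
"""
import ipaddress
import re

ISCSI_DEFAULT_PORT = 3260   # assumed default when the optional port is absent

# One or more DNS labels: letters, digits, inner hyphens, 63 chars per label.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def classify_host(host: str) -> str:
    """Return 'ipv4', 'ipv6' or 'domain'; raise ValueError otherwise."""
    try:
        return "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    except ValueError:
        if _HOSTNAME_RE.match(host):
            return "domain"
        raise ValueError(f"not an IP address or domain name: {host!r}")


def parse_iscsi_address(text: str) -> dict:
    """Return host kind, host, port and WWUI; raise ValueError on bad input."""
    if "/" not in text:
        raise ValueError("missing '/<WWUI>' part")
    location, wwui = text.split("/", 1)
    if not wwui:
        raise ValueError("empty WWUI")
    if location.startswith("["):
        # Bracketed IPv6 literal: [addr] or [addr]:port
        end = location.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 literal")
        host, tail = location[1:end], location[end + 1:]
        if tail == "":
            port_text = ""
        elif tail.startswith(":"):
            port_text = tail[1:]
        else:
            raise ValueError("unexpected text after IPv6 literal")
    else:
        # host or host:port; a bare IPv6 literal cannot be told apart from
        # host:port once a second ':' appears, so insist on brackets then.
        if location.count(":") > 1:
            raise ValueError("bare IPv6 must be bracketed when a port may follow")
        host, _, port_text = location.partition(":")
    port = int(port_text) if port_text else ISCSI_DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return {"kind": classify_host(host), "host": host, "port": port, "wwui": wwui}


def is_valid_iscsi_address(text: str) -> bool:
    """True when parse_iscsi_address accepts the string, False on ValueError."""
    try:
        parse_iscsi_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses; the WWUI values are placeholders.
    for sample in ("192.168.10.5:3260/wwui-constructed-0001",
                   "[2001:db8::10]/wwui-constructed-0002",
                   "2001:db8::10:3260/wwui-constructed-0003"):
        print(sample, "->", parse_iscsi_address(sample)
              if is_valid_iscsi_address(sample) else "rejected")
```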

The iSCSI protocol has some advantages in the connectivity of iSCSI devices: iSCSI supports a wide variety of storage technologies such as SAN and DAS, lets such devices work together with the LAN, and shares some devices with them. It supports longer distance connectivity at lower cost and has more availability and flexibility in implementation in comparison with FC SAN.

The availability of infrastructure is another advantage of this protocol; iSCSI works based on the TCP/IP protocol, and most companies already have an IP based infrastructure, so there is no need to equip the network with new devices like FC switches, which are expensive. The compatibility of devices that use the TCP/IP protocol in storage networks is greater than for FC.


The backup task is controlled and managed by an external server that manages the backup plan with the initiator that connects to the iSCSI target. Management of iSCSI devices is like that of direct attached SCSI devices, and much IP based management software exists in IP networks for controlling and monitoring the traffic flow of storage. The cost of implementation is another area where iSCSI is lower than FC, because the IP network devices it needs, such as switches, connectors and network cards, already exist in most network infrastructures [10], [33]. Figure 6 shows a simple comparison between different SAN protocols and NAS.

[Figure 6: three panels, FCP SAN, NAS and iSCSI SAN. FCP SAN: database application, block I/O, SCSI protocol over the FC network, pooled storage. NAS: database application, block I/O converted to file I/O protocols (CIFS/NFS) over the IP network, file I/O to block I/O, pooled storage. iSCSI SAN: database application, block I/O, iSCSI protocol over the IP network, pooled storage.]

FIG 6 - The simple comparison between different SAN protocols and NAS [10]

2.3 Internet protocol over fibre channel SAN

SAN uses IP technologies to add benefits to its features: sharing and isolation become easier with the use of IP networks, allowing management and replication from a remote point and remote access to the devices for applying configuration changes to the storage. An IP network helps SAN to provide lower cost and longer distance compared with FC, by using the benefits of both TCP/IP and FC together [4], [5].

There are other protocols that work with SAN; these protocols are combinations of iSCSI and FC. They use the speed and performance of FC and the flexibility of iSCSI together. These protocols are Fibre Channel over IP (FCIP), Internet Fibre Channel Protocol (iFCP) and ATA over Ethernet (AOE).


2.3.1 Fibre Channel over IP (FCIP)

This protocol uses tunnelling to transfer packets over the TCP/IP network. FCIP tunnels fibre channel packets over the IP network by encapsulating the fibre channel frames into a TCP/IP socket. FCIP does not apply any changes to the packets; it just encapsulates them in IP and then transmits them over TCP/IP [3].

Tunnelling is a mechanism that allows the data traffic of one network to be sent over another network. Such mechanisms encapsulate protocols within packets in order to transmit them over the second network. Figure 7 shows the architecture of FCIP [3].

[Figure 7: FCIP frame layout. The FC frame (SOF start of frame, FC header, SCSI data, CRC, EOF end of frame) is carried unchanged as the IP payload, preceded by the IP header and followed by a CRC.]

FIG 7 - FCIP protocol architecture, showing the functionality of FCIP [3]

2.3.2 Internet Fibre Channel Protocol (iFCP)

iFCP, also known as a gateway-to-gateway protocol, provides the services of fibre channel devices from the fabric over IP. iFCP has several capabilities such as error detection, recovery and control of the flow of network data traffic through the TCP/IP protocol. iFCP allows connections between fibre channel devices over the IP based network and uses a mapping of the FC header to TCP. iFCP also uses the Internet Storage Name Service (iSNS) as its naming and discovery method. Figure 8 shows the architecture of the iFCP protocol [4], [5].

[Figure 8: iFCP frame layout. The FC frame (SOF start of frame, FC header, SCSI data, CRC, EOF) is mapped into an IP packet consisting of IP header, TCP header, IP payload (FC frame) and CRC.]

FIG 8 - iFCP frame, showing the functionality of the iFCP frame [4]


2.3.3 Internet Storage Name Services (iSNS)

iSNS is a name discovery service implemented on a storage network; it has the ability to discover, manage and configure the storage devices for both iSCSI and FC.

2.4 ATA over Ethernet (AOE)

AOE is another network protocol, developed by the company Coraid, for providing simple and high performance access to storage devices over the data link layer; thus this protocol cannot support any IP based routing protocol or service.

AOE is not a complex protocol and it is easy to implement and configure; the cost of implementing AOE is five to eight times less than the price of other storage protocols, and from a performance point of view AOE can be a good solution for virtualization of servers and storage. AOE has some disadvantages that make this technology unpopular in enterprise networks: AOE is a single vendor protocol, which confines the implementation options; AOE does not support a sequencing mechanism for differentiating between different requests in Ethernet frames; the protocol does not support retransmission for recovery or packet loss detection; and it does not have any strong security mechanism to apply to the network, the only supported security feature being MAC address filtering, which attackers can easily spoof and sniff [16], [17].

2.5 Fibre Optic Cables

The main communication medium between source and destination in FC SAN is fibre optic cable. Fibre optic cables are made from a special kind of glass called silica, and their thickness is like that of a hair. Light enters from one side of the fibre and exits from the other side. The maximum power that can be sent through a fibre optic cable is 0.5 watts. Fibre optic cables are available in two types, single mode and multi-mode. FC SAN can be implemented with both fibre optic and copper cables. Fibre optic cables are noiseless, but dust and dirt can affect their functionality; in general fibre optic cables have better performance compared with Ethernet cables [5], [9].

Multimode fibre optic cables are used for shorter distances and single mode for longer distances. FC SAN works with both types of fibre optic cable. Fibre optic cables work with short and long wave lasers: the shortwave laser works only with multimode fibre, while the long wave laser can work with both types, single mode and multimode. The core size of multimode cables is 50 or 62.5 micron and the core size of single mode cables is around 8.3 micron [9], [4].

2.5.1 Host Bus Adapter (HBA)

An HBA is a network interface used to make connections between fabrics and storage in an FC-based SAN. The HBA converts signals from parallel to serial and transmits them through the SAN. HBAs have one or more ports; choosing the right HBA vendor is an important task in implementing a SAN because some HBAs are not compatible with some SAN devices [3], [4].


2.6 Network Attached Storage (NAS)

NAS is defined as a hard disk drive that is connected to the network. NAS consists of one or more hard disks bundled together. NAS is a shared storage that connects to the network and is accessible directly over the local area network (LAN) by any of the users or servers attached to the network; it works like a file server that stores and shares data over the network. The main function of a NAS is file sharing over the Internet Protocol (IP) network. Data can be sent or received over the TCP/IP protocol [36], [1].

NAS works with file level access to data and supports different operating systems for sharing and accessing files on the shared storage. Two protocols exist for implementing NAS so that it is compatible with different operating systems: Network File System (NFS), which belongs to the UNIX operating system, and Common Internet File System (CIFS) for the Windows operating system. Access to files in NAS is limited by the speed of the Local Area Network (LAN), and access sometimes becomes impossible because of delays or bottlenecks in the network; companies that need equipment with better performance and need to transfer larger amounts of data, such as rendering movies or online transactions, often switch from NAS to SAN. SAN is compatible with MAC, UNIX, LINUX and Windows [36], [34], [1].

2.7 Direct Attached Storage (DAS)

DAS is a dedicated disk or any kind of storage device that connects directly to the host or server. DAS can be a good solution for small businesses that need a low cost solution to expand their storage capacity. DAS is not a network storage technology like SAN or NAS and uses point-to-point connectivity with the server. The connection media in DAS can be fibre optic or SCSI connectors, and the point-to-point topology is the simplest way of communication that exists in storage systems. Access to stored data on DAS is directly through the server; if for any reason the server shuts down or the power turns off, the applications and users who work with DAS do not have access to the data. DAS also works with block level access to storage. DAS can be an economical solution for applications such as accounting, mail servers, or any kind of database program such as Microsoft SQL. There is some research comparing different companies that use DAS and SAN as their storage technology, and the results show that for those who used DAS the disk utilization was around 40% or less, while for those who used SAN it was around 80%, so the disk utilization rate in a SAN is better than in DAS. DAS is a cost effective solution but it is not scalable, and if the amount of data increases it cannot be a good solution for handling the data traffic [8].


3 Storage Area Network security issues

Storing data and keeping it available is an important issue in the IT world today. After investigating the architecture of SAN to see its functionality, the types of file system and protocols used in SAN, and the objectives of this technology, this chapter gives an overview of security attacks and investigates the defence methods in SAN technology. SAN has some vulnerabilities that need to be verified; because of the sensitivity of the stored data, storage administrators need to apply good security configuration on their network to achieve the highest level of security and availability of data.

SAN is implemented on two protocols that were mentioned earlier, iSCSI and FC, and both have their own security attacks and vulnerabilities. Security is not just doing one task or applying a customised security policy to the network; security is like a chain in which each link has a special responsibility for improving security.

3.1 Storage Area Network access control

To increase the security level in SAN we need to verify the security risks and vulnerabilities of stored data and of communications between SAN elements. Access control methods in the SAN are:

Authentication: used to identify the person, software or hardware that has permission to use the system. Authentication does not exist by default in SAN. Most of the people who work with storage thought that security exists somewhere else in the network and that there is no need to worry about security features in storage and in new technologies such as SAN. Authentication is not inherent in SAN, but it can be provided through other applications such as SAN management software and applications that have access to control SAN devices; authentication models such as Diffie-Hellman Challenge Handshake Protocol (DH-CHAP), Fibre Channel Authentication Protocol (FCAP) and Fibre Channel Security Protocol (FC-SP) provide security for different connection types such as switch-to-switch, node-to-node and node-to-switch connections [7].

Authorization: authorization is used for verifying the level of access to devices in a SAN and is provided by the WWN address of the node or port, known as WWNN and WWPN [7].

Encryption: encryption by default does not exist in most storage devices, but it can be provided by using some third party applications; in general there is no encryption method in layers 0 to 4 of FC [7].

Availability: checking the availability of devices is similar to QoS and exists in layer 2 of FC, known as error control on frames. Availability and the ability to detect and control errors is one of the essential tasks in implementing a SAN [7].


3.2 Fibre Channel Storage Area Network attacks

All communications in FC are transmitted in clear text; low level security and clear-text communication make SAN insecure and vulnerable to attacks.

SAN does not have any encryption method at frame level, but not having an encryption method is not a big problem, because encryption at frame level puts load on a system and decreases its performance. Lack of security and clear text communication help attackers to gain information more easily.

The information in an FC SAN that attackers try to gain is listed below [7]:

- Domain identification

- Switch name server information

- sequence ID

- WWN (world wide name)

- FC layer 2 frame information

- 24 bit address

- route information

- management information

- session control number

Hacking in SAN is known as having unauthorized access to information and stored data or access to the management console of the SAN. Common attack types in FC SAN are [7], [30]:

- session hijacking

- LUN masking attacks

- Man In The Middle Attack (MITM)

- name server pollution

- WWN spoofing

- zone hopping

- switch attack

There are some security weaknesses in different parts of FC SAN that increase vulnerability: a weakness in sequences causes session hijacking attacks in SAN, weaknesses in fabric addresses cause MITM attacks, weaknesses in Fabric Login (FLOGI) and Port Login (PLOGI) cause name server pollution, weaknesses in the HBA can be a cause of WWN spoofing and LUN masking attacks, and weaknesses in the FC switch fabric can cause zone hopping attacks [7].

FC and IP based SAN have several attacks in common; most of them are in layer 2 of FC, known as the frame and flow control layer, and in layers 2 and 3 of IP SAN, known as the data link and network layers. Layer 2 of FC contains a 24 bit frame header that stores several main pieces of information about the frame, which helps attackers gain access to the SAN more easily. Figure 9 shows the content of the 24 bit address.


FIG. 9 - 24 bit frame header architecture, showing the 24 bit address [7]

3.2.1 Session hijacking attack

Accessing the session between two trusted nodes by an untrusted third party attacker, in order to gain control of the connection between them, is known as a session hijacking attack.

Each session consists of two identification parts, sequence ID and sequence Count; the same responsibilities of these two elements also exist in FC, known as the Initial Sequence Number (ISN). Telnet hijacking is one example of this type of attack. Session hijacking was first developed in IP based networks because of the weaknesses of the ISN in the TCP header, but some types of session hijacking attack also exist in FC SAN because of the weak authentication method for verifying the participants, or the two nodes, for authorized access. Session hijacking happens because of weaknesses in the sequence. This attack has a higher risk for the system, and strong sequence ID and sequence Count can be used in order to confine the risk of this type of attack [7].

3.2.2 Address Weakness attack

Another attack in FC SAN that causes denial of service and damages the system is due to weaknesses in the 24 bit address. The 24 bit fabric address is used for routing between storage elements and as SAN node information in the name server, which is a kind of name database in SAN; the name server uses the 24 bit addresses to link to the 64 bit WWN address and to check authorization between LUNs and WWNs for access to them. The 24 bit address is an essential part of identification in some of the security methods in SAN such as hard and soft zoning, so changing the 24 bit address affects the functionality of the SAN and causes denial of service [7], [30].

There are three types of login in FC SAN: Port Login (PLOGIN), Fabric Login (FLOGIN) and Node Login (NLOGIN). FLOGIN is the process by which a node logs in to the fabric, and PLOGIN is the process by which the node registers its 24 bit address in the name server [30], [7].

3.2.3 Man-In-The-Middle attack

A Man in the Middle Attack (MITM) is an attack in which untrusted third party attackers try to intercept the communication between two trusted participants and redirect it in the wrong direction without the participants' awareness. In FC SAN this attack is used for spoofing the 24 bit address and the nodes' WWN. The risk level of this attack is low; in this attack an unauthorized person or node tries to gain access to untrusted frames. MITM was first introduced in IP networks, and its probability in FC is lower than in IP networks; the security risk of this attack is lower in FC than in iSCSI. To perform an MITM attack in FC SAN, the malicious node needs to change its own 24 bit address to the address of the target. Most of the time MITM happens in the PLOGIN session because of the lack of authentication; it also happens when a name server wants to update its information, when the malicious node sends fake PLOGIN frame information to the name server in order to register the 24 bit address of the target to the WWN of the attacker. Improving security against MITM attacks is a hard task and needs good knowledge of the FC architecture; using a strong authentication method in PLOGIN and FLOGIN can decrease the risk of this attack [7].

3.2.4 Name Server Pollution attack

In this attack, the attacker tries to corrupt the information on the name server and replace it with wrong information from the attacker node; when other nodes want to communicate with the target, the traffic is redirected to the wrong address, the malicious node, because the attacker changes its own 24 bit address information to the WWN of the target. The risk level of this attack is high because attackers can gain sensitive data with it. Improving the security level against this attack is not a hard task, but it needs good knowledge of the FC protocol. The way to reduce the risk of this attack is to examine the PLOGIN frames when they want to update their information on the name server, so that they cannot interfere with and change the information tables on the name server [7].

3.3 Internet Small Computer System Interface attacks

The iSCSI SAN transfers SCSI commands over IP networks, so the security risks of iSCSI SAN are the same as those of IP networks plus the specific security attacks that apply to iSCSI SAN [20].

3.3.1 Man-in-the-middle Attack

To perform an MITM attack, an attacker needs some information about the architecture of the network. The first step is finding the iSNS server address by using third-party sniffing software on TCP port 3205; after finding the iSNS server address the attacker tries to replace it with a fake address to redirect all network traffic to the fake address. By doing this the attacker controls registration requests from clients and targets and has access to apply changes in domain sets and to remove or change security policies and settings in authentication and encryption methods [7].

Authorization in iSCSI SAN is done with the initiator node name; the architecture of the initiator node name is shown in figure 10. Each part of the address contains information about that node, such as type, date, domain name and host name.

Information is transmitted in clear text; thus, attackers can easily sniff and change it using network analyser tools by monitoring the traffic on TCP port 3260. This information can be used to gain access to iSCSI devices on the network [7], [30].

[Figure 10: structure of the initiator node name, using the example Iqn.2013-05.com.aum:exchange-backup: type (iqn), date (2013-05), reverse domain name of the naming authority (com.aum), host name (exchange-backup).]

FIG. 10 - initiator node name architecture [7]

3.3.2 Internet Simple Name Server Domain Hopping

A hopping attack on the iSNS server is like VLAN or zone hopping. The IQN includes the domain and host name of the initiator; an attacker who knows this information and changes their IQN to the IQN of the target causes the iSNS server to update its information table with the wrong, spoofed data from the attacker, which causes denial of service and gives the attacker authorized access to sensitive information of the organization [7].
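As an added example (not code from the thesis or from any vendor), the following Python parses the iSCSI address format from section 2.2 and the initiator node name (IQN) of figure 10, and sketches a registration audit that reports an IQN re-registered from a different source address, the table update that the domain hopping attack relies on. The audit class, the assumed default port and the sample names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not code from the thesis. IQN layout as in figure 10:
#   iqn.<yyyy-mm>.<reverse domain of naming authority>[:<host name>]
IQN_RE = re.compile(
    r"^iqn\.(?P<date>\d{4}-(?:0[1-9]|1[0-2]))"
    r"\.(?P<authority>[a-z0-9]+(?:[.-][a-z0-9]+)*)"
    r"(?::(?P<host>\S+))?$",
    re.IGNORECASE,
)

# iSCSI address layout from section 2.2: <IP address>:[<port no>]/<WWUI>
# The host may be an IPv4 address, a bracketed IPv6 address or a domain name.
ADDR_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\s\[\]]+)(?::(?P<port>\d+))?/(?P<wwui>\S+)$"
)
ISCSI_DEFAULT_PORT = 3260  # TCP port named in section 3.3; assumed when omitted


@dataclass(frozen=True)
class Iqn:
    prefix: str             # always "iqn" for this name type
    date: str               # yyyy-mm
    naming_authority: str   # reverse domain name, e.g. com.aum
    host: Optional[str]     # host name after the colon, if present

    def canonical(self) -> str:
        """Lower-cased form used as a table key so case variants map to one entry."""
        base = f"{self.prefix}.{self.date}.{self.naming_authority}"
        return (f"{base}:{self.host}" if self.host else base).lower()


def parse_iqn(name: str) -> Iqn:
    """Split an iSCSI qualified name into its parts; reject malformed names."""
    m = IQN_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a valid IQN: {name!r}")
    return Iqn("iqn", m.group("date"), m.group("authority").lower(), m.group("host"))


def is_valid_iqn(name: str) -> bool:
    try:
        parse_iqn(name)
        return True
    except ValueError:
        return False


def parse_iscsi_address(address: str) -> Tuple[str, int, Iqn]:
    """Return (host, port, wwui) for an address in the <host>:[<port>]/<WWUI> format."""
    m = ADDR_RE.match(address.strip())
    if m is None:
        raise ValueError(f"not a valid iSCSI address: {address!r}")
    host = m.group("host")
    if host.startswith("["):
        host = host[1:-1]  # strip the IPv6 brackets
    port = int(m.group("port")) if m.group("port") else ISCSI_DEFAULT_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port, parse_iqn(m.group("wwui"))


class RegistrationAudit:
    """Hypothetical defender-side check over iSNS-style registrations.

    Keeps the first source address seen for each IQN and reports a later
    registration of the same name from a different address instead of
    silently overwriting the table entry.
    """

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}  # canonical IQN -> source address

    def register(self, name: str, source_ip: str) -> Optional[str]:
        key = parse_iqn(name).canonical()  # malformed names raise here
        previous = self._owner.get(key)
        if previous is None:
            self._owner[key] = source_ip
            return None
        if previous != source_ip:
            return (f"ALERT: {key} already registered from {previous}, "
                    f"new registration attempt from {source_ip}")
        return None
```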

3.3.3 Authentication Attack

Authentication on iSCSI devices is provided by the CHAP protocol, using a username and password for connecting to LUNs; CHAP is not used by default and is an optional feature. CHAP is not a secure method of authentication, because it can be sniffed and spoofed using simple third-party tools to steal passwords and information about the network. An authentication attack tries to sniff the packets on TCP port 3260 to obtain CHAP usernames and passwords, using sniffer tools and a password dictionary to verify passwords and connect to the iSCSI SAN devices [30], [7].
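The CHAP exchange that iSCSI relies on, as an added Python example (not code from the thesis nor from any initiator or target implementation), using the RFC 1994 response computation MD5(identifier || secret || challenge); the class names and the secrets are constructed. It shows what a target can do on its side, a fresh single-use challenge so a captured response cannot be replayed, and what it cannot do: the secret's strength is all that protects a captured challenge/response pair from the dictionary guessing described above.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not from the thesis. CHAP response per RFC 1994:
#   response = MD5(identifier || secret || challenge)
# Names and secrets below are constructed for the example.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapTarget:
    """iSCSI target side: issues challenges and verifies initiator responses."""

    def __init__(self, initiator_secrets: Dict[str, bytes]) -> None:
        self._secrets = initiator_secrets              # CHAP name -> shared secret
        self._pending: Dict[str, Tuple[int, bytes]] = {}
        self._identifier = 0

    def challenge(self, name: str) -> Optional[Tuple[int, bytes]]:
        """Start authentication for a known initiator; returns (identifier, challenge)."""
        if name not in self._secrets:
            return None
        self._identifier = (self._identifier + 1) % 256
        chal = secrets.token_bytes(16)                 # unpredictable, never reused
        self._pending[name] = (self._identifier, chal)
        return self._pending[name]

    def verify(self, name: str, response: bytes) -> bool:
        pending = self._pending.pop(name, None)        # one response per challenge
        if pending is None:
            return False
        identifier, chal = pending
        expected = chap_response(identifier, self._secrets[name], chal)
        return hmac.compare_digest(expected, response)


class ChapInitiator:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self._secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def login(target: ChapTarget, initiator: ChapInitiator) -> bool:
    """One-way CHAP as the text describes: the target challenges, the initiator answers."""
    issued = target.challenge(initiator.name)
    if issued is None:
        return False
    identifier, chal = issued
    return target.verify(initiator.name, initiator.respond(identifier, chal))


def demo_logins() -> Tuple[bool, bool, bool]:
    """(correct secret, wrong secret, unknown initiator) -> expected (True, False, False)."""
    good = b"constructed-long-random-secret-2013"
    target = ChapTarget({"backup-host": good})
    ok = login(target, ChapInitiator("backup-host", good))
    bad = login(target, ChapInitiator("backup-host", b"wrong"))
    unknown = login(target, ChapInitiator("other-host", good))
    return ok, bad, unknown


def replay_rejected() -> bool:
    """A captured response is useless later: the next challenge is different and single-use."""
    secret = b"constructed-secret"
    target = ChapTarget({"backup-host": secret})
    initiator = ChapInitiator("backup-host", secret)
    identifier, chal = target.challenge("backup-host")
    response = initiator.respond(identifier, chal)
    first = target.verify("backup-host", response)
    target.challenge("backup-host")                    # new challenge issued
    second = target.verify("backup-host", response)    # old response no longer matches
    return first and not second
```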

3.4 Fibre Channel security solutions

Data that needs to be protected is divided into two types, Data in Flight (DIF) and Data at Rest (DAR). Data in flight refers to data and information transmitted from source to target, such as packets or Protocol Data Units (PDU); protecting data during transmission is known as data in flight security. Data at rest refers to the security of stored data on disks, such as encrypting the stored data or applying secure access to the stored data on disks [18].

Data confidentiality is known as guaranteeing that information cannot be accessed by unauthorized persons, and data integrity has the responsibility of guaranteeing that the stored data does not undergo any change or corruption after being stored on disk [3].

The FC protocol has some authentication methods such as Switched Link Authentication Protocol (SLAP) and Fibre Channel Authentication Protocol (FCAP). SLAP is used to make a trust area between switches that want to connect to each other, and FCAP is a public key infrastructure that uses cryptographic authentication for making a trusted area between switches and HBAs, doing this by exchanging certificates between switches and fabrics [3].


3.4.1 Fibre Channel Zoning

The communication method in SAN is any-to-any: there is no limitation on devices in a SAN communicating with each other, and by default there is no security mechanism for controlling access to SAN devices from other sources and other networks. This lack of security is one of the drawbacks of SAN if it is used in large scale networks, from both the security and the access control aspects. Zoning is a mechanism for controlling access from different sources by making zones and groups and assigning devices and entities to them in order to organize their access to disks. Only the members of a zone have access to its devices, not the members of other zones. Zoning is defined on the switch; each node can access devices if its WWNN or WWPN is allowed in that zone. Zoning can restrict access to data that is more sensitive and control the traffic flow through the fabric, and error detection on the fabric becomes faster and easier by using zoning. There are two types of zoning in switches, hard and soft zoning [5], [3].

Hard zoning applies zoning on port numbers or identifiers on switches. Hard zoning is easier to implement and more secure than soft zoning; the problem with this method is that policies are applied to physical ports on switches, so when devices are changed or moved the port needs to be reconfigured to become part of another zone, and this can create a security problem on the network [7], [5]. Soft zoning, also known as name server zoning, works on the WWN address table in the fabric and gives access to nodes or ports by their WWNN or WWPN identifier. In soft zoning there is no need to reconfigure the settings when changing or moving cables on the fabric, because the policies are applied to the WWN identifiers of nodes and ports; however, soft zoning cannot be a good method for applying security to the fabric, because WWNs are vulnerable to spoofing attacks, are not unique and can be changed by changing the HBA or by the users [7], [30]. Figure 11 shows the zoning mechanism in SAN [5].

[Figure 11: zoning in a SAN. Node 1 to node 4 attach to the fabric through ports WWPN1 to WWPN8. Zone 1 = WWPN3 + WWPN8 + WWPN6; Zone 2 = WWPN7 + WWPN5 + WWPN1; Zone 3 = WWPN5 + WWPN2. The zoning policy is kept in a switch and is valid for the entire fabric.]

FIG. 11 - zoning mechanism in SAN, assigning different zones to different WWPNs [5]


3.4.2 Logical Unit Number masking

Each disk is divided into smaller parts known as volumes or partitions; these volumes on disks are identified in SAN with a Logical Unit Number (LUN). Masking is generally implemented on the FC HBA; LUN masking makes LUNs available to some hosts and unavailable to others [19].

LUN masking can be implemented in software or hardware mode: hardware LUN masking is provided on routers, switches and disk controllers, and software LUN masking is provided by code stored on the computer that connects to the SAN [4]. LUN masking limits or gives access of some ports to disk LUNs by their WWPN identifier. Figure 12 shows the LUN masking mechanism in SAN [5].

[Figure 12: LUN masking. Servers 1 to 4, with ports WWPN1 to WWPN8, attach through the fabric to LUN0, LUN1, LUN2 ... LUNn. The LUN masking policy resides in the storage controller: LUN0 = WWPN1 + WWPN6; LUN1 = WWPN2; LUN2 = WWPN3 + WWPN4; ...; LUNn = WWPN3 + WWPN5.]

FIG. 12 - architecture of the LUN masking mechanism, which allows specific WWPNs to access different LUNs [5].
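To make the two controls of sections 3.4.1 and 3.4.2 concrete, here is an added Python model (not from the thesis or any switch vendor) that applies the zones of figure 11 and the LUN masks of figure 12 to an access request. The storage controller WWPN, the port-to-WWPN cabling map and the request scenarios are assumptions; under hard zoning the switch decides by the physical port, under soft zoning by the WWPN the node presents at login, which is exactly why soft zoning alone does not hold up against a spoofed WWN.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Added example, not code from the thesis. Data modelled on figures 11 and 12;
# WWPN_STORAGE and PORT_MAP are assumptions (the figures do not show them).
WWPN_STORAGE = "WWPN_STORAGE"           # hypothetical storage controller port

ZONES: Dict[str, FrozenSet[str]] = {    # zone table from figure 11, storage port added
    "Zone 1": frozenset({"WWPN3", "WWPN8", "WWPN6", WWPN_STORAGE}),
    "Zone 2": frozenset({"WWPN7", "WWPN5", "WWPN1"}),
    "Zone 3": frozenset({"WWPN5", "WWPN2"}),
}
PORT_MAP: Dict[str, str] = {f"port{i}": f"WWPN{i}" for i in range(1, 9)}  # assumed cabling
LUN_MASKS: Dict[str, FrozenSet[str]] = {  # masking policy in the storage controller, figure 12
    "LUN0": frozenset({"WWPN1", "WWPN6"}),
    "LUN1": frozenset({"WWPN2"}),
    "LUN2": frozenset({"WWPN3", "WWPN4"}),
}


@dataclass(frozen=True)
class FabricPolicy:
    zones: Dict[str, FrozenSet[str]]      # zone name -> member WWPNs
    port_map: Dict[str, str]              # switch port -> WWPN the administrator bound to it
    lun_masks: Dict[str, FrozenSet[str]]  # LUN -> WWPNs allowed by the storage controller
    storage_wwpn: str
    zoning: str = "soft"                  # "soft" (name server / WWPN) or "hard" (switch port)

    def zoning_identity(self, port: str, presented_wwpn: str) -> Optional[str]:
        """Identity the switch uses for the zone check."""
        if self.zoning == "hard":
            return self.port_map.get(port)   # who is cabled to the port, per configuration
        return presented_wwpn                # whatever WWPN the node announced at login

    def zone_shared_with_storage(self, wwpn: str) -> bool:
        return any(wwpn in members and self.storage_wwpn in members
                   for members in self.zones.values())

    def decide(self, port: str, presented_wwpn: str, lun: str) -> Tuple[bool, str]:
        """Apply zoning first (switch), then LUN masking (storage controller)."""
        ident = self.zoning_identity(port, presented_wwpn)
        if ident is None or not self.zone_shared_with_storage(ident):
            return False, f"denied by {self.zoning} zoning: {ident} on {port} shares no zone with storage"
        if presented_wwpn not in self.lun_masks.get(lun, frozenset()):
            return False, f"denied by LUN masking: {presented_wwpn} is not masked in for {lun}"
        return True, f"granted: {presented_wwpn} on {port} may access {lun}"


def policy(zoning: str) -> FabricPolicy:
    return FabricPolicy(ZONES, PORT_MAP, LUN_MASKS, WWPN_STORAGE, zoning)


if __name__ == "__main__":
    for mode in ("soft", "hard"):
        p = policy(mode)
        print(mode, p.decide("port6", "WWPN6", "LUN0"))  # zoned with storage and masked in
        print(mode, p.decide("port1", "WWPN1", "LUN0"))  # masked in, but Zone 2 has no storage
        print(mode, p.decide("port3", "WWPN3", "LUN0"))  # zoned, but not in LUN0's mask
        # WWPN6 presented from the port the administrator bound to WWPN7:
        # soft zoning trusts the announced name, hard zoning trusts the port.
        print(mode, p.decide("port7", "WWPN6", "LUN0"))
```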

3.4.3 Port Binding

Binding is applied on switches and used to set permissions for node and port access to fabrics; binding works on the WWN address. Binding can be applied on ports, switches or fabrics. In port binding each port connected to the switch gets a policy based on its WWPN, and any change or replacement on the fabric requires reconfiguring the policies. Binding on switches works on the mapping of the WWNN to the switch, so changing or swapping cables does not require rebuilding the policy configuration. Fabric binding prevents access of unauthorized switches to the fabric [5].

3.5 Internet Small Computer System Interface SAN security solutions

Authentication, authorization and encryption are the three basic security elements in SAN: authentication in iSCSI SAN is provided by using the Challenge Handshake Protocol (CHAP), for authorization control the SAN uses the initiator node name, and for encryption it uses IPsec and Secure Socket Layer (SSL) [7], [20]. Most SAN device vendors believe that SAN is not a vulnerable technology because it works on Gigabit Ethernet infrastructure and SAN is a point to point technology, so attackers are not
