Implementing Security For Sans: Brksan-2892

Implementing Security
for SANs
BRKSAN-2892
BRKSAN-2892
14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2006, Cisco Systems, Inc. All rights reserved. 1

Presentation_ID.scr
Agenda
SAN Security Scope

Cisco MDS9000 Security
SAN Management Security
Fabric and Target Access Security
Fabric Protocols Security
IP Storage Security
Security for Data at Rest: Storage Media Encryption
PCI DSS Compliance Considerations

Recap and Conclusions
BRKSAN-2892
SAN Security Scope
BRKSAN-2892

Presentation_ID.scr
Several Threats: Incomplete Solutions
SAN security is often overlooked as an area of concern but
can have the most detrimental impact
Application-level integrity and security is well addressed, but
the back end network carrying data is generally not
SAN extension solutions now push SANs outside the data
center boundaries
Not all compromises are intentional (many are accidental
breaches), but they still have the same impact
SAN security is only one part of complete DC solution:
Host access security—one time passwords, audit logs, VPNs
Storage security—data-at-rest encryption, LUN security
Datacenter physical security
BRKSAN-2892
SAN Security Scope

6.Data Integrity and Secrecy
Fabric security augments overall
application security 4.SAN Fabric Protocol
Security
Host and disk security also required
Six key areas of focus
SAN Management Access—Secure Cisco
Target
access to management services Host

MDS 9000
Family
Fabric Access—Secure device

access to fabric service
Target Access—Secure access to 3.Target
Access
targets and LUNs 2.Fabric Security
Access
SAN Protocols—Secure switch-to- Security
1.SAN
Management
iSCSI
switch communication protocols Security 5.IP Storage

Security
IP Storage Access—Secure FCIP (iSCSI/FCIP)
and iSCSI services

Data Integrity and Secrecy—
Encryption of data in transit and
at rest
BRKSAN-2892

Presentation_ID.scr
SAN Management
Security
BRKSAN-2892
SAN Management Potential Threats

Three main areas of vulnerability:
1. Disruption of switch processing
CPU hogging from unnecessary queries
Denial-of-service attacks
Result: Switch can’t react to
fabric events
2. Compromised fabric stability
Altered/lost switch configurations
Removal of other security services
Disabled switches/ISLs/device ports
Result: Loss of service, unplanned
down time
Out-of-band Ethernet
3. Compromised data integrity and secrecy Management Connection
Altered target (and LUN) visibility

Altered zoning configuration
Result: LUN corruption, data corruption, Accidental or Intentional
data theft or loss Harmful Management
Activity
BRKSAN-2892

Presentation_ID.scr
SAN Management Security
Securing access to all management SAN Management Security Infrastructure
facilities on the Cisco MDS Management
9000 Family Network
Integrated RFC 2625
IP-over-FC provides
redundant IP connectivity
for security services over
Must secure console sessions RAD in-band FC link
Must secure GUI application access RADIUS server

for user
Must secure API access (SMI-S) authentication
Must also secure file transfer TAC+ Out-of-band Ethernet

to/from switch Management Connection
TACACS+
server for user
Equally important to enable authentication
audit mechanisms
SNMP
Integrated RADIUS for user accounting SNMP Polling

and switch scope assignment server using
SNMPv3
Integrated SYSLOG for switch

Cisco Fabric MDS 9000
event accounting NTP Manager SAN OS CLI
using SNMPv3 using SSH/SFTP
Integrated SNMP traps for access NTP server
for time/date switch> config t
denial accounting synchronization

switch(config)>
analyzer on
switch(config)>
exit
switch>
Network time protocol (NTP) support to

synchronize clocks, log entry time stamps
BRKSAN-2892
Roles-Based Access Control (RBAC)

Partitioning management capabilities in Roles-Based Access Control Details
the Cisco MDS 9000 Family Sample Roles
Management Role #1 – ‘super’ admin
Different roles for different user profiles (sys Network Zoning
FSPF
full
full
admin, network admin, super admin) VSANs
FCID Policy
full
full
RADIUS server can iSCSI full
Common roles across CLI access and Cisco be used to centralize FCIP full
user accounts and
Fabric Manager access RAD
assign roles
Role #2 – dept. admin
Zoning VSAN-2
FSPF VSAN-2
Integrated Roles-Based-Access-Control Roles are populated into

VSANs
FCID Policy
iSCSI
no
VSAN-2
view-only
switches. Different roles FCIP view-only
Assign subsets of full command set to roles can exist in different
Role #3 – network admin
switches as required Zoning view-only
Users are then assigned to roles FSPF
VSANs
view-only
view-only
FCID Policy view-only
May have a maximum of 64 unique roles iSCSI
FCIP
full
full
Roles include IP storage features (iSCSI/FCIP) Bill – SAN admin

Role #1
Commands not visible if not part of assigned role VSAN- All switches
Enabled (full fabric admin)
VSAN-based RBAC Fabric 1 2
Sally – Storage admin

Roles can be assigned to specific VSAN(s) only Role #1
Switch 1,2 only
(assigns storage only)
Enables administrator-per-VSAN model 3 4 5 6
Reduce infrastructure costs through Fred – Email admin

Role #2
consolidation using VSANs and still Switch 3,4 only
VSAN 1 VSAN 2 (VSAN-2 – email app)
delegate fabric ‘island’ administration
BRKSAN-2892

Presentation_ID.scr
Flexible RADIUS and TACACS+ Services
Used for AAA (Authentication, RADIUS and TACACS+ Deployments
Authorization, and Accounting) services Dial/VPN servers

Datacenter for remote
Limit management access to a subset of switches routers and access
switches System console
MDS 9000 supports up to five HA server definitions terminal servers
RADIUS—Remote Authentication Dial In Network

User Service (IETF RFC-2865 standard)
NMS
RAD management
AD stations
Redundant
Initially used for dial-in networks—now greatly Microsoft Server
Active Directory
expanded to a variety of uses Authentication calls and
accounting records are
RAD
sent to centralized
System user account centralized authentication RADIUS or TACACS+
Windows 2000 servers
Network device user account AAA services IAS Server
(RADIUS)
LDAP
Dial-in/VPN service AAA services Server
Cisco
iSCSI host authentication TAC+ MDS 9000
Family
Linux
Switches
TACACS+—Terminal Access Controller DB
TACACS+ Server
Access Control System (based on Database

RBAC role
membership info Roles are
RFC-1492) Server
(Oracle,
is authorized by
RADIUS/TACACS+
populated into
MDS 9000
mySQL,
servers switches
Widely used and supported by Cisco etc)
Freely available from Cisco—similar to RADIUS
BRKSAN-2892
Sample Radius Accounting Record

Example snapshot of a Microsoft NAS-IP-Address
User-Name
: 172.19.48.87
: net-adm-1
IAS RADIUS record generated Record-Date
Record-Time
: 10/3/2007
: 11:51:08
Decoded Microsoft IAS
Radius accounting record
during an MDS 9509 CLI session Service-Name
Computer-Name
: IAS
: IBM305S1
using Microsoft’s
‘iasparse.exe’ support tool
NAS-Identifier : login (part of Windows 2000/2003
‘Start/stop’ records are recorded NAS-Port-Type
NAS-Port
: Virtual
: 3001
distribution)
by default, ‘accounting’ records Service-Type

Calling-Station-Id
: Authenticate-Only
: sjc-1.cisco.com
of actual commands are enabled Client-IP-Address
Client-Vendor
: 172.19.48.87
: CISCO
on the MDS 9000 as an option Client-Friendly-Name : core3
SAM-Account-Name : IBM305S1\net-adm-1
Fully-Qualified-Name : IBM305S1\net-adm-1
Similar record generated Authentication-Type : PAP
Class : 311 1 172.19.48.54 10/3/2007 18:44:03 1
by TACACS+ Packet-Type : Access-Request
Reason-Code : The operation completed successfully.
Full RADIUS Accounting Record
172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,32,login,61,5,5,3001,6,8,31,sjc-1.cisco.com,4108,172.19.48.87,4116,
9,4128,core3,4129,IBM305S1\net-adm-1,4130,IBM305S1\net-adm-1,4127,1,25,311 1 172.19.48.54 10/3/2007 18:44:03 1,4136,1,4142,0
172.19.48.87,net-adm-1,10/3/2007,11:51:08,…,shell:roles=network-admin,MDS Policy,172.19.48.87,core3,IBM305S1\net-adm-1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:34,…,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:56,…,accounting:accountinginfo=vsan:4001 values updated loadbalancing:src-id/dst-id/oxid,…
172.19.48.87,net-adm-1,10/3/2007,11:52:02,…,accounting:accountinginfo=Interface fc3/1 state updated to down,…
172.19.48.87,net-adm-1,10/3/2007,11:52:05,…,accounting:accountinginfo=Interface fc3/1 state updated to up,…
172.19.48.87,net-adm-1,10/3/2007,11:52:16,…,accounting:accountinginfo=vsan:4001 deleted,…
172.19.48.87,net-adm-1,10/3/2007,11:52:20,…,accounting:accountinginfo=vsan:4000 deleted,… Some of these records have been
172.19.48.87,net-adm-1,10/3/2007,11:52:23,…,accounting:accountinginfo=shell terminated,… shortened to fit them on this slide ‘…’
BRKSAN-2892

Presentation_ID.scr
Configuration Consistency Analysis
Important to keep consistent Administrator
configurations across all switches compares policy
reference config to
all switches in
Especially important for security configurations: fabric
RADIUS/TACACS+, Remote SYSLOG, NTP,

SNMP communities, Authentication and Roles
Policy
MDS 9000 Family configurations can be Reference

Switch
extracted from switches as a flat text file

Allows for easy and regular archiving
Cisco Fabric Manager provides “Fabric Fabric Configuration

Configuration Analysis” tool Analysis Part of
Cisco Fabric Manager
Checks all switch configurations against policy

switch or file
Can take corrective action to fix configurations
Also has ‘zone merge analysis’ tool to validate
zone merge validity
Review Results and Take
Corrective Actions
Define Analysis Rules
BRKSAN-2892
SAN Management Recommendations

1. Use RBAC to grant adequate privilege to SAN administrators
Example: Not every administrator needs capability to disable modules
Reserve select functions to fewer ‘super-admin’ RBAC role:
VSAN definition, firmware upgrades, roles definition, RADIUS and SSH configuration
2. Use RADIUS or TACACS+ for centralized user account administration

Ensures consistent and timely removal of users if required
Use RADIUS accounting feature for audit log of configuration events
3. Use all secure forms of management protocols—disable others

SSH, SFTP, SCP, SNMPv3, SSL for SMI-S support
Disable Telnet, FTP, TFTP, SNMPv1,v2
4. Enable NTP across all switches for consistent time stamping of events
5. Log and archive everything
Enable centralized SYSLOG
Take regular copies of MDS 9000 configurations (can use CiscoWorks RME)
Turn on Cisco MDS 9000 “Call Home” feature to alert of anomalies
BRKSAN-2892

Presentation_ID.scr
Fabric and Target
Access Security
BRKSAN-2892
Fabric and Target Access

Potential Threats
Three main areas of vulnerability:
Compromised application data
Unauthorized access to targets and LUNs
High potential for data corruption, loss, or theft
Result: Unplanned down time, costly
data loss
Compromised LUN integrity
Unauthorized Unauthorized
Fabric Service Target Access
LUN corruption due to unintentional OS mount
Accidental formatting of LUN—loss of data
data loss
Compromised application performance
Unauthorized I/O potentially causing
congestion
Injected fabric events causing disruption;
i.e. rogue HBA hammering fabric controller
Result: Unplanned down time, poor
I/O performance
BRKSAN-2892

Presentation_ID.scr
Fabric Access Security: Port Modes
Port mode security—Allow edge ports Port Mode and VSAN-based Security
to form F_Ports or FL_Ports only,
i.e. no ISL/EISL IP access lists (ACL) based on
source and destination IP
Cisco MDS 9000 Family supports an Fx_Port Management
Network
addresses, TCP/UDP ports,
and TCP connection flags
mode which allows F_Port or FL_Port only ‘E_Port’ ‘Auto’
mode mode
Limit users who can change port mode via Any port type
Roles-Based Access Control assignments ‘Fx_Port’ ‘F_Port’
mode mode
VSAN-based security—only allow F,FL Only F Only
access to devices within attached VSAN ‘Fx_Port’

‘E_Port’
or ‘Auto’
mode
mode
Strict isolation based on fabric service
partitioning and explicit frame tagging
Independent name server table per VSAN EISLs carrying
Disk array connected
multiple VSANs
to multiple VSANs
Independent active zoneset per VSAN
VSAN 1
Part of ANSI T11 ‘Fabric Expansion’
study group VSAN 2
Both
Management port access security

One active Unique services
Provides IP access control lists (ACLs) for VSAN only per VSAN
management traffic (SNMP, SSH, Telnet, etc.)

BRKSAN-2892
Fabric Access Security

Cisco MDS Access Security Technology
Grant selective access to fabric based on device identity
Failure results in link-level login failure
Prevents FC frame S_ID spoofing through hardware frame filtering
Supports device-to-switch (port security) and switch-to-

switch (fabric binding)
Uses grouping of attributes to define binding configuration
WWN or Port_ID – port identifier on switch (i.e. fc1/2)
Multiple ‘groups’ are created and activated as a ‘group set’ to enforce
desired policy
Auto-learning mode to ease initial configuration
BRKSAN-2892

Presentation_ID.scr
Fabric Access Security: Fabric Binding
Used to allow ISL establishment
Attributes to define binding configuration:
fWWN—Fabric WWN
of switch port Bind sw-2 to sw-1 ISL Security Group – sw-1
sWWN-2
sWWN—Switch WWN
sw-1
Port_ID—Port identifier fWWN-2 fWWN-1
Port_ID-2 Port_ID-1
on switch (i.e. fc1/2) pWWN-1 pWWN-3
sWWN-1 fWWN-5
Port_ID-5
nWWN-1
fWWN-6
Port_ID-6
pWWN-2 pWWN-4
fWWN-3 fWWN-4 nWWN-2

Port_ID-3 Port_ID-4
sw-2
sWWN-2
Security Group – sw-1

Bind sw-2 to sw-1/port 5 ISL sWWN-2
Port_ID-5 or fWWN-5
BRKSAN-2892
Fabric Access Security: Port Security

Used to allow device-to-switch login
Attributes to define binding configuration
pWWN—Port WWN of attaching device
nWWN—Node WWN of attaching device
fWWN—Fabric WWN of switch port
Port_ID—Port identifier on switch (i.e. fc1/2)

Bind host to sw-1 (any port) pWWN-1 or nWWN-1
sw-1
fWWN-2 fWWN-1
Port_ID-2 Port_ID-1
Bind host, disk to sw-1 (any port) pWWN-1 pWWN-3
pWWN-1 or nWWN-1
pWWN-3 or nWWN-2 fWWN-5
sWWN-1
Port_ID-5
nWWN-1
Security Group – sw-1 fWWN-6
Bind host to sw-1 /port 2 Port_ID-6
pWWN-1 or nWWN-1
Port_ID-2 or fWWN-2 pWWN-2 pWWN-4
fWWN-3 fWWN-4 nWWN-2

Port_ID-3 Port_ID-4
Security Group – sw-1 sw-2

Bind host HBA-1 to sw-1/port 2 pWWN-1
Port_ID-2 or fWWN-2 sWWN-2
BRKSAN-2892

Presentation_ID.scr
Fabric Access Security: Authentication
Device authentication provides Fibre Channel Fabric Authentication
RADIUS and TACACS+ servers
stronger means of ensuring Management

Network
can be used to hold DH-CHAP
user accounts and passwords for
centralized authentication
device identity
RAD
WWNs can be spoofed by RADIUS server

simple means for user
authentication
Out-of-band Ethernet
ANSI T11 FC-SP Security TAC+

Management Connection
Protocols working group

TACACS+
server for user
Cisco was the prime contributor authentication
DH-CHAP provides DH-C

HAP
authentication mechanism - CH
AP
New host
wanting to
DH join the
DH-CHAP
Switch-to-switch authentication fabric
New switch
FCIP
wanting to join
Device-to-switch authentication (when the fabric
Network Equipped with
HBA supporting
adopting HBA supporting DH-CHAP) DH-CHAP
(Emulex, Qlogic)
New switches wanting to

join the fabric over FCIP
BRKSAN-2892
FC-SP DH-CHAP Authentication Protocol

Authentication Initiator (N) Authentication Responder (M)
AUTH_Negotiate / T_ID=Q
(NameN, DH-CHAP, hash=MD5orSHA1, DiffieHelmanGroupID=2or3)
DHCHAP_Challenge / T_ID=Q
(NameM, hash=MD5, DiffieHelmanGroupID=2, challenge C1, g^x mod p)
DHCHAP_Reply / T_ID=Q
(NameM, response R1, g^y mod p, challenge C2)
DHCHAP_Success / T_ID=Q
(response R2)
DHCHAP_Success / T_ID=Q
BRKSAN-2892
Note: common DH key is g^xy mod p

Presentation_ID.scr
Fabric Access Recommendations
Use IP ACLs on management interfaces to block unused services
Enable logging of denied attempts—block denial-of-service attacks
Hard-fix switch port administrative modes to assigned port function

Lock (E)ISL ports to only be (T)E_Ports—set to ‘E_Port’ mode
Lock access ports to only be F(L)_Ports—set to ‘Fx_Port’ mode
Use VSANs to isolate departments

Provides security AND availability benefits
RBAC management control per VSAN allows individual admin assignment
Use port security features everywhere

Bind devices to switch as a minimum level of security
Bind devices to a port as an optimal configuration
Consider binding to line card in case of port failure
Bind switches together at ISL ports—bind to specific port, not just switch
Use FC-SP authentication for switch-to-switch fabric access

Use device-to-switch when available
BRKSAN-2892
IP access lists (ACL) based
Target Access Security: Zoning on source and destination IP

addresses, TCP/UDP ports,
and TCP connection flags
Zoning is prime mechanism for securing Simple Name Server

Zoning
access to SAN targets (disk and tape) pWWN-1

pWWN-2
FCID-1
FCID-2
Each device connected to the
switch registers with the name
pWWN-3 FCID-3 server and queries it to find
Two prime types of zoning: pWWN-4 FCID-4 potential targets
Soft Zoning (sw-based name server filtering)

fWWN-1 fWWN-3
Port_ID-1 Port_ID-3
Communication still possible if FC_ID known
11 pWWN-1 pWWN-3
Hard Zoning (hw-enforced frame filtering) fWWN-2 fWWN-4

Port_ID-2 Port_ID-4
Absolute requirement for true security
22 pWWN-2 pWWN-4
Also involves name server filtering

zoneset-A (active)
Can filter on various attributes
Switch Port_IDs—vendor-specific zone-1 zone-2 zone-3
pWWN-1 pWWN-2 Port_ID-1
Device nWWN/pWWNs—standards-based pWWN-3 pWWN-3 Port-ID-4
Name Server Frame
Advanced zoning features offered by Cisco and Frame Filtering Filtering
Device Visibility
Zoning is very complementary to VSANs pWWN-3 FCID-3
Device Visibility
pWWN-3 FCID-3
pWWN-4 FCID-4
One active zoneset per VSAN
Name server visibility
Multiple configured zonesets per VSAN restricted based on active
2
2
11 zone definitions
Non-disruptive zoneset activation to other VSANs
BRKSAN-2892

Presentation_ID.scr
Cisco MDS 9000 Family Zoning Services
All zoning services offered by Cisco are
implemented in hardware Hardware-Based Zoning Details
No dependence on whether using mix of WWNs and
Port_IDs in a zone—all hardware based fWWN-1
Port_ID-1
fWWN-3
Port_ID-3
WWN-based zoning implemented in software with 1 pWWN-1 pWWN-3
hardware reinforcement (i.e. no name server only zoning)

1
fWWN-2 fWWN-4
WWNs are translated to FCIDs to be frame-filtered Port_ID-2 Port_ID-4
2 pWWN-4
Dedicated high speed port ‘filters’ called 2
ternary CAMs (TCAMs) filter each frame in pWWN-2 FCID-2 TCAM hardware
frame filtering
WWNs translated
hardware and reside in front of each port to FCIDs to filter
Support up to 20,000 programmable entries consisting

of zones and zone members Zone_A
Very deep frame filtering for new innovative features (active)
Wire-rate filtering performance—no impact regardless

of number of zones or zone entries
Optimized programming during zoneset activation— NEW
incremental zoneset updates New
To add new host to Zone_A
RSCNs contained within zones in given VSAN and activate, an additional
TCAM entry is simply
programmed at the relevant
Selective Default Zone behavior—default ports – no disruption to existing
is deny active zones
Per VSAN setting

BRKSAN-2892
Cisco Advanced Zoning Services

Cisco has introduced two new zoning
Advanced Zoning
capabilities in the MDS 9000 Family: LUN zoning allows control of access to
specific LUNs based on zone assignment
LUN Zoning is the ability to zone an initiator
with a subset of LUNs offered by a target Zone_A (active) 1 X
2 X
Host discovers all LUNs but can only login to those X X
LUNs part of the zone pWWN-1 pWWN-2 X X
Inaccessible LUNs are busied-out by the switch at X X
the ingress port
report_LUNs
Provides powerful solution combined with array-based 10 LUNs available
LUN security to add fabric enforcement report_size LUN_1
LUN_1 is 50GB
Accidental LUN exposure prevented by fabric report_size LUN_3
LUN_3 is unavailable
Read-Only Zoning leverage the hardware-
based frame processing of the MDS Read-only zoning restricts ‘write’ commands from
being sent to zoned targets
9000 Family
Media Zone_A
Filters FC4-Command frames based on whether the Master (active)
Server
command is a read or write command
Useful for systems that only need read access to a
volume such as multimedia servers Streaming
Server NEW
Zone_B (read-only)
Especially useful for media servers that need high (active)
speed access to rich content for broadcast—block level
bypasses NAS service
BRKSAN-2892

Presentation_ID.scr
Target Access Recommendations
Use zoning services to isolate where required Learn the Isn’t soft
FCID and gain zoning good
Port or WWN-based, all hardware enforced access enough?
Use read-only zones for read-only targets

Use LUN zoning as extra reinforcement
Set default-zone policies to ‘deny’ Occupy the Ok, add port-
port and gain
Suggested to only allow zoning configuration access
based zoning
from one or two switches to minimize access

Use RBAC to create two roles, only one allowing
zoning configuration Spoof the Ok, add
Install ‘permit’ role on two switches, ‘deny’ role WWN and WWN-based
gain access zoning
on remainder
Or, use RADIUS or TACACS+ to assign roles
based on particular switch, more flexible
*Better* Must
Use WWN-based zoning for convenience spoof and Ok, add port-
and use port-security features to harden occupy to
gain access
security
switch access
Works well for interop with non-Cisco switches
*Best*
Port-based zoning in ‘native mode’ interoperability Need full Ok, add DH-
in SANOS v1.2 authentication CHAP
to gain access
BRKSAN-2892
Fabric Protocols
Security
BRKSAN-2892

Presentation_ID.scr
Fabric Protocols Potential Threats
Three main areas of vulnerability: Rogue Switch
1. Compromised fabric stability

Injection of disruptive fabric events
Creation of traffic ‘black-hole’
Result: Unplanned down time,
fabric instability
2. Compromised data security
Injection of harmful zone reconfiguration data
Open access to fabric targets Fabric Control
Protocol Integrity
data loss
3. Compromised application performance
Unauthorized I/O potentially causing congestion
Numerous disruptive topology changes
Result: Unplanned down time, poor
I/O performance
BRKSAN-2892
SAN Fabric Protocols Security

Fabric Protocols Security
Very important to secure the fabric control
Dept ‘A’ Dept ‘B’
protocols to ensure fabric stability
Securing access to control protocol configuration via VSAN
Cisco RBAC is first step Trunk
Bundles
1 7 2 8
Enable port-security for switch binding 5 5 6 6
Cisco
MDS 9216
Using FC-SP for switch-to-switch authentication is
Port Channeling
next critical step to block rogue ISLs for HA and
performance Cisco MDS 9500
Plug-n-play fabric protocol configuration is 3
3 3
4
4 4
Multilayer Director
convenient—however, static configuration

is more secure VSAN Trunks
over optical
Configure static principle switch DWDM or CWDM

‘RCF-reject configured to
Network
Enable static domain IDs protect against remote
initiated fabric rebuild
Statically assigned
Enable static FCIDs *optional but recommended* principle switch
Statically assigned per VSAN
Great benefit for HP/UX and AIX environments domain_IDs, one per active
VSAN minimizes potential for
disruptive RCF
Enable RCF-reject, especially on long-haul links Enterprise
1 1 2 2 Tape VSAN
Enable RSCN-suppression where necessary
Use VSANs to divide and manage individual

fabric configuration and resiliency
BRKSAN-2892

Presentation_ID.scr
Certificate Infrastructure
MDS can relay upon the IKE (Internet Key Exchange) infrastructure to
exchange asymmetric keys
Asymmetric key are used to initialize protocols like IPSec and SSH
MDS can enroll with a CA (Certificate Authority, trust point) to obtain an
identity certificate
The identity certificate contains the local MDS public key encrypted with
the CA private key (RSA format)
Only one certificate per CA, but MDS can enroll with multiple CAs
The default key label is the switch fully qualified name
The local MDS can trust multiple CAs
It can communicate with a remote peer that uses a certificate provided by a different CA,
where the local MDS is not enrolled
The key pair is different for each CA certificate
As a good practice relay upon the IKE infrastructure to establish a
secure and trusted relationship between all the network elements and
management nodes
BRKSAN-2892
Key Management Based on Certificates

Without certificate each Keys
switch must be configured
with the symmetric key for Keys Keys
each other switch
Keys
CA
Keys
Without certificates the
CA will distribute the public
keys used for secure
key exchange
BRKSAN-2892

Presentation_ID.scr
IP Storage Security
BRKSAN-2892
IP Storage Security
IP Storage Security
iSCSI leverages many of the security
features inherent in Ethernet and IP
Ethernet Access Control Lists (ACLs) iQN2 is mapped to
↔ FC zones an allocated pWWN
and registered in the
RADIUS server fabric
Ethernet VLANs ↔ FC VSANs used to centralize
iSCSI accounts iQN1 =
Ethernet 802.1x port security ↔ FC port security pWWN1 iSCSI
pWWN1/
nWWN1
iSCSI
iSCSI authentication ↔ FC DH-CHAP RAD
RAD
authentication iSCSI Login
registering iQN
Cisco Catalyst® using CHAP
iSCSI offers LUN masking/mapping 6500 Multilayer
LAN Switches
authentication
capability as part of gateway function

FCIP security leverages many IP security IP ACLs
802.1X Auth.
iSCSI
iQN1 iSCSI
Ethernet VLANs
features in Cisco IOS®-based routers iSCSI qualified
names are defined
IPSec VPN connections through public carriers FCIP Tunnels
over IPSEC
within iSCSI client
Network
High speed encryption services in specialized HW
Can also be run through a firewall
FCIP tunnel is a virtual ISL—Can
leverage FC-based FC-SP switch-to-
switch authentication
BRKSAN-2892

Presentation_ID.scr
Security for Data
at Rest: Storage
Media Encryption
BRKSAN-2892
Cisco SME Overview

Encrypts storage media (data
Application
Server at rest)
Strong, IEEE compliant
Name: XYZ
SSN: 1234567890
AES-256 encryption
Amount: $123,456
Status: Gold
Integrated as transparent
Key Management
fabric service
Center
Encrypt
IP
Supports tape devices and VTLs
Compresses tape data
Name: XYZ
@!$%!%!%!%%^& Offers secure key management
SSN: 1234567890
*&^%$#&%$#$%*!^
Amount: $123,456
@*%$*^^^^%$@*)
Status: Gold
%#*@(*$%%%%#@ Allows offline media recovery
Built upon FIPS-140-2 level-3
Tape
Library
system architecture
BRKSAN-2892

Presentation_ID.scr
Cisco SME-Enabled Platforms
MDS 9222i
MDS 9000
Family
Systems
MDS 9216A
MDS 9216i MDS 9506 MDS 9509 MDS 9513
MDS 9000
Modules
18/4-Port Multiprotocol Services Module (MPS)
Mgmt. Cisco Fabric Manager w/Key Management Center
OS Cisco MDS 9000 Family SAN-OS
BRKSAN-2892
Transparent Fabric Service

Integrates seamlessly with existing
Application Servers Cisco MDS fabrics
Non-disruptive deployment
No appliances to insert in data path
No SAN re-wiring or re-configuration
Redirects traffic flows after

MPS-18/4 MPS-18/4 enabling encryption
Highly scaleable performance
Load balances automatically
Reliable, highly available service
Tape
Library Routes traffic to another MPS when
one fails
BRKSAN-2892

Presentation_ID.scr
Wizard-Based Provisioning
Management integrated in Fabric Manager (Web Client)

Resources management
Key management
Media management
BRKSAN-2892
SME Key Management

Cisco Key Complete key lifecycle
Management Center management
Archives, recovers, distributes, and
shreds media keys
Application Servers Accommodates single and multiple
site environments
Transports keys and management

traffic securely (SSH, HTTPS)
Key catalog based on a standard
MPS-18/4
MPS-18/4 MPS-18/4
MPS-18/4 database or on third party
Fabric ’A’ Fabric ’B’ Key Manager
Tape
Integrates with Cisco FM server
Libraries No additional software to install
Intuitive provisioning and management
with Cisco FM Web client
BRKSAN-2892

Presentation_ID.scr
Media Encryption Key Hierarchy
Master Key resides in Smart cards
Quorum (M out of N) of smartcards
Master Key required to recover a Master Key
Recovery Shares accomplish
secret sharing
Keys reside in clear-text only

within crypto boundary on
Cisco Key switch module
Management
Tape Volume
Center Group Key Unique key per tape, or per tape
volume group
Tape Key Media keys wrapped by Master

Key before storage or transport to
Cisco Key Management Center
Option to store tape keys on
tape media
Tape Key
BRKSAN-2892
SME Media and

Keys Management Options
Key mode:
Individual Key Mode: To achieve maximum security, each individual tape is assigned its
own unique key
Shared Key Mode: To simplify key management procedures and reduce to a minimum the
size of the key database, SME uses the same key for all tape volumes belonging to the
same group
Volume group (group of physical tapes) mode:
Manual grouping: Volumes are manually identified on the basis of the cartridge bar code
Auto grouping: Volumes are assigned automatically to a group by the backup application
Tape compression in the SME interface enabled or disabled
Compression should be performed before encryption, since the compression ratio for
encrypted data is usually very low
Tape recycle controls how the media key used for a tape cartridge is managed
when the specific tape is re-labeled.
One or more copies (clones) of the original tape may have been generated outside the
Cisco SME environment, to have redundant physical copies of the data in different locations
If a tape is recycled, when labeling occurs, a new media key is generated and the previous
media key is purged from the Cisco KMC database; all copies of the original tape are
virtually shredded
If a tape is not recycled, a new media key is generated for the tape, but the old media key
will be left in the Cisco KMC database, the copies of the original tape will still be readable
BRKSAN-2892

Presentation_ID.scr
Encryption Meta-Data Storage on Tape
Provides option to store media keys on tape

Media keys (Tape Volume Key) are encrypted with
the Volume Group Key for protection
These media keys are not stored in KMC, increasing
scalability with large numbers of tape volumes
Simplifies export of tapes to remote site
No need to export media keys routinely
Only need to export wrap key once
SME creates unique tape header to store

SME-related information
BRKSAN-2892
Effect of Media Key Options

on Key Management
Group Shared Key
Shared Key across a Group of Tapes
Pros The catalog dimension is contained.

A single key allows decoding all tapes in the group, very
practical in case a single backup spans more tapes, or to
share a group of tapes with a third party.
Cons Less secure.

If the single common Tape Volume Key is compromised, all the
tapes in the group can be accessed.
Recovery Procedure Key export is required only when a new tape volume group is
created, either manually or by the auto grouping
Virtual Shredding Only a tape group

Implications
Tape Recycling The key catalog size remains constant
BRKSAN-2892

Presentation_ID.scr
Effect of Media Key Options
on Key Management
Unique Key per Tape
Unique Key per Tape
Media Key stored in catalog Media Key stored on tape
Pros More secure. The catalog dimension is contained.

Each tape can be managed or transferred to A single key allows decoding all tapes in the
a third party independently. group, very practical in case a single
If a Tape Volume Key is compromised, only backup spans more tapes, or to share a
the given tape may be accessed. group of tapes with a third party.
If a Tape Volume Group Key is The tapes in a group use different media
compromised, the hacker still need to keys, solution cryptographically more
access the catalog to access the data secure than using the same key for many
tapes.
Cons The catalog contains an entry for each tape, If a Tape Volume Group Key is
so it could be very large. compromised, the hacker can decrypt the
Tape Volume Key and the data of all
tapes in the group.
Recovery Procedure Key export is required only when a tape Key export is required only when a new tape
volume is labeled volume group is created, either manually
or by the auto grouping
Virtual Shredding Can be at the individual tape level Only a tape group
Implications
Tape Recycling The key catalog contains a new entry every The key catalog size remains constant
time a tape is re-labeled, unless the
recycle option is selected
BRKSAN-2892
Secure System Architecture

Hardware and software architecture designed to meet
FIPS140-2 Level-3 certification requirements
Tamper-proof: Attempts to tamper with system destroys
the sensitive information
Strong, standard AES-256 modes of encryption
Smart cards available for master key protection
Critical security parameters and media keys never leave
system un-encrypted
Role-based access control (RBAC) secures management
Enforces SME specific roles
AAA server support allows centralized
user authentication and accounting (auditing)
BRKSAN-2892

Presentation_ID.scr
Roles and Identities
SME Administrator SME Recovery Officer
Responsible for provisioning SME Responsible for any recovery

function requiring a Master Key
Per-VSAN role-based access
control limits management scope Quorum of Recovery Officers
needed to perform recovery
SAN administrator may assume this procedures (default is two out
role too of five)
Security operations (SecOp) staff
may assume this role
BRKSAN-2892
Master Key Management

Smart cards
Advanced
Smart cards with Recovery Shares for each
Master Key where M of N Recovery Officers
Level of Security
are required to recover a Master Key
Standard
Smart Cards with all Master Keys
No Recovery Shares
Basic
• USB Drive with all Master Keys
• A file with all Master Keys
• Master keys encrypted with a password
• Regular backup & archive.
Simplicity
BRKSAN-2892

Presentation_ID.scr
Cisco SME Review
Solution for and tape and VTL
Supports existing storage devices
Simplifies provisioning and integrates key management
Integrates transparently into SAN fabric, which simplifies
deployment and eliminates down-time
No need to rewire SAN
Eliminates appliances, extra cables, and wasted switch ports
Reliable and scalable solution
Cisco MDS directors provide highly available platform,
Encryption can be added and enabled non-disruptively
Virtual SAN support
Encryption services available for all VSANs
Full RBAC with AAA servers and VSAN-based access control
Integrates management with Cisco FM Server
No additional management software needed, FM Server License not required
Unifies user rights and credentials management
FM Web Client supports provisioning and key management
BRKSAN-2892
PCI DSS Compliance

Considerations
BRKSAN-2892

Presentation_ID.scr
PCI (Payment Card Industry):
Data Security Standard (DSS)
PCI DSS are applicable if a Primary Account

Number is stored, processed or transmitted
The security requirements apply to all system
components, including servers, networks or
application, that are part of or connected to the
cardholder data environment
Adequate network segmentation can reduce the
scope of the cardholder data environment
The following requirement are excepted from the
PCI DSS v1.1, released in September 2006
BRKSAN-2892
Build and Maintain a Secure Network

Requirement 1: Use a firewall to protect cardholder data
Cisco MDS9000 SAN:
Storage protocols are likely used in internal network zone only
Use SNMPv3 and ssh for management
Create a protected internal IP network for iSCSI
Segment the SAN using Virtual SANs
Requirement 2: Do not use vendor-supplied

default password
Cisco MDS9000 SAN:
SANOS can enforce the use of passwords compliant to PCI
BRKSAN-2892

Presentation_ID.scr
Protect Cardholder Data
Requirement 3: Protect stored cardholder data

Cisco MDS9000 SAN:
Deploy SME to protect data at rest
Store the Keys in the Cisco Key Management Server or in
a secure third party Key Manager as RSA KM
VSANs provide additional segmentation and abstraction to
implement the Appendix-B compensating control if needed
Requirement 4: Encrypt data across public networks

Cisco MDS9000 SAN:
Use FCIP over IPSec tunnels for SAN extension
BRKSAN-2892
Maintain a Vulnerability
Management Program
Requirement 5: Anti-virus
Cisco MDS9000 SAN:
Not applicable to SANOS
Requirement 6: Develop and maintain secure

systems and applications
Cisco MDS9000 SAN:
Use a test VSAN to validate any new configuration
before production
SANOS have been developed with secure coding
guidelines and tested against common vulnerability
BRKSAN-2892

Presentation_ID.scr
Implement Strong Access
Control Measures: 1
Requirement 7: Restrict access by business need-to-know
Cisco MDS9000 SAN:
The security features as VSANs, advanced zoning, fabric binding,
port security, FC-SP authentication and RBAC with SNMPv3 and ssh
make MDS9000 the ideal platform to enforce the restricted access
RBAC in particular, if used in conjunction with VSANs, is especially
designed to support a tight partitioning of the physical infrastructure
Requirement 8: Assign a unique ID to each user

Cisco MDS9000 SAN:
Create an individual account for each administrator with
strong password
Authentication can be performed using the external AAA server
of choice (e.g. TACAS+), to implement the desired policy of user
authentication an password management
BRKSAN-2892
Implement Strong Access

Control Measures: 2
Requirement 9: Restrict physical access to

cardholder data
Cisco MDS9000 SAN:
Media can be encrypted using SME, that provides
tools to transfer the key information to share data with
a partner, secure the data transferred via courier
SME can instantaneously “cryptographically shred”
the data without destroying the physical media, that
may be recycled
BRKSAN-2892

Presentation_ID.scr
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network
resources and cardholder data
Cisco MDS9000 SAN:
Fabric Manager Server provides continuous monitor of the SAN, it
allows to establish criteria and thresholds to generate real time alarm
and call home
Syslog offers detailed entries, it may be redirected to a log server to
consolidate monitoring the IT infrastructure
Note that the log never contains application data
Requirement 11: Regularly test security systems and processes
Cisco MDS9000 SAN:
Fabric Manager Server provides the configuration and topology
information needed to design, schedule and execute such a test
BRKSAN-2892
Maintain an Information Security Policy
Requirement 12: Policy that address information

security for employees and contractors
Cisco MDS9000 SAN:
SANOS can automatically disconnect unused
management sessions
RBAC allows a clear responsibility assignment
for administrators
Detailed logging supports a detailed audit
BRKSAN-2892

Presentation_ID.scr
Conclusions
BRKSAN-2892
SAN Security Review

SAN Security Scope
Cisco MDS9000 Security
SAN Management Security (Secure Protocols, RBAC, log)
Fabric and Target Access Security (Fabric Binding, Port
Security, Authentication)
Fabric Protocols Security (VSAN, hardening)
IP Storage Security (authentication, secure transport)
Identity based on certificate
Security for Data at Rest: Storage Media Encryption

Architecture, Key management
Configuration options
PCI DSS Compliance: Requirement analysis

BRKSAN-2892

Presentation_ID.scr
Conclusions
As SANs continue to grow and expand out of the data

center, security becomes increasingly a concern
Cisco offers a comprehensive set of security features in
the MDS 9000 Family
No impact on switch performance
Data path features are all hardware-based
Address management, access, data in flight and data at rest
All security features are securely managed through
Cisco’s Fabric Manager
The adoption of the Cisco MDS 9000 Family security
feature is a step forward in achieving compliance to
applicable regulations
BRKSAN-2892
Other Relevant Sessions

and Useful Links
Sessions relevant to SAN security

Cisco Fabric Manager BRKSAN-????
SME Configuration and Troubleshooting BRKSAN-????
White Papers relevant to SAN security

Cisco MDS 9000 SAN Security
http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps4358/prod_white_
paper0900aecd80281e21_ns513_Networking_Solutions_White_Paper.html
SME Key Management

http://www.cisco.com/ToBeDefined
BRKSAN-2892

Presentation_ID.scr
Q and A
BRKSAN-2892
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press®
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKSAN-2892

Presentation_ID.scr
Complete Your Online
Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes; winners announced daily your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center Solutions or visit
www.cisco-live.com
BRKSAN-2892
BRKSAN-2892

Presentation_ID.scr

Implementing Security For Sans: Brksan-2892

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Implementing Security For Sans: Brksan-2892

Uploaded by

Copyright:

Available Formats

Implementing Security

© 2006, Cisco Systems, Inc. All rights reserved. 1

 SAN Security Scope

 PCI DSS Compliance Considerations

SAN Security Scope

© 2006, Cisco Systems, Inc. All rights reserved. 2

SAN Security Scope

access to management services Host

Fabric Access—Secure device

switch communication protocols Security 5.IP Storage

and iSCSI services

© 2006, Cisco Systems, Inc. All rights reserved. 3

SAN Management Potential Threats

Altered target (and LUN) visibility

© 2006, Cisco Systems, Inc. All rights reserved. 4

Must secure GUI application access RADIUS server

Must also secure file transfer TAC+ Out-of-band Ethernet

Integrated RADIUS for user accounting SNMP Polling

Integrated SYSLOG for switch

denial accounting synchronization

Network time protocol (NTP) support to

Roles-Based Access Control (RBAC)

 Integrated Roles-Based-Access-Control Roles are populated into

Roles include IP storage features (iSCSI/FCIP) Bill – SAN admin

Sally – Storage admin

Reduce infrastructure costs through Fred – Email admin

© 2006, Cisco Systems, Inc. All rights reserved. 5

Authorization, and Accounting) services Dial/VPN servers

 RADIUS—Remote Authentication Dial In Network

Access Control System (based on Database

Freely available from Cisco—similar to RADIUS

Sample Radius Accounting Record

by default, ‘accounting’ records Service-Type

Full RADIUS Accounting Record

© 2006, Cisco Systems, Inc. All rights reserved. 6

RADIUS/TACACS+, Remote SYSLOG, NTP,

 MDS 9000 Family configurations can be Reference

extracted from switches as a flat text file

 Cisco Fabric Manager provides “Fabric Fabric Configuration

Checks all switch configurations against policy

SAN Management Recommendations

2. Use RADIUS or TACACS+ for centralized user account administration

3. Use all secure forms of management protocols—disable others

© 2006, Cisco Systems, Inc. All rights reserved. 7

Fabric and Target Access

© 2006, Cisco Systems, Inc. All rights reserved. 8

 VSAN-based security—only allow F,FL Only F Only

access to devices within attached VSAN ‘Fx_Port’

 Management port access security

management traffic (SNMP, SSH, Telnet, etc.)

Fabric Access Security

 Supports device-to-switch (port security) and switch-to-

 Auto-learning mode to ease initial configuration

© 2006, Cisco Systems, Inc. All rights reserved. 9

fWWN-3 fWWN-4 nWWN-2

Security Group – sw-1

Fabric Access Security: Port Security

Security Group – sw-1

fWWN-3 fWWN-4 nWWN-2

Security Group – sw-1 sw-2

© 2006, Cisco Systems, Inc. All rights reserved. 10

stronger means of ensuring Management

SAN Security Scope

PCI DSS Compliance Considerations

Integrated Roles-Based-Access-Control Roles are populated into

RADIUS—Remote Authentication Dial In Network

MDS 9000 Family configurations can be Reference

Cisco Fabric Manager provides “Fabric Fabric Configuration

VSAN-based security—only allow F,FL Only F Only

Management port access security

Supports device-to-switch (port security) and switch-to-

Auto-learning mode to ease initial configuration

ANSI T11 FC-SP Security TAC+

DH-CHAP provides DH-C

Hard-fix switch port administrative modes to assigned port function

Use VSANs to isolate departments

Use port security features everywhere

Use FC-SP authentication for switch-to-switch fabric access

Zoning is prime mechanism for securing Simple Name Server

Use VSANs to divide and manage individual

Redirects traffic flows after

Transports keys and management

Keys reside in clear-text only

Tape Key Media keys wrapped by Master

Provides option to store media keys on tape

SME creates unique tape header to store

Responsible for provisioning SME Responsible for any recovery

PCI DSS are applicable if a Primary Account