[Comp.Sci.Dept, Utrecht] Note from archiver<at>cs.uu.nl: This page is part of a big collection of Usenet postings, archived here for your convenience. For matters concerning the content of this page, please contact its author(s); use the source, if all else fails. For matters concerning the archive as a whole, please refer to the archive description or contact the archiver.

Subject: SAN (Storage Area Network) Security FAQ Revision 2004/03/01 - Part 1/1

This article was archived around: NNTP-Posting-Mon, 01 Mar 2004 09:00:53 GMT

All FAQs in Directory: comp.arch.storage
All FAQs posted in: comp.arch.storage
Source: Usenet Version

From: will.spencer@sansecurity.com (Will Spencer) Newsgroups: comp.arch.storage,comp.answers,news.answers Subject: SAN (Storage Area Network) Security FAQ Revision 2004/03/01 - Part 1/1 Followup-To: comp.arch.storage Approved: news-answers-request@MIT.EDU Reply-To: will.spencer@sansecurity.com (FAQ Comments address) Summary: This posting contains a list of Frequently Asked Questions (and their answers) about SAN (Storage Area Network) Security.
Archive-Name: comp.arch.storage/san-security-faq Posting-Frequency: Monthly Last-Modified: 2004/03/01 Version: 2004/03/01 URL: http://www.sansecurity.com/faq.shtml Welcome to the comp.arch.storage SAN (Storage Area Network) Security FAQ: Answers to Frequently Asked Questions about SAN (Storage Area Network) Security. The SAN (Storage Area Network) Security FAQ is on the World Wide Web at http://www.sansecurity.com/faq.shtml The contents of the comp.arch.storage SAN (Storage Area Network) Security FAQ include: ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#LUN-masking What is LUN masking? LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts. LUN Masking is implemented primarily at the HBA (Host Bus Adapater) level. LUN Masking implemented at this level is vulnerable to any attack that compromises the HBA. Some storage controllers also support LUN Masking. LUN Masking is important because Windows based servers attempt to write volume labels to all available LUN's. This can render the LUN's unusable by other operating systems and can result in data loss. ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#zoning What is zoning? Zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric. These zones may be utlized to implement compatmentalization of data for security purposes. Each device may be placed into multiple zones. ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#hard-soft-zoning What are the two types of zoning? The two types of zoning in a fabric environment are port zoning and WWN Zoning. Port zoning uses zones by physical ports. WWN (World Wide Name) zoning uses name servers in the switches to either allow or block access to particular WWNs in the fabric. Port zoning is more secure; WWN zoning is common. A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information. WWN zoning susceptible to unauthorized access, as the zone can be bypassed if someone knows the IEEE address of the adapter and does an access directly to the node. ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#SAN-attacks What are the classes of attacks against SANs? Snooping: Mallory reads data Alice sent to Bob in private Allows access to data Spoofing: Mallory fools Alice into thinking that he is Bob Allows access to or destruction of data Denial of Service: Mallory crashes or floods Bob or Alice Reduces availability ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#FCP-Fiber-Channel-attacks What are some attacks against FCP? Node Name / Port Name spoofing at Port Login time Source Port ID spoofing on dataless FCP commands Snooping and spoofing on FC-AL Snooping and Spoofing after Fabric reconfiguration Denial of Service attacks can be made in User mode ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#FCAP-Fibre-Channel-Authentication-Protocol What is FCAP (Fibre Channel Authentication Protocol)? FCAP is an optional authentication mechanism employed between any two devices or entities on a Fibre Channel network using certificates or optional keys. ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#FCPAP-Fibre-Channel-Password-Authentication-Protocol What is FCPAP (Fibre Channel Password Authentication Protocol)? FCPAP is an optional authentication mechanism employed between any two devices or entities on a Fibre Channel network using secure remote password (SRP). ----------------------------------------------------------------------- http://www.sansecurity.com/faq.shtml#SLAP-Switch-Link-Authentication-Protocol What is SLAP (Switch Link Authentication Protocol)? SLAP is an authentication method for Fibre Channel switches which utilizes digital certificates to authenticate switch ports. SLAP was designed to prevent the unauthorized addition of switches into a Fibre Channel network.