How to secure an FC SAN with basic preventive measures
By Khoo Boo Leong | Dec 18, 2008
There is a misconception among storage system administrators and operators that implementing security for a storage area network (SAN) is difficult and complex. But it really doesn’t have to get very complicated, according to Roger Bouchard, a global solutions architect and security subject matter expert at Brocade.
Disable unused ports
Simple preventive measures can go a long way toward securing the SAN and thwarting many types of attacks. A good first step is to persistently disable all unused ports on the SAN switches. “From my audits, most enterprises don’t do that,” said Bouchard. “If you connect a new Brocade switch to an existing SAN fabric and turn it on, you can automatically download all the configuration information and get a new domain ID.”
While this capability is great for an administrator, it’s a major area of concern from a security point of view. “Anybody can walk into the data center with a switch, plug it into the SAN, boot it up and with the root password on the switch, the intruder will have root privileges and complete control over the entire SAN. So, if you had only disabled all the unused ports, the new switch plugged into an unused port will not work.”
To ensure unused ports are disabled, Brocade has introduced the persistent port disable feature on its SAN switches. This feature also ensures disabled ports are not reactivated when the switch is rebooted.
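The check behind the advice above, as an added example that is not part of the original article or Brocade's own tooling: parse a `switchshow`-style port table, flag every port with nothing attached that is not persistently disabled (a plain `portdisable` is lost at reboot, which is the gap persistent disable closes), and emit the remediation commands. The sample listing is constructed to approximate the Fabric OS `switchshow` layout, and the `Disabled (Persistent)` marker and the `portcfgpersistentdisable <port>` syntax are assumptions about that firmware; adapt the regex to what your switch actually prints.

```python
"""Audit a switchshow-style port table for unused ports that would still
accept a newly attached device.  Added example; the listing below is
constructed, not captured from a real switch."""

import re

# Constructed sample in the switchshow port-table layout (assumption).
SAMPLE_SWITCHSHOW = """\
switchName:     edge-sw1
switchState:    Online

Index Port Address  Media Speed State     Proto
==================================================
  0   0   010000   id    N8   Online      FC  F-Port  10:00:00:05:1e:aa:bb:01
  1   1   010100   id    N8   No_Light    FC
  2   2   010200   --    N8   No_Module   FC
  3   3   010300   id    N8   No_Light    FC  Disabled (Persistent)
  4   4   010400   --    N8   No_Module   FC  Disabled
  5   5   010500   id    N8   Online      FC  E-Port  10:00:00:05:1e:cc:dd:02 "core-sw1"
"""

# index, port, address, media, speed, state, proto, then free-form detail.
PORT_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{6})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)

# States meaning nothing is attached: no transceiver or no link signal.
UNUSED_STATES = {"No_Light", "No_Module", "No_Sync"}


def parse_ports(text):
    """Return one dict per port line found in a switchshow dump."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, separator and switch-attribute lines
        _index, port, _addr, _media, _speed, state, proto, rest = m.groups()
        rest = rest.strip()
        ports.append({
            "port": int(port),
            "state": state,
            "proto": proto,
            # 'Disabled (Persistent)' marker is an assumption about the format.
            "persistent_disabled": "Disabled (Persistent)" in rest,
            "disabled": "Disabled" in rest,
            "detail": rest,
        })
    return ports


def find_exposed_ports(text):
    """Unused ports that are not persistently disabled.  A port that is only
    'Disabled' is flagged as well, because that state does not survive a
    reboot; only the persistent form does."""
    return [
        p["port"]
        for p in parse_ports(text)
        if p["state"] in UNUSED_STATES and not p["persistent_disabled"]
    ]


def remediation_commands(ports):
    """CLI lines to close the gap (command syntax is an assumption)."""
    return [f"portcfgpersistentdisable {port}" for port in ports]


if __name__ == "__main__":
    exposed = find_exposed_ports(SAMPLE_SWITCHSHOW)
    print("exposed ports:", exposed)
    for cmd in remediation_commands(exposed):
        print(cmd)
```

Run against a real dump by piping `switchshow` output into `find_exposed_ports`; anything the script reports is a free port a stranger's switch could join the fabric through, which is exactly the scenario Bouchard describes.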
Log in securely
Specifically for Fibre Channel (FC) SANs, another simple security procedure is to use Secure Shell (SSH) instead of Telnet to log in to the SAN switches. While the FC protocol is relatively secure from hackers, the Achilles heel is the TCP/IP protocol used by the switches’ management interfaces.
“Since TCP/IP is so well known by hackers, I believe the management interfaces are very vulnerable,” said Bouchard. “So, use secure protocols in the transfer of information. Instead of using telnet, which is clear text, use SSH and all the information will be encrypted to prevent anyone from sniffing the password or the account. It’s not any harder to type in ‘SSH’ than to type in ‘telnet’. You may have to do a couple more things when you set up the SSH client, but most companies want you to use SSH anyway when you log in to the server.”
Brocade switches can be hardened by disabling unneeded TCP/IP ports and services such as SNMP, telnet and HTTP. In many cases, organizations should replace these services with more secure protocols such as SSHv2 and SSL/HTTPS to encrypt the management sessions. Organizations should also use SNMPv3 to manage the switches, since it supports encrypted community strings along with many other features.
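A way to verify that the clear-text services above really are out of use, as an added example that is not from the article or from Brocade: run connection records against the switch management addresses and flag any telnet, HTTP or SNMP session, naming the encrypted replacement for each. The CSV records and the management IPs are constructed for the example (assumptions); map the columns onto your own flow, firewall or switch audit logs. Note that a udp/161 flow alone cannot distinguish SNMPv1/v2c from SNMPv3, so that finding is a prompt to confirm the switch's SNMP configuration rather than proof of a clear-text session.

```python
"""Detect clear-text management protocols aimed at SAN switch management
interfaces.  Added example; all addresses and records are constructed."""

import csv
import io

# Constructed: management addresses of the fabric switches (assumption).
SWITCH_MGMT_IPS = {"10.20.0.11", "10.20.0.12"}

# (proto, dport) -> (service name, what to use instead)
CLEARTEXT_SERVICES = {
    ("tcp", 23): ("telnet", "SSHv2 on tcp/22"),
    ("tcp", 80): ("http", "HTTPS on tcp/443"),
    # Port 161 carries every SNMP version; the record cannot show which.
    ("udp", 161): ("snmp", "SNMPv3 (confirm the switch only accepts v3)"),
}

# Constructed flow records: timestamp,src,dst,proto,dport
SAMPLE_FLOWS = """\
timestamp,src,dst,proto,dport
2008-12-18T09:00:01,10.1.5.20,10.20.0.11,tcp,22
2008-12-18T09:00:07,10.1.5.20,10.20.0.12,tcp,23
2008-12-18T09:01:15,10.1.5.31,10.20.0.11,tcp,80
2008-12-18T09:02:40,10.1.9.8,10.20.0.11,udp,161
2008-12-18T09:03:02,10.1.5.20,10.1.5.99,tcp,23
2008-12-18T09:04:11,10.1.5.31,10.20.0.12,tcp,443
"""


def find_cleartext_mgmt(flow_csv, mgmt_ips=SWITCH_MGMT_IPS):
    """One finding per flow that uses a clear-text management protocol
    against a switch management address.  Flows to other hosts (the tcp/23
    row to 10.1.5.99 in the sample) are outside this check and skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst"] not in mgmt_ips:
            continue
        key = (row["proto"].lower(), int(row["dport"]))
        if key not in CLEARTEXT_SERVICES:
            continue  # ssh, https and anything else not on the list
        service, replacement = CLEARTEXT_SERVICES[key]
        findings.append({
            "time": row["timestamp"],
            "src": row["src"],
            "switch": row["dst"],
            "service": service,
            "use_instead": replacement,
        })
    return findings


def summarize(findings):
    """Count findings per (switch, service) so a report shows which switch
    still has which clear-text service in use."""
    counts = {}
    for f in findings:
        key = (f["switch"], f["service"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_cleartext_mgmt(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['switch']} {h['service']}: "
              f"use {h['use_instead']}")
    print(summarize(hits))
```

The summary feeds straight into a hardening checklist: each (switch, service) pair that appears is a service still enabled on that switch, and the fix is to disable it on the switch and move the client to the encrypted replacement listed in the finding.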
I think more companies would be tapping on to cloud computing and they would more likely look at integrating VPN with SANs.
______________________
Edmund Ng
Seo Singapore