How To Protect Yourself from Fibre Channel Insecurity
Vendor and end-user ignorance perpetuate security holes, security architect warns
Think Fibre Channel—that super-fast standard used in storage and storage area networks—is secure? Think again, says @stake managing security architect Himanshu Dwivedi. Security Strategies talked with him about Fibre Channel security vulnerabilities and the inability of vendors to communicate maximum-security configurations of common tools.
Dwivedi also explains how the industry can improve Fibre Channel security, and best practices for users until then.
When did you begin looking into Fibre Channel security?
I started doing some research on the storage area market about three to four years ago, when I became aware of these issues within the storage area network management area, specifically Fibre Channel security.
What are key attacks?
Some of the key attacks have to deal with getting access in a storage area network without getting permission, and there are several ways of doing that, because the devices assume only trusted and authorized users will get access. And in any situation where there's an untrusted user, these vendors have little way to double check [identity].
What are the general security issues?
There are three issues in storage area networks—HBAs [Host Bus Adapters], session hijacking, and man-in-the-middle attacks. The first is HBAs—they're a NIC [network interface card] in the Fibre Channel world. Each HBA has a number, and that's similar to a MAC [Media Access Control] address in the network world. One of the major issues is that these HBA addresses are used for access control. Yet if you spoof it, you can have access to a set of data or storage that you shouldn't have access to.
Is spoofing the HBA easy?
Changing your name is a key feature of these HBAs, in the software. For functionality and ease of use, the vendors support this feature. [Of course] the issue is that if you change your worldwide name and reboot, all of a sudden you’ll have access to someone else's data that you shouldn't.
What uses HBA?
The worldwide IDs that are used [for] zoning and unmasking. Both are great segmentation tools. However, over 90 percent of the zoning and unmasking tools out there depend upon worldwide names. So … if someone changes their worldwide name, they could not only divert any zoning properties, but any unmasking. And while there are segmentation and pseudo-security tools, they all depend upon this inherently weak security.
Do these tools have any additional security?
The zoning and unmasking utilities, while they're great for segmentation, do not do enforcement. There are two kinds of zoning—soft zoning, where if an inappropriate node tries to access something it shouldn't, yet knows how to get there, then it will still get there. So it's really not a security utility. If it [were] a security tool it would be used for restriction. On the other hand, hard zoning does do restriction. It will prevent access to certain nodes based on authorization. However, 90 percent of the zoning on the market today is soft.
Why the lack of security?
The vendors who set them up don't understand the difference between hard and soft zoning. It's a lot easier to set up soft zoning, and a lot of management software cannot use hard zoning; it doesn’t support it.
What about add-ons?
There are a lot of things you can do today, including Brocade, Legato, even EMC, but the aspects of these are not being communicated to the end users. For some reason, customers are not being exposed to the strongest security settings available.
Isn’t it the vendors’ responsibility to do that?
[Take] one of the switch vendors I work with. [It] has a lot of good security features, but [employees weren’t] aware of the security features they offer to their customers. It was surprising, again, when you're thinking about implementation, you're thinking about getting it functioning, that makes sense. However [many users think] that it's Fibre Channel, so it must be secure; security by obscurity. So when people do Fibre Channel … they just don't think there are any issues. However it's quite trivial to get data in a Fibre Channel, as opposed to the three or four separate attacks you'd have to complete in an IP network [to steal equivalent amounts of data].
What about unmasking?
Without going into too much detail, unmasking depends upon worldwide names. It should not be used as a security utility—it should be used as a segmentation utility. But, again, this is one of the things that companies use to mask off data, but again it's easy to access that data.
What about session hijacking?
The same [weaknesses] found in IP are found in Fibre Channel. If you have some kind of connection to a session, you can basically hijack that, get access to the session. However … it does require some background in how the architecture works. Again, any security technologist would be able to figure that out quite easily, because it's an attack that’s been out there in the IP world for 10 years.
What about man-in-the-middle attacks?
That allows an unauthorized user to insert themselves between two authorized nodes and get access, whether to just get data or to alter it. While that attack is theoretically possible, the problem is that the unauthorized users would make themselves into a switch in the Fibre Channel. In an IP network, speed is not an issue, but when you’re talking about up to two gigabytes per second [with Fibre], it's very hard to support those speeds on a Windows operating system.
So it’s not the simplest way of capturing information?
While it’s not a simple attack, it's still possible. [And] there are things that we should be doing today to mitigate these issues. The important thing is that there are significant weaknesses out there that [we] could really mitigate before the exposures become widespread.
What’s on the market now to better secure Fibre Channel installations?
Brocade and McData both have secure versions of their switches, which offer a lot of security tools. The reason you see so many solutions with authentication is that as of today, there is no authentication within Fibre Channel. So when you talk about the three core parts of security in anything—authentication, authorization, and encryption—[with Fibre] you’ve got no authentication, weak authorization, and limited to no encryption.
What are best security practices for current Fibre users?
Secure switches, and you don't even necessarily have to use the secure switches. [Use] hard zoning, … and things like port allocation, where you allocate based on physical ports on the switch, not worldwide names. So if you spoof or change your worldwide name, basically the attack wouldn’t work, because it's not looking at the worldwide name, it's looking at the physical port. Those are things you can do without the secure versions of the switches. Unfortunately, in my opinion, the secure versions of the switches cost more.
Hard zoning isn’t onerous?
The thing is you talk about hard zoning which takes more time, and there’s no doubt about that, however if your SAN is not dynamic, meaning you're not changing things every day or month, then hard and soft zoning will seem the same to you for set-up. Vendors say hard zoning is difficult if you change things. My pushback: how often would you really change your storage area network after you've set it up?
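As an added example (not the interview's or any vendor's code), a small audit that applies the advice above: it reads a zoning configuration and flags every zone that admits a member by worldwide name, since such a member can be matched by any HBA whose name is changed, while port-based members cannot. The config format, the zone names and the sample WWN are constructed for this example.

```python
# Added example (not from the interview or any vendor): audit a zoning
# config and flag zones whose members are World Wide Names rather than
# physical switch ports. As the interview notes, a WWN member can be
# spoofed by renaming an HBA; only port members enforce access.
# The "zone NAME / member port D/P / member wwn XX:.." format is constructed.
import re

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d+/\d+$")  # constructed "domain/port" notation


def parse_zones(text: str) -> dict:
    """Return {zone: {"port": [...], "wwn": [...]}}; rejects malformed members."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        if kind == "zone":
            current = zones.setdefault(rest, {"port": [], "wwn": []})
        elif kind == "member" and current is not None:
            mtype, _, value = rest.partition(" ")
            if mtype == "port" and PORT_RE.match(value):
                current["port"].append(value)
            elif mtype == "wwn" and WWN_RE.match(value):
                current["wwn"].append(value.lower())
            else:
                raise ValueError(f"malformed member: {line}")
    return zones


def audit(text: str) -> dict:
    """Map zone -> list of spoofable WWN members; [] means port-enforced."""
    return {name: m["wwn"] for name, m in parse_zones(text).items()}


SAMPLE = """\
# constructed sample: db_zone is port-only, backup_zone admits a WWN
zone db_zone
member port 1/4
member port 1/9
zone backup_zone
member wwn 10:00:00:00:C9:AB:CD:01
member port 2/3
"""

if __name__ == "__main__":
    for name, wwns in audit(SAMPLE).items():
        print(name, "port-enforced" if not wwns else f"WWN members: {wwns}")
```

A zone with any WWN member is reported even when it also has port members, because a single spoofable member is enough to admit an unauthorized HBA.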
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.