Monday, August 31, 2009

Storage Area Networks Security

One might be thinking of their storage networks (FC) to be bullet-proof as nobody can hack into it primarily since it is on a private network which is also FibreChannel. Let us look into the various scenarios of storage security and how they can be hacked. I am not trying to say that storage networks are insecure, rather the other way round trying to convince that it is extremely difficult to do that.

Several tools that are provided by the vendors of HBAs makes the tasks quite easy to accomplish few of the hacks, but still physical access is required to accomplish most of the hacks.

World Wide Name (WWN) spoofing – It is the way of bypassing authorization methods in a SAN. Resources in SAN are allocated based on WWN and if someone spoofs a WWN of a HBA to the WWN of another authorized HBA, LUNs that are assigned/allocated to that HBA will be granted to the unauthorized HBA. This is more commonly referred to as DOS attack also, except in this case you can also end up with access to the storage devices.

Name Server Pollution – It is the process of corrupting the name server information on a Fibre Channel switch (Switch-NS) during a PLOGI or FLOGI (port or fabric login) by a client node to a SAN fabric. The pWWN can be spoofed to match that of an authorized one. Once the name server information is polluted, frames can be sent to an authorized entity. This requires sophisticated software and hardware..

Session hijacking – It is the act of intercepting Fibre Channel sessions between two trusting entities by guessing the predictable sequence control number and static sequence ID of a Fibre Channel frame that controls the session. Once an unauthorized user has hijacked the session, sessions (such as management session) can be controlled from an unauthorized resource.

LUN mask subversion – is the act of changing/modifying the masking properties that have been implemented on a particular node by spoofing a node’s WWN or simply changing LUN masking properties on the management client, which does not require authentication.

F-port replication – This occurs when an attacker can copy all the data from one host port to another host port that he or she controls using intelligent switch features, which does not need authentication.

Attack Points:
Any OS that has an IP connection and a Fibre Channel connection (HBA) can be a gateway to the FC SAN.

If any server has been infected with virus, worm or Trojan, then it can also be compromised by an attacker and be used as the gateway into the SAN.

Ethernet interfaces (management interfaces) on all FC switches connected to the SAN are attack points for SAN enumeration.

No comments:

Post a Comment