White paper – QLogic 2500 Series Data-at-Rest Encryption Addresses SAN Security Requirements User Manual
HSG-WP08015
FC0032001-00 rev. B 05/12
In the case of planned attacks by unauthorized users (lower right quadrant of Figure 1), it is well known that Fibre Channel SAN security is enforced through physical means and network isolation. The fact that the Fibre Channel SAN is a separate physical network from the LAN offers the first level of protection. The second level of protection is that the SAN is physically protected by controlling physical access to the data center.

Once physical security is instituted in a SAN, the only security exposure is when backup tapes and disk drives leave the data center. This exposes sensitive data to access by an unauthorized user. It is important to encrypt tapes and disk drives, whether they stay in the data center or are stored outside the organization.
Standard SAN Security Techniques
QLogic’s 8Gb Fibre Channel adapters deliver authentication through Fibre Channel Security Protocol (FC-SP) technology. FC-SP is a security framework (defined by the T11 standards group) that includes protocols to enhance Fibre Channel security in several areas, including authentication of Fibre Channel devices, cryptographically secure key exchange, and cryptographically secure communication between Fibre Channel devices. FC-SP protects data in transit throughout the Fibre Channel network.

Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is a secure key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication. DH-CHAP is a secret-based authentication and key management protocol that uses the CHAP algorithm (see RFC 1994) augmented with an optional Diffie-Hellman algorithm (see RFC 2631). DH-CHAP provides bidirectional authentication, and can provide unidirectional authentication, between an authentication initiator and an authentication responder. To authenticate with the DH-CHAP protocol, each entity, identified by a unique name, is provided with a secret.
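The following is an added illustration of the DH-CHAP idea described above (a CHAP challenge-response bound to a Diffie-Hellman shared value, run in both directions); it is not QLogic code and does not reproduce the FC-SP message format. The group parameters, entity names and secrets are constructed toy values, and SHA-256 is an assumed hash choice.

```python
import hashlib
import hmac
import secrets
# Toy Diffie-Hellman group, constructed for illustration only; real
# deployments use the large standardised MODP groups (see RFC 2631).
P = 2**127 - 1   # the Mersenne prime M127
G = 2

# The verifier's table of peer secrets, keyed by each entity's unique name
# (constructed sample names and secrets).
SECRETS = {
    "host-hba-01": b"host-secret-constructed",
    "switch-A": b"switch-secret-constructed",
}

def dh_public(private: int) -> int:
    return pow(G, private, P)

def dh_shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)

def chap_response(name: str, challenge: bytes, shared: int, secret: bytes) -> bytes:
    """CHAP-style hash of identity, challenge and secret (RFC 1994), with the DH
    shared value mixed in so the response is bound to this exchange (SHA-256 here)."""
    return hashlib.sha256(name.encode() + challenge + shared.to_bytes(16, "big") + secret).digest()

def verify(name: str, challenge: bytes, shared: int, response: bytes) -> bool:
    """Check a peer's response against the secret held for its claimed name."""
    secret = SECRETS.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(name, challenge, shared, secret), response)

def dh_chap_exchange(init_name, init_secret, resp_name, resp_secret, x, y, c1, c2):
    """One bidirectional run: x, y are private DH exponents, c1, c2 the challenges
    issued by initiator and responder. Returns (initiator_accepts, responder_accepts)."""
    gx, gy = dh_public(x), dh_public(y)                   # sent in the clear
    k_init, k_resp = dh_shared(gy, x), dh_shared(gx, y)   # equal on both sides
    r1 = chap_response(resp_name, c1, k_resp, resp_secret)  # responder answers c1
    r2 = chap_response(init_name, c2, k_init, init_secret)  # initiator answers c2
    return verify(resp_name, c1, k_init, r1), verify(init_name, c2, k_resp, r2)

if __name__ == "__main__":
    x, y = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    print(dh_chap_exchange("host-hba-01", SECRETS["host-hba-01"],
                           "switch-A", SECRETS["switch-A"], x, y, c1, c2))
    # A host claiming the name but holding the wrong secret is rejected by the switch.
    print(dh_chap_exchange("host-hba-01", b"wrong", "switch-A", SECRETS["switch-A"], x, y, c1, c2))
```

The second run shows the unidirectional case: the impostor still verifies the switch, but the switch refuses the impostor.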
QLogic’s 8Gb Fibre Channel adapters support FC-SP authentication using the DH-CHAP protocol. In addition, QLogic has provided software solutions to expose these features to end users. Using DH-CHAP capabilities through QLogic’s SANsurfer® FC HBA Manager, data center managers can enforce authentication between hosts and switches connected to a Fibre Channel SAN.
SAN management software can limit access by partitioning or segmenting storage resources so that only authorized users or enterprise groups can view certain SAN hardware components. Access control in a Fibre Channel SAN is accomplished through a technology called zoning. Zoning allows users to specify groups of devices that can talk to each other. The primary purpose of zoning is to protect Fibre Channel SAN environments from spoofing attacks, where a malicious system successfully presents itself as a legitimate system and gains access to a protected resource.
Zoning can be accomplished through hardware or software, and is termed hard zoning or soft zoning accordingly.

With hard zoning, also known as port zoning, members of certain zones are allowed to communicate only with certain systems by managing access on a port-by-port basis. The Fibre Channel switch keeps a list of valid port addresses and only allows communication among ports within the same zone. If a port tries to communicate with a port in a different zone, the frames from the non-authorized port are dropped.

Since hard zoning is based on ports, it is more secure and efficient than soft zoning, which uses the World Wide Number (WWN) instead of port numbers. The switch checks the WWNs of the source and destination. Data is forwarded only if the source and destination belong to the same zones. Even though hard zoning is less flexible to manage and configure, it is preferred by SAN administrators because it provides tighter security.
Physical security in a SAN, when combined with the standard SAN security practices described in this section, addresses the major risks faced by customers today.
Adapter Based Encryption: A Solution Looking for a Problem
There isn’t a single comprehensive encryption approach that covers all threats to data-at-rest. Therefore, care must be taken when choosing where to encrypt. Data encryption options come in many forms, including host-based software, encryption hardware appliances, and encryption ASICs that reside on the adapter, switch, RAID controller, and hard drive (see Figure 2). There are cost, interoperability, performance, and latency issues to consider with each of these options.

Figure 2. Components in the I/O Path from Host to Targets