Risks of Fibre Channel
Risks in Fibre Channel? There are no risks in Fibre Channel, right? Wrong. The Fibre Channel protocol lacks several of the controls that secure transmission requires. Several of its weaknesses mirror those of IP version 4 (IPv4) and have simply been repeated in Fibre Channel. This section discusses the following topics:
- Description of Fibre Channel
- Clear-text communication
Description of Fibre Channel
To understand the security issues with Fibre Channel SANs, we should first discuss the architecture of Fibre Channel communications. Fibre Channel carries frames from one node to another (much as IP networks carry packets). The protocol is organized into five layers, each of which works with the layer below and the layer above to provide a different function within a Fibre Channel topology. Most SANs use either a switched Fibre Channel topology, similar to a switched IP network, or a Fibre Channel arbitrated loop (FC-AL). In either topology, each layer performs a specific function depending on the architecture that has been deployed. The five layers of Fibre Channel are as follows:
- Upper Layer Protocol Mapping—FC Layer 4
- Common Services Layer—FC Layer 3
- Signaling/Framing Layer—FC Layer 2
- Transmission Layer—FC Layer 1
- Physical Layer—FC Layer 0
As in an IP network, Fibre Channel works upward from the physical layer, layer 0, to the upper layers. The similarities between the two communication methods largely end at the physical layer; however, they share similar security weaknesses, and both lack basic security controls. Several IP weaknesses have turned into vulnerabilities and exploits, and several of the same attack types are also possible against Fibre Channel frames. The weaknesses in Fibre Channel frames specifically target Fibre Channel layer 2, the framing/flow control layer, which corresponds roughly to the data link and network layers (layers 2 and 3) of an IP packet. The two are close in terms of security weaknesses: both lack authentication, authorization, integrity and encryption. Figure 2.1 shows the five layers of Fibre Channel.
Figure 2.1 Five layers of a Fibre Channel frame.
Fibre Channel layer 2, the framing protocol/flow control layer, is the primary target when addressing frame security weaknesses. Fibre Channel layer 2 defines the 24-byte header carried by each frame, and that header is where several of the security weaknesses lie. The header contains the 24-bit fabric address (also known as the port ID) of the source node, the 24-bit address of the destination node, the sequence identifier, the sequence count, and the exchange identifiers. The following fields are located within the frame header:
- Source Address (S_ID) -- A 24-bit fabric address identifying the node that sent the frame; used when routing frames.
- Destination Address (D_ID) -- A 24-bit fabric address identifying the node the frame is routed to.
- Sequence ID (SEQ_ID) -- A number transmitted with each frame that identifies the sequence the frame belongs to. Every frame in the same sequence carries the same SEQ_ID.
- Sequence Count (SEQ_CNT) -- A number that identifies individual frames within a sequence. SEQ_CNT is incremented by 1 for each frame transmitted in the sequence, allowing the receiver to arrange the frames in the correct order.
- Exchange ID -- Identifies the exchange (a set of related sequences, such as a SCSI command and its response) that the frame belongs to. Each end of the exchange assigns its own identifier, and both are carried in every frame:
- Originator Exchange ID (OX_ID) -- The exchange identifier assigned by the node that opened the exchange.
- Recipient Exchange ID (RX_ID) -- The exchange identifier assigned by the responding node.
- Type -- A one-byte field identifying the upper-layer protocol carried in the frame (for example, SCSI-FCP).
- Routing Control (R_CTL) -- A one-byte field whose upper bits are the routing bits, which indicate the kind of frame (such as device data), and whose lower bits are the information category, which tells the receiver what type of data the frame contains.
Each node on a SAN fabric has a 24-bit fabric address that is used for a variety of things, including routing and name server lookups. (Note: do not confuse the 24-bit fabric address, which the fabric assigns when the node logs in, with the 64-bit World Wide Name (WWN) that belongs to the HBA.) Just as an IP address is used to route packets, the 24-bit fabric address is used to route frames from one node to another.
Figure 2.2 shows an example of the header information in Fibre Channel layer 2.
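The header layout described above, as an added Python example (not code from the book or its author): it packs and parses the standard 24-byte FC-2 frame header in the field order R_CTL, D_ID, CS_CTL, S_ID, TYPE, F_CTL, SEQ_ID, DF_CTL, SEQ_CNT, OX_ID, RX_ID, Parameter, and then rewrites S_ID in a frame to show the point the text makes: no field in the header ties the source address to the node that actually sent the frame, so a forged header parses exactly like a genuine one. The sample frame, its addresses (01.02.03 and 01.04.05), OX_ID 0x1234 and the zero payload are constructed for the example.

```python
"""Pack and parse the 24-byte Fibre Channel FC-2 frame header.

Added example; not code from the book. Field order and widths follow the
standard FC-2 header. All sample values below are constructed.
"""
import struct
from dataclasses import dataclass

HEADER_FMT = ">B3sB3sB3sBBHHHI"        # big-endian, 24 bytes in total
HEADER_LEN = struct.calcsize(HEADER_FMT)


def fabric_addr(addr: int) -> str:
    """Render a 24-bit fabric address (N_Port ID) as domain.area.port."""
    return "%02x.%02x.%02x" % ((addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF)


@dataclass
class FcHeader:
    r_ctl: int      # routing bits (high nibble) + information category (low nibble)
    d_id: int       # 24-bit destination fabric address
    cs_ctl: int     # class-specific control
    s_id: int       # 24-bit source fabric address; nothing authenticates it
    fc_type: int    # upper-layer protocol, 0x08 = SCSI-FCP
    f_ctl: int      # 24-bit frame control
    seq_id: int     # same value for every frame of one sequence
    df_ctl: int     # data field control
    seq_cnt: int    # incremented by one per frame within the sequence
    ox_id: int      # exchange ID assigned by the originator
    rx_id: int      # exchange ID assigned by the responder (0xFFFF until assigned)
    parameter: int

    @property
    def routing_bits(self) -> int:
        return self.r_ctl >> 4

    @property
    def info_category(self) -> int:
        return self.r_ctl & 0x0F

    def pack(self) -> bytes:
        return struct.pack(
            HEADER_FMT,
            self.r_ctl, self.d_id.to_bytes(3, "big"), self.cs_ctl,
            self.s_id.to_bytes(3, "big"), self.fc_type, self.f_ctl.to_bytes(3, "big"),
            self.seq_id, self.df_ctl, self.seq_cnt, self.ox_id, self.rx_id,
            self.parameter,
        )

    @classmethod
    def unpack(cls, data: bytes) -> "FcHeader":
        if len(data) < HEADER_LEN:
            raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(data)))
        (r_ctl, d_id, cs_ctl, s_id, fc_type, f_ctl, seq_id, df_ctl,
         seq_cnt, ox_id, rx_id, parameter) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
        return cls(r_ctl, int.from_bytes(d_id, "big"), cs_ctl,
                   int.from_bytes(s_id, "big"), fc_type, int.from_bytes(f_ctl, "big"),
                   seq_id, df_ctl, seq_cnt, ox_id, rx_id, parameter)


def spoof_source(frame: bytes, new_s_id: int) -> bytes:
    """Rewrite S_ID in an otherwise untouched frame.

    The header carries no authentication or integrity field, so the
    rewritten header is structurally indistinguishable from the original.
    """
    hdr = FcHeader.unpack(frame)
    hdr.s_id = new_s_id
    return hdr.pack() + frame[HEADER_LEN:]


# Constructed sample: first frame of an FCP command (R_CTL 0x06 = device data,
# unsolicited command) from host 01.02.03 to target 01.04.05, zero-filled payload.
SAMPLE = FcHeader(
    r_ctl=0x06, d_id=0x010405, cs_ctl=0, s_id=0x010203, fc_type=0x08,
    f_ctl=0x290000, seq_id=0x01, df_ctl=0, seq_cnt=0, ox_id=0x1234,
    rx_id=0xFFFF, parameter=0,
).pack() + b"\x00" * 32


if __name__ == "__main__":
    h = FcHeader.unpack(SAMPLE)
    print("S_ID %s -> D_ID %s TYPE 0x%02x OX_ID 0x%04x SEQ_ID %d SEQ_CNT %d"
          % (fabric_addr(h.s_id), fabric_addr(h.d_id), h.fc_type, h.ox_id, h.seq_id, h.seq_cnt))
    forged = spoof_source(SAMPLE, 0x010609)
    print("forged S_ID", fabric_addr(FcHeader.unpack(forged).s_id))
```

The parser accepts the forged frame without complaint because the only thing it can check is that 24 bytes are present in the right layout; there is no checksum over the header fields and no credential behind S_ID. Any control that is supposed to reject such a frame has to come from outside the frame format (for example, switch port or fabric-level policy), which is what the later sections on address weaknesses and man-in-the-middle attacks are about.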
About the book: Securing Storage: A Practical Guide to SAN and NAS Security (Addison-Wesley) is a resource for storage and security professionals, and for anyone responsible for IT infrastructure, from architects and network designers to administrators. You have invested heavily in securing your applications, operating systems, and network infrastructure, but you may have left one crucial set of systems unprotected: your SAN, NAS, and iSCSI storage systems. Securing Storage explains why these systems are not nearly as secure as you think they are, and presents best practices for hardening them against more than 25 different attacks. About the author: Himanshu Dwivedi is a founding partner of iSEC Partners, a digital security services and products organization. Before forming iSEC Partners, Himanshu was the Technical Director for @stake's San Francisco security practice, a leader in application and network security. His professional experience includes application programming, infrastructure security, and secure product design with an emphasis on storage risk assessment.