Fibre Channel communication is clear-text. The lack of security built into the different layers of Fibre Channel frames combined with the fact that it is clear-text allows for certain security threats to be very successful.
The lack of encryption at the frame level is not a significant negative issue, considering the amount of performance impact the storage network would have if all frames were encrypted. Furthermore, sniffing is a difficult task in a Fibre Channel SAN since it can only take place if a hardware device is connected to a node in the SAN or if a Cisco MDS switch is comprised and configured to send traffic remotely to the software only sniffer called Ethereal. Nevertheless, the lack of data obfuscation that contains sensitive information can allow unauthorized users to view information that is required to complete an attack. In fact, a key starting point for successful attackers is the ability to sniff clear-text communication, which can be conducted with any traffic analyzer.
Clear-text communication can be viewed as the Achilles' heel of data networks. It satisfies the enormous performance and capacity issues, but it also exposes untrusted entities to sensitive information, including SAN information. For example, clear-text protocols in IP networks, such as Rsh, Rsysnc, Rlogin, FTP, Telnet, SNMP, POP3, SMTP, ARP, and even iSCSI, allow many IP risks and attacks to either be possible or escalated. The fact that sensitive information, such as usernames/password, community strings, message challenges/hashes, and/or route information, traverse clear-text communication mediums allow untrusted users to gain sensitive information without doing anything but tapping the connection.
Many IPv4 administrators overlook clear-text communication due to the false sense of security of switched networks. In IP networks, switch technology makes it more difficult to sniff network communication; however, many attacks, such as the Man-in-the-Middle (MITM) attack, can subvert switched networking, including Fibre Channel switched networking.
Fibre Channel networks can use Fibre Channel Arbitrated Loops (FC-AL) or Fibre Channel switched networks. Sniffing Fibre Channel Arbitrated Loops does not require any MITM tricks because the fabric is a loop (ring) topology, where every connected node on the same loop can view the communication of every other node on the loop. Furthermore, using similar techniques used in IPv4 network, sniffing on a Fibre Channel switch fabric is not an impossible task, but significantly more difficult than an IPv4 network. More discussion of the MITM attacks are discussed later in this chapter, but it is important to note that sniffing on a Fibre Channel fabric is a security risk that may expose the sensitive information that traverses the network in clear-text.
The risk and weaknesses of Fibre Channel start with the clear-text transmission of sensitive information, which directly results in enumeration (the first basic step for an attacker). Enumeration is a phase where an unauthorized user would gather information about the network, architecture, device, or application they want to compromise. The result from this phase is the actual fuel that is used to perform an attack. You'll notice that the enumeration phase is not something shown in Hollywood security films, but the truth is that the enumeration phase of an attack is usually 60 to 80 percent of the process itself. The actual act of performing an attack is less than a quarter of the work. As stated earlier, sniffing the network is the first step in the enumeration phase of attacks, which is used to reveal weaknesses in the network itself.
The results of the enumeration phase determine how triumphant the actual attack will be. For example, if the enumeration phase was able to gain significant information about the network, devices, applications, operating systems, routers, WWNs, and IQNs, then the penetration phase will not only be successful, but might also be far more damaging. Conversely, if the enumeration phase does not yield favorable results for an attacker, the actual penetration phase would be short and probably unsuccessful. Figure 2.3 is a graph that shows the relationship of the enumeration and penetration phase of an attack.
Figure 2.3 Example of a sample attack timeline.
In Figure 2.3, notice the direct relationship between the enumeration phase results and the attack success. As more success occurs in the enumeration phase, the likelihood of success in the attack process increases.
Now that we have established that enumeration is a very critical step in an attack, the problems with clear-text communication leaking an abundance of sensitive information should be understood. The next question to address is exactly what sensitive information in the Fibre Channel frame can actually be used in a possible attack? The following list describes several of the items that an unauthorized user can enumerate from a node connected to the SAN. Each of these entities gives ammunition to attackers to complete a successful attack:
- Fabric name
- Domain identification
- Switch name server information
- Session sequence control number
- Session sequence IDs
- World Wide Names used in the fabric
- Layer-2 frame information
- 24-bit addresses
- Routing information (destination and source IDs)
- Management information (such as SES and FC-SNMP)
The enumeration of a Fibre Channel SAN does not equate into data compromise, but it does significantly help the process. As an attacker tries to gain enough information to perform an attack, he or she will need to enumerate the target before any attack can be executed. Conversely, not all enumeration is negative. An organization may send clear- text information over the network that is not considered to be sensitive; such as Exchange IDs from Fibre Channel frames. The proper exercise of data classification should be conducted, as discussed in Chapter 1, "Introduction to Storage Security," to determine what type of data that traverses the network is consider public or private.
Use the following table of contents to navigate to chapter excerpts or click here to view SANs: Fibre Channel Security in its entirety.
Securing Storage: A Practical Guide to SAN and NAS Security
Home: SANs: Fibre Channel Security: Introduction
1: SAN risks
2:Fibre Channel risks
5:Fibre Channel frame weaknesses
6:Session hijacking: assessment exercise
7:Fibre Channel address weaknesses
8: Fibre Channel man-in-the-middle attacks
9: Fibre Channel address weaknesses: assessment exercise
|About the book:|
|Securing Storage: A Practical Guide to SAN and NAS Security is an indispensable resource for every storage and security professional, and for anyone responsible for IT infrastructure, from architects and network designers to administrators. You've invested heavily in securing your applications, operating systems, and network infrastructure. But you may have left one crucial set of systems unprotected: your SAN, NAS, and iSCSI storage systems. Securing Storage reveals why these systems aren't nearly as secure as you think they are, and presents proven best practices for hardening them against more than 25 different attacks. Purchase Securing Storage: A Practical Guide to SAN and NAS Security the book from Addison-Wesley Publishing|
|About the author:|
|Himanshu Dwivedi is a founding partner of iSEC Partners, a digital security services and products organization. Before forming iSEC Partners, Himanshu was the Technical Director for @stake s San Francisco security practice, a leader in application and network security. His professional experience includes application programming, infrastructure security, and secure product design with an emphasis on storage risk assessment.|