Risk always starts with a threat. Threats can be broken up into three basic levels. The first level of threats is unintentional and due to accidents or mistakes. While not intentional, these threats are common and can cause downtime and loss of revenue. The second level of threats is a simple malicious attack that uses existing equipment and possibly some easily obtainable information. These attacks are less common but are intentional in nature and are usually from internal sources. The third level of threat is the large scale attack that requires an uncommon level of sophistication and equipment to execute the attack. A third level attack is usually from an outside source and requires access, either physically or virtually. Third level attacks are extremely rare in SANs today and may take considerable knowledge and skill to execute. Table 1 summarizes the three levels of threat.

Level 1 attacks are unintentional and are usually the result of common mistakes. A classic example of a Level 1 attack is connecting a device to the wrong port. While unintentional, a miscabling could allow a device to have unauthorized access to data or cause a disk drive to be improperly formatted. The incorrect connection could even join two fabrics that could enable hundreds of ports to be accidentally accessed. The unfortunate aspect of this attack is that it can be executed with little skill or thought. Fortunately, Level 1 threats are the easiest to prevent.

Level 2 threats are distinguished by the fact that someone maliciously tries to steal data or cause disruption of service. The variety of Level 2 attacks increases as the intruder (anyone initiating the attack) is attempting to circumvent barriers. An intruder impersonating an authorized user would be a common Level 2 attack. To prevent a Level 2 threat, the SAN will need to add processes and technology to foil the attack.

Level 3 threats are the most troublesome. These are large-scale offensives that are usually perpetrated by an external source with expensive equipment and sophistication. An example of this attack would be installing a Fibre Channel analyzer that monitors traffic on a link. Equipment to crack authentication secrets or encrypted data would be another example of a Level 3 attack. These cloak and dagger type attacks are difficult to accomplish and require uncommon knowledge and a serious commitment to perpetrate the attack. Level 3 attacks are rare and complex and are beyond the scope of this white paper.


The three levels of attack are helpful in categorizing threats, but an in-depth analysis is required to address each threat. The next section will enable a systematic approach to dealing with individual threats.

Administrator's Perspective - Storage Network Points of Attack

Threats to storage networks come from many places. Each point of attack may be used as a stepping-stone for later attacks. To provide high levels of security, several checkpoints should be placed between the intruder and the data. The various points of attack are helpful in identifying security method to thwart different attacks. Similar to how castles have several defense mechanisms to defend against invaders, the enterprise should install many barriers to prevent attacks.