- Unauthorized Access
Unauthorized access is the most common security threat because it can run the gamut of Level 1 to Level 3 threats. An unauthorized access may be as simple as plugging in the wrong cable or as complex as attaching a compromised server to the fabric. Unauthorized access leads to other forms of attack, and is a good place to start the discussion of threats.
Access can be controlled at the following points of attack:
1. Out-of-Band Management Application – Switches have non-Fibre Channel ports, such as an Ethernet port and a serial port, for management purposes. Physical access to the Ethernet port may be limited by creating a private network to manage the SAN that is separate from the company's intranet. If the switch is connected to the company intranet, firewalls and Virtual Private Networks can restrict access to the Ethernet port. Access to the serial port (RS-232) can be restricted by limiting physical access and requiring user authorization and authentication. After physical access to the Ethernet port is obtained, the switch can control which applications may access it with access control lists. The switch may also limit the applications or individual users that can access it through point of attack 3.
2. In-band Management Application – Another exposure that a switch faces is through an in-band management application. The in-band management application accesses the fabric services, such as the Name Server and the Fabric Configuration Server. Access to the fabric services is controlled by the Management ACL (MACL).
3. User to Application – Once a user has physical access to a management application, they will have to log into the application. The management application can authorize the user for role-based access depending on their job function. The management application will need to support access control lists and the roles defined for each user.
4. Device to Device – After two Nx_Ports are logged into the fabric, one Nx_Port can perform a Port Login (PLOGI) to another Nx_Port. Zoning and LUN masking can limit the access of devices at this point. The Active Zone Set in each switch enforces the zoning restrictions in the fabric. Storage devices maintain the LUN masking information.
5. Device to Fabric – When a device (Nx_Port) attaches to the fabric (Fx_Port), the device sends a Fabric Login (FLOGI) command that contains various parameters, including the Port World Wide Name (WWN). The switch can authorize the port to log into the fabric, or reject the FLOGI and terminate the connection. The switch will need to maintain an access control list (ACL) of the WWNs that are allowed to attach. The real threat to data occurs after the device is logged into the fabric and can proceed to point of attack 4 or 5.
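The layered enforcement described in points 4 and 5 (the switch's FLOGI ACL, the Active Zone Set checked at PLOGI, and LUN masking held by the storage device), as an added Python simulation that is not part of the original article. The `Fabric` class, its method names and all WWPNs are constructed for illustration only.

```python
import re
from dataclasses import dataclass, field

# Constructed WWPNs for the example; they do not identify real hardware.
HOST_A  = "10:00:00:00:c9:aa:aa:01"
HOST_B  = "10:00:00:00:c9:bb:bb:02"
ROGUE   = "10:00:00:00:c9:ff:ff:99"   # never added to the switch's FLOGI ACL
STORAGE = "50:06:01:60:3b:60:01:23"

# A WWPN is 8 bytes, conventionally written as 16 hex digits separated by colons.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


@dataclass
class Fabric:
    flogi_acl: set          # WWPNs the switch accepts at Fabric Login (point 5)
    active_zone_set: dict   # zone name -> set of WWPNs, enforced at PLOGI (point 4)
    lun_masks: dict         # (target WWPN, LUN) -> initiators the storage allows
    logged_in: set = field(default_factory=set)

    def flogi(self, wwpn: str) -> bool:
        """Fabric Login: reject malformed or unlisted WWPNs, otherwise register the port."""
        wwpn = wwpn.lower()
        if not WWN_RE.match(wwpn) or wwpn not in self.flogi_acl:
            return False
        self.logged_in.add(wwpn)
        return True

    def plogi(self, src: str, dst: str) -> bool:
        """Port Login: both ports must be logged in and share at least one active zone."""
        src, dst = src.lower(), dst.lower()
        if src not in self.logged_in or dst not in self.logged_in:
            return False
        return any(src in zone and dst in zone for zone in self.active_zone_set.values())

    def lun_access(self, initiator: str, target: str, lun: int) -> bool:
        """Storage-side LUN masking, consulted only once zoning has permitted the PLOGI."""
        if not self.plogi(initiator, target):
            return False
        return initiator.lower() in self.lun_masks.get((target.lower(), lun), set())


def build_demo_fabric() -> Fabric:
    """One switch ACL, one zone pairing HOST_A with the array, LUN 0 masked to HOST_A only."""
    return Fabric(
        flogi_acl={HOST_A, HOST_B, STORAGE},
        active_zone_set={"zone_host_a_storage": {HOST_A, STORAGE}},
        lun_masks={(STORAGE, 0): {HOST_A}, (STORAGE, 1): set()},
    )
```

HOST_B can log into the fabric but cannot PLOGI to the array because no active zone contains both ports, which is exactly the control point 4 describes.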