Risks and Threats To Storage Area Networks
by McDATA - Monday, 11 July 2005.
4. Device to Device – After two Nx_Ports are logged into the fabric, one Nx_port can do a Port Login (PLOGI) to the another Nx_Port. Zoning and LUN masking can limit the access of devices at this point. The Active Zone Set in each switch will enforce the zoning restrictions in the Fabric. Storage devices maintain the LUN masking information.

5. Devices to Fabric – When a device (Nx_Port) attaches to the fabric (Fx_Port), the device sends a Fabric Login (FLOGI) command that contains various parameters like Port World Wide Name (WWN). The switch can authorize the port to log into the fabric or reject the FLOGI and terminate the connection. The switch will need to maintain an access control list (ACL) for the WWNs that are allowed to attach. The real threat to data will occur after the device is logged into the fabric and can proceed to point of attack 4 or 5.

6. Switch to Switch – When a switch is connected to another switch, an Exchange Link Parameters (ELP) Internal Link Service (ILS) will send relevant information like the Switch WWN. The switch can authorize the other switch to form a larger fabric or the link can be isolated if the switch is not authorized to join. Each switch will need to maintain an ACL for authorized switches.

7. Data at Rest - Stored data is vulnerable to insider attack, as well as unauthorized access via fabric and host-based attacks. For example, since storage protocols are all cleartext, administrators for storage, backup and hosts have access to stored data in raw format, with no access restrictions or logging. Storage encryption appliances provide a layer of protection for data at rest, and in some cases provide additional application- level authentication and access controls.

Controlling access with Access Control Lists (ACLs) prevents accidents from leading to catastrophes. ACLs will not stop attackers who are willing to lie about their identity. Unfortunately, most thieves usually don’t have a problem with lying to get what they want. To prevent spoofers (someone who masquerades as another) from infiltrating the network, the entity that is being authorized must also be authenticated.


Spoofing is another threat that is related to unauthorized access. Spoofing has many names and forms and is often called: impersonation, identity theft, hijacking, masquerading and WWN spoofing. Spoofing gets its names from attacking at different levels. One form of attack is impersonating a user and another attack is masquerading as an authorized WWN.

The way to prevent spoofing is by challenging the spoofer to give some unique information that only the authorized user should know. For users, the knowledge that is challenged is a password. For devices, a secret is associated with the WWN of the Nx_Port or switch. Management sessions may also be authenticated to ensure that an intruder is not managing the fabric or device.

Spoofing can be checked at the following points of attack:

1. Out-of Band Management Application – When a management application contacts the switch, the switch may authenticate the entity that is connecting to the switch. Authentication of the users is addressed in point of attack 6.

2. In-band Management Application – The in-band management application will use Common Transport (CT) Authentication to prevent spoofing of commands to Fabric Services.

3. User to Application – When the user logs into the application, the management application will challenge the user to present a password, secret or badge. The application could authenticate the user with biometric data like fingerprints, retina scans or even DNA samples.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th