Fibre Channel SANs (storage area networks) are touted as more secure than IP-based storage networks. In a way, that is true because Fibre Channel is a distinct network separated from the mainstream client-based applications. Moreover, the Fibre Channel protocol is entirely different from IP, and a deep understanding of the protocol and its implementations is exclusive to a select cohort of practitioners and professionals in the storage technology industry.
The data landscape has changed significantly compared to the days when FC SANs were dominating the enterprise. The era was the mid-90s and early 2000s. EMC® was king; IBM® Shark was a top-tier predator; NetApp® was just getting over its WAFL™ NAS overdose to jump into Fibre Channel. There were other fishes in the Fibre Channel sea.
But the sands of storage networking have been shifting. Today, data is at the center of the universe. Data is the prized possession of every organization, and has also become the most coveted prize for data thieves, threat actors and other malefactors in the digital world. The Fibre Channel protocol has been changing too, through revised specifications and implementations in its newer iterations over the past decade. This advancement of Fibre Channel as a storage networking protocol is less often mentioned, but it is nevertheless vital to the shift of Fibre Channel SANs into a Zero Trust world.
Zones, masks and maps
Many storage practitioners are familiar with the type of security measures employed by Fibre Channel in years past. And this still rings true in many of the FC SANs that we know of today. For specific devices to connect to each other, from hosts to the storage LUNs (logical unit numbers), FC zoning must be configured. This could be hard zoning or soft zoning, where the concept involves segmenting and grouping the configured FC ports at both ends so that they can “see” each other and communicate, facilitated by the FC switches. These ports are either the initiators or the storage targets, each with its own unique WWN (World Wide Name).
On top of zoning, storage practitioners also configure LUN masking at the host side, where only certain assigned LUNs from the storage array are “exposed” to the specific host initiators. In conjunction, at the storage array side, the LUNs are also associated with only the group of host initiators that are allowed to connect to the selected LUNs. This is the LUN mapping part.
Overall, zoning, masking and mapping all play crucial parts in securing the correct and authorized access to the data in the storage. This is the physical and logical Fibre Channel security often deployed in FC SANs. There is a degree of trust once all these 3 mechanisms are deployed. However, the data payload and the FC services data communicated between these 3 secured constructs are often not encrypted by default, because the “trust” through partitioning and FC segmentation has already been established through zoning, masking and mapping.
Fibre Channel security challenges and Zero Trust changes
Despite the misnomer that Fibre Channel is secure, several security challenges come to mind. At the top of the list, once the Fibre Channel “partitions” or “segmentations” (that I mentioned earlier) are compromised, the data is at risk of being compromised as well. And we must remember that the data in Fibre Channel SANs is more valuable than most other types of data in an organization. Contextually, we know what we are dealing with here.
FC SANs are not without their security weaknesses. Man-in-the-Middle (MITM) attacks, WWN spoofing and Common Services poisoning are possible, albeit more difficult for hackers who are more familiar with IP-based attacks. In most of the compromises, insider access to FC SANs is often required to inject FC fabric attacks. Given this day and age of zero trust, phishing and other internal attack vectors, the possibility of FC fabric attacks is no longer an “if” but a “when”.
But the Fibre Channel protocol has been changing too. Here are a few notable security enhancements that have happened to the Fibre Channel protocol in the past decade.
- FC-2 Frame Encapsulation
  - Frame services are, at best, neither authenticated nor encrypted. This allows a perpetrator on the FC network, who is not required to authenticate, to sniff out the payload data.
  - FC-SP (Fibre Channel Security Protocol) specifications have been around for a long time but are hardly enforced. In FC-SP-2 (version 2), the introduction of the ESP_Header (Encapsulating Security Payload) provides authentication and verification of the communicating devices and encrypts the payload in the frame, ensuring data integrity and secure communications between FC devices in the fabric. Here is a look at the presence of the ESP_Header in a Fibre Channel frame.
- FC-3 Common Services Authentication – CT_Authentication (Common Transport)
  - Above the FC-2 frame layer, CT_Authentication sets parameters to enable authentication between information unit (CT_IU) requests and responses. The parameters also enable the encryption of the CT_IU requests and responses, ensuring data confidentiality and data integrity for FC common services such as directory services and name services.
- Internet Key Exchange Protocol v2 (IKEv2)-AUTH – The negotiation between FC entities at the ESP_Header frame exchange layer and the CT_Authentication common services layer can optionally use IKEv2, riding on the FCAP (Fibre Channel Authentication Protocol) among others, to identify and authenticate communicating FC entities, such as node-to-switch, switch-to-switch, and node-to-node.
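The ESP_Header item above can be verified on captured traffic. The following added example (not from the original post or from any FC vendor) parses FC-2 frame headers and reports which source/destination pairs exchange frames without an ESP_Header. It assumes the FC-FS frame layout, which is not shown on this page (24-byte header, DF_CTL bit 22 signalling ESP_Header and ESP_Trailer, an RFC 4303-style SPI and sequence number); all frames, addresses and SPI values are constructed.

```python
import struct

FC_HEADER_LEN = 24   # fixed FC-2 frame header (SOF, CRC and EOF already stripped)
DF_CTL_OFFSET = 13   # DF_CTL is the second byte of header word 3
DF_CTL_ESP = 0x40    # DF_CTL bit 22: ESP_Header and ESP_Trailer present (assumed from FC-FS)
ESP_HEADER_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes), laid out as in RFC 4303


def parse_frame(frame: bytes) -> dict:
    """Decode the addressing and ESP_Header fields of one FC-2 frame."""
    if len(frame) < FC_HEADER_LEN:
        raise ValueError("truncated FC frame header")
    info = {"d_id": frame[1:4].hex(), "s_id": frame[5:8].hex(),
            "esp": bool(frame[DF_CTL_OFFSET] & DF_CTL_ESP), "spi": None, "seq": None}
    if info["esp"]:
        if len(frame) < FC_HEADER_LEN + ESP_HEADER_LEN:
            raise ValueError("DF_CTL announces an ESP_Header but the frame is too short")
        info["spi"], info["seq"] = struct.unpack_from(">II", frame, FC_HEADER_LEN)
    return info


def audit(frames) -> dict:
    """Classify each (s_id, d_id) pair as 'protected', 'clear' or 'mixed'."""
    seen = {}
    for raw in frames:
        f = parse_frame(raw)
        seen.setdefault((f["s_id"], f["d_id"]), set()).add(f["esp"])
    label = {frozenset({True}): "protected", frozenset({False}): "clear"}
    return {pair: label.get(frozenset(flags), "mixed") for pair, flags in seen.items()}


def build_frame(s_id: int, d_id: int, payload: bytes, spi=None, seq=0) -> bytes:
    """Construct a sample frame for the demo (not a capture from a real fabric)."""
    hdr = bytearray(FC_HEADER_LEN)
    hdr[0], hdr[8] = 0x06, 0x08            # R_CTL: FC-4 unsolicited command, TYPE: SCSI-FCP
    hdr[1:4] = d_id.to_bytes(3, "big")
    hdr[5:8] = s_id.to_bytes(3, "big")
    if spi is None:
        return bytes(hdr) + payload
    hdr[DF_CTL_OFFSET] |= DF_CTL_ESP       # announce the optional ESP_Header
    return bytes(hdr) + struct.pack(">II", spi, seq) + payload


SAMPLE = [  # constructed frames; port addresses and SPI values are made up
    build_frame(0x010100, 0x020200, b"cleartext SCSI command"),
    build_frame(0x010200, 0x020200, b"<ciphertext>", spi=0x1001, seq=1),
    build_frame(0x010300, 0x020200, b"<ciphertext>", spi=0x1002, seq=7),
    build_frame(0x010300, 0x020200, b"cleartext again"),
]
```

A pair reported as "mixed" deserves the closest look: it means a security association exists between the two ports, yet some frames still travel outside it.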
Fibre Channel Security is extensively discussed in this comprehensive SNIA® document here.
The advent of these few upgrades to the FC protocol security specifications obviously gives FC professionals the framework to migrate to a Zero Trust Architecture in FC SAN networks. The ability to apply authentication to FC devices in FC zones, so that only validated FC ports and authenticated, encrypted messaging from other validated FC devices are accepted, provides greater trust and data integrity and is immensely important. The ability of FC data payload encryption to protect the security and privacy of each payload cannot be overstated.
Now the question is, “Are the new generations of FC SANs enforcing these end-to-end security implementations in a zero trust world?”
Zero trust FC SAN in practice
I have not worked on FC SANs for quite a long while now. I revisited my old haunts where I spoke to a few scaled FC SAN operators and also spoke to a Brocade® technology professional in the past few months. In all cases, the “more secure” FC SAN practices belie what we think of (and know of) a secure data network. All the people I spoke to are still practicing the old ways, security via segmentation of SAN zoning, LUN mapping and masking.
This should have been raised as a red flag, given how critical it is to secure and protect the data that is carried through FC networks. Zero trust based on authentication and encryption should supplant the old ways of FC segmentation practices, but it appeared to be more lip service than practice.
In a shrinking world of Fibre Channel pushing against the wave of cloud computing, FC SANs remain the stronghold of enterprise data storage in many organizations. This blog aims to raise awareness of, and encourage a more encompassing discussion about, Fibre Channel security. The security features such as ESP Payload Encryption and Common Transport Authentication are there. They have been there for more than a decade. In a zero trust world, it is time to enforce these features in FC SANs, and protect enterprise data.