ESP over Fibre Channel secures SANs

Storage-area networks were once closed and relied predominantly on physical protection to ensure security. However, as SANs become more distributed and remotely accessible, security concerns are growing.

Fibre Channel has limited security services. Commonly used schemes such as zoning and logical-unit-number masking provide some level of access control, but without authentication of hosts or users connected to the fabric, they cannot prevent host spoofing, message-replay attacks or unauthorized entity fabric access.

The Fibre Channel standardization body (T-11) has initiatives to enhance Fibre Channel security by defining protocols to address access issues – supporting authentication, data encryption and management of security information.

One such scheme is Encapsulating Security Payload (ESP) over Fibre Channel, which has become the de-facto way to secure transmissions in the Fibre Channel network. This scheme is flexible enough to let administrators decide which type of messages (control frames or data frames) to secure.

ESP can secure communications between any two entities in a fabric by providing message authentication and optional confidentiality. It is widely deployed in the IP world, and the IETF iSCSI proposal specifies it for link security.

Fibre Channel specifies a maximum transmission unit of 2,112 bytes, and longer transfers are segmented into sequences. Typically, storage protocols use 2,048-byte frames, so there is some headroom for the ESP header and trailer.

To deter session-key brute-force attacks, ESP implementations must have key lifetimes based on amount of data transfer and number of packets allowed per key. Rekeying enables an automatic and secure exchange of new keys.

At the recent T-11 Fibre Channel-Security Protocols committee meeting, the shared- password protocol Diffie-Hellman Key Encryption Protocol-Challenge Handshake Authentication Protocol (DH-CHAP) was unanimously accepted. This shared-password rekeying scheme does not need certificates, but requires acceptable password practices (128 bits and nontext characters) to avoid attacks. Shared-password administration can be simplified by offloading to a centralized Remote Authentication Dial-In User Service device.

By deploying periodic host authentication and authorization schemes for all fabric entities, spoofing can be prevented and access can be restricted to defined storage resources.

The most-secure deployment is achieved when each node in the SAN implements ESP for all traffic, control and data. However, this might be an expensive approach, because it requires hardware assistance from all nodes because of performance impact.

A software solution (HBA driver, for example) for message authentication is cost-effective when only control frames need to be secured – not encrypting application data.

If data path security (full encryption) is desired, it will be application-dependent. Transaction processing applications are latency sensitive,while e-commerce databases or data mining require high throughput. Latency might not affect secondary storage applications. As such, a hardware-based approach would best meet all these performance requirements.

Key management will be an important consideration. For example, high Fibre Channel data rates quickly wrap over the ESP sequence-number window and prompt frequent rekeying. The Fibre Channel standards body will need to address this issue, possibly by increasing the sequence-number window size. Secure mechanisms for storing private keys and secret passwords at the host are required, which might include using protected memory or smart cards.

ESP is a well-defined and well-understood protocol for securing data in flight. DH-CHAP complements ESP by providing a needed entity authentication and key exchange mechanism for Fibre Channel SANs. Fibre Channel-Security Protocol does not address securing data at rest. This is an outstanding issue as corporate-sensitive, trusted or regulated persistent data is taken off-site or consolidated via data replication and backup.