Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

SAN (Storage Area Network) Security FAQ Revision 2004/03/01 - Part 1/1


[ Usenet FAQs | Web FAQs | Documents | RFC Index | Zip codes ]
From: will.spencer@sansecurity.com (Will Spencer)
Newsgroups: comp.arch.storage,comp.answers,news.answers
Subject: SAN (Storage Area Network) Security FAQ Revision 2004/03/01 - Part 1/1
Followup-To: comp.arch.storage
Approved: news-answers-request@MIT.EDU
Reply-To: will.spencer@sansecurity.com (FAQ Comments address)
Summary: This posting contains a list of Frequently Asked Questions (and their
answers) about SAN (Storage Area Network) Security.

See reader questions & answers on this topic! - Help others by sharing your knowledge
Archive-Name: comp.arch.storage/san-security-faq
Posting-Frequency: Monthly
Last-Modified: 2004/03/01
Version: 2004/03/01
URL: http://www.sansecurity.com/faq.shtml

Welcome to the comp.arch.storage SAN (Storage Area Network) Security FAQ: 
Answers to Frequently Asked Questions about SAN (Storage Area Network) 
Security.

The SAN (Storage Area Network) Security FAQ is on the World Wide Web at 
http://www.sansecurity.com/faq.shtml

The contents of the comp.arch.storage SAN (Storage Area Network) Security
FAQ include:


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#LUN-masking

What is LUN masking?

LUN (Logical Unit Number) Masking is an authorization process that makes a 
LUN available to some hosts and unavailable to other hosts.

LUN Masking is implemented primarily at the HBA (Host Bus Adapater) level. 
LUN Masking implemented at this level is vulnerable to any attack that 
compromises the HBA.

Some storage controllers also support LUN Masking.

LUN Masking is important because Windows based servers attempt to write 
volume labels to all available LUN's. This can render the LUN's unusable
by other operating systems and can result in data loss.


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#zoning

What is zoning?

Zoning is a method of arranging Fibre Channel devices into logical groups 
over the physical configuration of the fabric. These zones may be utlized 
to implement compatmentalization of data for security purposes.

Each device may be placed into multiple zones.


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#hard-soft-zoning

What are the two types of zoning?

The two types of zoning in a fabric environment are port zoning and WWN 
Zoning. Port zoning uses zones by physical ports. WWN (World Wide Name) 
zoning uses name servers in the switches to either allow or block access 
to particular WWNs in the fabric. Port zoning is more secure; WWN zoning 
is common. A major advantage of WWN zoning is the ability to recable the 
fabric without having to redo the zone information. WWN zoning susceptible 
to unauthorized access, as the zone can be bypassed if someone knows the 
IEEE address of the adapter and does an access directly to the node.


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#SAN-attacks

What are the classes of attacks against SANs?

Snooping: Mallory reads data Alice sent to Bob in private
Allows access to data 
Spoofing: Mallory fools Alice into thinking that he is Bob
Allows access to or destruction of data 
Denial of Service: Mallory crashes or floods Bob or Alice
Reduces availability 


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#FCP-Fiber-Channel-attacks

What are some attacks against FCP?

Node Name / Port Name spoofing at Port Login time 
Source Port ID spoofing on dataless FCP commands 
Snooping and spoofing on FC-AL 
Snooping and Spoofing after Fabric reconfiguration 
Denial of Service attacks can be made in User mode 


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#FCAP-Fibre-Channel-Authentication-Protocol

What is FCAP (Fibre Channel Authentication Protocol)?

FCAP is an optional authentication mechanism employed between any two devices 
or entities on a Fibre Channel network using certificates or optional keys.


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#FCPAP-Fibre-Channel-Password-Authentication-Protocol

What is FCPAP (Fibre Channel Password Authentication Protocol)?

FCPAP is an optional authentication mechanism employed between any two devices
or entities on a Fibre Channel network using secure remote password (SRP). 


-----------------------------------------------------------------------

http://www.sansecurity.com/faq.shtml#SLAP-Switch-Link-Authentication-Protocol

What is SLAP (Switch Link Authentication Protocol)?

SLAP is an authentication method for Fibre Channel switches which utilizes 
digital certificates to authenticate switch ports.

SLAP was designed to prevent the unauthorized addition of switches into a Fibre 
Channel network.


User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA


[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
will.spencer@sansecurity.com (FAQ Comments address)





Last Update March 27 2014 @ 02:11 PM