Hacking the SAN translates to unauthorized access to an entity or data in a storage area network. In the next three chapters, we discuss the following items.
Session hijacking
Man-in-the-Middle attacks
Name server pollution
WWN spoofing
LUN masking attacks
Zone hopping
Switch attacks
Table 2.2 is a summary of the weaknesses that are discussed in the next three chapters and their correlating attacks.
Table 2.2 SAN Security Weaknesses and Correlating SAN Attacks
SAN weaknesses               SAN attacks
Sequence weaknesses          Session hijacking
Fabric address weaknesses    Man-in-the-Middle attacks
FLOGI/PLOGI weaknesses       Name server pollution
HBA weaknesses               LUN masking attacks/WWN spoofing
FC switch weaknesses         Zone hopping
A key idea to introduce at this time before we begin our discussion on SAN attacks is the difference between a valid attack and a valid risk. In a given network, there are several hundred attacks that are fully possible to execute, but only a handful of them may actually pose a valid risk due to the nature of the network or the business. Hence, for each attack described in this section, a chart is used to describe how easy or difficult the execution of the attack will be, and its risk level also will be discussed. See Figure 2.4 for the example chart.
Figure 2.4 Security and business risk chart.
The primary purpose of the SBR chart is to place each threat described in a security risk context. This chapter covers many risks and threats in Fibre Channel SANs; many of the threats are easy to perform, but many others are very difficult to execute because they require physical access to the network or a hardware analyzer for sniffing. It would not be in the best interest of the book to simply skip the threats that are hard to perform; instead, the SBR chart is used to show the appropriate risk level of each attack after it has been described.
In Figure 2.4, notice that each area of the chart represents a different security and business risk value. Items in the upper-left corner are high security risk, but low business risk. Risks in this area should be technically mitigated from a security perspective only since the business risk is low. Items in the upper-right corner are high security risk and high business risk. Risks in this area should be resolved immediately since they present a high business and security risk. Conversely, items in the lower-left corner are low security risk and low business risk. Risks in this area can often be accepted (bearable) since the impact is relatively low. Finally, items in the lower-right corner are low security risk and high business risk. Risks in this area often need a process solution rather than a technical solution. The type of summary in the Security and Business Risk (SBR) chart will help readers understand what valid attacks are and the risks associated with them.
Now that we understand the architecture of Fibre Channel frames and the problems associated with clear-text communication, we can discuss the security weaknesses of Fibre Channel frames. The following list describes each weakness that we will discuss:
Securing Storage: A Practical Guide to SAN and NAS Security is an indispensable resource for every storage and security professional, and for anyone responsible for IT infrastructure, from architects and network designers to administrators. You've invested heavily in securing your applications, operating systems, and network infrastructure. But you may have left one crucial set of systems unprotected: your SAN, NAS, and iSCSI storage systems. Securing Storage reveals why these systems aren't nearly as secure as you think they are, and presents proven best practices for hardening them against more than 25 different attacks. Purchase Securing Storage: A Practical Guide to SAN and NAS Security from Addison-Wesley Publishing.
About the author:
Himanshu Dwivedi is a founding partner of iSEC Partners, a digital security services and products organization. Before forming iSEC Partners, Himanshu was the Technical Director for @stake's San Francisco security practice, a leader in application and network security. His professional experience includes application programming, infrastructure security, and secure product design with an emphasis on storage risk assessment.