SECURING FIBRE CHANNEL FABRICS - Brocade
The Brocade SAN Security Model

Storage Device Best Practices Summary
• Secure all LUNs with LUN-masking
• Assign disk and tape devices to separate zones to reduce RSCN risks
• Use secure management protocols when accessing the storage device management interface
• For the most sensitive environments, use DH-CHAP to authenticate storage devices joining a fabric

Protecting the FC Infrastructure
The FC infrastructure, composed of the switches, directors, and routers, is the heart of the SAN, and all SAN data must pass through it. The FC infrastructure is one of the most complex components of the SAN and, the more complex it is, the greater the potential vulnerability. Most FC switch vendors offer an extensive set of security features to secure the FC infrastructure.

FC Device Access Controls
The devices connected to the fabric are also vulnerable and require specific protection. For example, one of the advantages of a SAN is the ability to easily add a new switch into the fabric. A SAN administrator only needs to connect a new switch to an available port on an existing switch in a fabric using an ISL and power up the new switch. Automatically, a unique domain ID is assigned and the configuration files are downloaded to the new switch. From a security perspective, however, this time-saving administrative feature could be the security professional's worst nightmare: anyone with a switch could potentially connect to an existing fabric and gain control of it. If an attacker with admin or root access on the rogue switch were to use this technique, they would now have admin and root privileges for the entire fabric.

There are several features available to prevent this scenario. The best defense is a defense-in-depth approach with multiple layers of challenges, described as follows.

The first and simplest line of defense is to persistently disable all unused ports. This will prevent someone without management access to the fabric from connecting a new switch and joining the fabric. It is important to use the persistent disable option to ensure that disabled

Securing Fibre Channel Fabrics 95
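The audit below is an added example (not from the book or from Brocade) of the "persistently disable all unused ports" control: it parses a switchShow-style port listing and flags ports with no attached device that are either enabled or only transiently disabled, since a plain disable does not survive a switch reboot. The sample listing is constructed to approximate the switchShow layout, and the port-index form of portcfgpersistentdisable assumes a fixed-port switch (directors use slot/port).

```python
"""Find unused FC switch ports that are not persistently disabled."""
import re
from dataclasses import dataclass

# Constructed sample approximating Brocade FOS 'switchshow' output (not real data).
SWITCHSHOW_SAMPLE = """\
Index Port Address Media Speed State     Proto
==============================================
   0   0   010000   id    N8   Online      FC  F-Port  10:00:00:05:1e:aa:bb:01
   1   1   010100   id    N8   No_Light    FC
   2   2   010200   --    N8   No_Module   FC  Disabled (Persistent)
   3   3   010300   id    N8   No_Light    FC  Disabled
   4   4   010400   id    N8   Online      FC  E-Port  10:00:00:05:1e:aa:bb:02 "sw2"
"""

# Index Port Address Media Speed State Proto <trailing detail>
PORT_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{6})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)

# States meaning "nothing is plugged in / no link", i.e. an unused port.
UNUSED_STATES = {"No_Light", "No_Module", "No_Sync"}


@dataclass
class Port:
    index: int
    state: str
    detail: str  # trailing text such as port type, WWN, or disable status

    @property
    def persistently_disabled(self) -> bool:
        return "Disabled (Persistent)" in self.detail

    @property
    def unused(self) -> bool:
        return self.state in UNUSED_STATES


def parse_switchshow(text: str) -> list[Port]:
    """Extract one Port per port line; header and separator lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(6), m.group(8).strip()))
    return ports


def unused_not_persistently_disabled(ports: list[Port]) -> list[int]:
    """Ports an attacker could use to ISL a rogue switch after a reboot."""
    return [p.index for p in ports if p.unused and not p.persistently_disabled]


def remediation_commands(indices: list[int]) -> list[str]:
    """FOS command that makes the disable survive reboots (port index form)."""
    return [f"portcfgpersistentdisable {i}" for i in indices]
```

Port 3 is reported even though it is disabled, because a non-persistent disable is exactly the gap the text warns about.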