SECURING FIBRE CHANNEL FABRICS - Brocade

More documents

Recommendations

Info

Chapter 11: Brocade Data Encryption Productsport target but it can have multiple initiators or hosts associated withit. A CTC can also have several LUNs behind the storage port in theCTC. Furthermore, once a storage port has been assigned to a CTC, itcannot exist or be defined in another CTC. Essentially, this forces alltraffic that goes through a specific storage port to be encrypted and togo through the same encryption device.NOTE: The storage port can still be made accessible (with appropriatezoning) for other hosts in case encryption is not required for theirLUNs. In this case, these LUNs are not added to the CTC.First-Time Encryption and RekeyingThe first-time encryption (FTE) process can generally be performed usingtwo methods. The first is to copy the original cleartext data on the productionLUN to a second LUN with an equivalent amount of disk space whileencrypting the data at the same time. This method obviously requires anequivalent amount of disk space, which may or may not be available. Furthermore,once the data is copied to the new LUN, the servers must nowpoint to it, which requires rebuilding the device tree on the server and mayresult in disruption of the production environment.The other method, which is implemented by the Brocade encryptionsolution, is to perform the FTE in-place on the same LUN. The processinvolves reading the first logical block on the LUN (which is in cleartext),encrypting it, and then writing it back to its original location asciphertext. Subsequent blocks are encrypted in the same mannersequentially until all blocks in the LUN have been encrypted. This processcan be performed offline or online, depending on anorganization's business requirements.Figure 45 illustrates the FTE process.Hostp 1 d 0 u 1 0 1 cleartextj 1 d 0 u 1 0 1g 1 d 0 u 1 0 1$ 1 0 2 8 . 0 6Reads cleartext from LB0StorageLB =logicalblockBrocadeEncryptionSwitchWrites ciphertext to LB00 1 0 0 1 1 0 11 1 0 0 1 1 0 10 1 0 0 1 1 0 1ciphertext0 1 0 1 1 1 0 0LUNLB0 01011100LB1 10010110LB2 00110110..LBn $1028.06Figure 5. First-time encryption operation180 Securing Fibre Channel Fabrics
Brocade Encryption FeaturesThe next encryption process to consider is the rekey operation, inwhich a LUN is re-encrypted using a different key. There are two basicreasons why a rekey operation would be performed: a compromisedkey or a security policy requirement. If a key is lost or stolen, it is compromisedand the data encrypted with this key can no longer beconsidered secure. The security or risk management department of anorganization may implement a policy requiring that all keys must berefreshed on a specified schedule, such as every 36 months. This isoften done out of fear that keys may have been compromised withouttheir knowledge and the organization may prefer to err on the side ofcaution by forcing a rekey of all encrypted data after a defined periodof time. However, most of the time, the primary reason organizationsperform a rekey operation is that they are mandated to do so as aresult of a compliance requirement, such as with the PCI-DSS. Rekeyingcan be performed automatically by setting an expiration date on akey using the Brocade encryption device, but this is not generally recommended.It is preferable to expire keys manually to control exactlywhen this is performed and schedule off-peak hours.In-place rekeying is not possible for tape, since a tape drive is a steamingdevice and the media itself is flexible. Rekeying data on a tapeinvolves copying it to a new tape and encrypting it with a different keyas the data is copied. In the case of disk media, the process is muchsimpler, since the LUN with the compromised key can be rekeyed inplaceand online if necessary.During the rekey operation, the LUN actually has two keys assigned toit, one used for new writes and one for reading data that has not yetbeen rekeyed. Once the rekey process is completed, the original key isno longer used. As with a first-time encryption, the rekey operation canbe performed online or offline.Clustering and AvailabilityOne of the principle tenets of security is maintaining availability. Needlessto say, downtime can be expensive and precautions must betaken to prevent a loss of availability of the information. This is particularlytrue for encryption solutions, since there is a completedependence on the encryption keys to recover encrypted information.Compounding this problem is the importance of the applications thatrequire encryption. Any loss of availability of information that is importantenough to require encryption is mostly likely to be disastrous forits owners. Extensive precautions must be taken to protect the keysand to maintain the availability of the encryption solution.Securing Fibre Channel Fabrics 181
Page 1 and 2:
SECURINGFIBRECHANNELFABRICSSECOND E
Page 3:
SECURINGFIBRECHANNELFABRICSSECOND E
Page 6 and 7:
© 2012 Brocade Communications Syst
Page 8 and 9:
viSecuring Fibre Channel Fabrics
Page 10 and 11:
viiiSecuring Fibre Channel Fabrics
Page 12 and 13:
ContentsChapter 4: Security Basics
Page 14 and 15:
ContentsIsolation and Separation ..
Page 16 and 17:
ContentsxivSecuring Fibre Channel F
Page 18 and 19:
Chapter 1: Introduction• The Euro
Page 20 and 21:
Chapter 1: IntroductionThe SAN Secu
Page 22 and 23:
Chapter 1: IntroductionInternet sta
Page 24 and 25:
Chapter 1: Introductionoften, the s
Page 26 and 27:
Chapter 2: SAN Security MythsSAN Se
Page 29 and 30:
SAN Security Myth Number 5SAN Test
Page 31 and 32:
SAN Security Myth Number 6To demons
Page 33 and 34:
SAN Security Myth Number 7SAN Secur
Page 35 and 36:
SAN Basics for SecurityProfessional
Page 37 and 38:
Evolution of the FC ProtocolTable 1
Page 39 and 40:
Fibre Channel BasicsTable 2. FC pro
Page 41 and 42:
Fibre Channel BasicsFC FabricsFC fa
Page 43 and 44:
Fibre Channel BasicsType Category N
Page 45 and 46:
FC Fabric Features and ServicesAn F
Page 47 and 48:
FC Fabric Features and Servicesing
Page 49 and 50:
FC Fabric Features and ServicesWhen
Page 51 and 52:
FC Fabric Features and ServicesAnd
Page 53 and 54:
FC Fabric Features and ServicesSwit
Page 55 and 56:
FC Fabric Features and ServicesAs c
Page 57 and 58:
FC Fabric Features and ServicesSwit
Page 59 and 60:
FC Fabric Features and Servicesothe
Page 61 and 62:
Security Basics forStorage Professi
Page 63 and 64:
Security Modelshave enacted such le
Page 65 and 66:
Security Modelssures must be taken
Page 67 and 68:
Types of ThreatsTypes of ThreatsA t
Page 69 and 70:
Types of ThreatsOne significant thr
Page 71 and 72:
Types of Threatsside attacks such t
Page 73 and 74:
Types of Threatsences from previous
Page 75 and 76:
AttacksAttacksAttackers have many o
Page 77 and 78:
Attackstion between the two parties
Page 79 and 80:
Identification and AuthenticationBi
Page 81 and 82:
Physical SecurityOne challenge with
Page 83 and 84:
Physical SecurityPhysical access co
Page 85 and 86:
Information Disposal and Sanitizati
Page 87 and 88:
Chapter SummaryAlgorithm Passes Des
Page 89 and 90:
Elementary Cryptography5This chapte
Page 91 and 92:
Common Cryptography TermsHere are s
Page 93 and 94:
Symmetric vs. Asymmetric Cryptograp
Page 95 and 96:
Cryptographic Algorithms• Range o
Page 97 and 98:
Cryptographic AlgorithmsHashing alg
Page 99 and 100:
Modes of Operationencryption proces
Page 101 and 102:
Modes of OperationRSAAt around the
Page 103 and 104:
Key ManagementSSL can be used with
Page 105 and 106:
Key ManagementBrocade Encryption De
Page 107 and 108:
FC Security Best Practices6In previ
Page 109 and 110:
The Brocade SAN Security ModelThe m
Page 111 and 112:
The Brocade SAN Security ModelStora
Page 113 and 114:
The Brocade SAN Security ModelChann
Page 115 and 116:
The Brocade SAN Security Modelrestr
Page 117 and 118:
The Brocade SAN Security Modeltem a
Page 119 and 120:
The Brocade SAN Security ModelPassw
Page 121 and 122:
The Brocade SAN Security ModelData
Page 123 and 124:
The Brocade SAN Security ModelWith
Page 125 and 126:
Encrypting Data-in-FlightEncrypting
Page 127 and 128:
Encrypting Data-at-RestEncrypting D
Page 129 and 130:
Encrypting Data-at-Restand disk dev
Page 131 and 132:
Encrypting Data-at-RestPhysical Sec
Page 133 and 134:
Encrypting Data-at-RestTraining and
Page 135 and 136:
Chapter SummaryChapter SummaryAltho
Page 137 and 138:
Deploying SAN-AttachedDevices in a
Page 139 and 140:
Securing the Servers in the DMZpoli
Page 141 and 142:
Securing the Storage DevicesFor exa
Page 143 and 144:
Securing the Storage DevicesInterne
Page 145 and 146: Auditing and Assessing the SANAudit
Page 147 and 148: Securing FOS-Based Fabrics8When it
Page 149 and 150: Securing Management InterfacesThe f
Page 151 and 152: Securing Management InterfacesThe t
Page 153 and 154: Securing Management InterfacesFilte
Page 155 and 156: Securing Management InterfacesThe f
Page 157 and 158: Securing Management Interfacesadmin
Page 159 and 160: FC-Specific SecurityFC-Specific Sec
Page 161 and 162: FC-Specific SecurityBrocade-support
Page 163 and 164: FC-Specific SecurityTo prevent this
Page 165 and 166: Fabric-Based Encryptionthe Brocade
Page 167 and 168: Fabric-Based Encryption3. (LDAP onl
Page 169 and 170: Chapter SummaryInsistent Domain IDI
Page 171 and 172: Compliance and Storage9Certainly, m
Page 173 and 174: Payment Card Industry Data Security
Page 175 and 176: Breach Disclosure LawsThe precedent
Page 177 and 178: Gramm-Leach-Bliley Act (GLBA)vides
Page 179 and 180: Federal Information Processing Stan
Page 181 and 182: Common Criteria (CC)allow different
Page 183 and 184: Defense Information Systems Agency
Page 185 and 186: Other SAN Security Topics10SAN secu
Page 187 and 188: The Future of Key ManagementThe Fut
Page 189 and 190: Brocade Data EncryptionProducts11Br
Page 191 and 192: Brocade Encryption for Data-At-Rest
Page 193 and 194: Brocade Encryption for Data-At-Rest
Page 195: Brocade Encryption Features• Data
Page 199 and 200: Brocade Encryption FeaturesDEK clus
Page 201 and 202: Brocade Encryption Featuresthe DEK
Page 203 and 204: Brocade Encryption FeaturesThe foll
Page 205 and 206: Brocade Encryption InternalsFigure
Page 207 and 208: Design and Implementation Best Prac
Page 209 and 210: Design and Implementation Best Prac
Page 211 and 212: Brocade Encryption for Data-In-Flig
Page 213 and 214: Chapter SummarySite ACiphertextSite
Page 215 and 216: Fabric OS SecurityFeatures MatrixAL
Page 217 and 218: Security FeatureFOS2.xFOS3.xFOS4.x+
Page 219 and 220: Security FeatureFOS2.xFOS3.xFOS4.x+
Page 221 and 222: Standards Bodies andOther Organizat
Page 223 and 224: IETFSpecifically, the SNIA Security
Page 225 and 226: IndexNumerics3DES 4Aaccess control
Page 227 and 228: Indexhuman threat 9Iidentification
show all

SECURING FIBRE CHANNEL FABRICS - Brocade

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?