SAN (Storage Area Network) Security FAQ Revision 2004/04/11 - Part 1/1

Post by will.spenc » Mon, 12 Apr 2004 15:13:38

From: XXXX@XXXXX.COM (Will Spencer)
Subject: SAN (Storage Area Network) Security FAQ Revision 2004/04/11 - Part 1/1
Reply-To: XXXX@XXXXX.COM (FAQ Comments address)
Summary: This posting contains a list of Frequently Asked Questions (and their
answers) about SAN (Storage Area Network) Security.

Archive-Name: comp-arch-storage/san-security-faq
Posting-Frequency: Monthly
Last-Modified: 2004/04/11
Version: 2004/04/11

Welcome to the SAN (Storage Area Network) Security FAQ:
Answers to Frequently Asked Questions about SAN (Storage Area Network)

The SAN (Storage Area Network) Security FAQ is on the World Wide Web at

The contents of the SAN (Storage Area Network) Security
FAQ include:


What is LUN masking?

LUN (Logical Unit Number) Masking is an authorization process that makes a
LUN available to some hosts and unavailable to other hosts.

LUN Masking is implemented primarily at the HBA (Host Bus Adapter) level.
LUN Masking implemented at this level is vulnerable to any attack that
compromises the HBA.

Some storage controllers also support LUN Masking.

LUN Masking is important because Windows-based servers attempt to write
volume labels to all available LUNs. This can render the LUNs unusable
by other operating systems and can result in data loss.


What is zoning?

Zoning is a method of arranging Fibre Channel devices into logical groups
over the physical configuration of the fabric. These zones may be utilized
to implement compartmentalization of data for security purposes.

Each device may be placed into multiple zones.


What are the two types of zoning?

The two types of zoning in a fabric environment are port zoning and WWN
zoning. Port zoning defines zones by physical ports. WWN (World Wide Name)
zoning uses name servers in the switches to either allow or block access
to particular WWNs in the fabric. Port zoning is more secure; WWN zoning
is common. A major advantage of WWN zoning is the ability to recable the
fabric without having to redo the zone information. WWN zoning is
susceptible to unauthorized access, as the zone can be bypassed if someone
knows the IEEE address of the adapter and accesses the node directly.
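
An added example, not part of the original FAQ: a small Python audit of a
zone set against an intended compartment policy. The zone names, switch
ports, WWNs and compartment map are constructed sample data. It flags member
pairs that share a zone across compartments (possible because a device may
sit in several zones) and lists WWN zones, the type the FAQ describes as
susceptible to unauthorized access.

```python
from itertools import combinations

# Constructed sample zone set (an assumption, not from the FAQ). Port zones
# hold (switch, port) tuples; WWN zones hold World Wide Name strings.
ZONES = {
    "z_finance": {"type": "port", "members": {("sw1", 1), ("sw1", 8)}},
    "z_backup":  {"type": "port", "members": {("sw1", 8), ("sw1", 9)}},
    "z_web":     {"type": "wwn",  "members": {"10:00:00:00:c9:00:00:01",
                                              "50:06:01:60:00:00:00:0a"}},
}

# Hypothetical policy: the data compartment each fabric member belongs to.
COMPARTMENT = {
    ("sw1", 1): "finance",               # finance host
    ("sw1", 8): "finance",               # finance array port, in two zones
    ("sw1", 9): "backup",                # backup server
    "10:00:00:00:c9:00:00:01": "web",    # web host HBA
    "50:06:01:60:00:00:00:0a": "web",    # web array port
}

def reachable_pairs(zones):
    """Map every pair of members sharing a zone to the zones joining them."""
    pairs = {}
    for name, zone in zones.items():
        for a, b in combinations(sorted(zone["members"], key=str), 2):
            pairs.setdefault((a, b), []).append(name)
    return pairs

def audit(zones, compartment):
    """Return findings: cross-compartment pairs first, then WWN zones."""
    findings = []
    for (a, b), via in sorted(reachable_pairs(zones).items(), key=str):
        if compartment.get(a) != compartment.get(b):
            findings.append(("cross-compartment", a, b, via))
    for name, zone in sorted(zones.items()):
        if zone["type"] == "wwn":
            # WWN zones survive recabling but rest on the name server only.
            findings.append(("wwn-zone", name))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONES, COMPARTMENT):
        print(finding)
```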


What are the classes of attacks against SANs?

Snooping: Mallory reads data Alice sent to Bob in private
    Allows access to data

Spoofing: Mallory fools Alice into thinking that he is Bob
    Allows access to or destruction of data

Denial of Service: Mallory crashes or floods Bob or Alice
    Reduces availability