1 / 32

Storage Security - Securing Stored Data: Protecting Storage Networks and Backups

Storage Security - Securing Stored Data: Protecting Storage Networks and Backups. W. Curtis Preston VP Data Protection GlassHouse Technologies cpreston@glasshouse.com www.glasshouse.com. Overview. Why are we talking about this? Security Basics for the Storage Administrator

halima
Download Presentation

Storage Security - Securing Stored Data: Protecting Storage Networks and Backups

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Storage Security - Securing Stored Data: Protecting Storage Networks and Backups W. Curtis PrestonVP Data ProtectionGlassHouse Technologiescpreston@glasshouse.com www.glasshouse.com

  2. Overview • Why are we talking about this? • Security Basics for the Storage Administrator • Backup Server Vulnerabilities • SAN Vulnerabilities • NAS Vulnerabilities • Management Interface Vulnerabilities • What you can do to secure your stored data

  3. The Good Ol’ Days • All disks were behind servers • No need for “storage security” • SCSI protocol not designed with security in mind • No concept or need of authentication or authorization

  4. Storage Networks vs DAS • Now you can access one server’s storage from another server • We must begin to address security concerns • Especially true of NFS/CIFS data and Out-of-band control data is being sent on production LAN.

  5. The challenge • Security and storage people do not often speak the same language • Storage people don’t get enough security training to learn the security issues that they should look out for • Security people don’t get enough storage training to know how networked storage and backup systems affect security • First result: Inaction • Second result: Publicly acknowledged attack • Third result: You become a jeopardy tile

  6. Security Basics for the Storage Professional

  7. Security Controls • Authentication Controls • Are you who you say you are? • Authorization Controls • Are you allowed to see or modify this? • Encryption • If you’re given access to something you’re not supposed to see, you won’t be able to read it. • Auditing • If bad things happen, we’ll know they happened • Integrity Controls • Is this the same as when I put it here?

  8. The two phases of an attack • Enumeration • Can take minutes, days, months, or years • Stop enumeration and you stop the attack • Penetration • Use data found in enumeration phase to actually attack • Often too late to do anything

  9. Backup System Vulnerabilities

  10. Backup System Vulnerabilities • Three basic attacks via the backup system • A compromised or rogue backup server • A compromised or rogue client • Stolen media • A compromised or rogue backup server is all powerful • Backup & restore (access) any data to/from any client • Install back doors anywhere the black hat wants • Destroy evidence of an attack or other malfeasance • Delete/erase all backups • Perform enumeration phase for stolen media attack • A compromised or rogue client is all powerful within its realm • Restore any data from the past or present • Overwrite recent backups within invalid backups

  11. Stolen Tapes • By design, backup is a plain-text application – to facilitate restores • All plain-text backup tapes are readable by black hats if they possess (and know how to use) the appropriate hardware and software • Backup tapes are handled by humans, and humans make mistakes • California (SB 1386) and several other states require written notification of exposures to customers. If not possible, it requires notification of media. • Huge PR loss & potential loss of I.P. • Many tapes cannot be de-gaussed & re-used

  12. SAN Vulnerabilities

  13. Authentication Methods • WWN-based zones (worst & most common) • Members specified using WWNs • WWN spoofing is built into HBA driver • Compromised server on the SAN can pretend to be any other server. • Port-based zones (better) • Members specified using switch ports • Only attackable with physical access • Port-binding (best) • Combines WWN-based zoning & port zoning • WWN only authenticated if it’s on the correct port

  14. Authorization Methods • Soft zones (worst & most common) • Only zone members authorized to list zone members • All authorized communicate directly with WWN • Only slows enumeration phase • Hardware enforced zones/Hard Zones (best) • Only zone members authorized to list zone members • Only zone members authorized to communicate with zone members • Only authorization method that offers any meaningful authorization

  15. LUN Masking • A LUN represents a virtual or physical device • LUN masking hides, or masks, LUNs from specific servers • LUNs are usually masked from certain servers based on the WWNs of those servers • Not an authentication or authorization method, simply traffic flow control

  16. NAS Vulnerabilities

  17. NFS Vulnerabilities • Protocol is clear-text • Authentication based on IP address and username • Authorization based on user ID, which can be faked on a rogue server • Any user can list all shares!

  18. ethereal Sniffing NFS Network

  19. Enumeration of All Shares • Any user can query an NFS server for shares

  20. CIFS Vulnerabilities • Encrypts communication traffic • Most weaknesses due to backward compatibility with older systems • Authentication weaknesses • Multiple users from any account can access a shared CIFS-enabled device using the correct password • Little accountability if a password is compromised • Share-level authentication is transmitted in clear-text • Backward-compatible systems are easily enumerated • Even kerberos-based systems can be penetrated with enough time

  21. CIFS Enumeration with winfo C:\>net use \\10.xxx.1.x\IPC$ "" /user:"" The command completed successfully. C:\>winfo 10.xxx.1.1 -n Trying to establish null session... Null session established. DOMAIN INFORMATION: - Primary domain (legacy): XXXXXXX - Account domain: XXXXX LOGGED IN USERS: * xxxxx SHARES: ... * ADMIN$ - Type: Special share reserved for IPC or administrative share - Remark: Remote Admin * C$ - Type: Special share reserved for IPC or administrative share - Remark: Default share • Using winfo, a null user can get a tonof information.. • This works on Samba servers too!

  22. CIFS Enumeration Enum.exe & NBTEnum20.execan also give you the info… Once enumerated, it’s a simple matter of a brute force attack

  23. CIFS Brute Force Attack Once the username and password have been guessed, the share is compromised

  24. CIFS Enumeration Tools • Enum.exe • NBTEnum20.exe • SMBBF (brute force) • LC4 for LANMAN attacks • kerbsniff and kerbcrack for kerberos attacks • And many, many more, all available via a quick Internet search

  25. Management Interface Vulnerabilities • True for backup, SAN & NAS • Usually connected to corporate LAN • Often do not change the password • Often managed using plain-text protocols • Black hat with LAN access to destroy all SAN attached data in a few seconds • Also often offer http & SNMP access to information very helpful in enumeration

  26. Closing the back door

  27. Protect Management Interfaces • Encrypt plain text interfaces • Put management interfaces on separate LAN • Require access through VPN or SSH tunnel to access management LAN • Use encrypted interfaces • Upgrade to non-plain text interfaces (SSL, SSH, Secure Telnet) • Stop using plain text plain text protocols – disable if possible

  28. Secure the SAN • Use port-based zoning, or port-binding for authentication • Use hardware-enforced zoning for authorization • Investigate in-band increased authentication systems, such as FC-CHAP • Investigate in-band encryption

  29. Secure NAS • Acknowledge the insecure nature of NFS & CIFS • Investigate recent advancements in authentication (Kerberos, NFSv4) • Consider private network for NFS/CIFS • Consider in-band authentication systems

  30. Secure the Backup Server • Minimize the number of people with full access to backup server • Remove all plain text access, separate mgmt port • If admin/root is required, use a Unix backup server & sudo if possible • Use a honeypot to watch for rogue servers • Work with security department to ensure security • Investigate the role-based security options of your backup product • Consider encryption of any tapes leaving the campus

  31. Discarding Used Media • Many modern media cannot be degaussed and re-used • Therefore, any reselling service claiming to do so with these media is lying • Secure media shredding services are available • You can also encrypt it in the first place

  32. Finally • Start thinking about Storage Security • Learn what you can about weaknesses and work around them where you can • Make friends with the security team • Put pressure on vendors to make things more secure (they are listening!) • GlassHouse can help with a storage security assessment

More Related