Storage Security - Securing Stored Data: Protecting Storage Networks and Backups. W. Curtis Preston, VP Data Protection, GlassHouse Technologies, cpreston@glasshouse.com, www.glasshouse.com. Overview: Why are we talking about this? Security basics for the storage administrator.
Storage Security - Securing Stored Data: Protecting Storage Networks and Backups • W. Curtis Preston, VP Data Protection, GlassHouse Technologies • cpreston@glasshouse.com • www.glasshouse.com
Overview • Why are we talking about this? • Security Basics for the Storage Administrator • Backup Server Vulnerabilities • SAN Vulnerabilities • NAS Vulnerabilities • Management Interface Vulnerabilities • What you can do to secure your stored data
The Good Ol’ Days • All disks were behind servers • No need for “storage security” • SCSI protocol not designed with security in mind • No concept or need of authentication or authorization
Storage Networks vs DAS • Now you can access one server’s storage from another server • We must begin to address security concerns • Especially true when NFS/CIFS data and out-of-band control data are sent over the production LAN
The challenge • Security and storage people do not often speak the same language • Storage people don’t get enough security training to learn the security issues that they should look out for • Security people don’t get enough storage training to know how networked storage and backup systems affect security • First result: Inaction • Second result: Publicly acknowledged attack • Third result: You become a jeopardy tile
Security Controls • Authentication Controls • Are you who you say you are? • Authorization Controls • Are you allowed to see or modify this? • Encryption • If you’re given access to something you’re not supposed to see, you won’t be able to read it. • Auditing • If bad things happen, we’ll know they happened • Integrity Controls • Is this the same as when I put it here?
The two phases of an attack • Enumeration • Can take minutes, days, months, or years • Stop enumeration and you stop the attack • Penetration • Use data found in enumeration phase to actually attack • Often too late to do anything
Backup System Vulnerabilities • Three basic attacks via the backup system • A compromised or rogue backup server • A compromised or rogue client • Stolen media • A compromised or rogue backup server is all powerful • Backup & restore (access) any data to/from any client • Install back doors anywhere the black hat wants • Destroy evidence of an attack or other malfeasance • Delete/erase all backups • Perform enumeration phase for stolen media attack • A compromised or rogue client is all powerful within its realm • Restore any data from the past or present • Overwrite recent backups with invalid backups
Stolen Tapes • By design, backup is a plain-text application – to facilitate restores • All plain-text backup tapes are readable by black hats if they possess (and know how to use) the appropriate hardware and software • Backup tapes are handled by humans, and humans make mistakes • California (SB 1386) and several other states require written notification of exposures to customers. If individual notification is not possible, it requires notification via the media. • Huge PR loss & potential loss of I.P. • Many tapes cannot be de-gaussed & re-used
Authentication Methods • WWN-based zones (worst & most common) • Members specified using WWNs • WWN spoofing is built into HBA driver • Compromised server on the SAN can pretend to be any other server. • Port-based zones (better) • Members specified using switch ports • Only attackable with physical access • Port-binding (best) • Combines WWN-based zoning & port zoning • WWN only authenticated if it’s on the correct port
Authorization Methods • Soft zones (worst & most common) • Only zone members authorized to list zone members • All authorized communicate directly with WWN • Only slows enumeration phase • Hardware enforced zones/Hard Zones (best) • Only zone members authorized to list zone members • Only zone members authorized to communicate with zone members • Only authorization method that offers any meaningful authorization
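The authentication slide (WWN zones vs port zones vs port-binding) and the authorization slide (soft vs hard zones) above can be modelled together. This is an added example, not code from the presentation or from any switch vendor: a toy fabric where a compromised host claims another host's WWN; the WWNs, switch ports and zone names are constructed sample values.

```python
"""Added example (not from the original presentation): a toy model of Fibre Channel
zoning showing why WWN-based soft zoning is weak and port-binding plus hard zoning
resists WWN spoofing. WWNs, ports and zone names are constructed sample values."""
from dataclasses import dataclass

@dataclass
class Fabric:
    port_of_wwn: dict          # legitimate HBA WWN -> physical switch port it is cabled to
    zones: dict                # zone name -> set of member WWNs
    auth_mode: str = "wwn"     # "wwn", "port" or "port_binding"
    hard_zoning: bool = False  # True: switch drops frames between non-members (hard zone)

    def authenticated_wwn(self, claimed_wwn, physical_port):
        """Identity the fabric accepts for a login claiming claimed_wwn on physical_port."""
        if self.auth_mode == "wwn":            # claim is believed outright; spoofing succeeds
            return claimed_wwn
        if self.auth_mode == "port":           # identity is the port; needs physical access
            return next((w for w, p in self.port_of_wwn.items() if p == physical_port), None)
        if self.auth_mode == "port_binding":   # claim accepted only on its bound port
            return claimed_wwn if self.port_of_wwn.get(claimed_wwn) == physical_port else None
        raise ValueError(f"unknown auth_mode {self.auth_mode}")

    def _zones_of(self, wwn):
        return [m for m in self.zones.values() if wwn in m]

    def visible_targets(self, claimed_wwn, physical_port):
        """What a name-server query returns: members of the zones the identity belongs to."""
        me = self.authenticated_wwn(claimed_wwn, physical_port)
        return set().union(*self._zones_of(me)) - {me} if me else set()

    def can_send(self, claimed_wwn, physical_port, target_wwn):
        """Whether the switch forwards a frame from this login to target_wwn."""
        me = self.authenticated_wwn(claimed_wwn, physical_port)
        if me is None:
            return False
        if not self.hard_zoning:   # soft zone only hides names; a known WWN stays reachable
            return True
        return any(target_wwn in m for m in self._zones_of(me))

# Constructed fabric: host A and array S share a zone; host B is zoned only to array T.
HOST_A, HOST_B = "10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:bb:00:02"
ARRAY_S, ARRAY_T = "50:06:01:60:00:00:00:03", "50:06:01:60:00:00:00:04"
CABLING = {HOST_A: 1, HOST_B: 2, ARRAY_S: 3, ARRAY_T: 4}
ZONES = {"zone_A": {HOST_A, ARRAY_S}, "zone_B": {HOST_B, ARRAY_T}}

def spoof_reaches_array(auth_mode, hard_zoning):
    """Host B (port 2) is compromised, claims host A's WWN and sends to array S."""
    return Fabric(CABLING, ZONES, auth_mode, hard_zoning).can_send(HOST_A, 2, ARRAY_S)
```

Note that hard zoning alone does not stop the spoofed login (the switch believes it is host A); it is the combination of port-binding for authentication and hard zones for authorization that blocks both the spoof and the direct-to-WWN traffic a soft zone lets through.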
LUN Masking • A LUN represents a virtual or physical device • LUN masking hides, or masks, LUNs from specific servers • LUNs are usually masked from certain servers based on the WWNs of those servers • Not an authentication or authorization method, simply traffic flow control
NFS Vulnerabilities • Protocol is clear-text • Authentication based on IP address and username • Authorization based on user ID, which can be faked on a rogue server • Any user can list all shares!
Enumeration of All Shares • Any user can query an NFS server for shares
CIFS Vulnerabilities • Encrypts communication traffic • Most weaknesses due to backward compatibility with older systems • Authentication weaknesses • Multiple users from any account can access a shared CIFS-enabled device using the correct password • Little accountability if a password is compromised • Share-level authentication is transmitted in clear-text • Backward-compatible systems are easily enumerated • Even Kerberos-based systems can be penetrated with enough time
CIFS Enumeration with winfo
C:\>net use \\10.xxx.1.x\IPC$ "" /user:""
The command completed successfully.
C:\>winfo 10.xxx.1.1 -n
Trying to establish null session...
Null session established.
DOMAIN INFORMATION:
- Primary domain (legacy): XXXXXXX
- Account domain: XXXXX
LOGGED IN USERS:
* xxxxx
SHARES:
...
* ADMIN$
- Type: Special share reserved for IPC or administrative share
- Remark: Remote Admin
* C$
- Type: Special share reserved for IPC or administrative share
- Remark: Default share
• Using winfo, a null user can get a ton of information. • This works on Samba servers too!
CIFS Enumeration • Enum.exe & NBTEnum20.exe can also give you the info… • Once enumerated, it’s a simple matter of a brute force attack
CIFS Brute Force Attack • Once the username and password have been guessed, the share is compromised
CIFS Enumeration Tools • Enum.exe • NBTEnum20.exe • SMBBF (brute force) • LC4 for LANMAN attacks • kerbsniff and kerbcrack for Kerberos attacks • And many, many more, all available via a quick Internet search
Management Interface Vulnerabilities • True for backup, SAN & NAS • Usually connected to corporate LAN • Default password often never changed • Often managed using plain-text protocols • A black hat with LAN access can destroy all SAN-attached data in a few seconds • Also often offer HTTP & SNMP access to information very helpful in enumeration
Protect Management Interfaces • Encrypt plain-text interfaces • Put management interfaces on a separate LAN • Require access through a VPN or SSH tunnel to reach the management LAN • Use encrypted interfaces • Upgrade to non-plain-text interfaces (SSL, SSH, Secure Telnet) • Stop using plain-text protocols – disable them if possible
Secure the SAN • Use port-based zoning, or port-binding, for authentication • Use hardware-enforced zoning for authorization • Investigate in-band authentication systems that go beyond WWNs, such as FC-CHAP • Investigate in-band encryption
Secure NAS • Acknowledge the insecure nature of NFS & CIFS • Investigate recent advancements in authentication (Kerberos, NFSv4) • Consider private network for NFS/CIFS • Consider in-band authentication systems
Secure the Backup Server • Minimize the number of people with full access to backup server • Remove all plain text access, separate mgmt port • If admin/root is required, use a Unix backup server & sudo if possible • Use a honeypot to watch for rogue servers • Work with security department to ensure security • Investigate the role-based security options of your backup product • Consider encryption of any tapes leaving the campus
Discarding Used Media • Many modern media cannot be degaussed and re-used • Therefore, any reselling service claiming to do so with these media is lying • Secure media shredding services are available • You can also encrypt it in the first place
Finally • Start thinking about Storage Security • Learn what you can about weaknesses and work around them where you can • Make friends with the security team • Put pressure on vendors to make things more secure (they are listening!) • GlassHouse can help with a storage security assessment