Storage Networking Security Series: Securing Data In Transit


Storage Networking Security Series: Securing Data in Transit
Live Webcast
October 28, 2020
10:00 am PT
© 2020 Storage Networking Industry Association. All Rights Reserved.

Today’s Presenters
§ Alex McDonald, Moderator, Independent Consultant, Vice Chair SNIA NSF
§ Claudio DeSanti, Dell Technologies
§ Ariel Kit, NVIDIA
§ Cesar Obediente, Cisco
§ Brandon Hoff, Broadcom

SNIA At-A-Glance

NSF Technologies

SNIA Legal Notice
§ The material contained in this presentation is copyrighted by the SNIA unless otherwise noted.
§ Member companies and individual members may use this material in presentations and literature under the following conditions:
  § Any slide or slides used must be reproduced in their entirety without modification
  § The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.
§ This presentation is a project of the SNIA.
§ Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney.
§ The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information.
NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.

Agenda
§ Storage networks security framework
§ Data-in-motion security
§ Private and public cloud
§ Securing data in the datacenter

Storage Networks Security Framework: Threats Analysis
Claudio DeSanti, Dell Technologies

Storage Area Network (SAN) Example
[Figure: Management Station (Console), Hosts or Servers, Storage (Array). Images credit: David Black]

Security Threats
0) Management & System Integrity
1) Uncontrolled Storage Access
2) Impersonation (Spoofing)
3) Communication Access
  § Eavesdrop
  § Inject/Modify
4) External Access
  § Media Theft
  § Other Access

Security Threat 0: Management & System Integrity
0) Management & System Integrity
§ Countermeasures: Management Security
  § Authentication & Authorization
  § Logging and Anomaly Detection
  § Secure Channels
§ Countermeasures: System Integrity
  § Hardware/software/firmware integrity checks and assurance
  § Preferably anchored to hardware root of trust

Security Threat 1: Access Control
1) Uncontrolled Storage Access
§ Countermeasure: Storage Access Control
  § E.g., FC zoning, SCSI LUN masking, NVMe Namespace mapping
  § Does not prevent impersonation

Security Threat 2: Impersonation
2) Impersonation (Spoofing)
§ Countermeasure: Authentication
  § Proof of identity
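The layering the two slides above describe (zoning or LUN masking grants reachability by name; authentication proves the identity behind the name) as an added example, not code from the SNIA deck or from any FC-SP-2 implementation. It uses a simplified CHAP-style challenge/response with HMAC-SHA-256 rather than the exact FC-SP-2 DH-CHAP message format; the WWPNs, the zone and the secrets are constructed, and the verifier holds the genuine secret of each peer it is willing to accept.

```python
import hashlib
import hmac
import secrets

# Constructed fabric state: one active zone (a set of WWPNs allowed to see
# each other) and the per-entity secrets a RADIUS or KMIP store would
# normally hold.  All names and secrets are made up for this example.
HOST = "10:00:00:00:c9:aa:aa:01"
ARRAY = "50:06:01:60:bb:bb:00:01"
SWITCH = "20:00:00:05:1e:cc:cc:01"
ZONES = {"zone_db1": {HOST, ARRAY}}
SECRETS = {
    HOST: b"host-secret-constructed",
    ARRAY: b"array-secret-constructed",
    SWITCH: b"switch-secret-constructed",
}


def zoning_allows(src_wwpn, dst_wwpn):
    """Access control (threat 1): purely name based, so a forged WWPN passes."""
    return any(src_wwpn in zone and dst_wwpn in zone for zone in ZONES.values())


def chap_response(name, secret, challenge):
    """Claimant side: prove possession of the secret without ever sending it."""
    return hmac.new(secret, name.encode() + challenge, hashlib.sha256).digest()


class Verifier:
    """Verifier side: issue a fresh nonce per attempt and check the reply.
    The nonce is consumed on verification, so a captured response is
    useless for a later login (no replay)."""

    def __init__(self, known_credentials):
        self.known = known_credentials      # peer name -> secret we accept
        self.outstanding = {}

    def challenge(self, peer_name):
        nonce = secrets.token_bytes(16)
        self.outstanding[peer_name] = nonce
        return nonce

    def verify(self, peer_name, response):
        nonce = self.outstanding.pop(peer_name, None)
        secret = self.known.get(peer_name)
        if nonce is None or secret is None:
            return False
        expected = chap_response(peer_name, secret, nonce)
        return hmac.compare_digest(expected, response)


def mutual_authenticate(a_name, a_secret, b_name, b_secret):
    """Both directions must succeed: each side needs the other's credential."""
    a_side = Verifier({b_name: SECRETS.get(b_name)})
    b_side = Verifier({a_name: SECRETS.get(a_name)})
    nonce_for_a = b_side.challenge(a_name)   # B -> A: challenge
    nonce_for_b = a_side.challenge(b_name)   # A -> B: challenge
    a_ok = b_side.verify(a_name, chap_response(a_name, a_secret, nonce_for_a))  # A -> B
    b_ok = a_side.verify(b_name, chap_response(b_name, b_secret, nonce_for_b))  # B -> A
    return a_ok and b_ok


def port_login(claimed_wwpn, presented_secret, target_wwpn):
    """What the fabric can conclude about a login: zoning answers 'may this
    name reach the target?', authentication answers 'is this really that name?'."""
    zoned = zoning_allows(claimed_wwpn, target_wwpn)
    authenticated = mutual_authenticate(claimed_wwpn, presented_secret,
                                        SWITCH, SECRETS[SWITCH])
    return {"zoned": zoned, "authenticated": authenticated}


if __name__ == "__main__":
    print(port_login(HOST, SECRETS[HOST], ARRAY))      # zoned and authenticated
    print(port_login(HOST, b"guessed-secret", ARRAY))  # zoned, but not authenticated
```

The second call in the demo is the slide's point: a login that presents a zoned WWPN passes the zoning check regardless of who sends it, and only the challenge/response step distinguishes the real device from a name-only claim.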

Security Threat 3: Communication
3) Communication Access
  § Eavesdrop
  § Inject/Modify
§ Countermeasure: Secure Channel (data in flight)
  § Confidentiality
  § Cryptographic Integrity

Security Threat 4: Stored Data
4) External Access
  § Media Theft
  § Other Access
§ Countermeasure: Stored Data Encryption (data at rest)*
  § Application, server OS, VM guest OS
  § Hypervisor
  § Storage drives (SEDs)
* Storage Networking Security Series: Protecting Data at Rest

Storage Networking Security Review
0) Management & System Integrity
1) Storage Access Control
2) Authentication (proof of identity)
3) Secure Channel (data in flight)
  § Confidentiality
  § Cryptographic Integrity
4) Stored Data (data at rest) Encryption*
* Storage Networking Security Series: Encryption 101

SAN Protocols: Security Mechanisms Comparison
§ Access control (1)
  § Fibre Channel: Zoning, LUN masking
  § iSCSI: Network reachability, LUN masking
  § NVMe over Fabrics/IP: Network reachability, Namespace mapping
§ Authentication (2)
  § TLS (1.2 defined, 1.3 in progress); the remaining cells of this row were not recovered from the slide
§ Secure Channel (3)
  § Fibre Channel: FC ESP Header; the remaining cells of this row were not recovered from the slide

Data-in-Motion Security: Encryption Technologies
Ariel Kit, NVIDIA

Security in Different Layers (OSI)
[Figure: Services Layers: L6/7 Application Layer (Stored Data Encryption, Control Agent) and L4/5 Transport Layer; Infrastructure Layers: L2/3 Network Layer and L1 Physical Layer; HW Root-of-Trust underneath]

IPsec
§ Generic encryption and authentication of any IP packet
§ 2 IP protocols
  § AH - Authentication Headers
  § ESP - Encapsulating Security Payload
§ 2 modes of operation
  § Tunnel – between IPsec gateways (VPN)
  § Transport – end-to-end communication
§ Implementations
  § Site-to-site or edge-to-site (VPN)
  § OS\Server level encryption (Kernel IPsec)
[Figure: Transport Mode and Tunnel Mode packet layouts]

Transport Layer Security (TLS)
§ Privacy and data integrity between applications or micro-services
§ Connection security/privacy by symmetric cryptography
§ Identity and session keys negotiated using asymmetric cryptography
§ Versions
  § 1.2 – widely deployed
  § 1.3 – better performance, more secure
§ Implementations
  § Web applications (HTTPS)
  § Client/server application communication
[Figure: SSL/TLS protocol support across world’s most popular sites]
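What the version and verification choices on this slide look like in application code, as an added example that is not from the deck: a client context with settings still common in older code next to one that pins TLS 1.3 with full peer verification, and a small audit that lists the gaps. It uses only Python's standard `ssl` module; `legacy_client_context`, `hardened_client_context` and `audit_context` are names chosen here.

```python
import ssl


def legacy_client_context():
    """Settings still common in older client code: the peer certificate is
    not checked and the hostname is not verified, so any certificate a
    man-in-the-middle presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """TLS 1.3 only, system CA store loaded, certificate and hostname verified."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in an SSLContext; an empty list is good."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    elif ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("TLS 1.2 still allowed (1.3 preferred: faster handshake, fewer options)")
    return findings


if __name__ == "__main__":
    print("legacy:  ", audit_context(legacy_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same three properties (minimum version, certificate required, hostname checked) are what to look for when reviewing any client, whatever the library: disabling verification is the setting that turns "connection security by symmetric cryptography" into an encrypted channel to an unknown party.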

IPsec or TLS?
§ Web 2.0 content and application based (SaaS)?
  § TLS is more popular as it is done at the application level to protect the content
§ Infrastructure or cloud provider (IaaS)?
  § IPsec protects the communication between sites or servers and is widely used to protect the north-south channels (application unaware)
§ East-west encryption?
  § IPsec and TLS are both relevant; it depends on the deployment and customer preferences, including existing solutions. TLS is widely used for service mesh
§ RoCE encryption?
  § IPsec is the only option as it can be fully implemented in hardware
§ Transparent encryption for legacy and bare metal?
  § An IPsec implementation can be hidden from the server OS and applications, which also matches regulatory requirements for data confidentiality
To summarize:
§ IPsec is used for applications that don’t natively support any kind of protection
§ TLS is used when the application is aware of the type of protection

Data Confidentiality Performance
§ Crypto is complex and compute hungry
§ Encrypted headers blind the network devices
§ NIC hardware accelerators become useless
[Figure: Plaintext Packet vs Encrypted Packet]

Private and Public Cloud: Data in-flight Network Encryption
Cesar Obediente, Cisco

MAC Security - IEEE 802.1AE
§ Provides confidentiality, replay protection, and data integrity on Ethernet links between nodes
§ Enabled on Point-to-Point Ethernet Link
  § Packets are decrypted on ingress port
  § Packets are in the clear in the device
  § Packets are encrypted on egress port
§ Can co-exist with other security protocols:
  § IP Security (IPSec)
  § Secure Socket Layer (SSL)

Cloud Security Encryption
§ Cloud security provides transport and encryption for VXLAN technology - “multi-hop MACsec”
§ Cloud security offers secure tunnel between authorized VXLAN EVPN endpoints
§ Cloud security leverages BGP to do the key exchange
[Figure: Cloud Security – Multiple Data Centers; MACsec – Point-to-Point]

Site-to-Site IPSec VPN
§ Provides encryption to all the traffic over the Internet
§ Maintain a permanent encrypted connection between the sites
§ Protocols
  § AH - Authentication Headers
  § ESP - Encapsulating Security Payload
§ Modes of operation
  § Tunnel
  § Transport

Fibre Channel: Securing Data in the Datacenter
Brandon Hoff, Broadcom

FC-SP-2: What and Why?
§ Why?: Need to transition SANs from authorization- and segmentation-based FC security to authentication- and encryption-based security!
§ What?: FC-SP-2 is an ANSI/INCITS standard (2012) that defines protocols to
  § Authenticate Fibre Channel entities
  § Setup session encryption keys
  § Negotiate parameters to ensure per frame integrity and confidentiality
  § Define and distribute security policies over FC
§ Designed to protect against several classes of threats
§ See also the FCIA Webinar: “Fibre Channel and …”

FC-SP-2 ESP header
§ ESP header (optional) is a layer 2 security protocol that provides
  § Origin authentication, Integrity, Anti-replay protection, Confidentiality
§ Encapsulating Security Payload (ESP) is defined in RFC 4303
§ FC-FS-3 defines optional headers for Fibre Channel, FC-SP defines how to use ESP in Fibre Channel
§ Similar protections exist for CT Authentication
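The ESP header that the IPsec slides and this FC-SP-2 slide share (RFC 4303: SPI, sequence number, payload, padding, pad length, next header, ICV), as an added example that is not code from the deck or from any IPsec or FC-SP-2 implementation. It uses NULL encryption (RFC 2410) with an HMAC-SHA-256-128 integrity check value (RFC 4868) so that it runs with only the Python standard library, and implements the receiver's anti-replay sliding window from RFC 4303 section 3.4.3 in the order the RFC gives: window check, ICV verification, then window update. The key, SPI and traffic are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits (RFC 4868)


def build_esp(spi, seq, payload, next_header, auth_key):
    """Sender side.  Layout (RFC 4303): SPI | Seq | Payload | Pad | PadLen | NextHdr | ICV.
    With NULL encryption the payload travels in clear; the packet still
    gets origin authentication, integrity and anti-replay protection."""
    pad_len = (-(len(payload) + 2)) % 4        # align PadLen+NextHdr to 4 bytes
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default pad bytes 1, 2, 3, ...
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


class ReplayWindow:
    """Receiver anti-replay state for one inbound SA (RFC 4303 section 3.4.3).
    Bit i of `bitmap` is set when sequence number (right - i) has been accepted."""

    def __init__(self, size=64):
        self.size = size
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def is_acceptable(self, seq):
        if seq == 0:          # sequence number 0 is never sent on an SA
            return False
        if seq > self.right:  # to the right of the window: new
            return True
        diff = self.right - seq
        return diff < self.size and not (self.bitmap & (1 << diff))

    def update(self, seq):
        """Advance the window; called only after the ICV has verified."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def parse_esp(packet, auth_key, window):
    """Receiver side.  Returns (spi, seq, next_header, payload) or raises ValueError."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    if not window.is_acceptable(seq):          # cheap filter before any crypto
        raise ValueError(f"sequence number {seq} replayed or outside the window")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):  # forged packets never touch the window
        raise ValueError("ICV mismatch")
    window.update(seq)
    pad_len, next_header = authed[-2], authed[-1]
    if 8 + pad_len + 2 > len(authed):
        raise ValueError("pad length exceeds packet")
    payload = authed[8:len(authed) - 2 - pad_len]
    return spi, seq, next_header, payload


def is_rejected(packet, auth_key, window):
    """True if the receiver drops the packet (for demonstrations and tests)."""
    try:
        parse_esp(packet, auth_key, window)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-auth-key"          # constructed; a real SA key comes from IKE/FC-SP
    win = ReplayWindow()
    pkt = build_esp(0x1000, 1, b"SCSI READ(10) frame payload", 6, key)
    print(parse_esp(pkt, key, win))        # accepted once
    print(is_rejected(pkt, key, win))      # True: exact replay is dropped
```

Doing the window check before the ICV keeps replayed traffic from costing an HMAC per packet, and updating the window only after the ICV verifies keeps a forged packet with a high sequence number from sliding the window past genuine traffic; both orderings matter for the "anti-replay" bullet on the slide.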

Authentication Protocols and SAs

Managing Secrets, Passwords, and Certs
§ For mutual authentication, each device needs to know the credentials of
  § The adjacent device
  § End nodes for end-to-end
§ Manual configuration becomes difficult
  § 50,000 or more credentials are possible in large environments
§ Options for managing credentials
  § RADIUS
  § KMIP
  § Public Certificate Authority
  § Internal Certificate Authority
§ Unfortunately, not supported in any open systems operating system
[Figure: sharing the credentials of one device via a RADIUS server on the Ethernet network with the FC network; DH-CHAP credentials: Name, Secret]

Fibre Channel SAN Threat Mitigation
[Figure: “Outside Job” threats and “Inside Job” threats relative to the data center perimeter, and unlikely threats]

Full Fibre Channel Storage Security Stack
§ Digitally Signed Drivers: Integrated with OS security guidelines/best practices.
§ Secure UEFI Fibre Channel Boot: Digitally signed boot image that is validated by the server prior to system boot. Supported by all major server OEMs.
§ Digitally Signed Firmware Upgrade: Firmware images digitally signed by the vendor. Signature check and validation before firmware update.
§ Secure User Interfaces: User ACLs, RBAC, SSL, etc.
§ Fabric based Authorization and Authentication: Zoning, FC-SP Authentication, LUN Masking
§ Digitally signed software stack for the array: Extends security features to the storage array.
[Figure: OS hosts and the data center perimeter]

Best Practices for Encryption in Fibre Channel SANs
§ Data At Rest Encryption: Encrypt in the storage system to protect data on SSDs and Hard Disks when they are taken out of the array.
§ Data In Flight Encryption: Encrypt data in flight when it leaves the secure boundary of the data center. Usually for site-to-site Fibre Channel links (ISLs) or FCIP.
§ Minimize Cost and Risk: Avoid the cost and complexity of data in flight encryption inside the data center. No commercially available options.
[Figure: Data Center A and Data Center B connected by a Fibre Channel ISL or FCIP]

Summary
§ We’ve discussed
  § Storage networks security framework
  § Data-in-motion security
  § Private and public cloud
  § Securing data in the datacenter
§ Ensuring data is secure requires more than just a lock & key when it’s stored; it needs in-transit security
§ Secure data is possible, even if it’s eavesdropped, intercepted, copied or hacked on private or public networks
§ Essential on an insecure & unreliable edge

More SNIA Security Resources
§ Storage Networking Security Webcast Series: On-demand at the SNIA Educational Library:
  § …ing Storage Security and Threats
  § Protecting Data at Rest
  § Encryption 101
  § Key Management 101
  § Security & Privacy Regulations
  § Applied Cryptography
§ Follow us on Twitter @SNIANSF for dates and times of others planned:
  § Securing the Protocol
  § Securing the System: Hardening Methods
  § SNIA TLS Specification for Storage Systems

After this Webcast
§ Please rate this webcast and provide us with your feedback
§ This webcast and a copy of the slides wi