storage security - securing stored data: protecting storage networks and backups


Page 1: Storage Security - Securing Stored Data: Protecting Storage Networks and Backups

© Copyright Storage World Conference 2006. All rights Reserved.

Storage Security - Securing Stored Data: Protecting Storage Networks and Backups

W. Curtis Preston, VP Data Protection, GlassHouse Technologies, [email protected], www.glasshouse.com

Page 2

Overview

• Why are we talking about this?
• Security Basics for the Storage Administrator
• Backup Server Vulnerabilities
• SAN Vulnerabilities
• NAS Vulnerabilities
• Management Interface Vulnerabilities
• What you can do to secure your stored data

Page 3

The Good Ol’ Days

[Diagram: four servers, apollo, elvis, nina and rissa, each with its own directly attached Data disk]

The “good old days”

• All disks were behind servers
• No need for “storage security”
• SCSI protocol not designed with security in mind
• No concept of, or need for, authentication or authorization

Page 4

Storage Networks vs DAS

• Now you can access one server’s storage from another server
• We must begin to address security concerns
• Especially true when NFS/CIFS data and out-of-band control data are being sent over the production LAN

Page 5

The challenge

• Security and storage people do not often speak the same language
• Storage people don’t get enough security training to learn the security issues that they should look out for
• Security people don’t get enough storage training to know how networked storage and backup systems affect security
• First result: Inaction
• Second result: Publicly acknowledged attack
• Third result: You become a Jeopardy tile

Page 6

Security Basics for the Storage Professional

Page 7

Security Controls

• Authentication Controls
– Are you who you say you are?
• Authorization Controls
– Are you allowed to see or modify this?
• Encryption
– If you’re given access to something you’re not supposed to see, you won’t be able to read it.
• Auditing
– If bad things happen, we’ll know they happened
• Integrity Controls
– Is this the same as when I put it here?

Page 8

The two phases of an attack

• Enumeration
– Can take minutes, days, months, or years
– Stop enumeration and you stop the attack
• Penetration
– Use data found in enumeration phase to actually attack
– Often too late to do anything

[Figure 1: attack timeline; the enumeration phase runs from start to success, followed by the penetration phase to its success]

Page 9

Backup System Vulnerabilities

Page 10

Backup System Vulnerabilities

• Three basic attacks via the backup system
– A compromised or rogue backup server
– A compromised or rogue client
– Stolen media
• A compromised or rogue backup server is all powerful
– Backup & restore (access) any data to/from any client
– Install back doors anywhere the black hat wants
– Destroy evidence of an attack or other malfeasance
– Delete/erase all backups
– Perform enumeration phase for stolen media attack
• A compromised or rogue client is all powerful within its realm
– Restore any data from the past or present
– Overwrite recent backups with invalid backups

Page 11

Stolen Tapes

• By design, backup is a plain-text application – to facilitate restores
• All plain-text backup tapes are readable by black hats if they possess (and know how to use) the appropriate hardware and software
• Backup tapes are handled by humans, and humans make mistakes
• California (SB 1386) and several other states require written notification of exposures to customers. If that is not possible, they require notification through the news media.
• Huge PR loss & potential loss of I.P.
• Many tapes cannot be de-gaussed & re-used

Page 12

SAN Vulnerabilities

Page 13

Authentication Methods

• WWN-based zones (worst & most common)
– Members specified using WWNs
– WWN spoofing is built into HBA driver
– Compromised server on the SAN can pretend to be any other server.
• Port-based zones (better)
– Members specified using switch ports
– Only attackable with physical access
• Port-binding (best)
– Combines WWN-based zoning & port zoning
– WWN only authenticated if it’s on the correct port

Page 14

Authorization Methods

• Soft zones (worst & most common)
– Only zone members authorized to list zone members
– Any host that already knows a WWN can still communicate with it directly
– Only slows enumeration phase
• Hardware enforced zones/Hard Zones (best)
– Only zone members authorized to list zone members
– Only zone members authorized to communicate with zone members
– Only authorization method that offers any meaningful authorization
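As an added illustration of the authentication and authorization choices on the two slides above (not code from the original deck): a small model of a fabric's access decisions, used to check which control actually stops the WWN spoofing the authentication slide describes. Zone names, WWNs and port numbers are constructed; the rules are the ones the slides state.

```python
# Added example, not from the original deck. A minimal model of the fabric
# access decisions described on slides 13 and 14. Zone names, WWNs and port
# numbers below are constructed.

def authenticate(method, zones, bindings, wwn, port):
    """Return the zones a login on 'port' presenting 'wwn' is admitted to.

    zones:    {zone_name: {member, ...}}, members are WWN strings or port ints
    bindings: {wwn: port}, consulted only by port-binding
    """
    if method == "wwn":               # worst: trusts the WWN the HBA claims
        return {z for z, m in zones.items() if wwn in m}
    if method == "port":              # better: trusts the physical switch port
        return {z for z, m in zones.items() if port in m}
    if method == "port-binding":      # best: the WWN is valid only on its port
        if bindings.get(wwn) != port:
            return set()              # right WWN, wrong port: rejected
        return {z for z, m in zones.items() if wwn in m}
    raise ValueError(f"unknown method {method!r}")


def may_send(enforcement, initiator_zones, target_zones):
    """Soft zoning only filters name-server replies; hard zoning drops frames
    between hosts that share no zone."""
    if enforcement == "hard":
        return bool(initiator_zones & target_zones)
    return True  # soft: a host that already knows the target WWN can reach it


# Constructed fabric: host 'apollo' (HBA on port 1) and its array port (port 9).
APOLLO_WWN = "10:00:00:00:c9:aa:aa:01"
ARRAY_WWN = "50:06:01:60:00:00:00:09"
ZONES = {
    "apollo_wwn_zone": {APOLLO_WWN, ARRAY_WWN},   # WWN-based zone
    "apollo_port_zone": {1, 9},                   # port-based zone
}
BINDINGS = {APOLLO_WWN: 1, ARRAY_WWN: 9}
ARRAY_ZONES = {"apollo_wwn_zone", "apollo_port_zone"}


def spoofed_wwn_admitted(method):
    """A compromised host on port 7 presents apollo's WWN, the scenario on
    slide 13. True means the control did not stop it."""
    return bool(authenticate(method, ZONES, BINDINGS, APOLLO_WWN, 7) & ARRAY_ZONES)


if __name__ == "__main__":
    for method in ("wwn", "port", "port-binding"):
        print(f"{method:13} spoofed WWN admitted: {spoofed_wwn_admitted(method)}")
```

Only WWN-based zoning admits the spoofed login; and even once admitted, soft zoning never blocks frames from a host that knows a target's WWN, which is why the slide calls it enumeration slowing rather than authorization.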

Page 15

LUN Masking

• A LUN represents a virtual or physical device
• LUN masking hides, or masks, LUNs from specific servers
• LUNs are usually masked from certain servers based on the WWNs of those servers
• Not an authentication or authorization method, simply traffic flow control

Page 16

NAS Vulnerabilities

Page 17

NFS Vulnerabilities

• Protocol is clear-text
• Authentication based on IP address and username
• Authorization based on user ID, which can be faked on a rogue server
• Any user can list all shares!

Page 18

[Screenshot: Ethereal sniffing an NFS network]

Page 19

Enumeration of All Shares

• Any user can query an NFS server for shares
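The NFS slides above note that authorization rests on a user ID the client asserts and that shares can be listed by anyone; the administrator's lever is how exports are restricted. An added example (not from the deck): an audit of a Linux /etc/exports file for world-mountable exports and for the `no_root_squash` and `insecure` options, under which a rogue client does the most damage. The sample exports text is constructed.

```python
# Added example, not from the original deck: an audit of a Linux /etc/exports
# file for the options under which the NFS weaknesses above bite hardest. The
# sample exports text is constructed.
import re

SAMPLE_EXPORTS = """\
# home directories: one subnet, root squashed by default
/export/home    10.1.2.0/24(rw,sync)
/export/build   *(rw,no_root_squash)
/export/backup  buildhost(rw) 10.1.2.15(rw,no_root_squash,insecure)
/export/public
"""
TOKEN_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client(options)
RISKY_OPTIONS = {
    "no_root_squash": "remote root is trusted as local root",
    "insecure": "requests accepted from unprivileged source ports",
}

def parse_exports(text):
    """Parse exports(5) syntax into [(path, [(client, {option, ...})])]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            m = TOKEN_RE.match(tok)
            if m is None:                        # malformed token: skip
                continue
            client = m.group(1) or "*"           # "(ro)" alone means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((client, opts))
        exports.append((path, clients))
    return exports

def audit_exports(text):
    """Return [(path, client, issue)] for world-mountable or root-trusting exports."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            clients = [("*", set())]                 # bare path: any host
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "any host may mount"))
            for opt, issue in RISKY_OPTIONS.items():
                if opt in opts:
                    findings.append((path, client, f"{opt}: {issue}"))
    return findings
```

Restricting each export to the hosts that need it limits who can assert a user ID, and leaving root squashing on keeps a remote root from acting as local root on the exported tree.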

Page 20

CIFS Vulnerabilities

• Encrypts communication traffic
• Most weaknesses due to backward compatibility with older systems
• Authentication weaknesses
– Multiple users from any account can access a shared CIFS-enabled device using the correct password
– Little accountability if a password is compromised
– Share-level authentication is transmitted in clear-text
• Backward-compatible systems are easily enumerated
• Even Kerberos-based systems can be penetrated with enough time

Page 21

CIFS Enumeration with winfo

C:\>net use \\10.xxx.1.x\IPC$ "" /user:""
The command completed successfully.

C:\>winfo 10.xxx.1.1 -n
Trying to establish null session...
Null session established.

DOMAIN INFORMATION:
 - Primary domain (legacy): XXXXXXX
 - Account domain: XXXXX

LOGGED IN USERS:
 * xxxxx

SHARES:
 ...
 * ADMIN$
   - Type: Special share reserved for IPC or administrative share
   - Remark: Remote Admin
 * C$
   - Type: Special share reserved for IPC or administrative share
   - Remark: Default share

• Using winfo, a null user can get a ton of information.
• This works on Samba servers too!

Page 22

CIFS Enumeration

Once enumerated, it’s a simple matter of a brute force attack

Enum.exe & NBTEnum20.exe can also give you the info…

Page 23

CIFS Brute Force Attack

Once the username and password have been guessed, the share is compromised

Page 24

CIFS Enumeration Tools

• Enum.exe
• NBTEnum20.exe
• SMBBF (brute force)
• LC4 for LANMAN attacks
• kerbsniff and kerbcrack for Kerberos attacks
• And many, many more, all available via a quick Internet search
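The null-session enumeration shown on the CIFS slides above leaves a footprint on the file server: a burst of anonymous network logons from one source. An added example (not from the deck): a detector that flags such sources, run over constructed log lines in a simplified normalized form, not real Windows event text.

```python
# Added example, not from the original deck. Flags sources that open many
# anonymous (null) network sessions in a short window, the footprint of the
# enumeration shown on the CIFS slides above. The log lines are constructed,
# in a simplified "time|event_id|account|logon_type|source" form such as a
# SIEM might normalize from Windows security events (540 was the pre-Vista
# network-logon success event); they are not real Windows event text.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2006-03-01T09:00:01|540|ANONYMOUS LOGON|3|10.0.0.77
2006-03-01T09:00:02|540|ANONYMOUS LOGON|3|10.0.0.77
2006-03-01T09:00:02|540|jsmith|3|10.0.0.12
2006-03-01T09:00:03|540|ANONYMOUS LOGON|3|10.0.0.77
2006-03-01T09:00:04|540|ANONYMOUS LOGON|3|10.0.0.77
2006-03-01T10:15:00|540|ANONYMOUS LOGON|3|10.0.0.12
"""

NULL_SESSION_ACCOUNT = "ANONYMOUS LOGON"
NETWORK_LOGON_TYPE = "3"

def parse_log(text):
    """Yield (timestamp, event_id, account, logon_type, source) per line."""
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, logon_type, source = line.split("|")
            yield datetime.fromisoformat(ts), event_id, account, logon_type, source

def null_session_sources(text, window=timedelta(minutes=5), threshold=3):
    """Return {source: peak_count} for sources with at least 'threshold'
    anonymous network logons inside any sliding 'window'."""
    by_source = defaultdict(list)
    for ts, _, account, logon_type, source in parse_log(text):
        if account == NULL_SESSION_ACCOUNT and logon_type == NETWORK_LOGON_TYPE:
            by_source[source].append(ts)
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[source] = max(flagged.get(source, 0), count)
    return flagged

if __name__ == "__main__":
    for source, count in null_session_sources(SAMPLE_LOG).items():
        print(f"{source}: {count} anonymous network logons within 5 minutes")
```

A single anonymous logon is normal background on many networks, which is why the detector keys on a burst; restricting anonymous enumeration on the server (the RestrictAnonymous LSA setting on Windows, `restrict anonymous` in Samba's smb.conf, neither mentioned in the deck) removes the footprint altogether.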

Page 25

Management Interface Vulnerabilities

• True for backup, SAN & NAS
• Usually connected to corporate LAN
• Often the password is never changed
• Often managed using plain-text protocols
• A black hat with LAN access can destroy all SAN-attached data in a few seconds
• Also often offer HTTP & SNMP access to information very helpful in enumeration

Page 26

Closing the back door

Page 27

Protect Management Interfaces

• Encrypt plain text interfaces
– Put management interfaces on separate LAN
– Require access through VPN or SSH tunnel to access management LAN
• Use encrypted interfaces
– Upgrade to non-plain text interfaces (SSL, SSH, Secure Telnet)
– Stop using plain text protocols – disable if possible

Page 28

Secure the SAN

• Use port-based zoning, or port-binding for authentication
• Use hardware-enforced zoning for authorization
• Investigate in-band increased authentication systems, such as FC-CHAP
• Investigate in-band encryption

Page 29

Secure NAS

• Acknowledge the insecure nature of NFS & CIFS
• Investigate recent advancements in authentication (Kerberos, NFSv4)
• Consider private network for NFS/CIFS
• Consider in-band authentication systems

Page 30

Secure the Backup Server

• Minimize the number of people with full access to backup server
• Remove all plain text access, separate mgmt port
• If admin/root is required, use a Unix backup server & sudo if possible
• Use a honeypot to watch for rogue servers
• Work with security department to ensure security
• Investigate the role-based security options of your backup product
• Consider encryption of any tapes leaving the campus

Page 31

Discarding Used Media

• Many modern media cannot be degaussed and re-used
• Therefore, any reselling service claiming to do so with these media is lying
• Secure media shredding services are available
• You can also encrypt it in the first place

Page 32

Finally

• Start thinking about Storage Security
• Learn what you can about weaknesses and work around them where you can
• Make friends with the security team
• Put pressure on vendors to make things more secure (they are listening!)
• GlassHouse can help with a storage security assessment