SAN Security Protocols and Mechanisms 13
4.1.3 Fibre Channel Security Protocols
To address the remaining security concerns of the FC fabric, the major SAN vendors developed the Fibre Channel Security Protocols (FC-SP) specification, the work of a working group of the International Committee for Information Technology Standards (INCITS) T11.3 committee. The result is a draft of the future FC-SP standard, which extends the Fibre Channel architecture with:
• switch-to-switch, switch-to-device, and device-to-device authentication
• frame-by-frame FC-2 level protection that provides origin authentication, integrity, anti-replay and confidentiality for each frame sent over the wire
• consistent and secure policy distribution across the fabric
By implementing FC-SP, switches, storage devices and hosts are able to prove their identity through a reliable and manageable authentication mechanism. FC-SP protects against impersonation by rogue hosts, disks or fabric switches, and also guards against common miscabling errors when devices are connected to a fabric. With FC-SP, Fibre Channel traffic can be secured frame by frame to prevent snooping and hijacking, even over untrusted links. A consistent set of policies and management actions is propagated through the fabric to provide a uniform level of security across the entire fabric. FC-SP thus covers data integrity, authentication for both switch-to-switch and host-to-switch communication, and optional confidentiality.
4.1.3.1 FC-SP Authentication and Key Management Protocols
Authentication is the process by which an entity verifies the identity of another entity; as such, it is the foundation of security. A Fibre Channel device may authenticate an entity trying to access its resources by verifying that entity's identity, and different authentication protocols may validate an entity on the basis of different parameters. Each Fibre Channel entity is identified by a name. The purpose of an authentication protocol for Fibre Channel is to verify, using some form of digital credentials, that a claimed name is actually associated with the claiming entity. FC-SP specifies three optional authentication mechanisms, whose first role is to address the threat of identity spoofing within the FC fabric or when accessing it.
4.1.3.1.1 Diffie-Hellman Challenge Handshake Authentication Protocol
Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is a password-based authentication and key management protocol that uses the CHAP algorithm (RFC 1994) augmented with an optional Diffie-Hellman exchange. DH-CHAP provides bidirectional, and optionally unidirectional, authentication between an authentication initiator and an authentication responder. To authenticate with DH-CHAP, each entity, identified by a unique name, must be provisioned with a secret. Every other entity that wants to verify that entity must either know the secret associated with that name or defer the verification to a third party, such as a RADIUS or TACACS+ server, that knows it. When the Diffie-Hellman part of the protocol is not performed, DH-CHAP reduces to plain CHAP and is referred to as DH-CHAP with a null DH algorithm. DH-CHAP with a null DH algorithm is the authentication protocol that every FC-SP compliant implementation must support, for interoperability reasons. Other DH-CHAP parameters are negotiated as well, namely the list of hash functions (e.g. SHA-1, MD5) and the list of usable Diffie-Hellman group identifiers. The possible Diffie-Hellman group identifiers are 1, 2, 3 and 4, with group sizes of 1024, 1280, 1536 and 2048 bits respectively.
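As an added example (not from the original text and not the FC-SP specification's own wording), the following Python sketch walks through one DH-CHAP transaction with both sides' messages: the initiator's AUTH_Negotiate, the responder's DHCHAP_Challenge, the initiator's DHCHAP_Reply with a counter-challenge, and the responder's DHCHAP_Success. The entity names and secrets are constructed, the group 1 prime is a toy substitute (2^127 - 1) for the real 1024-bit group so the example runs instantly, and the way the DH shared value is folded into the challenge (C' = H(C | g^xy mod p)) together with the CHAP response layout H(T | K | C') are assumptions of this example rather than the exact FC-SP encoding. Group 0 exercises the mandatory null-DH (plain CHAP) path, and the verifier rejects any claimant whose response does not match the secret held for the claimed name.

```python
import hashlib
import hmac
import secrets as rng
from dataclasses import dataclass, field

# Hash functions DH-CHAP can negotiate (FC-SP names them MD5 and SHA-1).
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

# DH groups. Group 0 is the mandatory "null DH" (plain CHAP). The prime for
# group 1 is a TOY stand-in (2**127 - 1) for the real 1024-bit MODP group so
# that the example runs instantly; it gives no real security.
DH_GROUPS = {0: None, 1: (2**127 - 1, 5)}


def int_to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def chap_response(hash_name, tid, secret, challenge, dh_shared=None):
    """R = H(T | K | C'), with C' = C for null DH and C' = H(C | g^xy mod p)
    otherwise. Folding the DH value into the challenge this way is an
    assumption of this example, not a transcription of the FC-SP encoding."""
    h = HASHES[hash_name]
    c = challenge if dh_shared is None else h(challenge + dh_shared).digest()
    return h(tid + secret + c).digest()


@dataclass
class Entity:
    name: str            # FC name (a WWN in practice; constructed here)
    secret: bytes        # this entity's own provisioned secret
    known: dict          # name -> secret of the entities this one can verify
    hashes: list = field(default_factory=lambda: ["SHA1", "MD5"])
    dh_groups: list = field(default_factory=lambda: [1, 0])


def run_dh_chap(init, resp, bidirectional=True):
    """Drive one DH-CHAP transaction between an initiator and a responder.
    Returns (responder_accepted_initiator, initiator_accepted_responder);
    the second value is None for a unidirectional run."""
    tid = rng.token_bytes(4)  # transaction identifier T

    # 1. AUTH_Negotiate: initiator advertises its name and what it supports.
    negotiate = {"name": init.name, "hashes": init.hashes, "dh_groups": init.dh_groups}

    # 2. DHCHAP_Challenge: responder picks the first hash and group it shares,
    #    sends a random challenge C1 and, unless null DH, its ephemeral g^x mod p.
    try:
        hash_name = next(h for h in negotiate["hashes"] if h in resp.hashes)
        group_id = next(g for g in negotiate["dh_groups"] if g in resp.dh_groups)
    except StopIteration:
        raise ValueError("no common hash function or DH group")
    p, g = DH_GROUPS[group_id] or (None, None)
    c1 = rng.token_bytes(16)
    x = gx = None
    if p:
        x = rng.randbelow(p - 2) + 2
        gx = pow(g, x, p)
    challenge = {"name": resp.name, "hash": hash_name, "group": group_id, "c1": c1, "gx": gx}

    # 3. DHCHAP_Reply: initiator derives g^xy from the responder's g^x, answers
    #    C1 with its own secret and, if bidirectional, challenges back with C2.
    gy = shared_i = None
    if p:
        y = rng.randbelow(p - 2) + 2
        gy = pow(g, y, p)
        shared_i = int_to_bytes(pow(challenge["gx"], y, p))
    r1 = chap_response(hash_name, tid, init.secret, challenge["c1"], shared_i)
    c2 = rng.token_bytes(16) if bidirectional else None
    reply = {"r1": r1, "gy": gy, "c2": c2}

    # 4. Responder verifies R1 against the secret it holds for the CLAIMED name;
    #    an unknown name or a wrong secret ends the transaction (AUTH_Reject).
    shared_r = int_to_bytes(pow(reply["gy"], x, p)) if p else None
    expected = resp.known.get(negotiate["name"])
    init_ok = expected is not None and hmac.compare_digest(
        reply["r1"], chap_response(hash_name, tid, expected, c1, shared_r))
    if not init_ok:
        return False, False
    if not bidirectional:
        return True, None

    # 5. DHCHAP_Success: responder answers C2 with its own secret; the initiator
    #    checks it against the secret it holds for the responder's name.
    r2 = chap_response(hash_name, tid, resp.secret, reply["c2"], shared_r)
    expected = init.known.get(challenge["name"])
    resp_ok = expected is not None and hmac.compare_digest(
        r2, chap_response(hash_name, tid, expected, c2, shared_i))
    return init_ok, resp_ok
```

Note that with DH, g^xy mod p is also what a real implementation would feed into key derivation for the optional per-frame protection; here it only binds the CHAP response to the ephemeral exchange, so a captured challenge/response pair from one session cannot be replayed in another.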