How Secure Is IP-Based Storage?


Wayne Lam, co-founder and vice president of FalconStor Software in Melville, N.Y., has a word of caution for administrators toying with the idea of putting storage data on an Internet protocol (IP) network where hackers, viruses and denial-of-service attacks are a daily threat: "Mimicking or hijacking an IP address is child's play," he says. "My 6-year-old can do it. IP is very easy to hack, unfortunately."

By and large, the storage world has been immune from such security threats in the past few years. Built-in capabilities such as zoning, host masking and logical unit numbers (LUNs) have kept the peace among servers by designating which disk space each one may reach. Consolidating storage into storage area networks (SANs) has made storage less distributed, thereby reducing the number of points of access.

But Fibre Channel's shortcomings, including its expense and lack of interoperability, have opened the door for companies such as Cisco Systems, FalconStor, IBM, Nishan Systems and SANValley Systems to design switches and solutions that use IP and Ethernet networks to transport storage. IP's best attribute is that it is ubiquitous and less costly: More than 90 percent of networks are based on it. But by bringing IP back into the storage environment, are VARs (value-added resellers) opening the door to all the security concerns that come along with it?

"Remember an IP-based storage server is just as vulnerable as anything else on IP," says Michael Karp, an analyst with Enterprise Management Association, Boulder, Colo. "All the security problems associated with IP don't go away. Once data is out there in transmission, anything can capture it."

Trying to stay one step ahead of the naysayers, companies including FalconStor and Nishan have installed security mechanisms within their IP storage products before the iSCSI protocol is even standardized. For instance, Nishan staged a demonstration last year in which the company simulated a wide area IP-based SAN and used SonicWall GX series Internet security appliances to encrypt data flowing through an exposed link. Meanwhile, FalconStor has installed a key-based authentication mechanism in its IP Stor software that creates virtualized SANs and NAS. In addition, SANValley Systems' SL1000 IP-SAN gateway has software-based authentication and authorization security capabilities, and the San Jose, Calif.-based company plans to add hardware-based encryption as well.

"Security requires backward thinking," says Pete Lindstrom, an analyst with the Hurwitz Group. "It's not about 'How do I make things work?' It's about 'How do I break it?' People assume technology will be used the way it was intended. But in security, the idea is how to use it in completely unintended ways," he says. "Security often has taken a back seat to functionality. That's the traditional challenge we face."

Fibre Channel Not Bulletproof

In a recent interview, James Staten, director of strategy at Sun Microsystems, revealed Fibre Channel's dirty little secret: Although the protocol was designed specifically for storage traffic, its security is limited to zoning, host masking and LUNs. "If you think IP has holes, wait until you see Fibre Channel," Staten says. "It has almost no security."

The masking and LUN capabilities are in place to keep the peace among servers by blocking off portions of disk space, instead of letting each server think it controls all the storage. It's the equivalent of limiting what you can see by covering your left eye.
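As an added illustration (not code from the article or from any vendor named in it), the following Python models masking as an access table keyed on the identity an initiator claims, beside the kind of key-based authentication the article says FalconStor added in front of it. Initiator names, LUN numbers and secrets are constructed; the challenge/response is a CHAP-style HMAC stand-in, not the iSCSI wire format.

```python
import hashlib
import hmac
import os
from typing import Dict, Set

# Constructed masking table (hypothetical initiator names and LUN numbers):
# each initiator is allowed to see only its own slice of the array.
MASKING_TABLE: Dict[str, Set[int]] = {
    "host-a": {0, 1},
    "host-b": {2},
}

# Constructed per-initiator shared secrets for the authenticated variant.
INITIATOR_SECRETS: Dict[str, bytes] = {
    "host-a": b"constructed-secret-for-host-a",
    "host-b": b"constructed-secret-for-host-b",
}


def visible_luns(claimed_initiator: str) -> Set[int]:
    """Plain masking: the LUNs an initiator is shown depend only on the
    identity it presents. Nothing here checks that the claim is genuine,
    which is why the article likens masking to covering one eye rather
    than calling it a security control."""
    return set(MASKING_TABLE.get(claimed_initiator, set()))


def new_challenge() -> bytes:
    """Fresh random challenge for one login attempt (target side)."""
    return os.urandom(16)


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Initiator side of a CHAP-style exchange: prove knowledge of the
    shared secret without sending it. HMAC-SHA256 is a stand-in for the
    real iSCSI CHAP algorithm."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def authenticated_visible_luns(claimed_initiator: str,
                               challenge: bytes,
                               response: bytes) -> Set[int]:
    """Masking behind authentication: the table lookup happens only after
    the initiator has answered the challenge with the secret registered
    for the identity it claims. Unknown names and wrong responses get an
    empty view, indistinguishable from a masked-out initiator."""
    secret = INITIATOR_SECRETS.get(claimed_initiator)
    if secret is None:
        return set()
    expected = challenge_response(secret, challenge)
    if not hmac.compare_digest(expected, response):
        return set()
    return visible_luns(claimed_initiator)


if __name__ == "__main__":
    # Unauthenticated masking: the table answers whoever names "host-a".
    print("masking only, claim 'host-a':", visible_luns("host-a"))

    # Authenticated masking: only a holder of host-a's secret gets the view.
    ch = new_challenge()
    good = challenge_response(INITIATOR_SECRETS["host-a"], ch)
    print("auth, correct response:", authenticated_visible_luns("host-a", ch, good))
    print("auth, wrong response:", authenticated_visible_luns("host-a", ch, b"\x00" * 32))
```

The design point is that the masking table is an authorization decision, and an authorization decision is only as good as the authentication that precedes it; the second function simply refuses to consult the table until the claimed identity has been proven.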

Fibre Channel was designed with the presumption that storage would exist on a dedicated network, far removed and isolated from the reach of most end users, except for a few IT managers. More stringent security mechanisms were not incorporated into the protocol because it was assumed that storage would be isolated from typical messaging traffic making its way through the Internet.

"How do you secure a storage area network in today's environment?" FalconStor's Lam asks. "Quite frankly," he answers, "there is no security. And that is why people don't talk about it."

The issue is particularly thorny for those in the storage service-provider market, where data from 20,000 companies may sit in co-location facilities across the country. Proponents of IP storage use that to their advantage to build a case for putting storage on an IP network. Unlike Fibre Channel, IP networks have at least 20 years of practical experience behind them. The IP security (IPSec) protocol standard, which includes authentication, authorization and encryption, is prevalent in many existing products, making it easy for companies like Nishan Systems to add security functions to their products through partnerships.

"Today, the chipsets that do IPSec encryption are available, and you can integrate them right into your products," says Tom Clark, director of technical marketing at Nishan Systems. "The encryption functionality is already stable. It's standards-based, so we don't have to go through the arduous task of engineering a security solution from scratch."

Encryption may be one of the strongest security measures available, but even that technology can't protect an environment from the nefarious e-mail carrying a virus: it protects data in transit, not the content an authorized sender delivers. The only way to guard against that is to make sure end users are on high alert for any e-mail with an unusual attachment.

"I'm not sure there are easy solutions to this," says Sandy Helton, CTO and executive vice president of SANValley Systems.

"You can only attack certain problems with certain solutions. Traffic may be authorized, but it may also be malicious. And once it's inside, it can wreak havoc.