How To: Minimize Pain And Cost Of IP Storage Networks

Although numerous storage technologies were developed to address these challenges, the continued growth of Internet access and new, rich content-based Web applications have organizations turning to IP storage solutions for the distribution of stored data in a global IP-based network. IP storage networks can satisfy the need for fast access to enterprise data, but require new security technologies to enable safe access to global data repositories.

Repositories include traditional file systems, but are also inclusive of more structured data, such as in databases or e-mail stores. Structured data has historically been the domain of direct attached storage (DAS). At the same time, the popularity of the storage area network (SAN) has grown, where the block-based approach provides the benefit of greater performance over the file-based approach of traditional networked attached storage (NAS) systems.

However, with the proliferation of high-performing networks with multi-Gigabit Ethernet backbones, easier access to high-performance global networks such as Multiprotocol Label Switching (MPLS), and increasing popularity of Internet SCSI (iSCSI)--an IP-based protocol which enables block-level I/O--IP storage networks are in dire need of secure transport which will not impact its high performance. In addition to maintaining IP storage performance, a practical IP-based security solution must also be simple, compatible, non-intrusive and cost-effective.

It is safe to say that when combined with ubiquitous compatibility and any-to-any connectivity, IP networks are used with virtually all applications. Along with such benefits come vulnerabilities. Whether it's simple internal IP address to IP address FTP transfer, internal application usage over a network segment, replication between two geographically dispersed sites for disaster recovery or company wide fully meshed global MPLS networking, the hacker's playground has grown to a worldwide park.

The very nature of IP networks which makes it so easy for corporate communication to reach a global scale also enables hackers with simple laptops, free software and very little know how to make lots of money from stolen data. Experienced hackers can take advantage of the limitless routers that have never been changed from their default configuration with IP address 192.168.1.1 and with factory usernames and passwords. Hackers can just as easily tap into local data streams as they can into remote corporate networks outside of the United States. They can wreak unbelievable havoc by easily stealing corporate intellectual property with complete detection avoidance by utilizing port mirroring to "sniff" packets as they traverse a network in the clear.

In addition, protocols built into wireless routers, such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA); do not offer effective security either. Amateur hackers can use free, easily downloadable software to hack these protocols in a matter of minutes and gain access to corporate networks. Protecting IP storage networks from hackers is more important than ever with corporate privacy mandates such as Sarbanes-Oxley, Gramm-Leach-Bliley, SEC, HIPAA and PCI, etc., which require companies to truly take a serious look at securing their data.

When a company's intellectual property is compromised and sold for profit, the company has more to worry about than incurred fines from a privacy mandate. The company's brand recognition can be damaged irreparably from appearing on front page news stories. Ensuing audits can reveal several areas of non-compliance, and corporate officers can face jail time. What can be done to prevent this? To start, the company must make the realization of the impact that comes with not protecting themselves beforehand--the traditional decision of managing the risk versus managing the consequence. They must realize how to protect themselves from any threat, even those of an internal employee or contractor, as well as those from the anonymous hacker, thousands of miles away in another country.

The notion of IP storage, running on IP networks, creates a problem in protecting data in motion. Data anywhere, with any-to-any access, traversing countless routes makes the problem of protecting data in motion seem daunting. Consider securing that data stream which could comprise hundreds of thousands of data packets--hundreds of thousands of packets of corporate jewels per second, that is.

The key, both literally and figuratively, is to encrypt all those moving packets. This is the idea behind IPsec. Since there is a continuous stream of packets of varying sizes from various applications traversing the IP network from Voice over IP (VoIP) to EMC Corp's Symmetrix Remote Data Facility (SRDF) which is used for business continuity, the encrypting and decrypting of this data must also occur continuously and at the same rate to ensure performance. Doing anything continuously, let alone something as compute-intensive as encryption, requires high-performance on both the encrypting and decrypting sides.

Take into account the Advanced Encryption Standard (AES) encryption method, the U.S. government standard since 2002. The robustness of the AES algorithm, using 256-bit keys, is what makes it virtually impenetrable. According to the National Institute of Standards and Technology (NIST), if a machine could attempt a brute force attack of trying to decipher a 256-bit key 255 times per second, it would literally take 149 trillion years to crack the key. Thus the "virtual" guarantee that if AES with 256-bit keys is used as the data encryption method, the data encrypted via AES is then un-hackable. So even if a hacker were to break into a router on that network and sniff packets, the data he would obtain would be worthless because it would be encrypted and he wouldn't have the key to decipher it. It is, however, the very robustness of AES that not only stresses the components performing the encryption and decryption causing performance degradation, but which also creates the sheer amount of architecting, configuration and management involved in such an implementation.

So the answer to securing IP networks is to encrypt the packets, or data in motion. However, the solution as a whole is a superset of simply encrypting the data in motion. The manner in which this encryption is performed is just as important as the result. In other words, maintaining the ubiquitous, easy to use, high performing nature of IP is of paramount importance when considering applying encryption to a network.

Implementing this ultra-high form of security via encryption has to be transparent, both in terms of network configuration and performance, but also to the applications that use the network, regardless of the nature of the application. That VoIP application may utilize small 64 byte UDP packets, and that SRDF application may utilize FCIP encapsulated jumbo packets--both of which are at opposite sides of the spectrum when it comes to packet types, but both of which need to be treated equally as they may both traverse the same path.

Traditional methods have included purely software-based approaches, which include IPsec client software running on a client or server. Encrypting in software certainly does not scale and certainly does not provide the high performance necessary to be transparent on a 100Mbit network, let alone on a GigE network. Hardware based encryption is faster and traditionally is available on a router or switch via a compatible network module.

Although the network module based approach is faster than software, introducing this type of performance requirement on an existing piece of network hardware degrades the performance of the hardware hosting the module, sometimes by more than an order of magnitude. The router is simply not able to encrypt, decrypt and route packets with the level the performance achieved when it was just routing packets, its designed primary function. Encrypting within existing network components also can incur high operational expenses when upgrading the equipment to accept the encryption network module. These expenses typically include firmware updates, software updates, hardware upgrades, or worse case the unavoidable network forklift refresh.

Also, current router based encryption uses what is termed as tunneling, where a peer device is needed on the other end of an encryption tunnel to decrypt the corresponding traffic. Tunnels are manageable when there are two endpoints, but simple point-to-point tunneling negates the any-to-any advantage of IP storage. When there are many, possibly thousands of endpoints, tunneling becomes nearly impossible to manage as the number of tunnels becomes an n2 issue. That number of tunnels to be configured and managed only grows when there are multiple subnets behind the endpoint on the other side of the tunnel. Lastly, this traditional tunneling can break other aspects of existing IP networks that make them so beneficial like path redundancy and multicast ability.

Clearly, what is needed is a solution that encompasses hardware-based encryption that is transparent to the existing network, doesn't alter or break its configuration or usefulness and doesn't degrade current network performance; software to manage the hardware to facilitate ease of use; and scalable components that can just as easily handle a point-to-point replication scheme as a fully meshed, geographically-dispersed, remote site topology.

The first part of the solution is to provide encryption via a purpose-driven, wire-speed hardware Encryptor acting as a Policy Enforcement Point (PEP) that can be remotely and easily managed. This approach relieves the existing network components to do what they were originally designed to do, thus allowing the network to perform and route packets accordingly. This ASIC based appliance performs all the heavy lifting of encrypting and decrypting packets in full duplex mode at wire speed as those varying packets traverse the network. This Encryptor then becomes the foundation of securing the existing network transparently.

Figure 1. The Transparent IPSec Encryption Solution

The second part of the solution is to build on that foundation with ease of management. A Key Authority Point (KAP) can securely generate and securely distribute keys via Transport Layer Security (TLS) to the PEPs, eliminating traditional Internet Key Exchange (IKE), which ultimately negates the notion of those point-to-point encryption tunnels within a network. Instead of having to manually (which by default translates to error prone) create potentially hundreds of thousands of tunnels, proper management via a Management and Policy Server (MAP) can automate these processes via a simple GUI. The MAP also facilitates other new uses of encryption on networks like network groups and policies, using encryption to not only secure networks, but to also cryptographically segment networks into logical, meaningful business related groups.

This distributed approach of utilizing the existing components of traditional IPsec--encryption by PEPs, key management by KAPs, and policy creation by the MAP--effectively enables IPsec to be transparently overlayed onto existing IP networks. Because IPsec can now be an overlay to an existing network, it becomes simply another utility--in this case a security utility that is easily managed, scalable and cost-effective--much in the same way that the Dynamic Host Configuration Protocol (DHCP) was to IP. This dynamic implementation of IPsec truly enables the most robust form of encryption to be applied very easily to existing networks, and provides the highest form of secure data in motion for IP storage networks.

With the proliferation of MPLS networks, Metro Ethernet, as well as the corresponding compliance regulations to protect sensitive data, strong IP storage security is more important than ever to today's companies sharing data over IP networks. The need to secure data in motion has been coupled with the need to manage security in the network in a non-intrusive, transparent fashion. All too often companies forgo securing their network due to the complexities of existing solutions and their tendencies to break as much as they fix. These companies now have the choice to make a decision to become unique and tackle the problems associated with unsecure data communications, implementing a method to secure their networks without any of the typical pain and expense associated with previous network security solutions.

About the Author
Michael Spencer is a senior solutions architect for CipherOptics. He can be reached at: [email protected]