FC-SP: An Overview of the Standard for Fibre Channel Security
DISC: Third Intelligent Storage Workshop, University of Minnesota DTC, Minneapolis, MN
Fabio Maino <fmaino@cisco.com>, Cisco Systems, Inc.
© 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Agenda
• Isn't Fibre Channel already secure?
• FC-SP, Fibre Channel Security Protocols
  - Device Authentication
  - Per-Message Security
  - Policy Distribution
fmajstor@cisco.com © 2003 Cisco Systems, Inc. All rights reserved. Copyright © 2005, Cisco Systems, Inc. All rights reserved. Printed in USA.

Slide 3: Isn't Fibre Channel Already Secure?
• Data centers are physically secured
• FC Zoning ensures fabric partitioning
• Out-of-band management (e.g. SNMPv3) is secure

Slide 4: Yes, but…
• Data centers are growing
  - Remote replication over FCIP, DWDM/CWDM, …
• Networks are misconfigured
• Fabric configuration databases are shared
• Device impersonation is trivial
• Management is done in-band

Slide 5: Agenda (repeated; next section: Device Authentication)

Slide 6: FC-SP: Fibre Channel Security Protocol
• INCITS/ANSI T11.3 grouped the security solutions for the Fibre Channel architecture in FC-SP
  - Started as a study group in mid 2001
  - Is going through a first round of letter ballot comment resolution
  - The standard will likely be closed by fall 2005
• Parts of the standard are already implemented and interoperable
Slide 7: FC-SP: Security Architecture
• Device authentication (sw2sw, sw2host, host2host)
• Per-message data origin authentication, integrity protection, anti-replay, and secrecy
• Fabric Management Policy Set (a generalization of the zoning policy set) provides role management within a fabric, and access control to fabric membership and fabric management

Slide 8: Device Authentication
• Switch to switch, switch to host, and host to host authentication
  - As an optional extension of the LOGI procedure
• Enables secure fabric building, edge authentication, and end-to-end authentication
• A shared key is derived as a by-product of authentication

Slide 9: Secure Fabric Building
[Diagram: a new host wanting to join the fabric, a new switch wanting to join the fabric, and new switches wanting to join the fabric over an FCIP network each authenticate to the Fibre Channel fabric.]

Slide 10: Authentication Mechanisms
• DHCHAP: password based, mandatory
• FCAP: certificate based, optional
• FCPAP: password/verifier based, optional
  - SRP, Secure Remote Password
• Transported over the FC AUTH protocol
• All mechanisms provide bi-directional authentication
  - Key exchange to enable Security Association negotiation
Slide 11: DHCHAP
• Challenge Authentication Protocol (CHAP), augmented with a Diffie-Hellman exchange
  - Better resistance to off-line dictionary attacks
  - Generates a shared key as a by-product of authentication
• Can be integrated with a back-end AAA infrastructure (RADIUS)
  - Enables effective centralized management of device passwords

Slide 12: DH-CHAP and RADIUS
[Diagram: a new host (equipped with an HBA supporting DH-CHAP), a new switch, and new switches joining over an FCIP network each run DH-CHAP with the Fibre Channel fabric; the fabric switches reach a RADIUS server and a TACACS+ server for device authentication over an out-of-band Ethernet management connection on the management network.]
RADIUS servers can be used to hold DH-CHAP device accounts and passwords for centralized authentication.

Slide 13: Agenda (repeated; next section: Per-Message Security)

Slide 14: Per-Message Security
• FC frame formats have been extended to provide per-message security
  - ESP_Header: protection is afforded at the FC-2 layer, the FC "network layer" that transports the bulk of FC traffic (including SCSI commands and data)
  - CT_Authentication: protection is afforded for Common Transport Information Units (CT_IUs), a protocol used for many control protocols in FC
• Security services provided are:
  - Data origin authentication
  - Integrity protection
  - Replay protection
  - Confidentiality
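The DH-CHAP slides above state the two properties that matter: folding a Diffie-Hellman exchange into CHAP resists off-line dictionary attacks on a captured transcript, and the exchange leaves both devices with a shared key. The following Python model, added here and not part of the presentation or of any FC-SP implementation, walks through one mutual DH-CHAP run between a host and a switch. The hash layouts, the function names (`dhchap_exchange`, `chap_response`, `session_key`), the toy 127-bit DH group and all device names and passwords are constructed for illustration and do not reproduce the exact message encoding of the FC-SP text; the peer-password dictionaries stand in for the RADIUS/TACACS+ lookup the slides describe.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group, constructed for this illustration only: FC-SP
# DH-CHAP negotiates a standard MODP group; this small Mersenne prime keeps
# the example fast and readable and is NOT secure.
TOY_P = (1 << 127) - 1
TOY_G = 3
KEY_BYTES = (TOY_P.bit_length() + 7) // 8


def dh_public(priv: int) -> int:
    """g^priv mod p: the DH value each side sends in its DH-CHAP message."""
    return pow(TOY_G, priv, TOY_P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    """peer_pub^priv mod p: identical on both sides, unknown to a passive observer."""
    return pow(peer_pub, priv, TOY_P).to_bytes(KEY_BYTES, "big")


def chap_response(secret: str, challenge: bytes, dh_secret: bytes) -> bytes:
    """CHAP-style response with the DH shared secret folded in (simplified
    construction, not the exact FC-SP hash layout). Because the DH secret is an
    input, a captured challenge/response pair cannot be tested against guessed
    passwords without also solving the Diffie-Hellman problem."""
    return hashlib.sha256(challenge + dh_secret + secret.encode()).digest()


def session_key(dh_secret: bytes, c1: bytes, c2: bytes) -> bytes:
    """Shared key obtained as a by-product of authentication; FC-SP later uses
    it to authenticate the IKEv2-subset SA negotiation."""
    return hashlib.sha256(b"toy-dhchap-key" + dh_secret + c1 + c2).digest()


def dhchap_exchange(init_name, init_secret, init_peer_db,
                    resp_name, resp_secret, resp_peer_db,
                    x, y, c1, c2):
    """Simulate one bidirectional DH-CHAP run between an initiator (e.g. a host
    HBA) and a responder (e.g. a fabric switch).

    *_peer_db maps peer name -> expected password; on a switch this lookup is
    what a back-end RADIUS/TACACS+ server would answer. x, y are the private DH
    exponents and c1, c2 the challenges; they are parameters so the run is
    reproducible, whereas a real implementation draws them freshly at random.
    Returns (initiator_key, responder_key) on success, None on rejection."""
    # 1. Responder -> Initiator: challenge C1 and DH value g^x
    gx = dh_public(x)
    # 2. Initiator: DH value g^y, shared secret K, response R1, own challenge C2
    gy = dh_public(y)
    k_init = dh_shared(gx, y)
    r1 = chap_response(init_secret, c1, k_init)
    # 3. Responder verifies R1 against the secret it holds for this initiator
    k_resp = dh_shared(gy, x)
    expected = resp_peer_db.get(init_name)
    if expected is None or not hmac.compare_digest(
            r1, chap_response(expected, c1, k_resp)):
        return None  # unknown device or wrong password: login refused
    # 4. Responder -> Initiator: R2 answers C2 with the responder's own secret
    r2 = chap_response(resp_secret, c2, k_resp)
    # 5. Initiator verifies R2, completing mutual authentication
    expected = init_peer_db.get(resp_name)
    if expected is None or not hmac.compare_digest(
            r2, chap_response(expected, c2, k_init)):
        return None  # switch could not prove its identity: do not join it
    return session_key(k_init, c1, c2), session_key(k_resp, c1, c2)


if __name__ == "__main__":
    # Constructed device names and passwords.
    host_db = {"switch-1": "sw1-pass"}      # what the host knows about the switch
    switch_db = {"host-A": "hostA-pass"}    # what the switch (or its RADIUS) knows
    keys = dhchap_exchange("host-A", "hostA-pass", host_db,
                           "switch-1", "sw1-pass", switch_db,
                           x=123456789, y=987654321,
                           c1=b"\x01" * 16, c2=b"\x02" * 16)
    print("mutual authentication succeeded, keys match:", keys[0] == keys[1])
```

Both sides end with the same `session_key` value although only public DH values and hash outputs cross the link, which is the property the SA negotiation slides later rely on. Note also that the responder verifies the initiator before revealing anything derived from its own secret, and that a wrong password on either side aborts the run without a key.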
Slide 15: ESP_Header (FCsec)
• It's the FC equivalent of IPsec
  - Protects frames at the FC-2 layer
  - Based on IETF's ESP (Encapsulated Security Payload) protocol
• AES GCM (Galois Counter Mode) likely to be mandatory to implement
  - High speed/highly efficient combined mode (Confidentiality + Integrity)

Slide 16: FC-ESP: Frame Format
[Diagram: frame layout, FC-2 payload of 2112 bytes.]
  SOF (4) | FC-2 Frame Header (24) | SPI (4) | Seq Num (4) | FC-2 Opt Hdr x3 (16) | Payload Data (variable) | Padding | NH | PL | Auth. Data (variable) | CRC | EOF
  The figure marks an optional Encryption Scope over the payload and an Authentication Scope covering the headers and payload.
• DF_CTL bit-22 indicates that the ESP header is present
NH: Next Header; PL: Pad Length

Slide 17: CT_Authentication
• Protects Common Transport Information Units (CT_IU)
  - Used for FC control protocols
• A "traditional" encryption + integrity mode is likely to be mandatory (i.e. AES CBC + XCBC)
• Typically implemented in SW to protect control traffic only

Slide 18: FC Security Association Negotiation Protocol
• A subset of IKEv2 (over the FC AUTH protocol) is used to negotiate ESP_Header SAs or CT_Authentication SAs
• The shared key resulting from the authentication exchange is used to authenticate the IKEv2 exchange
• It's also possible to use a static pre-shared key, without going through authentication

Slide 19: Authentication + SA Negotiation
[Diagram: flow]
  AUTH_Negotiation
    -> DH-CHAP | FCPAP | FCAP: Authentication + Shared Key
    -> Security Association Establishment (IKEv2)
    -> FC ESP per-message security | Common Transport security
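The ESP_Header slides give the frame layout (SPI and sequence number after the FC-2 header, padding, NH and PL trailer, then Auth Data) and the DF_CTL bit that flags the header's presence, and list replay protection among the services. The Python sketch below, added here and not code from the presentation or from any FC-SP product, builds and verifies such a frame body for one Security Association and implements the receiver-side anti-replay window. To stay standard-library only it uses an integrity-only (ESP NULL encryption) transform with a truncated HMAC-SHA256 as Auth Data where a real implementation would use AES-GCM; the class name `FcEspSa`, the 16-byte tag length, the omission of FC-2 optional headers, the placement of DF_CTL as bits 23..16 of header word 3, and the choice to authenticate the whole FC-2 header are assumptions, and the header and payload bytes are constructed.

```python
import hashlib
import hmac
import struct

FC2_HEADER_LEN = 24
ESP_HEADER_LEN = 8            # SPI (4) + Sequence Number (4)
DF_CTL_ESP_HEADER = 1 << 22   # bit 22 of FC-2 header word 3, the DF_CTL byte (assumed layout)
AUTH_DATA_LEN = 16            # assumed transform: HMAC-SHA256 tag truncated to 16 bytes


class FcEspSa:
    """One ESP_Header Security Association with an integrity-only (ESP NULL
    encryption) transform: SPI, integrity key, outbound sequence counter and
    inbound anti-replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.next_seq = 1       # sender: next sequence number to emit
        self.highest_seq = 0    # receiver: highest sequence number accepted so far
        self.bitmap = 0         # receiver: bit i set => highest_seq - i already seen

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:AUTH_DATA_LEN]

    def protect(self, fc2_header: bytes, payload: bytes, next_header: int) -> bytes:
        """Build the frame body between SOF and CRC: FC-2 header with the DF_CTL
        ESP bit set, ESP header, payload, padding, NH, PL, Auth Data.
        No FC-2 optional headers are used in this example."""
        assert len(fc2_header) == FC2_HEADER_LEN
        word3 = struct.unpack(">I", fc2_header[12:16])[0] | DF_CTL_ESP_HEADER
        header = fc2_header[:12] + struct.pack(">I", word3) + fc2_header[16:]
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        esp_header = struct.pack(">II", self.spi, seq)
        pad_len = (-(len(payload) + 2)) % 4   # align payload + pad + NH + PL to 4 bytes
        trailer = bytes(range(1, pad_len + 1)) + bytes([next_header, pad_len])
        authenticated = header + esp_header + payload + trailer
        # Authentication scope: FC-2 header through PL (assumes the header is immutable in flight)
        return authenticated + self._tag(authenticated)

    def unprotect(self, frame: bytes):
        """Return (fc2_header, next_header, payload), or None when the frame
        carries no ESP header, belongs to another SA, fails the integrity check,
        or is a replay. Integrity is checked before the window is updated, so a
        forged sequence number cannot move the window."""
        if len(frame) < FC2_HEADER_LEN + ESP_HEADER_LEN + 2 + AUTH_DATA_LEN:
            return None
        header = frame[:FC2_HEADER_LEN]
        if not (struct.unpack(">I", header[12:16])[0] & DF_CTL_ESP_HEADER):
            return None
        spi, seq = struct.unpack(">II", frame[FC2_HEADER_LEN:FC2_HEADER_LEN + ESP_HEADER_LEN])
        if spi != self.spi:
            return None
        authenticated, tag = frame[:-AUTH_DATA_LEN], frame[-AUTH_DATA_LEN:]
        if not hmac.compare_digest(tag, self._tag(authenticated)):
            return None
        if not self._accept_seq(seq):
            return None
        next_header, pad_len = authenticated[-2], authenticated[-1]
        payload = authenticated[FC2_HEADER_LEN + ESP_HEADER_LEN:len(authenticated) - 2 - pad_len]
        return header, next_header, payload

    def _accept_seq(self, seq: int) -> bool:
        """Sliding anti-replay window in the style of IPsec ESP."""
        if seq == 0:
            return False
        if seq > self.highest_seq:                    # new high-water mark: slide the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window or self.bitmap & (1 << offset):
            return False                              # too old, or already received
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    key = b"\x11" * 32                 # constructed SA integrity key
    tx, rx = FcEspSa(0x1000, key), FcEspSa(0x1000, key)
    blank_header = bytes(FC2_HEADER_LEN)   # constructed; a real header carries R_CTL, D_ID, S_ID, ...
    frame = tx.protect(blank_header, b"SCSI CDB", 0x08)   # next_header value constructed
    print("accepted:", rx.unprotect(frame) is not None, "replay accepted:", rx.unprotect(frame) is not None)
```

Reordered frames inside the window are accepted once each, a frame older than the window or already marked in the bitmap is dropped, and any change to the authenticated bytes (header, ESP header, payload or trailer) fails the tag check before the sequence number is even considered.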
Slide 20: Secure Fabric
[Diagram: a secure fabric backed by an AAA server, with host-to-disk authentication and encryption; authenticated links are distinguished from un-authenticated links, and an FC isolated switch and an FC isolated host hang off un-authenticated links.]

Slide 21: Agenda (repeated; next section: Policy Distribution)

Slide 22: FC-SP Policy Management
• A framework for policy management of an FC fabric
• Generalization and extension of zone set management
• A generic Policy Set defines the policies enforced by the fabric
  - Fabric-wide policies
  - Switch-related policies

Slide 23: Policy Objects
• Policy Summary: an ordered list of pointers to policy objects
• Switch Membership List: fabric-wide list of switches that are members of a fabric
• Device Membership List: fabric-wide list of devices (hosts/disks) that are members of a fabric
• IP Management List: fabric-wide list of IP addresses enabled for out-of-band management
• Switch Connectivity: per-switch topology policy
• Attribute: fabric-wide extensible attribute to be associated with members of a fabric

Slide 24: Policy Objects
[Diagram: the Policy Summary Object points to the Switch Membership List, the Device Membership List, the IP Management List, the Attribute Objects, and the Switch Connectivity Objects.]
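The policy slides above name the objects but not how a switch would use them at its enforcement points: who may join as a switch, who may log in as a device, which addresses may manage the fabric, and which ISLs a given switch may form. The Python model below, added here and not taken from the presentation or from the FC-SP text, represents each object and the Policy Summary and runs those checks over a constructed fabric policy. The class and function names (`PolicyObject`, `FabricPolicySet`, `example_policy_set`, `summaries_match`), the use of a content digest as the summary's "pointer" so two switches can compare policy before merging, the rule that a switch with no Switch Connectivity object is constrained only by the fabric-wide list, and all WWNs and addresses are assumptions made for this example, not FC-SP encodings.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyObject:
    """A fabric-wide policy object: a typed, named, ordered list of entries
    (WWNs for membership lists, prefixes for the IP Management List)."""
    kind: str
    name: str
    entries: tuple

    def pointer(self) -> str:
        # A content digest stands in for the pointer a Policy Summary holds
        # (assumption), so switches can compare summaries without exchanging
        # the full objects.
        h = hashlib.sha256(f"{self.kind}/{self.name}".encode())
        for entry in self.entries:
            h.update(b"\0" + entry.encode())
        return h.hexdigest()[:16]


@dataclass(frozen=True)
class SwitchConnectivity:
    """Per-switch topology policy: neighbors with which this switch may form an ISL."""
    switch_wwn: str
    allowed_neighbors: tuple


@dataclass
class FabricPolicySet:
    switch_members: PolicyObject
    device_members: PolicyObject
    ip_management: PolicyObject
    attributes: tuple = ()
    connectivity: dict = field(default_factory=dict)   # switch WWN -> SwitchConnectivity

    def policy_summary(self):
        """Ordered list of (kind, name, pointer) over the fabric-wide objects."""
        objs = [self.switch_members, self.device_members, self.ip_management, *self.attributes]
        return [(o.kind, o.name, o.pointer()) for o in objs]

    # Enforcement points a switch applies on fabric membership and management.
    def switch_may_join(self, wwn: str) -> bool:
        return wwn in self.switch_members.entries

    def device_may_login(self, wwn: str) -> bool:
        return wwn in self.device_members.entries

    def ip_may_manage(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(net) for net in self.ip_management.entries)

    def isl_allowed(self, local_wwn: str, remote_wwn: str) -> bool:
        """Fabric-wide membership must admit both ends, and the local switch's
        own connectivity object (when it has one) must list the neighbor."""
        if not (self.switch_may_join(local_wwn) and self.switch_may_join(remote_wwn)):
            return False
        conn = self.connectivity.get(local_wwn)
        return conn is None or remote_wwn in conn.allowed_neighbors   # no object: unrestricted (assumption)


def summaries_match(a: FabricPolicySet, b: FabricPolicySet) -> bool:
    """Two switches agree on fabric-wide policy when their summaries are identical."""
    return a.policy_summary() == b.policy_summary()


SW1, SW2, SW3 = "20:00:00:0d:ec:00:00:01", "20:00:00:0d:ec:00:00:02", "20:00:00:0d:ec:00:00:03"


def example_policy_set() -> FabricPolicySet:
    """Constructed sample fabric policy (all WWNs and prefixes are made up)."""
    return FabricPolicySet(
        switch_members=PolicyObject("SwitchMembershipList", "fabric-A", (SW1, SW2, SW3)),
        device_members=PolicyObject("DeviceMembershipList", "fabric-A",
                                    ("10:00:00:00:c9:aa:bb:01", "50:06:01:60:3b:a0:11:22")),
        ip_management=PolicyObject("IPManagementList", "fabric-A", ("10.1.2.0/24",)),
        attributes=(PolicyObject("Attribute", "owner", ("storage-team",)),),
        connectivity={SW1: SwitchConnectivity(SW1, (SW2,))},   # SW1 may peer only with SW2
    )


if __name__ == "__main__":
    fabric = example_policy_set()
    print("unknown switch admitted:", fabric.switch_may_join("20:00:00:0d:ec:ff:ff:ff"))
    print("SW1-SW3 ISL allowed:", fabric.isl_allowed(SW1, SW3))
```

The split between fabric-wide objects and per-switch Switch Connectivity objects is what lets a Client switch (next slide) hold only its own connectivity object while still enforcing fabric-wide membership; `summaries_match` is the check a switch can run against a peer's Policy Summary before accepting its view of the fabric.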
Slide 25: Scalability
• Scalability for policy information management is obtained by specializing the behavior of the switches:
  - Autonomous Switches maintain the fabric-wide Policy Objects, their own Switch Connectivity Object, and a full copy of the FC-SP Zoning Database;
  - Client Switches maintain the fabric-wide Policy Objects, their own Switch Connectivity Object, and a subset of the FC-SP Active Zone Set; and
  - Server Switches maintain the fabric-wide Policy Objects, all the Switch Connectivity Objects, and a full copy of the FC-SP Zoning Database.

Slide 26: References
ftp://ftp.t11.org/t11/pub/fc/sp/05-163v1.pdf (FC-SP v1.71)
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ciphaes-gcm-00.txt (GCM)
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev217.txt (IKEv2)