
Cybersecurity is a focal point for enterprises and governments globally. The longstanding approach of protecting critical data with firewalls or with segregated/dedicated networks is no longer sufficient!

This also applies to Fibre Channel (FC) SANs, where security was historically considered intrinsic to the SAN because of the fiber cabling and the dedicated (and isolated) fabrics.

But what are the most effective ways to ensure FC security?

Update and patch software and firmware

Updating and patching are the two processes that install the latest versions and fixes of software and firmware on the devices in an FC SAN.

Software and firmware are the programs and instructions that control the operation and functionality of devices such as hosts, switches, and storage arrays. Most FC switches run a complex OS inside!

Updating and patching can improve the security, performance, and compatibility of devices in an FC SAN. They also fix the vulnerabilities, bugs, and errors that may expose devices to attacks or malfunctions. Updating and patching should be done regularly and carefully, as they may require downtime, testing, and verification.

Use zoning and masking

This is the common way! Zoning and masking are two techniques that limit the visibility and access of devices in an FC SAN.

Zoning is the process of dividing an FC fabric into logical groups of devices that are allowed to communicate with each other. Masking is the process of restricting a host's access to specific logical unit numbers (LUNs) on a storage device. Together, zoning and masking can prevent unauthorized devices from accessing sensitive data, reduce the attack surface, and improve performance and manageability.

However, zoning and masking are not enough on their own to secure an FC SAN, as they can be bypassed by skilled attackers.
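As an added example (not part of the original post), here is a small audit script for the two controls just described. It takes a constructed zone set and LUN-masking view, computes which initiator/target pairs zoning actually allows, flags zones that break single-initiator zoning, and reports LUNs a host can reach beyond what it is documented to need. All WWPNs, host names and LUN numbers are made-up placeholders, and the model assumes a single array so that reachability to any array port counts as reaching the array.

```python
"""Audit a constructed FC zoning + LUN-masking configuration.

Added example, not from the original article. WWPNs, host names, zone names
and LUN ids are constructed placeholders; one storage array is assumed.
"""
from itertools import combinations

# Constructed sample: WWPN -> (device name, role).
DEVICES = {
    "10:00:00:00:c9:aa:00:01": ("host-db01", "initiator"),
    "10:00:00:00:c9:aa:00:02": ("host-web01", "initiator"),
    "10:00:00:00:c9:aa:00:03": ("host-lab01", "initiator"),
    "50:06:01:60:3b:a0:00:01": ("array-a-port0", "target"),
    "50:06:01:60:3b:a0:00:02": ("array-a-port1", "target"),
}

# Constructed zone set: zone name -> member WWPNs.
ZONES = {
    "z_db01_arrayA": {"10:00:00:00:c9:aa:00:01", "50:06:01:60:3b:a0:00:01"},
    "z_web01_arrayA": {"10:00:00:00:c9:aa:00:02", "50:06:01:60:3b:a0:00:01"},
    # Deliberately sloppy: two initiators and two targets share one zone.
    "z_shared_lab": {"10:00:00:00:c9:aa:00:02", "10:00:00:00:c9:aa:00:03",
                     "50:06:01:60:3b:a0:00:01", "50:06:01:60:3b:a0:00:02"},
}

# Constructed LUN-masking view on the array: host WWPN -> LUN ids exposed.
MASKING = {
    "10:00:00:00:c9:aa:00:01": {0, 1, 2},
    "10:00:00:00:c9:aa:00:02": {10},
    "10:00:00:00:c9:aa:00:03": {0, 1, 2, 10},   # lab host was given prod LUNs
}

# Constructed entitlements: what each host is documented to need.
ENTITLED_LUNS = {
    "host-db01": {0, 1, 2},
    "host-web01": {10},
    "host-lab01": set(),
}


def role(wwpn):
    return DEVICES[wwpn][1]


def reachable_pairs(zones):
    """(initiator, target) WWPN pairs that zoning allows to talk to each other."""
    pairs = set()
    for members in zones.values():
        for a, b in combinations(sorted(members), 2):
            ra, rb = role(a), role(b)
            if ra == "initiator" and rb == "target":
                pairs.add((a, b))
            elif ra == "target" and rb == "initiator":
                pairs.add((b, a))
    return pairs


def zone_findings(zones):
    """Flag zones with more than one initiator, or with no initiator/target pair."""
    findings = []
    for name, members in zones.items():
        inits = [m for m in members if role(m) == "initiator"]
        tgts = [m for m in members if role(m) == "target"]
        if len(inits) > 1:
            findings.append((name, f"{len(inits)} initiators in one zone; they can see each other"))
        if not inits or not tgts:
            findings.append((name, "no initiator/target pair; remove or fix the zone"))
    return findings


def masking_findings(masking, entitled):
    """Flag LUNs exposed to a host beyond its documented entitlement."""
    findings = []
    for wwpn, luns in masking.items():
        host = DEVICES[wwpn][0]
        extra = luns - entitled.get(host, set())
        if extra:
            findings.append((host, sorted(extra)))
    return findings


def effective_access(zones, masking):
    """LUNs a host can actually reach: zoned to an array port AND masked in."""
    access = {}
    for init, _target in reachable_pairs(zones):
        host = DEVICES[init][0]
        access.setdefault(host, set()).update(masking.get(init, set()))
    return access


if __name__ == "__main__":
    for name, why in zone_findings(ZONES):
        print(f"ZONE   {name}: {why}")
    for host, extra in masking_findings(MASKING, ENTITLED_LUNS):
        print(f"MASK   {host}: exposes LUNs beyond entitlement: {extra}")
    for host, luns in sorted(effective_access(ZONES, MASKING).items()):
        print(f"ACCESS {host}: {sorted(luns)}")
```

Run as a script it prints the sloppy lab zone, the over-exposed lab host, and the effective LUN view per host; the same functions can be pointed at a real zone set exported from the switch once it is parsed into the same dict shapes.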

Implement authentication and authorization

As noted above, zoning and masking are no longer enough on their own! Authentication and authorization are two mechanisms that verify the identity and permissions of devices and users in an FC SAN, and they are much stronger.

Authentication is the process of proving the identity of a device or user, for example with a password, a certificate, or a token. Authorization is the process of granting or denying access to resources based on the identity and role of a device or user. Together they can prevent impersonation, spoofing, and unauthorized access in an FC SAN.

Several protocols and standards support authentication and authorization in an FC SAN, such as the Fibre Channel Security Protocol (FC-SP), the Challenge-Handshake Authentication Protocol (CHAP), and Role-Based Access Control (RBAC).
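To make the authentication step concrete, the following added example (not from the post and not any vendor's implementation) simulates both sides of a CHAP login in the RFC 1994 style: the authenticator (think: the switch) sends a fresh challenge, the peer (think: the HBA) answers with MD5 over identifier, shared secret and challenge, and the authenticator checks it. The shared secret never crosses the link, and a captured answer is useless a second time because each challenge is one-shot. Peer names and secrets are constructed placeholders; FC-SP's DH-CHAP adds a Diffie-Hellman exchange on top of this mechanism, which the example does not reproduce.

```python
"""Both sides of a CHAP-style challenge/response login (RFC 1994 response format).

Added example, not from the article. Peer names and secrets below are
constructed placeholders; the "authenticator" stands in for a switch and the
"peer" for an HBA that must prove it knows the secret before it may log in.
"""
import hashlib
import hmac
import os

# Constructed authenticator-side database: peer name -> shared secret.
SECRETS = {
    "host-db01": b"constructed-secret-db01",
    "host-web01": b"constructed-secret-web01",
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Issues one-shot challenges and verifies the peer's response."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}      # identifier -> challenge still awaiting an answer
        self.next_id = 1       # CHAP identifier is a single byte

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256 or 1
        chal = os.urandom(16)  # fresh random challenge per login attempt
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident, peer_name, response):
        chal = self.pending.pop(ident, None)   # one-shot: a reused id fails
        secret = self.secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """Device proving it knows the secret without ever sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def answer(self, ident, chal):
        return self.name, chap_response(ident, self.secret, chal)


def run_login(auth, peer):
    """One complete exchange: challenge -> response -> verdict."""
    ident, chal = auth.challenge()
    name, resp = peer.answer(ident, chal)
    return auth.verify(ident, name, resp)


def reuse_attempt(auth, peer):
    """Return (first verdict, verdict when the same id/response is presented again)."""
    ident, chal = auth.challenge()
    name, resp = peer.answer(ident, chal)
    first = auth.verify(ident, name, resp)
    again = auth.verify(ident, name, resp)
    return first, again


if __name__ == "__main__":
    auth = Authenticator(SECRETS)
    print("good secret :", run_login(auth, Peer("host-db01", SECRETS["host-db01"])))
    print("wrong secret:", run_login(auth, Peer("host-db01", b"guess")))
    print("unknown peer:", run_login(auth, Peer("host-lab01", b"anything")))
    print("reused reply:", reuse_attempt(auth, Peer("host-web01", SECRETS["host-web01"])))
```

MD5 is kept here only because that is what RFC 1994 specifies; the property that matters for the SAN is the one the exchange shows, namely that the secret is checked without being transmitted and that each login uses a fresh challenge.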

Encrypt data at rest

Encryption is the process of transforming data into an unreadable format using a secret key. Encryption can prevent data leakage, theft, or corruption by making the data unreadable to anyone who does not have the decryption key. Encryption can also help you meet regulatory requirements, such as PCI DSS, HIPAA, or GDPR, that mandate data protection and privacy. Encryption can also reduce the risk of legal liabilities, reputational damage, or financial losses in case of a data breach.

Encryption adds some overhead and complexity to an FC SAN, but it also enhances data security and compliance.

Encrypting data at rest means that data is encrypted when it is stored on disk; this has become a common feature of almost all enterprise storage.

Encrypt data in transit

Encrypting data in transit means that data is encrypted while it travels across the FC fabric, and this can be the most challenging part!

Encrypting Fibre Channel traffic can also pose challenges for network performance and management. Encryption introduces latency, overhead, and complexity into the fabric; it can affect the speed, throughput, and availability of data transfers; and it may require additional hardware, software, and configuration to support the encryption and decryption processes.

Switch-based encryption encrypts and decrypts the data at the Fibre Channel switch level, using built-in or external encryption modules. It can offer high performance, scalability, and transparency, but it can also be costly, vendor-specific, and difficult to manage.

Several FC switches have this feature; for Broadcom switches, for example, see: Enabling In-Flight Encryption.

But some FC HBAs can also perform encryption, like the Emulex LPe38102 Secure FC Host Bus Adapter.

Emulex Secure HBAs introduce a cost-effective, easy-to-manage solution that encrypts all data in-flight (EDIF), protecting data as it moves across databases, applications, servers, and storage. Emulex Secure HBAs integrate post-quantum cryptography (PQC) algorithms to ensure that encrypted data remains encrypted even as quantum computing and AI put legacy encryption at risk. The session-based key management solution, based on the emerging ANSI/INCITS FC-SP-3 standard, does not require complex and prohibitively expensive key management software. Compared to other encryption methods, such as application-based encryption, Emulex Secure HBAs can encrypt all applications, at a lower cost, and with no impact to storage array services such as compression, dedupe, and ransomware detection.

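The "session-based key management" mentioned above is worth a closer look, so here is an added illustration (not from the post, not the FC-SP-3 key schedule, and not Emulex code) of the idea behind it: once two ports have authenticated, a secret they share plus one fresh nonce from each end is enough to derive the link-encryption keys for that session locally, with no key server handing keys out. The example uses HKDF (RFC 5869 with HMAC-SHA-256) as a stand-in for whatever derivation the standard specifies, and derives a separate key per direction so the two flows never share a key. All secrets and nonces are constructed placeholders.

```python
"""Per-session, per-direction key derivation for link encryption.

Added illustration, not from the article and not the FC-SP-3 derivation
(which is not reproduced here). HKDF from RFC 5869 (HMAC-SHA-256) is used to
show why per-session keys need no central key server: both ends compute the
same keys from the authenticated shared secret and two fresh nonces.
Secrets and nonces below are constructed placeholders.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), output concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def session_keys(shared_secret, initiator_nonce, responder_nonce, key_len=32):
    """Derive one key per direction, bound to both nonces and to a direction label.

    Both ports run exactly this function with the same inputs and obtain the
    same two keys, so nothing key-shaped ever has to cross the link.
    """
    prk = hkdf_extract(initiator_nonce + responder_nonce, shared_secret)
    return {
        "i2r": hkdf_expand(prk, b"fc-link initiator->responder", key_len),
        "r2i": hkdf_expand(prk, b"fc-link responder->initiator", key_len),
    }


def new_session(shared_secret):
    """Each end contributes a fresh nonce; returns (nonce_i, nonce_r, keys)."""
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    return nonce_i, nonce_r, session_keys(shared_secret, nonce_i, nonce_r)


if __name__ == "__main__":
    secret = b"constructed-shared-secret-from-login"   # placeholder
    ni, nr, keys = new_session(secret)
    print("i2r:", keys["i2r"].hex())
    print("r2i:", keys["r2i"].hex())
    _, _, keys2 = new_session(secret)
    print("next session differs:", keys2["i2r"] != keys["i2r"])
```

The two nonces are what make a session key a session key: reusing the same long-term secret across logins is fine, because the derived keys change whenever either side contributes a new nonce, and a responder that always accepts a repeated initiator nonce would forfeit exactly that property.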
