
Security in a Brocade SAN I – SCC, DCC and AUTH Policies

In the administration of a Fibre Channel storage network, switch (or fabric) zoning and LUN masking from the array are routine practices in day-to-day storage provisioning rather than preventive security measures. Additionally, further levels of security can be added to the SAN using features provided by Fibre Channel switch vendors. Examples for Brocade technology are the policies that control connections between switches (Switch Connection Control, SCC) and device connections (Device Connection Control, DCC). These two policies let us restrict which switches and devices may connect to the fabric.

SCC – Protects against unexpected connections between switches. Every time a switch-to-switch connection (ISL) is attempted, it is checked against a list of switches defined by the policy.

DCC – Protects against unexpected connections between devices (server HBAs, libraries, drives, VTLs, arrays) and switches. Every time a Fibre Channel device attempts to connect, it is checked against a list of devices defined by the policy.

Applying these policies can be worthwhile in many cases: for example, if fibre patching and its changes are outside the control of the SAN administration staff, if you want to minimise human error, or to prevent an unwanted access attempt by a host or a traffic analyser, …

Because the SAN is isolated, with no external access from other networks, it is considered secure and apparently in no need of special protection measures. But if someone obtains the administrator password of one of the servers connected to the SAN, they can install modified HBA drivers (or not even that) for a hacking practice known as "WWN spoofing", that is, modifying a server's HBA to present the WWN of another HBA, which gives it access to the storage resource … and to its data. Remember that the purpose of hacking may be to steal, corrupt or destroy the company's core information. And … would DCC prevent this? Yes, since it is an application of "port locking" (or "port binding"), which is the association of a port with a WWN.

To add a higher level of security, authentication protocols such as DH-CHAP can be used. DH-CHAP belongs to the FC-SP (Fibre Channel Security Protocols) family defined by T11 and uses a key pair associated with WWNs to secure the negotiation between connections. Besides "WWN spoofing" there are other fabric hacking techniques such as "S_ID spoofing" and the "M-I-T-M attack", where applying the FC-SP protocols is effective in preventing any risk of intrusion.

For Brocade technology there is the AUTH policy, which implements authentication between switches and devices through DH-CHAP / FCAP.

Other points to review are the password management policies on the servers that have access to the SAN. Large companies often have many non-production servers with SAN access whose administrator password policies tend not to be secure, and these servers may also fall outside the restrictive perimeter security policies imposed on the production environment; as we can imagine, they put the storage at serious risk.

To control this type of attack it is also worthwhile to monitor connections and disconnections in the fabric, unexpected server reboots and duplicate WWNs, and to have documented procedures for identifying an intrusion as quickly as possible and isolating it. There are many other security-related topics, such as virtual fabrics, NPIV, management interfaces and fabric distribution policies, that are well worth reviewing.
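
The port-to-WWN binding described for DCC and the duplicate-WWN monitoring mentioned above, as an added example that is not part of the original post and is not Brocade code: it audits a list of observed fabric logins against a port-binding allowlist. The switch names, ports, WWNs and input format are constructed for illustration, and reporting logins on ports that have no binding is an assumption of this example.

```python
import re
from collections import defaultdict

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

def normalize_wwn(wwn):
    """Lower-case a colon-separated 8-byte WWN and reject malformed values."""
    wwn = wwn.strip().lower()
    if not WWN_RE.match(wwn):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return wwn

def audit_logins(bindings, logins):
    """Compare observed logins with a DCC-style port-to-WWN allowlist.

    bindings: {(switch, port): set of allowed WWNs}
    logins:   iterable of (switch, port, wwn) seen in the fabric
    Returns a sorted list of (finding, switch, port, wwn) tuples.
    """
    allowed = {k: {normalize_wwn(w) for w in v} for k, v in bindings.items()}
    seen = defaultdict(set)  # wwn -> set of (switch, port) where it logged in
    findings = []
    for switch, port, wwn in logins:
        wwn = normalize_wwn(wwn)
        seen[wwn].add((switch, port))
        if (switch, port) not in allowed:
            # Assumption of this example: unbound ports are reported for review.
            findings.append(("unbound-port", switch, port, wwn))
        elif wwn not in allowed[(switch, port)]:
            findings.append(("wwn-not-allowed", switch, port, wwn))
    for wwn, ports in seen.items():
        if len(ports) > 1:  # one WWN on several ports: possible spoofing
            findings.extend(("duplicate-wwn", s, p, wwn) for s, p in ports)
    return sorted(findings)

# Constructed sample data (hypothetical switches, ports and WWNs).
BINDINGS = {
    ("sw1", 4): {"10:00:00:00:c9:aa:aa:01"},
    ("sw1", 5): {"10:00:00:00:c9:aa:aa:02"},
    ("sw2", 7): {"50:06:01:60:bb:bb:00:01"},
}
LOGINS = [
    ("sw1", 4, "10:00:00:00:C9:AA:AA:01"),  # expected host on its bound port
    ("sw1", 5, "10:00:00:00:c9:aa:aa:01"),  # same WWN presented on another port
    ("sw2", 7, "50:06:01:60:bb:bb:00:01"),  # storage port, as bound
    ("sw2", 9, "10:00:00:00:c9:cc:cc:09"),  # device on a port with no binding
]

if __name__ == "__main__":
    for finding in audit_logins(BINDINGS, LOGINS):
        print(*finding)
```
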

Is your SAN secure? And … are you prepared for an intrusion?
