Sidebar: New Security Standards May Solve Storage Gaps

Computerworld - Standards bodies, such as the International Committee for Information Technology Standards (INCITS) and the Internet Engineering Task Force (IETF), are working on Fibre Channel security standards as well as extending existing Internet protocols for moving block-level and file data over Ethernet networks, which are crucial to securing data as companies continue to push disaster recovery sites farther away from primary data centers.
The INCITS T11.3 committee is working on a draft of the Fibre Channel Security Protocol that it expects to release by the end of 2003. The protocol will address authentication at the management interface level between devices on a storage-area network (SAN), mostly likely using a public-key-infrastructure-based digital certificate.
The committee is also working on a frame-by-frame authentication method similar to packet-to-packet authentication in the IPsec protocol. The goal is to enhance the Fibre Channel frame with the definition of a new optional header that would contain something analogous to IPsec's Encapsulating Security Payload (ESP) protocol. ESP would allow SANs to support authentication, confidentiality and data integrity protection.
"Basically, the storage server won't accept frames unless they have proper security authorization," says Craig Carlson, chairman of the T11.3 committee and a systems architect at QLogic Corp. in Aliso Viejo, Calif.
For example, frame authentication will ensure an unauthorized user won't be able to manufacture a fake frame to tell the management application to take down a switch port or open access to a disk on an array, Carlson says.
Also, the IETF's IPsec Working Group is studying how to extend the Internet key exchange for network-address translators and firewalls. The group has produced a draft defining security requirements for Fibre Channel over IP standards, such as iSCSI, iFCP and FCIP.
But the standards bodies' work only addresses access, which leaves the door open to hackers, according to Michael Peterson, an analyst at Strategic Research Corp. in Carpinteria, Calif.
"There's all kinds of data still floating around," he says. "What do you do with old backup tapes, for instance?"

Read more about storage in Computerworld's Storage Knowledge Center.