296 Chapter 5 • Storage Solutions

IBM SAN technology evolves in three stages:

■ SAN attached storage. This leverages the any-to-any connectivity of SAN technology.
■ SAN optimized storage. This makes use of SAN characteristics and delivers strong SAN solutions.
■ SAN optimized systems. This leverages proven technologies and delivers SAN systemwide solutions.

IBM’s SAN solution uses Fiber Channel architecture for connectivity and device-level management. It also provides businesses the basic building blocks that will enable IT resource management and information sharing anytime, anywhere across your storage area networks. Value can be added to the Fiber Channel infrastructure by adding new storage solutions and comprehensive fabric management, thus helping organizations to manage, track, and more easily share the sophisticated and increasing volume of data created by business applications and the Internet.

www.syngress.com 130_ASP_05 6/19/01 2:46 PM Page 296

Summary

Your ASP might provide storage solutions for your customers, or you might solely rely on data storage for your own internal purposes. Regardless, your ultimate storage goals and uses will dictate the model of storage you require. If you have minimal centralization and storage requirements, you may want to go with the age-old directly attached storage solution. This does offer a very simple and successful solution; otherwise, it would not be in such widespread use. If you are instead looking to deliver large amounts of data to your clientele, and need a system capable of performing this task, you will probably decide to use NAS devices that are distributed throughout your network. You might even have separate data and storage concerns that can justify designing an expensive SAN solution to connect several sites together and provide for the most robust set of features. This, too, is a very viable solution depending on your model.

The reality is that all the storage options that we have explained provide for excellent solutions depending on their use and purpose. Likewise, they can also provide for inefficient or cost-deficient solutions when not understood or planned for correctly. In this chapter, we tried to explain some of the criteria you should consider when designing your storage solution. We covered the characteristics of directly attached storage, NAS, and SAN, in order to give you a better understanding of each and make an informed decision as to which solution best fits your company’s goals and budget. We went into some detail as to the features and functionality that each solution has to offer, and explained the advantages and disadvantages of each.

We spoke about scalability issues, in the hope that you will use this information to design a solution that will exist for as long as your company thrives. Finally, we spoke on the issue of fault tolerance, and some of the options that particular storage solutions have to offer.

All of these topics were presented to help you build a solution that fits your particular criteria. In the end, only you know your goals and requirements, and can weigh these against the storage solutions we presented. Be careful in your selection, and always look for a solution that leverages good technology with adequate features that is the “right fit” for your organization rather than the cheapest solution or the “latest craze.”

Solutions Fast Track

Upfront Concerns and Selection Criteria

■ Currently, there are many differing manufacturers of storage-based equipment, and several methods of delivering storage solutions to your servers and clients.
■ With mass-storage products, some of the major manufacturers may only offer proprietary equipment, while others may standardize their equipment, using a technology such as fiber channel to ensure that their product will work with a similar offering from another manufacturer.
■ Security should always be a concern, but it is especially important given the high visibility of ISPs and ASPs.
■ Outboard security is any type of security feature that is located on the host. It might be an external authentication scheme that is provided by a firewall.
■ You may already own storage devices that use interfaces other than fiber channel, such as small computer system interface (SCSI) or enhanced integrated drive electronics (EIDE) for host connections. It can sometimes prove difficult to port older hardware to some newer storage solutions.

Directly Attached Storage in Your Infrastructure

■ Server-to-storage access, or directly attached storage, has been in use for much of the history of computing, and still exists in over 90 percent of implementations today.
■ In directly attached implementations, storage devices are directly connected to a server using interfaces and/or bus architectures such as EIDE or SCSI.

Network Attached Storage Solutions

■ A NAS is a device that provides server-to-server storage. A NAS is basically a massive array of disk storage connected to a server that has been attached to a local area network (LAN).
■ QoS has the ability to delegate priority to the packets traversing your network, forcing data with a lower priority to be queued in times of heavy use, and allowing for data with a higher priority to still be transmitted.
■ When designing NAS in your network, probably the most effective solution for latency and saturation issues is the location of your NAS servers in relation to the hosts and systems that access their data.

Storage Area Networks

■ A storage area network (SAN) is a networked storage infrastructure that interconnects storage devices with associated servers. It is currently the most cutting-edge storage technology available, and provides direct and indirect connections to multiple servers and multiple storage devices simultaneously.
■ A SAN can be thought of as a simple network that builds off the familiar LAN design.
■ Distributed computing, client/server applications, and open systems give today’s enterprises the power to fully integrate hardware and software from different vendors to create systems tailored to their specific needs.
■ SANs remove data traffic—backup processes, for example—from the production network, giving IT managers a strategic way to improve system performance and application availability.
■ Multihost arrays are the most simplistic and most common form of SAN virtualization implementation.

Scalability and How It Affects Your Business

■ A SAN is designed to span great distances, which allows it even more flexibility, since there is not a requirement for the SAN devices to be in close proximity to the hosts that access them.
■ Wire speed plays an important role in delivering data to host devices. Whether your environment consists of directly attached storage, NAS, SAN, or a combination thereof, you will still have bandwidth concerns that will limit the amount of actual data that can be sent across the wire at any given moment.

Fault Tolerance Features and Issues

■ One of the largest advantages a SAN has to offer is the true ability to share resources between other server and host systems.
■ Remote mirroring is an excellent form of disaster recovery offered by SAN technology. Today, it allows for a complete copy of your data to be contained at a remote location that might be located up to 40 kilometers away.
■ Redundant Array of Inexpensive Disks (RAID) provides methodology for storing the same data in different places on multiple hard disks.

SAN Solutions Offered by Various Vendors

■ IBM’s SAN strategy involves the migration to a SAN infrastructure over time. It tries to deliver its SAN strategy in phases, to leverage new technologies once they are proven, and to help seamlessly integrate SAN technology into a company’s IT infrastructure; all this while protecting your investments in application resources, servers, and storage.
■ IBM’s SAN solution uses Fiber Channel architecture for connectivity and device-level management.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: What is NAS?

A: NAS stands for network attached storage, and describes a device that is attached to a LAN and uses a communications protocol to provide file access functionality.

Q: What is SAN?

A: SAN is a network, much like a LAN, that exists solely for storage-based traffic. It interconnects storage devices with hosts to allow for data access and storage functionality, and incorporates numerous features that allow for complex data-sharing solutions.

Q: How can we convince non-IT executives of the need for a storage infrastructure?

A: The impact and features a SAN can provide are more far-reaching than your IT budget. SANs can affect your core business, regardless of what that is. If you’re in e-commerce, SANs should increase your availability, your system up time, and the functionality that you can provide to your customers. If you’re looking at backups, SANs should improve your uptime and your restore time. Assess what your needs are, what benefit you’re providing, and you should be able to provide a monetary benefit that’s more far-reaching than your IT expenditure.

Q: What are some of the concerns when deciding on the right storage solution for my organization?

A: You should be concerned with host independence, vendor support, security, legacy support, system availability, and price versus performance when you are planning your storage solutions.

Q: What is the difference between synchronous and asynchronous mirroring?

A: Both of these techniques allow data stored at one site to be mirrored at another site. Synchronous mirroring writes the stored data to both sites at the same time, which creates a 10-kilometer distance limitation between the sites. Asynchronous mirroring will allow the data to be queued and buffered before transmission to the second site, in order to alleviate network congestion and remove the 10-kilometer distance limitation.

Q: What is RAID?

A: RAID stands for Redundant Array of Inexpensive Disks, and is a technology that allows data to be placed across multiple disks in an array in order to present them as one single logical disk. Depending on the version used, RAID can use parity and disk mirroring to provide fault tolerance and error checking, and can significantly improve the speed of data access.

Q: How can I determine if the SAN products I buy are interoperable and conform to open standards?

A: You have to look at openness and interoperability on two levels. Just as it is in the LAN world, physical connectivity is going to go away as a problem. Higher up in the protocol stack with management applications, you are going to have to do a reality check. You’re not going to see much convergence there for a while, because that’s how vendors differentiate. You won’t, for instance, see EMC supporting a remote data connection to a Hitachi disk storage system on the other end any time soon.

Chapter 6 • ASP Security System Provisioning

Solutions in this chapter:

■ Security Policy
■ Security Components
■ Security Technologies and Attacks
■ Prevention Techniques
■ Capturing Evidence
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

130_ASP_06 6/19/01 2:50 PM Page 303

Introduction

Security is a primary concern for many application service provider (ASP) subscribers, whose fear of inadequate security is the biggest barrier to an ASP’s growth. In fact, one of the most important catalysts to market acceptance for an ASP is to demonstrate that you are addressing all of your customers’ security issues with your application or service.

The notion of security is certainly not new. However, ASPs must now provide many of the security controls and mechanisms that were previously neglected by Internet service providers (ISPs). Many ISPs assumed no responsibility for security, as they were only providing bandwidth to their customers.

With the advent of high-speed, always-on connections such as digital subscriber line (DSL) and cable modem technology, millions of individuals and organizations have joined the Internet community. Of these millions of new hosts, very few have gone to the trouble of securing their systems in any way, shape, or form.
Although these hosts may not seem to contain data that would be of much interest to an attacker, they do make for a very easy target. These systems can be used as training grounds to help hone attackers’ abilities, or as testing grounds where new techniques can be tested and hardened. Even worse, an attacker might compromise one of these “lowly” hosts just to add it to his or her arsenal of “weapons.”

Today, attack technologies are developing in an open source environment that allows nearly any individual to improve upon older or more archaic cyber attacks. There are countless applications and scripts currently available that will allow the average Internet user to launch cyber attacks upon whomever he or she feels like at that particular moment.

With user demand for bigger and better applications at an all-time high, many applications are rushed through production and are not thoroughly tested. This makes for applications that are “buggy” and have “holes” that are susceptible to malicious attack. In addition, very few programmers understand the intricacies of security, and tend to write insecure code that can be easily attacked and compromised.

Since the Internet transcends all geographic boundaries, it is important for us to design tools and implement security solutions on a global basis. In fact, many of today’s cyber terrorists are from foreign countries, many of which are trying to gain some shred of notoriety.

Most Internet-oriented publications these days seem to always include an article or story on computer crime or abuse. The recent distributed denial-of-service (DDoS) attacks are prime examples of potential security problems. In fact, in 2000, the Yankee Group reported that the total cumulative revenue lost due to DDoS attacks that were targeted on Yahoo!, eBay, Amazon.com and other Web sites was in excess of $1.2 billion.

In the same year, the Computer Security Institute/FBI Computer Crime and Security Study found that 273 organizations reported $265,589,940 in financial losses as a result of computer-oriented crime in 1999. The Computer Security Institute created a 2000 Computer Crime and Security Survey, which was produced in association with the FBI. This survey reported that 90 percent of its respondents had detected computer security breaches, and approximately 27 percent had detected DoS attacks. Here are some other highlights from the CSI 2000 Computer Crime and Security Survey:

■ Ninety percent of respondents (primarily those considered large corporations and government agencies) had detected computer security breaches to their networks in 1999.
■ Seventy percent of respondents had reported a serious computer security breach, other than computer viruses, laptop theft, or employee “Net abuse.” This comprises theft of proprietary information (internal and external), financial fraud, outside system penetration, DoS attacks, and sabotage of data or networks.
■ Seventy-five percent acknowledged that they had experienced financial losses due to computer breaches.

The study also mentions that the average annual loss reported over the last three years was huge. The problem is that much loss goes unreported to avoid negatively affecting the standing of the affected organization within its market.

Computer crimes do occur, so obviously the risks are real, and the costs are high. You should strive to minimize these risks by implementing sound security policies and practices to which your users must adhere. When building an ASP, one of your goals should be to protect your systems and develop strong security procedures and policies.

[...]
Designing & Planning… Build Customer Confidence in Your Security System

To have your customer trust your security system, you should be able to disclose your security policy, especially the procedures for incident response, and provide the customer access to your security logs.

Security Policy

An ASP needs to ... security policy defines how an ASP manages, protects, and distributes sensitive information and resources. Any ASP, before connecting to the Internet, should develop a usage policy that clearly identifies the solutions they will be using and exactly how those solutions will be used. First, the policy should be clear, concise, and understandable, ...

... they incorporate and you employ throughout your network.

User Authentication

A requirement for any ASP is the ability to positively identify and authenticate users. Depending on the level of security required, the mechanisms to support this requirement can range from identifying users based on usernames ... user, but also enables the establishment of a session encryption key to support confidentiality of the transaction once the user is authenticated. If you use usernames and passwords solely for authentication services, you may be exposing your ASP to an easy attack. If, for instance, an attacker were to gain ...

... three separate 56-bit keys that are combined when performing the encryption algorithm. In this case, there is not a single 168-bit key; instead, the three separate keys are appended to each other in any possible order. This means that the formula for deriving the total number of possibilities would be (2^56)*6, for a total of 432,345,564,227,567,616. This number is considerably larger than your normal 56-bit DES encryption.

Types of Algorithms

Besides the size of the encryption key, several other factors determine the overall strength of an encryption technology, such as the type of encryption method being used. There are two distinct types of key-based encryption algorithms, symmetric and asymmetric.

Symmetric Algorithms

Symmetric algorithms use ...

... contained in this database is used to “understand” your applications and the upper layers of the OSI model (as in Chapter 1, “An Introduction to ASPs for ISPs”). Without the most current information, the firewall might allow access that it should not, or even disallow access that it should allow. Since ...

... permitted and established streams of data.

[Figure 6.2 Packet Filtering: figure labels are Packet Filtering Device, Network #1, Network #2, Network #3, Host-A, Host-B, Host-C, Host-D, Host-E]

When Host-C attempts to contact Host-A, the data will first need to flow through the firewall. The configuration of the firewall, its access-lists, and the ... type of packet. For instance, using the same example, we could modify our access-lists to only allow Host-C to access Host-A when it is using UDP packets. Conversely, we could have the firewall block all Transmission Control Protocol (TCP) packets bound for a particular node or network. Most packet-filtering ...

... level of security your ASP will need. By denying all traffic that is not required to run your ASP, you will be eliminating thousands, if not hundreds of thousands, of possible ways to breach your security. When you are configuring a perimeter firewall, this is really the only way to go.

Explicitly Deny Traffic ...
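The access-list behaviour the chapter describes for Figure 6.2 (permit Host-C to Host-A over UDP only, explicitly block TCP bound for Host-A, and deny everything not required), as an added example that is not from the book: a first-match access-list evaluator in Python, plus a check for entries that an earlier, broader entry makes unreachable. The host addresses and the set of fields a rule matches on are assumptions.

```python
"""First-match packet filtering for the Figure 6.2 scenario (added example).

An ordered access-list is walked top to bottom, the first matching entry
decides, and a packet matching nothing hits the implicit deny the chapter
recommends for a perimeter firewall.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the hosts named in Figure 6.2 (an assumption).
HOSTS = {"Host-A": "10.1.0.10", "Host-B": "10.1.0.11", "Host-C": "10.2.0.10",
         "Host-D": "10.3.0.10", "Host-E": "10.3.0.11"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    """One access-list entry; a None field matches any value."""
    action: str  # "permit" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def fields(self):
        return (self.src, self.dst, self.proto, self.dport)

    def matches(self, pkt):
        have = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        return all(w is None or w == h for w, h in zip(self.fields(), have))

def evaluate(acl, pkt):
    """Return (action, index of the deciding entry); (deny, None) is implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

def shadowed_rules(acl):
    """Indices of entries that can never fire because an earlier entry is at
    least as general in every field: the classic access-list ordering mistake."""
    return [j for j, later in enumerate(acl)
            if any(all(e is None or e == l
                       for e, l in zip(earlier.fields(), later.fields()))
                   for earlier in acl[:j])]

# The chapter's worked policy: Host-C reaches Host-A only over UDP, TCP bound
# for Host-A is denied explicitly, and everything else falls to implicit deny.
ACL = [
    Rule("permit", src=HOSTS["Host-C"], dst=HOSTS["Host-A"], proto="udp"),
    Rule("deny", dst=HOSTS["Host-A"], proto="tcp"),
]

def decide(src_name, dst_name, proto, dport=0):
    """Filter decision for a packet between two named hosts under ACL."""
    pkt = Packet(HOSTS[src_name], HOSTS[dst_name], proto, dport)
    return evaluate(ACL, pkt)[0]
```

Running `shadowed_rules` over a candidate list before deploying it catches the case where a broad deny placed first silently swallows the narrow permit that was meant to follow it.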