High performance security for IP storage networks - Bapco Journal


High performance security for IP storage networks

Published: 
28 February, 2007

By Michael Spencer, Senior Solutions Architect, CipherOptics

Since the beginning of computing, enterprises have depended on reliable management of data. Information has to be easily, quickly and constantly accessible - and completely secure. With the growth of Web-based applications, secure accessible data is absolutely essential to the viability of an enterprise. The unpredictable growth and ubiquitous access of today's Web commerce has the enterprise struggling to provide storage solutions that are available around the clock, satisfy peak demands, manage storage growth and protect data from malicious attacks.

Although numerous storage technologies have been developed to address these challenges, the continued growth of Internet access and new, rich content-based Web applications have organisations turning to IP storage solutions for the distribution of stored data in a global IP-based network. IP storage networks can satisfy the need for fast access to enterprise data, but require new security technologies to enable safe access to global data repositories.

Structured data

These repositories include traditional file systems, but also more structured data such as databases or e-mail stores. Structured data has historically been the domain of direct attached storage (DAS) and, at the same time, of the storage area network (SAN), where a block-based approach offers greater performance than the file-based approach of traditional network attached storage (NAS). However, with the proliferation of higher-performing networks with multi-Gigabit Ethernet backbones, easier access to high-performance global networks such as Multiprotocol Label Switching (MPLS), and the increasing popularity of Internet SCSI (iSCSI), an IP-based protocol which enables block-level I/O, IP storage networks are in dire need of secure transport which will not impact performance - their main enabling, competitive quality. In addition to storage performance, a practical IP-based security solution must also be simple, compatible, non-intrusive and cost-effective.

It is safe to say that when combined with ubiquitous compatibility and any-to-any connectivity, it's hard not to find an application using IP storage. Of course, along with these benefits come negatives. The hacker community is all too aware of this. Whether it's a simple internal IP address to IP address FTP transfer, internal application usage over a network segment, replication between two geographically dispersed sites for disaster recovery or company-wide fully meshed global MPLS networking, the hacker's playground is just as dispersed. The very nature of IP networks, which makes corporate acceptance so easy, also enables hackers with cheap laptops, free software and very little know-how to make lots of money from stolen data. Forget about experienced hackers tapping into local streams or even remote corporate locations outside of the United States, because these professionals can wreak unbelievable havoc and never be detected. Unfortunately, protocols built into wireless routers, such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), do not offer effective security either. Amateur hackers can use free software to break into one of these protocols in a matter of minutes. Protecting your IP storage network from hackers is more important than ever with corporate privacy mandates such as Sarbanes-Oxley, Gramm-Leach-Bliley, SEC, HIPAA and PCI.

Protecting data in motion

The notion of IP storage, running on IP networks, creates a problem in protecting data in motion. Data anywhere, with any-to-any access, traversing countless routes makes the problem of protecting data at rest seem like the easiest problem in the world to solve. Locking down data at rest is absolutely part of a secure strategy. Securing that tape, that CD, that hard drive, that file or that laptop is a one-time thing. How about securing a data stream which comprises hundreds of thousands of packets? Hundreds of thousands of packets of corporate jewels per second, that is.

The key, both literally and figuratively, is to encrypt that data in motion. Easy, end of story, right? Not quite. Again, since there is a continuous entity of data traversing the IP network, the encrypting and decrypting of this data must occur continuously.

Doing anything continuously, let alone something as compute-intensive as encryption, requires high performance. Take into account the Advanced Encryption Standard (AES), the U.S. government standard since 2002. The robustness of the AES algorithm, using 256-bit keys, is what makes it virtually impenetrable.

According to the National Institute of Standards and Technology (NIST), if a machine could attempt a brute force attack by trying to decipher a 256-bit key 2^55 times a second, it would literally take 149 trillion years to crack the key. There is a "virtual" guarantee that if AES with 256-bit keys is used on a network, data in motion on that network is un-hackable. Even if a hacker were to break into a router on that network and sniff packets, the data he would obtain would be worthless because it would be encrypted.

So the answer is to encrypt the data in motion. However, the solution as a whole is a superset of just encrypting the data in motion. The manner in which this encryption is done is just as important as the result. In other words, maintaining the ubiquitous, easy-to-use, high-performing nature of IP is of paramount importance when considering applying encryption to a network. Implementing this ultra-high form of security via encryption has to be transparent, both to the network and to the applications that use the network, regardless of the nature of the application. This encryption solution must be designed for performance, scalability, redundancy and manageability. And let's not forget cost-effectiveness.

Traditional methods include a software-based approach. Encrypting in software does not scale and certainly does not provide the high performance necessary to be transparent on a 10/100 Mbit network, let alone a GigE network. Hardware-based encryption is faster and traditionally is available on a router or switch via a compatible network module.

Although the network module based approach is faster than software, introducing this type of performance requirement on an existing piece of network hardware degrades the performance of the hardware hosting the module, sometimes by more than an order of magnitude. The router is not able to both encrypt and route the data. With this solution, there will also be a high operational expense incurred when upgrading the router to accept the network module. Also, current router-based encryption uses what is termed tunneling, where a peer device is needed on the other end of an encryption tunnel to decrypt the corresponding traffic. Tunnels are manageable when there are two endpoints, but let's not forget about what makes IP storage so attractive - any-to-any connectivity. When there are many, possibly thousands or more, endpoints, tunneling is next to impossible to manage as the number of tunnels becomes an n^2 issue: it grows with the square of the number of endpoints. And that is only if there are not multiple subnets behind the endpoint on the other side. If so, then tunnel management truly becomes impossible. In addition, traditional tunneling can break aspects of existing IP networks like redundancy and multicast capability.

Transparent encryption

Clearly, what is needed is hardware-based encryption that is transparent to the existing network, doesn't alter or break its configuration or usefulness, doesn't degrade performance and is easy to manage. The first part of the solution is encryption via a purpose-built hardware appliance acting as a Policy Enforcement Point (PEP) that can be remotely and easily managed.

This approach frees the existing network components to do what they were originally designed to do, while allowing the network to perform. The ASIC-based appliance performs all the heavy lifting of encrypting and decrypting packets as they traverse the network. This appliance can then become the foundation for securing the existing network transparently.

The second part of the solution is to build on that foundation with ease of management. Instead of manually creating potentially hundreds of thousands of tunnels, proper management can automate these processes - or, even better, eliminate the burden of creating and configuring tunnels altogether. Tunnels can be replaced with network groups and policies. Security is thereby overlaid transparently on the existing network, and a simple-to-use utility becomes the scalable, transparent, flexible, cost-effective solution for securing data in motion, effectively eliminating the traditional limitations of legacy encryption solutions.
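The group-and-policy model described above, and the n^2 tunnel growth it replaces, as an added illustration in Python. This is not CipherOptics code; the group names, address ranges and policy actions are constructed assumptions, and the entry counts only model the scaling argument, not any product's configuration format.

```python
import ipaddress

# Constructed network groups: each subnet is listed once, in the group it belongs to.
# Group names and address ranges are assumptions for this illustration.
GROUPS = {
    "storage": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
    "replication": ["192.168.10.0/24", "192.168.20.0/24"],
}

# A policy says: traffic between members of group A and group B gets this action.
# "encrypt" = the PEP applies IPsec, "clear" = forward untouched, "drop" = discard.
# Policies are evaluated in order and apply in both directions.
POLICIES = [
    ("storage", "storage", "encrypt"),
    ("replication", "replication", "encrypt"),
    ("storage", "replication", "drop"),
]
DEFAULT_ACTION = "clear"  # anything no policy covers is left in the clear


def member_of(ip, group):
    """True if the address falls inside any subnet of the named group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])


def classify(src, dst):
    """Return the action a PEP applies to a packet; the first matching policy wins."""
    for grp_a, grp_b, action in POLICIES:
        forward = member_of(src, grp_a) and member_of(dst, grp_b)
        reverse = member_of(src, grp_b) and member_of(dst, grp_a)
        if forward or reverse:
            return action
    return DEFAULT_ACTION


def tunnel_count(sites, subnets_per_site):
    """Point-to-point tunnels for a full mesh: n(n-1)/2 site pairs, each needing
    s*s subnet-to-subnet tunnels. This is the n^2 growth the article describes."""
    return sites * (sites - 1) // 2 * subnets_per_site ** 2


def group_entries(sites, subnets_per_site, policies=len(POLICIES)):
    """Group model: each subnet appears once in a group and the policy set is fixed,
    so adding a site adds only its own subnets, not a tunnel to every other site."""
    return sites * subnets_per_site + policies
```

Adding a hundredth single-subnet site to a full mesh costs 99 new tunnels, while the group model costs one new group entry.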

With the proliferation of MPLS networks, as well as the corresponding compliance regulations to protect sensitive data, IP storage security is more important than ever. The need to secure data in motion has been coupled with the need to manage security in the network in a non-intrusive, transparent fashion. All too often companies forgo securing their network due to the complexities of existing solutions and their tendencies to break as much as they fix.

These companies can choose to stand out by tackling the problems associated with IPSec head-on, implementing a method to secure networks without any pain.

With today's encryption solutions, things like network topology, the number of PEPs, the type or speed of IP networks and the manner of encryption do not get in the way of securing a network quickly, easily and transparently. By overlaying standards-based IPSec onto existing networks, companies can now implement a security utility much the same way Dynamic Host Configuration Protocol (DHCP) made it easy for a computer to connect to a network.

Note:

CipherOptics is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event. www.infosec.co.uk
