SAN Security Vendors


McData SANtegrity Security Suite Software

SANtegrity Security Suite enhances business continuity by reducing the impact of human influences on your networked data. This robust suite of software applications provides unsurpassed storage area network (SAN) protection. SANtegrity lets you build secure storage networks by providing end-to-end security features for McDATA fabrics.

Using SANtegrity software, you can apply layers of security to individual storage network ports, switches and entire fabrics through the features described below.

SANtegrity Features and Functions

SANtegrity Zoning

SANtegrity Zoning, a security enhancement that complements World Wide Name (WWN) and port zoning, blocks ports from accessing devices outside user-specified zones. This feature improves security against intruders that load non-standard HBA drivers.

Although SANtegrity Zoning is a new feature, it is compatible with legacy zone definitions including WWN and port zoning. No retraining of personnel or modification of current zoning management practices is necessary. Customers can use their existing zones and zone sets without any changes to the interfaces. SANtegrity Zoning is a standard feature of McDATA Enterprise Operating System (E/OS) 5.0.

SANtegrity Secure Management Zone

SANtegrity Secure Management Zone (SMZ), a McDATA solution, secures the management interface. SMZ provides management access to local and remote SAN devices over a secure connection. SMZ is a best practice that documents the LAN and WAN configurations required to securely manage distributed SANs using McDATA EFCM or SANavigator management software.

SANtegrity Binding

SANtegrity Binding protects your SAN from disruption by either intruders or unintended accidents. SANtegrity Binding creates multiple layers of access control barriers. These barriers at the port, switch or fabric level allow customers to fine-tune their SAN authorization to meet their specific security requirements. SANtegrity Binding is an optional feature of McDATA E/OS and can be implemented without application downtime.


Brocade Secure Fabric OS

A Comprehensive SAN Security Solution

As a greater number of organizations implement larger Storage Area Networks (SANs), they are facing new challenges in regard to data and system security. Especially as organizations interconnect SANs over longer distances through existing networks, they have an even greater need to effectively manage their security and policy requirements.

To help these organizations improve security, Brocade has developed Secure Fabric OS™, a comprehensive security solution for Brocade-based SAN fabrics that provides policy-based security protection for more predictable change management, assured configuration integrity, and reduced risk of downtime. Secure Fabric OS protects the network by using the strongest enterprise-class security methods available, including digital certificates and digital signatures, multiple levels of password protection, strong password encryption, Public Key Infrastructure (PKI)-based authentication, and 128-bit encryption of the switch’s private key used for digital signatures.

With its flexible design, Secure Fabric OS enables organizations to customize SAN security in order to meet specific policy requirements. In addition, Secure Fabric OS works in conjunction with Brocade Advanced Zoning to further secure access to the SAN, simplify storage management, and reduce provisioning time.

Highlights of Brocade Secure Fabric OS


Hifn 4300 HIPP III Storage Security Processor

The HIPP III 4300 Storage Security Processor efficiently addresses your needs for a standards-compliant Gigabit Ethernet solution.

The Hifn™ HIPP III 4300 Storage Security Processor is the first security processor designed for the specific requirements of IP Storage applications. The 4300 offers a complete IPsec data path solution optimized for IP Storage-based systems, combining inbound and outbound policy processing, SA lookup, SA context handling, and packet formatting – all within a single chip. Hifn’s 4300 delivers industry-leading cryptographic functionality, supporting the DES/3DES-CBC, AES-CBC, AES-CTR, MD5, SHA-1 and AES-XCBC-MAC algorithms. Hifn also provides complete software support, including an optional onboard iSCSI-compliant IPsec software stack with an embedded HTML manager application.

The HIPP III 4300 employs Hifn’s FlowThrough™ Security Architecture to deliver full-duplex Gigabit Ethernet encrypted throughput in iSCSI (Internet Small Computer System Interface), FCIP (Fibre Channel over IP) and other IP-based storage networking systems. The high-speed HIPP III 4300 is optimized for use in server host bus adapters, FCIP bridges, storage routers, and storage arrays.

Hifn’s FlowThrough Security Architecture

Hifn’s FlowThrough Security Architecture is the cornerstone of a new family of solutions that fundamentally change the way security is built into the network.

The new architecture enables security processors that sit directly in the data path, eliminating the inefficiencies of existing “look-aside” security designs.

Fundamental to the new FlowThrough architecture is the acceleration of the entire data path of the IPsec protocol, which previously represented a heavy processing load on the Storage Processor or other processing elements in the system. The new architecture incorporates packet processing, link layer processing for Ethernet, security association handling, and IPsec encryption/authentication functions into silicon-based products. Hifn’s FlowThrough Security Architecture enables high-performance, cost-effective security processors that provide wire-speed performance for encrypted traffic in IP Storage and high-performance network equipment.

Easy Integration

The HIPP III 4300 uses industry-standard GMII/TBI interfaces, supported by numerous GigE TOE (TCP Offload Engine) and Storage Processor vendors. It is typically interfaced between the GMII port on a GigE TOE or Storage Processor and the Ethernet PHY. A second failover port on the network side allows the 4300 to provide recovery if the primary data link goes down.

The control interface to the 4300 is achieved using in-band Ethernet frames. An additional 100Mbps Ethernet MII port allows an optional out-of-band control port, or it may be used to establish an inter-chip link for multi-chip designs. The chip also includes a 16-bit SDRAM memory interface for program and data storage for the on-board auxiliary processor. A single low-cost SDRAM is the only external part needed to work with the 4300. (For designs that don’t require on-chip IKE, this RAM can be omitted.) These standard interfaces enable easy integration into a variety of systems.


HP StorageWorks Secure Fabric OS

HP Secure Fabric OS solutions include a comprehensive SAN infrastructure security software tool and value-added services for 1 Gb and 2 Gb SAN switch environments. With its flexible design, the security feature enables organizations to customize SAN fabric security in order to meet specific policy requirements. In addition, Secure Fabric OS works with security practices already deployed in many SAN environments, such as Advanced Zoning.

HP Services also provides a portfolio of services, ranging from a broad SAN Design and Architecture service that can deliver a complete multi-site security design to a single-site Security Installation & Startup service that shows you how to configure your Secure Fabric OS environment using the most widely used, industry-tested aspects of security. HP Secure Fabric OS is a complete solution for securing SAN infrastructures.

Features and Benefits of HP StorageWorks Secure Fabric OS

Decru DataFort Security Appliances

Networked storage helps enterprises speed access to data and reduce administrative overhead, but can leave critical data vulnerable. Without the physical separation provided by traditional direct-attached storage, data assets become commingled in both NAS and SAN environments, putting them at much greater risk of unauthorized access, theft or misuse.

Technologies like firewalls and intrusion prevention systems seek to secure enterprise assets by protecting the perimeter of the network, but these approaches leave data at the storage core dangerously open to both internal and external attacks. Decru DataFort™ is a reliable, multi-gigabit-speed encryption appliance that integrates transparently into NAS, SAN, DAS and tape backup environments. By locking down stored data with strong encryption, and routing all access through secure hardware, DataFort radically simplifies the security model for networked storage.

DataFort appliances combine secure access controls, authentication, storage encryption, and secure logging to provide unprecedented protection for sensitive stored data. Because DataFort protects data at rest and in flight with strong encryption, even organizations that outsource IT management can be sure their data assets are secure. In short, DataFort offers a powerful and cost-effective solution to address a broad range of external, internal, and physical threats to sensitive data.

Hardened Architecture

DataFort hardware was designed from the ground up for maximum security. At the heart of the system is Decru’s Storage Encryption Processor (SEP) — a robust hardware engine enabling full-duplex, multi-gigabit-speed encryption and key management. Decru’s SEP, clustering and key management have passed certification testing for FIPS 140-2 Level 3. DataFort's AES-256, SHA-1 and SHA-256 implementations have also been certified by the National Institute of Standards and Technology (NIST).

Robust Encryption Standards

Decru DataFort incorporates strong AES-256 encryption, optimized by Decru for protecting stored data. DataFort uses a True Random Number Generator (TRNG) to create keys, and cleartext keys never leave DataFort’s secure hardware, offering the highest level of security against attacks.

Compartmentalization

Security administrators can compartmentalize data in shared storage using Cryptainer™ storage vaults. Cryptainer vaults cryptographically partition stored data, and provide an additional layer of threat containment. DataFort also supports the creation of cleartext Cryptainer vaults, which enables administrators to enforce access controls centrally, but leave less sensitive data unencrypted.

Lifetime Key Management

Decru's Lifetime Key Management™ system (LKM) securely automates the archiving and recovery of encryption keys across the enterprise, ensuring data stored for decades can be decrypted. A software recovery tool ensures access to data in the event that DataFort hardware is rendered inoperable.

Authentication and Access Controls

DataFort provides a powerful, single point of secure access controls and authentication for heterogeneous client and storage environments. DataFort integrates transparently with directory servers such as LDAP, Active Directory and NIS, and adds a layer of hardware-based policy enforcement that prevents common attacks. DataFort also incorporates smart cards to ensure that only authorized DataFort administrators can configure and manage the DataFort. In SAN environments, DataFort can use Host Authentication to further lock down the fabric.

Storage VPN

In Ethernet environments, DataFort can secure data in flight from the desktop or server with integrated Storage VPN features. DataFort supports IPsec or SSL with hardware-based acceleration, and WebDAV support enables secure, drag-and-drop access to networked storage for remote users or partners over the Internet.

Secure Logging

Each DataFort keeps a cryptographically signed log of activities. Reports are fully customizable to track relevant events, including failed authentication attempts, Cryptainer access, administrative actions, or intrusion.

CryptoShred Key Deletion

CryptoShred simplifies the process of permanently deleting data. By deleting an encryption key, all copies of associated data are instantly destroyed, regardless of physical location. CryptoShred provides vital functionality for a range of applications, including regulatory compliance, hardware redeployment or disposal, and protection for data in harm’s way.


Kasten Chase Assurency

Assurency™ SecureData provides comprehensive security for data storage, including SAN, NAS and DAS. Utilizing authentication, access control and strong industry-standard encryption, SecureData protects valuable information stored on online, near-line, and backup storage media. These safeguards extend to stored data both within the data center and at off-site data storage facilities.

Assurency SecureData protects valuable data assets, such as e-mail, financial and health care information, customer and personnel records and intellectual property. For government agencies, Assurency SecureData protects intelligence and national defense data, law enforcement information, and confidential citizen records.

Eliminating Business Risk

Assurency SecureData helps organizations eliminate the risk in their most valuable and vulnerable information assets.

Reducing the Cost of Data Management

Assurency SecureData not only safeguards data assets, it introduces efficiencies in the management of stored data. With Secure Information Management™, Assurency SecureData enables rapid and cost-effective ‘no touch’ destruction of sensitive data — data that has reached the end of its useful life, yet still represents a considerable source of business risk.

Encrypted data can be rendered permanently unintelligible — effectively destroyed — by revoking or purging the cipher key used to encrypt the data. SecureData’s Secure Information Management system provides a very streamlined process of key management and revocation. When key revocation is controlled and managed, data destruction can be achieved at a fraction of the cost of full disk or tape cleansing. There is no requirement to retrieve and destroy the data itself.
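Both the Decru CryptoShred description above and this Secure Information Management passage rest on the same mechanism: purge the key, and every copy of the ciphertext on every disk, tape or replica is destroyed with it. The example below, added here and not code from either vendor, shows that mechanism stand-alone; because Python's standard library has no AES, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the products' AES-256, and the `Vault` class, the compartment name and the sample record are constructed for the demonstration.

```python
"""Crypto-shredding demo: destroy stored data everywhere by destroying its key."""
import hashlib
import hmac
import secrets

# Constructed stand-in: the stdlib has no AES, so an HMAC-SHA256 keystream in
# counter mode plus an encrypt-then-MAC tag plays the role of the products' AES-256.
def _subkey(dek: bytes, purpose: bytes) -> bytes:
    return hmac.new(dek, purpose, hashlib.sha256).digest()  # separate enc/mac keys


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


class Vault:
    """One 256-bit data-encryption key (DEK) per compartment, e.g. a volume or tape set."""

    def __init__(self) -> None:
        self._deks: dict[str, bytes] = {}

    def seal(self, compartment: str, plaintext: bytes) -> bytes:
        """Encrypt under the compartment's DEK, minting the DEK on first use."""
        dek = self._deks.setdefault(compartment, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_subkey(dek, b"mac"), nonce + body, hashlib.sha256).digest()
        return nonce + body + tag  # blob layout: nonce || ciphertext || tag

    def open(self, compartment: str, blob: bytes) -> bytes:
        """Decrypt a blob; fails for every copy of it once the DEK is gone."""
        dek = self._deks.get(compartment)
        if dek is None:
            raise KeyError("key revoked: data is cryptographically shredded")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(_subkey(dek, b"mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("ciphertext altered or encrypted under another key")
        ks = _keystream(_subkey(dek, b"enc"), nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))

    def shred(self, compartment: str) -> None:
        """Purge the DEK: no disk, tape or replica needs to be scrubbed afterwards."""
        self._deks.pop(compartment, None)
```

Note that shredding is only as good as the key store: a DEK that survives in a backup, a swap file or an unmanaged escrow copy means the data is recoverable, which is why the products above pair key deletion with controlled, audited key management.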

Improving Storage Resource Utilization

Assurency SecureData enables more efficient utilization of data storage media. Encrypted storage disks and tapes can be repaired, recycled, resold or decommissioned without the need for audited erasure — a time-consuming and expensive process. These efficiencies in data management and storage resource utilization help organizations reduce operating costs.

Enterprise-class Solution

Assurency SecureData was designed for the data center, where quality of service, performance, scalability and interoperability are paramount.

Distributed, Scalable Architecture

Assurency SecureData’s two-component architecture separates encryption and key management tasks.

Assurency SecureData Server Encryption Driver / Crypto-Accelerator

Compatible with leading server operating systems, Assurency SecureData provides cryptographic services where they are most effective – within the host server. The SecureData Server Encryption Driver requests encryption keys and filters sensitive storage data for encryption. Together, the Server Encryption Driver and SecureData Crypto-Accelerators offer transparent encryption for host applications and high data throughput. The Crypto-Accelerator is a dedicated cryptographic co-processor supporting the PCI-X bus architecture. Crypto-Accelerators can be added as required to meet throughput and redundancy requirements.

Assurency SecureData Appliance

The Assurency SecureData Appliance delivers authentication, access control and key provisioning services for the SecureData Server Encryption Driver and Crypto-Accelerators. A centralized trust authority for storage networks, the Appliance provides the assurances of certificate-based authentication without the requirement for a third-party Public Key Infrastructure (PKI). For organizations looking to leverage an existing certificate management scheme, SecureData is readily interoperable with third-party PKIs.

The SecureData Appliance features a lockable front panel, tamper-evident chassis and a hardened operating system. Root key material and master encryption keys are stored on a FIPS 140-1 Level 2 certified Hardware Security Module. These features render the Appliance virtually impervious to attack.



© 2003 - 2010 SAN Security, All Rights Reserved.
SANSecurity.com is a service of Network System Architects, Inc.