
Storage-Based Intrusion Detection for Storage Area Networks (SANs)

Mohammad Banikazemi, Dan Poff, Bulent Abali
Thomas J. Watson Research Center, IBM Research, Yorktown Heights, NY 10598

Proceedings of the 22nd IEEE/13th NASA Goddard Conference on Mass Storage Systems and Technologies (MSST 2005) 0-7695-2318-8/05 $20.00 © 2005 IEEE

Abstract

Storage systems are the next frontier for providing protection against intrusion. Since storage systems see changes to persistent data, several types of intrusions can be detected by storage systems. Intrusion detection (ID) techniques can be deployed in various storage systems. In this paper, we study how intrusions can be detected at the block storage level and in SAN environments. We propose novel approaches for storage-based intrusion detection and discuss how features of state-of-the-art block storage systems can be used for intrusion detection and recovery of compromised data. In particular we present two prototype systems. First we present a real time intrusion detection system (IDS) which has been integrated within a storage management and virtualization system. In this system incoming requests for storage blocks are examined for signs of intrusions in real time. We then discuss how intrusion detection schemes can be deployed as an appliance loosely coupled with a SAN storage system. The major advantage of this approach is that it does not require any modification or enhancement to the storage system software. In this approach, we use the space and time efficient point-in-time copy operation provided by SAN storage devices. We also present performance results showing that the impact of ID on the overall storage system performance is negligible. Recovering data in compromised systems is also discussed.

1. Introduction

Intrusion detection systems (IDSs) are mainly either host-based or network-based. Host-based IDSs operate as a part of the host operating environment [2, 13, 16] and monitor local activities for signs of intrusion. Network-based IDSs monitor network traffic for signs of suspicious activities [3, 14]. Storage systems are the next frontier for providing protection against intrusion [15]. Storage systems see changes to persistent data and can therefore detect several types of intrusions, especially those persisting across boots. Storage systems are particularly suited for this purpose because they continue operating even after the host system is compromised. Furthermore, since they provide a narrow interface to the outside world (such as the SCSI command set), they are more difficult to compromise themselves. Intrusion detection techniques can be deployed in a diverse group of storage systems. In this paper, we study how intrusions can be detected in environments with SAN block storage systems. These systems include a large number of commercial systems such as IBM ESS, SVC, and DS4000 series, EMC Symmetrix, and Hitachi TagmaStore.

We propose two approaches for storage-based intrusion detection and discuss how existing features of block storage systems can be used for intrusion detection and for recovery of compromised data. In particular we present two storage-based IDSs which we have built in our labs. First we present a real time intrusion detection system which has been integrated within the IBM SVC, a storage management and virtualization engine for Storage Area Networks (SANs). In this system file-based ID access rules are converted to block-based rules such that incoming requests for storage blocks are examined for any sign of intrusion. When there is a possible sign of intrusion, the content of the data block is inspected if necessary. Whenever an intrusion is detected, various actions can be taken, such as informing the system administrators, rejecting suspicious IO requests, or delaying them. Furthermore, we show that the performance impact of the integration of the IDS into the IBM SVC storage system is negligible.

We then discuss a second IDS which can be deployed as an intrusion detection appliance loosely coupled with the storage system. The major advantage of this approach over the first IDS is that it does not require any modification or enhancement to the storage system software. In this approach, we use the space and time efficient point-in-time copy operation provided by the IBM DS4000 series storage controllers, called FlashCopy. These operations are used to create copies of the logical volumes of interest. These copies are then mounted for inspection and necessary operations are performed on them to detect signs of intrusion. We use the last known good copy volumes to recover compromised data if an intrusion is detected. We also discuss how a minor enhancement to storage systems, for providing a list of modified blocks to the IDS, can improve the scalability of such a scheme.

The major contributions of this paper are as follows.

• Design and implementation issues for building an IDS as an integrated part of a block storage system are discussed.

• Performance results show that the performance impact of using such an IDS on the storage system is negligible.

• Another storage-based IDS is presented which uses features of modern SAN storage systems such as point-in-time copy to provide intrusion detection schemes without requiring any changes in storage devices.

• Recovering data in compromised systems is also discussed.

The rest of this paper is organized as follows. We briefly discuss Storage Area Networks in Section 2. The main components of rule-based IDSs are discussed in Section 3. Then we describe the environment in which we have developed our prototypes in Section 4. Section 5 presents our prototype implementation. The performance results are presented in Section 6. Related work is discussed in Section 7. Future work and our conclusions are presented in Section 8.

2. Storage Area Networks (SANs)

The networked storage market has been growing as a result of growing demand for storage capacity. Networked storage systems can be divided into two major groups: Network Attached Storage (NAS) and Storage Area Networks (SAN). NAS systems typically provide a file system interface while SANs provide block storage services. NAS systems are usually Ethernet-based while SAN systems mostly rely on the Fibre Channel interconnect. The introduction of iSCSI and Object Store Devices is blurring the line between SAN and NAS. In this paper we focus on SANs.

SAN systems are made of storage devices, specialized networks for connecting data storage devices to servers, and the required management layer for setting up and maintaining connections between these servers and data storage devices. Fibre Channel is the primary interconnect used in SAN environments. Similar to direct attached disks, SAN systems provide a simple block level (fixed size) interface for storing and retrieving data [5]. Figure 1 shows a SAN environment with multiple storage devices.

Even though SANs have gained wide acceptance, the problem of managing a heterogeneous storage system is still a major challenge [6]. The block virtualization approach is used to address some of the complexities involved in managing such systems by aggregating the storage into a common pool. Storage units are assigned to host systems (i.e., servers) from this common pool. Furthermore, SAN storage virtualization and management systems may provide performance enhancing services such as caching, and other services such as copy services. In the rest of this paper we refer to the storage area network and the storage devices attached to it as the SAN system.

Figure 1. Storage Area Network (SAN). (Diagram: Host Systems connected through the Storage Network of switches, bridges, hubs, etc. to the Storage Devices; the network and the devices together form the SAN.)

3. Intrusion Detection in SAN Environments

Rule-based (policy-based) IDSs are one of the major kinds of IDSs. In this paper we focus on such IDSs. A rule-based intrusion detection system has three major components: 1) access rules and mechanisms for specifying rules, 2) mechanisms for monitoring for rule violations, and 3) actions taken in response to rule violations. Storage-based IDSs have the same major components. In this section we discuss these components for IDSs in SAN environments.

3.1. Access Rules

Since files are what system users and administrators mostly deal with, it is desirable and perhaps required to define the IDS access rules with respect to files rather than storage data blocks. File-based access rules can be used to monitor accesses to the content of a file and/or the corresponding metadata, such as the file access permission fields. Access rules specify which files and which parts of their metadata are to be monitored and what types of access to these fields constitute a rule violation.

provided by modern SAN systems can be used to facilitate the ID task. In particular, copy services provided by block storage systems can be used to create a copy of volumes of interest for mounting file systems and monitoring and evaluating the system at file system level. In Section 5, we will discuss two implementations where each deploys one of these approaches.

3.3. Response to Intrusions

A set of potential methods for responding to intrusion has been discussed in [7, 15]. These methods include generating alerts, preventing requests from completing, and slowing storage requests while awaiting response from system administrators. These methods can be deployed by storage-based IDSs. In addition to these schemes, operations such as block level versioning [4], point-in-time copy and continuous copy can be employed whenever a possible violation is detected to