From the course: Cloud Security Operations by Pearson
SDS and securing storage area networks
Let's get a real-world example of software-defined security. Software-defined security comes from software-defined networking, and specifically we're looking at a Cisco Application Centric Infrastructure. So in this environment, this would be our cluster of ACI controllers, or these are called APICs, okay, the API controllers. And these are gonna be a cluster of three or five controllers. And what these really are are just Cisco servers running this special controller software, this APIC software, on there. And then we have what we would call our data center environment or our VXLAN environment. So these are our spine switches, and these would be something like Nexus 9500 spine switches. And these would be our leaf switches. So these would be like, you know, Cisco Nexus 9300 switches, okay? And so we are going to have this in a VXLAN environment, so it's a full mesh. So we have a full mesh between all of these different leaf switches and spine switches. And of course, there's no trunk port. So we have no trunk ports between the leaf switches, okay, no trunk ports, no trunk ports between the spine switches, right? So this is a full mesh, right, in this environment. And we're getting software-defined security because we're obviously logging on to these controllers with multi-factor authentication and biometrics, and we're configuring these by sending digitally signed API calls to these devices. And we may have physical, you know, Nexus 9500 spine switches, but these leaf switches may be virtual, okay, may be virtual. So we're going to have resourceful and dynamic countermeasures built in, because this is going to be a zero trust environment with all the newest security measurements and metrics. We're going to be using updated hardware with firmware updates and, you know, service packs and updates.
We're going to be dynamically managing this, usually through a graphical interface, to get the entire environment, so it's a synchronized logical view within our software-defined controller model. And by the way, this is also going to be non-proprietary. So we're talking about Cisco hardware here, but with software-defined networking, one of the advantages is that we can have a hybrid of different hardware solutions, because this is basically taking our VXLAN frames with their 24-bit identifier. And again, this is going to be encapsulated in UDP packets, okay? So this is a typical on-premises data center with a Cisco ACI environment and with all of the benefits of software-defined security. Next, let's look at the storage area network, okay? The storage area network and storage area networking security. Now, on this exam, you may have to have a traditional approach to storage area networking that's unlike what we just saw with the software-defined security of a Cisco ACI environment. So you may be expected to know that we have a traditional management console or management station. We've got our servers in our storage area network. They all have these special host bus adapters. We may have our SAN fabric, and this is special SAN switches, storage area networking switches. We have our storage arrays down here. And maybe we also have some redundancies and some backups. And this is all connected together. So you may have a traditional mechanism for storage area networking. And of course, the language of love here is going to be some options. We may have iSCSI, and that'll affect the controllers we have as well. We may be using Fibre Channel or FC. We may be using Fibre Channel over Ethernet. Then we have initiators and targets in this environment. So we may have a traditional storage area network with different types of protocols and services at layer 2 or layer 3, and equipment that's proprietary.
Now, what we're starting to see is more of the traditional storage area networks moving away from traditional to a more controller-based approach. I'll just put CB, controller-based. And then, like we saw in the previous diagram, we're making digitally signed API calls to the components and the hardware. Now, traditionally, and looking at newer solutions that are using zero trust, we may be looking at some legacy solutions. So for example, you might be seeing the IPsec authentication header being used in the storage area network between the front end and the back end. Now, authentication header means we're not going to have any encryption. So we're going to be using some type of HMAC, like SHA-256, to get integrity and origin authentication. You're starting to see storage area networks, more often than not, introducing 802.1AE, which is MACsec. So with MACsec, we can actually get encryption of the frames themselves. And with MACsec, we're gonna be using AES Galois Counter Mode 256. And if you're using 802.1AE MACsec, you don't have to have a separate HMAC, okay? Because GCM AES has its own integrated GMAC. So this is what's called authenticated encryption with associated data. So in other words, with AES-GCM and HMAC or MACsec, it's kind of an all-in-one, it's combined, right? So we have encryption or confidentiality, and we have origin authentication and integrity, because you have an integrated GMAC with AES-256-GCM. More often than not, we're using a software-defined network and software-defined security with controllers. Obviously, whatever we're using as far as the SAN fabric, our switches, or our servers, we have to make sure that we're hardening and that we have tested patch management. And often, in our data center, we have our storage arrays. In our storage arrays and our backups, we're also going to encrypt data at rest. And typically we're going to be relying upon AES-256.
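The contrast the lecture draws between the two SAN protections, an authentication header (integrity and origin authentication only, via a separate HMAC) versus MACsec (AES-256-GCM with its integrated GMAC covering the encrypted payload and the clear-text header as associated data), can be seen in a few lines of code. The program below is an added example written for this page, not code from the course or from any Cisco or SAN product. It assumes constructed 256-bit keys, treats an arbitrary byte string as the clear-text frame header, and draws the GCM nonce at random, where real MACsec derives the nonce from the SCI and packet number and obtains its keys from MKA; those are simplifications, not MACsec's wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample keys for the demonstration only (32 bytes each,
// i.e. 256-bit). Real deployments derive these from IKE (AH) or MKA (MACsec).
var (
	ahKey  = bytes.Repeat([]byte{0x11}, 32)
	sakKey = bytes.Repeat([]byte{0x22}, 32) // MACsec calls the frame key a SAK
)

// ahTag models the IPsec AH style the lecture describes: the frame stays
// in clear text, and an HMAC-SHA-256 over it gives integrity and origin
// authentication but no confidentiality.
func ahTag(key, frame []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(frame)
	return m.Sum(nil)
}

// ahVerify recomputes the tag and compares in constant time.
func ahVerify(key, frame, tag []byte) bool {
	return hmac.Equal(tag, ahTag(key, frame))
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// macsecProtect models the MACsec style: AES-256-GCM encrypts the payload,
// and its built-in GMAC covers the ciphertext plus the clear-text header
// passed as associated data, so no separate HMAC is needed. Output layout:
// nonce || ciphertext || 16-byte GCM tag. (Simplification: the nonce is
// random here; MACsec derives it from the SCI and packet number.)
func macsecProtect(sak, header, payload []byte) ([]byte, error) {
	gcm, err := newGCM(sak)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, payload, header)
	return append(nonce, sealed...), nil
}

// macsecUnprotect decrypts and verifies in one step: any change to the
// ciphertext, the tag, or the associated header makes Open fail, and no
// plaintext is released.
func macsecUnprotect(sak, header, protected []byte) ([]byte, error) {
	gcm, err := newGCM(sak)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(protected) < ns+gcm.Overhead() {
		return nil, errors.New("protected frame too short")
	}
	return gcm.Open(nil, protected[:ns], protected[ns:], header)
}

func main() {
	frame := []byte("constructed SCSI block: WRITE LUN 0 ...") // constructed sample payload
	header := []byte("constructed MAC header + SecTAG")        // constructed clear-text header

	// AH style: payload readable on the wire, separate HMAC tag.
	tag := ahTag(ahKey, frame)
	fmt.Printf("AH: payload in clear = %q, HMAC ok = %v\n", frame, ahVerify(ahKey, frame, tag))

	// MACsec style: payload hidden, integrity tag integrated into the AEAD.
	prot, err := macsecProtect(sakKey, header, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("MACsec: payload visible on the wire = %v\n", bytes.Contains(prot, frame))
	prot[len(prot)-1] ^= 0x01 // flip one bit of the GMAC tag
	_, err = macsecUnprotect(sakKey, header, prot)
	fmt.Printf("MACsec: tampered frame rejected = %v\n", err != nil)
}
```

The point to take from running it: with the AH model the payload is readable by anyone on the path and only the tag check fails after tampering, while with the GCM model the payload is never exposed and a single `Open` call rejects any modification of the ciphertext, the tag, or the header it was bound to. That is the "all-in-one" property the lecture attributes to 802.1AE.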