Cisco MDS 9120, MDS 9134, MDS 9124, MDS 9140, MDS 9020 User Manual

Chapter 1
Storage Media Encryption Overview
Encrypting storage media in the data center has become a critical issue. Numerous high profile incidents of lost or stolen tape and disk devices have underscored the risk and exposure companies face when sensitive information falls into the wrong hands. To satisfy the most demanding requirements, Cisco MDS 9000 Family Storage Media Encryption (SME) for the Cisco MDS 9000 family switches offers a highly scalable, reliable, and flexible solution that integrates encryption transparently as a fabric service for Fibre Channel SANs.
This chapter provides an overview of the SME and the hardware and software requirements for the product. It contains the following sections:
About SME, page 1-1
About MIBs, page 1-9
Software and Hardware Requirements, page 1-10
SME Prerequisites, page 1-13
SME Security Overview, page 1-14
About SME
Note When using SME, SSI images should not be loaded and installed on 18+4 cards and SSN-16. Also the bootvar should not be set to load these images.
The SME solution is a comprehensive network-integrated encryption service with enterprise-class key management that works transparently with existing and new SANs. The innovative Cisco network-integrated solution has numerous advantages over competitive solutions available today:
SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, SME does not require rewiring or SAN reconfiguration.
Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM-18/4), the Cisco MDS 9222i Multiservice Module Switch, and the 16-Port Gigabit Ethernet Storage Services Node (SSN-16), which eliminates the need to purchase and manage extra switch ports, cables, and appliances.
Traffic from any virtual SAN (VSAN) can be encrypted using SME, enabling flexible, automated load balancing through network traffic management across multiple SANs.
No additional software is required for provisioning, key, and user role management; SME is integrated into Cisco DCNM for SAN (DCNM-SAN), which reduces operating expenses.
Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide
OL-29289-01
1-1
Figure 1-1 shows the integration of SME with SAN fabrics to offer seamless management of data encryption.
Figure 1-1 SME
[Figure 1-1: Servers connected through a Fibre Channel SAN of Cisco MDS 9200 Series and Cisco MDS 9500 Series switches running Storage Media Encryption (SME) to Storage; a clear-text record (name, SSN, amount, status) is shown written to the media in encrypted form]
This section covers the following topics:
SME Features, page 1-2
SME Terminology, page 1-6
Supported Topologies, page 1-7
In-Service Software Upgrade in SME, page 1-9
SME Features
The Cisco MDS 9000 Family of intelligent directors and fabric switches provides an open, standards-based platform for hosting intelligent fabric applications and services. As a platform, the Cisco MDS 9000 family switches provide all essential features required to deliver secure, highly available, enterprise-class Fibre Channel storage area network (SAN) fabric services. Cisco has integrated encryption for data-at-rest as a transparent fabric service to take full advantage of this platform.
SME is a standards-based encryption solution for heterogeneous disks, tape libraries, and virtual tape libraries. SME is managed with Cisco DCNM-SAN and a command-line interface (CLI) for unified SAN management and security provisioning. SME includes the following comprehensive built-in key management features:
Transparent Fabric Service, page 1-3
Encryption, page 1-3
SME Roles, page 1-3
Key Management, page 1-4
Clustering, page 1-5
FC-Redirect, page 1-6
Server-Based Discovery for Provisioning Disks and Tapes, page 1-6
Target-Based Load Balancing, page 1-6
Transparent Fabric Service
Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module, an MDS 9222i switch, or an SSN-16 module anywhere in the fabric. There are no appliances in-line in the data path, and there is no SAN rewiring or reconfiguration.
Encryption
SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS software security features, such as Secure Shell (SSH), Secure Sockets Layer (SSL), RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for the secure architecture.
SME uses the NIST-approved random number standard to generate the keys for encryption.
Encryption and compression services are transparent to the hosts and storage devices.
Encryption Algorithms
The IEEE-approved standard for encryption of disk drives is IEEE 1619—Standard Architecture for Encrypted Shared Storage Media (1619.1 for tape drives). It specifies the XTS encryption mode commonly used for disk encryption. The IEEE Security in Storage Working Group (SISWG) was investigating the possibility of submitting the XTS mode to NIST for consideration as an Approved Mode of Operation for FIPS 140-2 certification. XTS is a narrow-block encryption mode; the standardization process for a wide-block algorithm is currently in progress as 1619.2. Other encryption algorithms for consideration are LRW-AES and AES-CBC. Draft versions of the IEEE 1619 standard had used LRW-AES, which was later replaced by XTS-AES.
SME Roles
SME services include the following four configuration and security roles:
SME Administrator
SME Storage Administrator
SME Key Management Center (KMC) Administrator
SME Recovery Officer
The SME Administrator configures and maintains SME. This role can be filled by multiple storage network administrators. The SME Storage Administrators are responsible for SME provisioning operations and the SME KMC Administrators are responsible for the SME KMC administration operations. The security officer may be assigned the SME KMC Administrator role in some scenarios.
Note The SME Administrator role includes the SME Storage Administrator and the SME KMC Administrator roles.
The SME Recovery Officers are responsible for key recovery operations. During SME configuration, additional Recovery Officers can be added. SME Recovery Officers play a critical role in recovering the key database of a deactivated cluster and they are responsible for protecting the master key. The role of the SME Recovery Officer separates master key management from SME administrations and operations. In some organizations, a security officer may be assigned to this role.
At the advanced security level, a quorum of SME Recovery Officers is required to perform recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to unlock the master key.
For additional information on SME Administrator and SME Recovery Officer roles, see the “Creating and Assigning SME Roles and SME Users” section on page 2-32.
Key Management
Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.
Key management features include the following:
Master key resides in password protected file or in smart cards.
If the cluster security mode is set to Basic, the master key resides in the password protected file.
If the cluster security mode is set to Standard, the master key resides in a single smart card, and that same smart card is required to recover the master key.
If the cluster security mode is set to Advanced, the master key resides in multiple smart cards, and a quorum of them (2 out of 3, 2 out of 5, or 3 out of 5, as selected by the user) is required to recover the master key.
Unique key per tape for an SME tape cluster.
Unique key per LUN for an SME disk cluster.
Keys reside in clear-text only inside a FIPS boundary.
Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC.
Disk keys are wrapped by the cluster master key and deactivated in the CKMC.
Option to store tape keys on tape media.
The centralized key lifecycle management includes the following:
Archive, shred, recover, and distribute media keys.
Integrated into DCNM-SAN.
Secure transport of keys.
End-to-end key management using HTTPS/SSL/SSH.
Access controls and accounting.
Use of existing AAA mechanisms.
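Both the Advanced security mode above and the Recovery Officer quorum described under SME Roles rest on a threshold scheme: any k of n smart cards reconstruct the master key, while fewer than k reveal nothing about it. The block below is an added illustration, not Cisco's code (the guide does not state which threshold scheme SME uses); it assumes Shamir secret sharing over a prime field and a constructed 256-bit master key, and exercises the 2-of-5 and 3-of-5 quorums the guide lists.

```python
import secrets

# Field prime for the shares: the Mersenne prime 2^521 - 1 (an assumption of this
# example, not a value from the guide); it comfortably holds a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_master_key(master_key: bytes, threshold: int, shares: int):
    """Shamir split: one (x, y) share per smart card; any `threshold` of them recover the key."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares, e.g. 2 of 5 or 3 of 5")
    secret = int.from_bytes(master_key, "big")
    if secret >= PRIME:
        raise ValueError("master key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_master_key(shares, key_len: int):
    """Lagrange-interpolate at x = 0 from the presented cards. Below the quorum the
    result is a uniformly random field element, so it almost surely cannot be a key: None."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > 8 * key_len:
        return None
    return secret.to_bytes(key_len, "big")


def quorum_demo(threshold: int, cards: int) -> bool:
    """True when any `threshold` cards recover a constructed key and threshold-1 cards do not."""
    master_key = secrets.token_bytes(32)  # constructed 256-bit master key
    dealt = split_master_key(master_key, threshold, cards)
    first = recover_master_key(dealt[:threshold], 32) == master_key
    last = recover_master_key(dealt[-threshold:], 32) == master_key
    short = recover_master_key(dealt[:threshold - 1], 32) == master_key
    return first and last and not short
```

The recovery function deliberately returns a wrong value rather than raising when too few cards are presented: a real KMC learns only that the recovered key fails to unwrap the media keys, which is why the quorum rule, not an error message, is the control.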
The Cisco KMC provides dedicated key management for SME, with support for single and multisite deployments. The Cisco KMC performs key management operations.
The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements.
Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management. This separation provides robustness to the KMC and also supports the SME deployments in different locations sharing the same Cisco KMC.
Figure 1-2 shows how Cisco KMC is separated from DCNM-SAN for a multisite deployment.
Figure 1-2 Multisite Setup in Cisco KMC
[Figure 1-2: a Primary Data Center and Other Data Centers, each with Fabric A, Fabric B, Cisco SME clusters (Cluster 1, Cluster 2, Cluster 3) and a Cisco Fabric Manager; the Cisco KMC with its key catalog resides in the primary data center]
A Cisco KMC is configured only in the primary data center and DCNM-SAN servers are installed in all the data centers to manage the local fabrics and provision SME. The SME provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently.
In the case of multisite deployments when the Cisco KMC is separated from DCNM-SAN, fabric discovery is not required on the Cisco KMC installation. The clusters that have connection to the Cisco KMC will be online and the clusters that are not connected, but are not deactivated, appear as offline. The SME clusters that are deleted from the fabric appear as deactivated.
The high availability Cisco KMC server consists of a primary server and a secondary server. When the primary server is unavailable, the cluster connects to the secondary server and fails over to the primary server once the primary server is available. The high availability KMC will be available after you configure the high availability settings in DCNM-SAN Web Client.
Clustering
Cluster technology provides reliability and availability, automated load balancing, failover capabilities, and a single point of management.