Enabling Strong Storage Security with TLS

Maintaining secure systems is not just an ongoing task but an increasingly important focus and practice for all IT organizations. The key for software vendors is providing timely updates that ensure strong security enforcement and keep up with the constantly changing threat landscape.

With the recent activity around SSL and news about weak ciphers we went through an audit of our OpenSSL use and QuantaStor’s default security configuration. As a result, QuantaStor 3.15 now enforces strong security on the front end web interface with TLS 1.2 and TLS 1.0 for back-end protocol communication.

Existing customers will automatically get these new security upgrades with zero downtime by upgrading to the new release. QuantaStor 3.15 also introduces enhancements allowing for customization of security keys, certificates and certificate authority configuration files so that appliances can be customized to meet company specific security compliance policies.

What Happened to SSL?

As you may have read, the SSL 3.0 protocol has been replaced by the Transport Layer Security (TLS) protocol, and is considered outdated or “dead” due to it security vulnerabilities. This includes man-in-the-middle attacks using “POODLE” or “Padding Oracle on Downgraded Legacy Encryption” where an attacker can gain access to passwords, cookies and other authentication tokens passed within the encrypted web session.

According to the U.S. Computer Emergency Readiness Team, “the POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself.”

Even before POODLE was released, the U.S. Department of Commerce mandated in a NIST publication that SSL 3.0 not be used for sensitive government communications or for HIPAA (Health Insurance Portability and Accountability Act) compliant communications.

The key takeaway here is that you should no longer be using SSL 3.0, only TLS 1.0 and newer. Furthermore, there are specific ciphers that are to be avoided with TLS 1.x so it’s important that all servers and systems in your environment are using strong protocols with strong ciphers.

TLS and SSL Differences

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) both provide data encryption and authentication between applications and servers across insecure networks. Although the terms SSL and TLS may be used interchangeably or together as in “TLS/SSL,” SSL 3.0 served as the basis for TLS 1.0.

Beyond SSL 3.0 is TLS 1.0, TLS1.1 and TLS1.2 with 1.2 offering the highest level of data protection. All TLS protocols are designed to prevent eavesdropping, tampering, or message forgery with the primary goal of providing privacy and data integrity between two communicating applications.

The security protocol has two layers: the TLS Record Protocol and the TLS Handshake Protocol with the TLS Record Protocol existing at the lowest level and layered on top of a transport protocol such as TCP. The TLS Record Protocol provides connection security that has two main objectives: ensure that the connection is private and the connection is reliable.

QuantaStor 3.15 Protocols and Security

By upgrading to QuantaStor 3.15 you harden security at three network facing service points:

  • Core management service
  • Apache Tomcat web server for the web interface
  • REST API service

All of the network facing components only communicate using TLS 1.0 and newer. They also are configured to only use strong ciphers. The table below shows the three services, the network ports they’re exposed on, the protocol used and the ciphers allowed.

Service Port Protocol Default Cipher List
Core Management Service 5152 TLS 1.0 Link
REST API Service 8153 TLS 1.0 Link
Tomcat Web Server 443 TLS 1.2* Link

*TLS 1.2 on Tomcat Web Server with upgrade to Java7 with script command.

An overview of security administrator commands are on the OSNEXUS Wiki here.

TLS and HIPAA Compliance

Another benefit of QuantaStor 3.15 is the ability to achieve HIPAA compliance for your storage appliances. The U.S. Department of Commerce NIST 800-52 publication covers what is needed for strong TLS encryption for government use as well as security requirements for HIPAA compliance.

To achieve HIPAA compliance with QuantaStor you must take the following steps:

  • Upgrade to QuantaStor 3.15
  • Use ciphers from the approved U.S. Department of Commerce list

In short, for a storage system to be HIPAA compliant, below are three key guidelines to follow:

  • SSL 3.0 cannot be used
  • TLS v1.0+ is OK to be used
  • Only ciphers on a recommended can be used

The allowed ciphers conforming to HIPAA compliance guidelines are:

DES-CBC3-SHA:AES128-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-DES-CBC3-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384



Categories: QuantaStor 3.15, Security

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: