Distributed file systems allow networked computers (referred to as clients) to access remote storage devices as if the devices were on a local file system. These file systems allow for sharing of data among networked clients. Additionally, a user can access the networked data from other networked computers in the same way she accesses it from her own computer. This type of network file sharing is becoming increasingly prevalent as the computing industry becomes more network centric.
Distributed file systems have many security problems that local file systems do not have. The network itself is susceptible to security risks such as snooping (unauthorized break-ins), spoofing (impersonation), and packet eavesdropping (unauthorized receipt of data being transmitted over the network). The identity of a network client can be spoofed such as where a user id can be forged in requests to a file server. In addition, the distributed file systems still have the vulnerabilities of the local file systems. The disk containing file data can be stolen and mounted on another machine, bypassing the protection afforded by the operating system. The distributed file server can be broken into, giving the attacker root access to the disk. Backup tapes are not generally encrypted, and data is easily accessed if they are stolen.
There are three security areas that existing distributed file systems either fail to address, or address inadequately: confidentiality, integrity and authentication. Confidentiality refers to the requirement that the file system data can only be read by the parties that are intended to have access to the data. Integrity means that it is possible for the parties accessing the data to verify that the data read was not altered. Authentication requires that the exchanges between the data repositories and the file system clients are done such that both parties of the exchanges are able to verify the messages involved came from the other.
Network File System (NFS) was an early network file system that has gained wide spread adoption. (See, for example, reference 1). When NFS was introduced, it relied on the operating system to enforce confidentiality, integrity, and authentication. It allowed users to access the network file system as if it were a local file system. Network communications were unencrypted and unauthenticated. The administrators of the local machine could become any user on the machine and gain access to the users files. Other machines on the network could disguise as another machine and fool the NFS server. Since packets were not encrypted across the network, an eavesdropper could view and alter the contents of the packets. Authentication was later added to version 3 of the NFS protocol.
Another file system, the Andrew File System (AFS, reference 2), and its follow-on Decorum File System (DFS, reference 3) are other network file systems that allow users access to the file systems as if they were local file systems. AFS relies on the authorization service Kerberos (reference 4) to authenticate exchanges between the network client and the file system. AFS does not encrypt the file system data. So, an eavesdropper can view the data that is requested or sent to an AFS server. Version 1.2 of DFS added the option of encryption and integrity guarantees (reference 5).
Cryptographic File System (CFS, reference 6) is a file system that acts as a local file system and uses another shadow file system as a repository of data. Each directory of the file system has an encryption key associated that is used to encrypt important meta-data (such as filenames and symbolic links) and file data. CFS uses a modified Data Encryption Standard (reference 7) to perform the encryption. Data is encrypted and then stored in the shadow file system. Each file in CFS has a corresponding file in the shadow file system. Using NFS as the shadow file system allows CFS to act as a network file system. Since the shadow file system is the repository of data, it must provide authentication for changes to the files. If NFS is used as the shadow file system, for example, CFS can be subject to replays (i.e., a copy of the data is presented to pretend that it is coming from the originator).
In general, the above-described distributed file systems run on general purpose hardware and general purpose operating systems. There has been work done to design hardware and operating systems specifically for file serving. An example of this is the "file server appliance" described in reference 8. Special purpose file servers are able to outperform file servers running on general purpose platforms because they can be optimized for file serving. However, these file servers are still left with the security problems inherent in the distributed file systems they are supporting.
Other storage device configurations are defined in the Serial Storage Architecture (SSA, reference 9) and Fibre Channel Arbitrated Loop (FCAL, reference 10) to allow a network of the devices and host computers to share resources. These types of storage networks are inherently private. Thus, many of the above security problems can be ignored (and not adequately addressed) where the hosts and devices attached to the storage network are trusted.
Architectural convergence of LAN and I/O devices is occurring because one interconnect can often satisfy both environments. The network is emerging as the future "backplane" of high-performance systems. Studies have shown that attaching storage devices to an area network can reduce the load on file servers, resulting in improved performance of the distributed file system (reference 11). Traditionally, storage networks such as SSA and FCAL are isolated networks. Isolated networks limit access to only the hosts and devices directly connected to the network. In general, local area networks are interconnected to other networks. The interconnection of networks make it more difficult to limit access to hosts and devices. In particular, TCP/IP is vulnerable to a variety of security attacks. Often, proposals to LAN-attached storage devices ignore the security implications of controlling device access in this more vulnerable environment. In reference 11, Gibson et al. propose using time-limited capabilities and secure coprocessors to establish a secure communication channel to the storage device, in which the security of the data on the device rests with the security of the coprocessor.
Accordingly, there is still a need for a secure network of storage devices that can support a distributed network file system in which data can be moved, archived, and backed up in a secure manner, files can be securely copied directly from one device to another, and all data encryption is handled by the clients rather the devices to overcome the above-described security problems.