The Basics of SAN Security, Part I
Data Integrity and Security
SAN implementations make data highly accessible; as a result, heightened network security and processes optimized for data transfers are needed. Fabric zoning establishes the way devices in the SAN interact, establishing a certain level of management and security.
So What Is Zoning?
Zoning is a fabric-centric enforced method of creating barriers on the fabric to prevent set groups of devices from interacting with each other. SAN architectures provide port-to-port connections among servers and storage devices through bridges, switches, and hubs. Zoning sets up efficient methods of managing, partitioning, and controlling pathways to and from storage devices on the SAN fabric; as a result, storage resources are maximized, and data integrity and data security are maintained. Additionally, zoning enables heterogeneous devices to be grouped by operating system, and further demarcation based on application, function, or department.
There are two types of zoning: Soft zoning and Hard zoning.
Soft zoning uses software to enforce zoning. The zoning process uses the name server database located in the fibre-channel switch. As previously mentioned, the name server database stores the port numbers and world wide names (WWNs) used to identify devices during the zoning process. The devices in the database receive a Registered State Change Notification (RSCN) when a zone change is made, and each device must correctly act on the RSCN in order to change the affected communication paths. Any device that does not correctly act on the RSCN, yet continues to transfer data to a specific device after a zoning change, will be blocked from communicating with its targeted device.
Hard zoning specifies each device in a zone only by its WWN. It requires each device's traffic to pass through the switch's route table, so that the switch itself regulates data transfers according to the verified zone. For example, if two ports are not authorized to communicate with each other, the route table entries for those ports are disabled, and communication between those ports is blocked.
Configuring Zoning Components
Zone configurations are based on either the WWN of the device or the physical port that the device plugs into. Zoning components include:
- Zone members.
- Zone sets.
A zone is made up of servers and storage devices on the SAN fabric that can access each other through managed port-to-port connections. Devices in the same zone can recognize and communicate with each other, but not necessarily with devices in other zones, unless a device in that zone is configured for multiple zones.
Zone members are the devices assigned to a given zone. They are restricted to intra-zone communication: a member can interact only with other members of its assigned zone, and interaction with devices outside that zone is not permitted unless the device has been configured as a member of multiple zones.
Identifying Zone Members
Zone members are recognized by port number or world wide name (WWN). As previously explained, a WWN is a 64-bit number that uniquely identifies zone members.
A group of zones that function together on the fabric is known as a zone set. Each zone set can accommodate up to 256 zones. All devices in a zone see only the devices assigned to their zone, but any device in that zone can also be a member of other zones. Now, let's look at a zoning limitation that motivates logical unit number (LUN) masking: today, fabric zoning cannot mask individual tape or disk LUNs that sit behind a device port.
LUN masking is a RAID (Redundant Array of Independent, or Inexpensive, Disks) system-centric enforced method of hiding multiple LUNs behind a single port. It is configured at the RAID-array level using the World Wide Port Names (WWPNs) of the server HBAs. LUN masking also allows disk storage resources to be shared across multiple independent servers: a single large RAID device can be subdivided to serve a number of different hosts attached to it through the SAN fabric, and each LUN (a disk slice, portion, or unit) inside the RAID device can be restricted so that only one server, or a limited number of servers, can see it.
LUN masking can be done either at the RAID device (behind the RAID port) or at the server HBA. It is more secure to mask LUNs at the RAID device, but not all RAID devices have LUN masking capability. Therefore, in order to mask LUNs, some HBA vendors allow persistent binding at the driver-level.
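The two layers described above, fabric zoning by WWN and RAID-side LUN masking by HBA WWPN, are easiest to reason about when evaluated together. The following is an added example, not code from the original article: it checks a zone set against the 256-zone limit and the 64-bit WWN format, decides whether two devices are zoned together, and then computes which hosts can actually see each LUN once both zoning and masking are applied, flagging any LUN exposed to more servers than intended. All WWNs, zone names and LUN numbers are constructed sample values.

```python
# Added example, not from the article: apply the two layers described above --
# WWN-based fabric zoning and RAID-side LUN masking keyed by HBA WWPN -- to see
# which hosts can really reach which LUNs. All WWNs and LUN numbers are constructed.
import re

MAX_ZONES_PER_ZONE_SET = 256                             # limit given in the article
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")   # 64-bit WWN as 8 octets

def is_valid_wwn(wwn):
    """True if wwn is a well-formed 64-bit WWN in hh:hh:...:hh notation."""
    return bool(WWN_RE.match(wwn.lower()))

def validate_zone_set(zone_set):
    """Reject a zone set that exceeds 256 zones or contains malformed WWNs."""
    if len(zone_set) > MAX_ZONES_PER_ZONE_SET:
        raise ValueError("zone set exceeds %d zones" % MAX_ZONES_PER_ZONE_SET)
    for name, members in zone_set.items():
        bad = sorted(m for m in members if not is_valid_wwn(m))
        if bad:
            raise ValueError("zone %s has malformed WWNs: %s" % (name, bad))

def can_communicate(zone_set, wwn_a, wwn_b):
    """Zoning check: two devices may talk only if some zone holds both of them."""
    return any(wwn_a in zone and wwn_b in zone for zone in zone_set.values())

def effective_access(zone_set, lun_masks, array_port):
    """LUN -> hosts whose WWPN is in the LUN mask AND is zoned with the array port."""
    return {lun: sorted(h for h in hosts if can_communicate(zone_set, h, array_port))
            for lun, hosts in lun_masks.items()}

def overshared_luns(access, limit=1):
    """LUNs visible to more hosts than intended ('one or a limited number')."""
    return sorted(lun for lun, hosts in access.items() if len(hosts) > limit)

# Constructed sample fabric: two host HBAs, one RAID array port, one tape router.
HOST_A = "10:00:00:00:c9:aa:aa:01"
HOST_B = "10:00:00:00:c9:bb:bb:02"
ARRAY = "50:06:01:60:ff:ff:00:10"
TAPE = "10:00:00:05:1e:12:34:56"
ZONE_SET = {                       # HOST_A belongs to two zones, as the text allows
    "hostA_disk": {HOST_A, ARRAY},
    "hostB_disk": {HOST_B, ARRAY},
    "hostA_tape": {HOST_A, TAPE},
}
# LUN 2 is masked to both HBAs, so two servers see it; LUNs 0 and 1 to one each.
LUN_MASKS = {0: {HOST_A}, 1: {HOST_B}, 2: {HOST_A, HOST_B}}

if __name__ == "__main__":
    validate_zone_set(ZONE_SET)
    print(overshared_luns(effective_access(ZONE_SET, LUN_MASKS, ARRAY)))  # [2]
```

Note that HOST_B is masked out of the tape path purely by zoning (it shares no zone with TAPE), while LUN 2 is reachable by both hosts because the array-side mask, not the fabric, is the only control that could have narrowed it.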
Persistent binding is a host-centric enforced way of directing an operating system to assign specific small computer system interface (SCSI) target IDs and LUNs. For example, a given host will always assign a particular SCSI target ID to the first router it finds, and particular LUNs to the three tape drives attached to that router. Operating systems and upper-level applications (such as backup software) typically require a static or predictable SCSI target ID for storage reliability, and persistent binding provides that.