The Basics of SAN Security, Part II
With the development of Fibre Channel technologies, SANs are becoming a viable and even preferred solution for data management in enterprise, mid-sized and smaller networks. As previously defined in Part I, SANs are simply a means of centralizing data to provide high-performing, easy-to-manage data access. An open system architecture is therefore vital to an effective, versatile and broad SAN that attaches many different components while remaining easy to manage. In other words, managing a storage area network involves not only providing highly available data access and optimal performance; it is essential that all data on the SAN be completely secure at all times.
Fibre Channel Security Management
Fibre Channel continues to grow as the architecture of choice for providing high-speed, robust and scalable interconnects for SANs. The storage industry is witnessing a rapid increase in the number of servers and storage devices attached to SANs. As system administrators become more comfortable with the highly available, consolidated data access that a SAN brings to their storage environment, SANs themselves are growing in complexity. As a result, security measures are required to ensure safe server and storage access and to guard against accidental reconfiguration that could compromise security.
Security, driven by the storage administrator's security policies, is a broad topic and one that evokes a myriad of solutions. Fibre Channel enables the separation of storage and server, unlike the small computer system interface (SCSI), where the interconnect scheme is confined to the servers' cabinetry. This brings a host of new security challenges: the exposure of critical business data over increased distances, greater availability, heterogeneous implementations, automatic reconfiguration, increased services and changes in strong model administration.
Fibre Channel is not a secure protocol by itself. Without certain security measures implemented within a Fibre Channel SAN, application servers will be able to see all devices on the SAN and could even write to the same physical disk. As previously discussed in Part I, the two most common methods of providing security on a Fibre Channel SAN are zoning and LUN masking.
As you know, zoning is a function provided by fabric switches that allows segregation of a node by physical port, name or address. The zones are similar to virtual local area networks (VLANs) in data networking in the way they establish a "virtual SAN" within a SAN. Zoning works by inclusion. Zone members have any-to-any connectivity within the zone and non-members have none. Zoning can be implemented using either hardware or software.
As previously discussed in Part I, hardware zoning includes hard zoning, where zones are established by linking ports on the Fibre Channel fabric, and soft zoning, where zones are established using the World Wide Name (WWN) of the Fibre Channel devices connected to the fabric. Zoning by port is easier to implement but less flexible than zoning by WWN. Hard zoning does not allow zones to overlap or to "follow" a zone member whose switch port changes. In other words, when hard zoning is used, the zones must be reconfigured whenever a Fibre Channel device in the SAN changes its switch port. With soft zoning, the zone can follow a Fibre Channel device when it is moved from one port to another.
Zoning can also be implemented through software, the Simple Name Server (SNS), which runs inside the fabric switch. Software zoning defines the members of a zone by their World Wide Node Name and World Wide Port Name. When a specific host logs into the SAN and requests the available storage devices, the SNS checks the zoning table for all storage devices available to that host, and the host sees only those devices defined for it in the zoning table. There is, however, a potential security issue in software zoning: on certain operating systems, the host could make a direct connection to a storage device without asking the SNS for the information in the zoning table.
Many IT administrators use LUN Masking to limit access to storage devices and further protect the SAN. By filtering access to specific storage resources on the SAN, LUN Masking goes one step beyond zoning. LUN Masking can be provided through hardware (i.e. intelligent bridges, routers or storage controllers) or through software, a piece of code residing on each computer connected to the SAN. For each application server connected to the SAN, LUN Masking effectively masks off the LUNs that are not assigned to that server, allowing only the assigned LUNs to appear to the application server's operating system. The hardware connections to the other LUNs still exist, but LUN Masking makes those LUNs invisible. Managing paths by LUN Masking is a reasonable solution for small SANs; however, due to the extensive amount of configuration and maintenance involved, it is cumbersome for larger SANs.
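To make the two mechanisms concrete, here is an added example (not from the original article) that models a small fabric and resolves what a host's operating system would see: hard zoning by switch port, soft zoning by WWPN, then LUN masking applied on top. The node names, WWPNs, port numbers and LUN assignments are constructed sample values, and it also shows the port-move case the text describes, where a hard zone breaks but a soft zone follows the device.

```python
from dataclasses import dataclass


@dataclass
class Node:
    wwpn: str   # World Wide Port Name, fixed to the HBA or array port
    port: int   # switch port the node is currently cabled to


class Fabric:
    """Constructed model of fabric zoning plus LUN masking (not a vendor API)."""

    def __init__(self, nodes, hard_zones, soft_zones, lun_masks):
        self.nodes = nodes            # name -> Node
        self.hard_zones = hard_zones  # list of sets of switch ports
        self.soft_zones = soft_zones  # list of sets of WWPNs
        self.lun_masks = lun_masks    # storage name -> {host WWPN: set of LUN ids}

    def zoned_together(self, a, b, mode):
        """True if both nodes are members of one zone under the given mode."""
        na, nb = self.nodes[a], self.nodes[b]
        if mode == "hard":   # membership keyed by physical switch port
            return any({na.port, nb.port} <= z for z in self.hard_zones)
        return any({na.wwpn, nb.wwpn} <= z for z in self.soft_zones)  # keyed by WWPN

    def visible_luns(self, host, storage, mode):
        """LUNs the host OS sees: zoning decides reachability, masking filters LUNs."""
        if not self.zoned_together(host, storage, mode):
            return set()
        return set(self.lun_masks.get(storage, {}).get(self.nodes[host].wwpn, set()))

    def move_host_port(self, host, new_port):
        """Re-cable a host to another switch port; its WWPN does not change."""
        self.nodes[host].port = new_port


# Constructed sample WWPNs for two application servers and one array port.
HOST1, HOST2 = "10:00:00:00:c9:aa:aa:01", "10:00:00:00:c9:aa:aa:02"
ARRAY = "50:06:01:60:bb:bb:00:01"


def build_sample_fabric():
    nodes = {"app1": Node(HOST1, 1), "app2": Node(HOST2, 2), "array": Node(ARRAY, 8)}
    hard_zones = [{1, 8}, {2, 8}]                    # port-based zones
    soft_zones = [{HOST1, ARRAY}, {HOST2, ARRAY}]    # WWPN-based zones
    lun_masks = {"array": {HOST1: {0, 1}, HOST2: {2}}}  # per-host LUN assignment
    return Fabric(nodes, hard_zones, soft_zones, lun_masks)


if __name__ == "__main__":
    f = build_sample_fabric()
    print("app1 before move:", f.visible_luns("app1", "array", "hard"))
    f.move_host_port("app1", 3)  # hard zone no longer matches, soft zone still does
    print("hard:", f.visible_luns("app1", "array", "hard"), "soft:", f.visible_luns("app1", "array", "soft"))
```

Note that app2 shares a zone with the array yet sees only LUN 2, which is the masking layer doing its work after zoning has granted reachability.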
Thus, with the preceding in mind, the Fibre Channel security areas to manage are:
- Authentication and authorization
- Configuration management
- SAN areas