SAN

SECURITY

Security is now a major concern: data has to be protected from outsiders who could pose a threat. According to IBM, “SANs have ‘broken’ the traditional direct-attached storage paradigm of servers being cabled directly to servers; the inherent security that this provided has been lost. The SAN and its resources may be shared by many users and many departments. The SAN may be shared by different operating systems that have differing ideas as to who owns what storage. To protect the privacy and safeguard the storage, SAN vendors came up with a segmentation tool, zoning, to overcome this. The fabric itself would enforce the separation of data so that only those users intended to have access could communicate with the data they were supposed to. Zoning, however, does not provide security. For example, if data is being transmitted over a link it would be possible to “sniff” the link with an analyzer and steal the data. This is a vulnerability that becomes even more evident when the data itself has to travel outside of the data center, and over long distances. This will often involve transmission over networks that are owned by different carriers.

More often than not, data is not encrypted before being sent, and this itself means that stealing data could be extremely fruitful. The introduction of multiprotocol devices that allow Fibre Channel hosts to connect to Gigabit Ethernet switches has, in a touch of irony to those that see these as competing technologies, allowed the introduction of IP Security (IPSec) into the Fibre Channel world. There are also third-party devices that will provide encryption using tried and trusted algorithms. It would be naive to expect that the required level of security can be achieved from any one of the methodologies and technologies, independent of all others, that we will discuss in this chapter. The storage architect needs to understand, and administrators accept, that in a SAN environment, often with a combination of diverse operating systems and vendor storage devices, some combination of technologies could be required to ensure that the SAN is secure from unauthorized systems and users. In terms of making the fabric and the data as secure as possible, these are some of the questions that need to be answered:

How do we stop hosts in the SAN from taking over all the storage (LUNs) that they see?

How can we segregate operating systems and at what level?

How can we segregate different applications on the fabric?

How do we allow a host to access some LUNs and not others?

How do we provide switch-to-switch security?

How do we protect the fabric from unauthorized hosts logging in?

How do we provide users with different authorization levels?

How do we track, or audit, any changes?


SANs, and their ability to make data highly available, need to be tempered by well-thought-out, and more importantly implemented, security policies that manage how devices interact within the SAN. It is essential that the SAN environment implements a number of safeguards to ensure data integrity, and to prevent unwanted access from unauthorized systems and users.” (IBM, Introduction to Storage Area Networks, p. 155).
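The questions above about keeping a host from claiming every LUN it sees, giving it some LUNs and not others, and auditing changes can be illustrated with a toy model of the two fabric-side controls the IBM text names. This is an added example, not code from IBM or from this page: zoning decides which ports can see each other, LUN masking decides which LUNs a zoned host may use, and every change is logged. All WWPNs, zone names and LUN numbers are constructed sample values.

```python
# Added example, not IBM's code: toy model of fabric zoning + LUN masking with an audit log.
from dataclasses import dataclass, field

@dataclass
class Fabric:
    zones: dict = field(default_factory=dict)      # zone name -> set of port WWPNs
    lun_masks: dict = field(default_factory=dict)  # (target, host) -> set of LUN ids
    audit: list = field(default_factory=list)      # (actor, action, object, value)

    def add_zone(self, name, members, actor):
        # zoning: only ports that share a zone can see each other
        self.zones[name] = set(members)
        self.audit.append((actor, "zone", name, sorted(members)))

    def mask_luns(self, target, host, luns, actor):
        # LUN masking: the target exposes only these LUNs to this host
        self.lun_masks[(target, host)] = set(luns)
        self.audit.append((actor, "mask", f"{target}->{host}", sorted(luns)))

    def zoned_together(self, a, b):
        return any(a in z and b in z for z in self.zones.values())

    def can_access(self, host, target, lun):
        # both controls must agree: zoning alone lets a host claim every LUN it sees
        if not self.zoned_together(host, target):
            return False, "blocked by zoning: host cannot see target"
        if lun not in self.lun_masks.get((target, host), set()):
            return False, f"blocked by LUN masking: LUN {lun} not exposed to host"
        return True, "allowed: zoned and LUN unmasked"

# constructed sample WWPNs: two hosts of different OSes share one array
WIN_HOST = "10:00:00:00:c9:11:11:01"
UNIX_HOST = "10:00:00:00:c9:22:22:01"
ROGUE_HOST = "10:00:00:00:c9:33:33:01"   # cabled into the fabric but never zoned
ARRAY = "50:06:01:60:aa:bb:cc:01"

def build_sample_fabric():
    f = Fabric()
    # single-initiator zones: each host sees the array, never the other host
    f.add_zone("z_win_array", [WIN_HOST, ARRAY], actor="storage-admin")
    f.add_zone("z_unix_array", [UNIX_HOST, ARRAY], actor="storage-admin")
    f.mask_luns(ARRAY, WIN_HOST, [0, 1], actor="storage-admin")
    f.mask_luns(ARRAY, UNIX_HOST, [2, 3], actor="storage-admin")
    return f

if __name__ == "__main__":
    f = build_sample_fabric()
    for host, lun in [(WIN_HOST, 0), (WIN_HOST, 2), (ROGUE_HOST, 0)]:
        print(host, lun, *f.can_access(host, ARRAY, lun))
    print("audit entries:", f.audit)
```

The audit list is what answers the last question: every zone or mask change records who made it, so an unexpected LUN appearing on a host can be traced to a configuration change rather than guessed at.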
