Section 7.7. SAN Security

SAN security is still evolving. At present it consists largely of guarding physical access and of ensuring that two different entities have two physically separate SANs deployed. As discussed later in this section, switch vendors, for instance, have developed some solutions, and the Storage Networking Industry Association (SNIA) Security Working Group actively advocates solutions and educates the industry.

The SNIA Security Working Group is active in

  • Defining the problems and threats

  • Developing and evangelizing about best practices

  • Developing educational materials for the industry

The working group has identified some areas that need attention, in order to ensure SAN security. Here are the highlights:

  • Solutions developed for SAN security need to secure both data access and storage management activities.

  • Data confidentiality must be assured on an end-to-end basis: not just between the two communicating end nodes, but also between the two communicating applications.

Fibre Channel switches, especially high-end Fibre Channel switches, play an increasingly important role in SAN management and SAN security. Switches play a role in fabric management, port enabling and disabling, and zone management. Switch vendors such as Brocade and McDATA have added features in their switches to enhance SAN security, including the following:

  • The ability to associate a device with a particular port on the switch; for example, an HBA connected to a server may connect only to a particular switch port. The association uses the World Wide Name of the device, in this case the HBA WWN, and any access attempt from a port that fails the match is rejected. In this example the server will not function on a different port, and a new malicious server cannot connect to the fabric using a random port.

  • The requirement of authorization for switches to join the fabric. Authorization is enforced by several techniques. If no new switches may join a fabric without explicit administrator intervention, the fabric ports are configured to operate as F, G, or E ports only. (See Chapter 4 for a review of the different Fibre Channel port types.) The basic idea is to restrict the ability of the port to autodetect the type of device at the other end and configure itself accordingly. Another technique is to require new switches joining a fabric to provide security information such as a digital certificate and password.

  • Securing configuration changes made to the SAN with well-known security techniques; for example, all configuration changes require a digital certificate, user identity, and password.

  • Restriction of ways to allow changes; for example, only certain designated switches can make fabric changes, resulting in a rejection of all changes initiated by other switches.

  • Zoning (explained in Chapter 4), which is another way to ensure SAN security.
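To make the switch-side controls in this list concrete, here is an added example (not from the book, and not any vendor's switch firmware) that models a fabric admission policy in Python: port-type lockdown, port/WWN binding, administrator-authorized switch joins, and zoning, with an audit record of every decision. The port ids, WWNs, and zone names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

def normalize_wwn(wwn: str) -> str:
    """Canonical lower-case, colon-separated form of an 8-byte WWN (accepts '10000000C9A1B2C3' too)."""
    raw = re.sub(r"[^0-9a-fA-F]", "", wwn).lower()
    if len(raw) != 16:
        raise ValueError(f"malformed WWN: {wwn!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 16, 2))

class Fabric:
    """Hypothetical switch admission policy: port lockdown, port/WWN binding, switch authorization, zoning."""
    def __init__(self, ports, zones: Dict[str, List[str]], authorized_switches: List[str]) -> None:
        # ports: port id -> (allowed login types, subset of {"F", "E"}; a G_Port autodetects, so it allows both),
        # plus an optional bound device WWN, meaning only that device may use the port and only on that port
        self.ports = {p: (t, normalize_wwn(w) if w else None) for p, (t, w) in ports.items()}
        self.bindings = {w: p for p, (_, w) in self.ports.items() if w}   # reverse map: device -> its port
        self.zones = {z: {normalize_wwn(w) for w in m} for z, m in zones.items()}
        self.authorized_switches = {normalize_wwn(w) for w in authorized_switches}
        self.audit: List[Tuple[str, str, str, str]] = []                  # (port, wwn, ALLOW/DENY, reason)

    def admit(self, port: str, wwn: str, login_type: str) -> Tuple[bool, str]:
        """Evaluate one login: login_type 'F' is a node (HBA) login, 'E' is a switch trying to form an ISL."""
        try:
            w = normalize_wwn(wwn)
        except ValueError as e:
            return self._decide(port, wwn, False, str(e))
        if port not in self.ports:
            return self._decide(port, w, False, "unknown port")
        allowed, bound = self.ports[port]
        if login_type not in allowed:           # locked port refuses to come up as another port type
            return self._decide(port, w, False, f"port locked to {sorted(allowed)}, refused {login_type}_Port login")
        if bound and bound != w:                # a different device plugged into a bound port
            return self._decide(port, w, False, f"port bound to {bound}")
        if w in self.bindings and self.bindings[w] != port:   # a bound device moved to another port
            return self._decide(port, w, False, f"device bound to {self.bindings[w]}")
        if login_type == "E" and w not in self.authorized_switches:
            return self._decide(port, w, False, "switch not authorized by administrator")
        if login_type == "F" and not any(w in m for m in self.zones.values()):
            return self._decide(port, w, False, "device not a member of any zone")
        return self._decide(port, w, True, "admitted")

    def _decide(self, port: str, wwn: str, ok: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append((port, wwn, "ALLOW" if ok else "DENY", reason))  # record for the SAN administrator
        return ok, reason

def example_fabric() -> Fabric:
    """Constructed sample policy: port1 bound to a server HBA, port2 a free F_Port, port3 an ISL (E) port."""
    return Fabric(
        ports={"port1": (frozenset({"F"}), "10:00:00:00:c9:a1:b2:c3"),
               "port2": (frozenset({"F"}), None), "port3": (frozenset({"E"}), None)},
        zones={"zone_db": ["10:00:00:00:c9:a1:b2:c3", "50:06:01:60:00:00:00:01"]},
        authorized_switches=["10:00:00:05:1e:00:00:aa"])
```

The audit list is the part a defender cares about: a DENY with "port locked" or "port bound" on a production fabric is the signal that an unexpected device or switch was cabled in.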
Inside Windows Storage
Inside Windows Storage: Server Storage Technologies for Windows 2000, Windows Server 2003 and Beyond
ISBN: 032112698X
Year: 2003
Pages: 111
Authors: Dilip C. Naik
