SANs have some inbuilt security says Stewart Buchanan, but this does not mean you should relax your guard
Taken at face value, SAN security seems like a strange concept to anyone who understands what a storage area network (SAN) does. In fact SANs have their own special security infrastructure that we all take for granted but it is not network security in any conventional TCP/IP sense.
In a straightforward SAN, there is no connection to a conventional local area network. A SAN is a separate high performance device network that links servers to centralised storage, typically using optical cabling. SANs are often called the network behind the server, but they are not networks in any conventional sense because they run the SCSI protocol over fibre channel.
The only way data on a SAN can be accessed is by the server to which it is allocated. The security of the SAN, PCI or SCSI bus is therefore simply the security of the server. SANs were not designed to use the TCP/IP protocol because it is neither efficient nor appropriate. Security concerns could also be added. Some SAN components have Ethernet ports for management that are typically SNMP and/or web enabled. It is clearly best practice to restrict access to such management networks, but these exact same security issues have existed for some time with conventional LAN hardware. Securing them is a LAN security issue not a SAN one.
Security levels in a SAN
SANs are designed with up to three levels of security. Servers never know that their storage is not local. Within a SAN storage subsystem, disk arrays are created with logical volumes, each identified by a logical unit number (LUN). Each volume can then be mapped through a specific storage controller port to a specific fibre channel adapter in the host computer. This technique is known as LUN mapping. Each server remains unaware that any other servers or disk volumes exist on their SAN. This illusion is enforced further by zoning on each fabric switch or director.
The fabric has more in common with ATM than Ethernet, but zones can be compared with virtual LANs that segment the network into groups of switch ports or worldwide names (WWNs). However, zones can and must often overlap for advanced applications and backup drive and library sharing. This is even more important in cases where a server's storage is being backed up to tape by a third party.
The third level of security is LUN masking, where a host computer is configured to ignore all but its allocated storage. This last layer has fallen into disuse because LUN mapping and switch zoning are effective and easier to configure. These layers of session security are even more important when multiple alternate paths are created between servers and storage for redundancy. Most enterprise SANs are now deployed with alternate paths for redundancy and advanced data protection.
Data can be mirrored between sites in real time over a 'wide area' SAN at light speed. While the skills and equipment needed to hack into a TCP/IP network are widely available, this is not the case for SCSI over fibre channel protocol SANs. Equipment is also available for real-time further signal encryption to demanding security standards.
The lower cost alternatives of leased line, Sonet, or DSL connections are especially attractive when only asynchronous mirroring or replication after write are being used to update a recovery site. Different devices exist to encapsulate the data within ATM or TCP/IP so that it can be transported over a conventional wide area network (WAN). Of course as soon as the data is encapsulated in TCP/IP it can be submitted to the same encryption and security regime as any other traffic on the WAN. At this point SAN security simply becomes a WAN security issue.
Stewart Buchanan is systems integration consultant for Sagitta Inc. (www.sagitta.com).
SANs security trends
Networked storage tends to fit into two camps. On one hand is network attached storage (NAS), which is more or less similar to traditional file-and-print services. As such, the traditional security methods apply.
Then there are fabric-attached SANs. These allow for new levels of flexibility, scalability and performance because new devices can be added with great ease, even in distributed networks. With a new network, and a new set of technologies, protocols and standards, there come new security challenges.
Today, many storage networks bridge both camps, providing elements of both NAS and SAN. Unfortunately, that usually means that security and management becomes more, not less, complex.
With the thirst for capacity exhibited by most computing environments, volume was traditionally the first priority for storage administrators. Management came second, with security straggling into third place.
But as SANs come to dominate the storage world, expect the black hats to focus more on the storage targets, finding weakness in protocols and implementations. Meta Group published research last year predicting that by 2007, 70 percent of worldwide storage will be fabric-attached, compared to only 25 percent at the time - a tempting target.
Access at the hardware level can be controlled by LUN masking and mapping, and zoning can improve performance, prevent accidental damage and limit the damage in the event of a node being compromised.