An effective storage management solution must consider the role of SAN security in ensuring network and data integrity. When Direct Attached Storage (DAS) was the majority of storage, security was not an issue. By preventing access to the server you could stop access to the server-owned storage resources of disk and tape. Holes in SAN security practices can threaten data integrity and system availability.
The Role of Security in
Storage Operations Management
An effective storage management solution must consider the role of security in ensuringnetwork and data integrity. When Direct Attached Storage (DAS) was the majority ofstorage, security was not an issue. By preventing access to the server you could stopaccess to the server-owned storage resources of disk and tape. Unlike DAS, StorageArea Networks (SANs) allow multiple access points. Holes in SAN security practicescan threaten data integrity and system availability.
An effective storage management solution should implement security practices for:. Storage array volume access control. Volume access control on the host. Device configuration access control. Storage management software access. Proactive detection and notification of access violations, auditing and logging
Storage Array Volume Access ControlR The complexity of future SANs andE the choices that need to be madeP Direct-attached storage technology assumes that a to ensure security and propersingle host system controls access to each storage access require system andA
device or subsystem. Most operating and file storage administrators to possessP
systems weren't developed to support shared access a tremendous amount ofE to storage for more than one host system as enabled knowledge. This complexity canin today's storage networks. For example, a file be resolved by having one centralT
I system's volume table of contents (VTOC) is a data point of control for configuring andmanaging your networked storageH structure that the file system uses for tracking of its environment.internal configuration. Some operating and fileW
systems, particularly Microsoft Windows, willoverwrite an existing VTOC with its own signature when accessing another system'sstorage. The result is that the existing data on the storage subsystem becomesinaccessible and the data can become corrupted.
Three methods of storage access control segregate the I/O path to prevent incom-patible systems from accessing another system's storage. A well designed storagemanagement solution should automate the configuration of your SAN to enforce thebest security methods. The three methods are:1. Switch or fabric-based zoning2. LUN management and port zoning at the storage subsystem3. LUN masking at the server
Page 1Switch or fabric-based zoning
The Fibre Channel standard governing SAN products is wide open by default. Applicationservers are potentially aware of all SAN devices, with unrestricted access to any disk.Zoning is a switch function that addresses this problem by creating a logical, closedpath from the host server to the storage array. Devices can be restricted to singlezones or shared zones. For example, a server may be in one zone with a RAID andshare a second zone with a tape library. A well designed storage operationsmanagement solution should allow you to define, by policy, which zone a givenapplication's volume or database should belong to ensure automatic securityenforcement. Figure 1 depicts a typical zone configuration. In this diagram, server 1and server 2 share two disk subsystems, 1 and 2, in Zone A. Note that server 2 is alsoin Zone B. Also in Zone B is storage subsystem 3, only accessible by server 2. Thissubsystem could be used for a snapshot mirror of the clustered servers in Zone A. InZone C, the server 3 and storage subsystem 4 are not shared by any other zones butuse the same switch infrastructure for connectivity.
ZZoonnee BB
SSStttooorrraaagggeee SSSuuubbbsssyyysssttteeemmmsss 333SSeerrvveerr 22
SSeerrvveerr 11
TTaappee LLiibbrraarryySSSwwwiiitttccchhh
SSStttooorrraaagggeee SSSuuubbbsssyyysssttteeemmmsss 111 SSeerrvveerr 33SSStttooorrraaagggeee SSSuuubbbsssyyysssttteeemmmsss 222 SSStttooorrraaagggeee SSSuuubbbsssyyysssttteeemmmsss 444
ZZoonnee AA ZZoonnee CC
Figure 1: Example of switch or fabric-based zoning
As the complexity of your fabric(s) grows, ensuring that your zoning policies areenforced becomes a difficult manual task. This task becomes even more exasperatingif you add different manufacturer's switches and/or directors which result in multipleuser interfaces. Even different models from the same manufacturer may have a differentuser interface. A well-design... [download for more]
