Network management Toolkit

Lock down your SAN

Michael Mullins

Published: 23 Jun 2005 13:40 BST

Implementing a storage area network (SAN) is a productive and cost-effective method for off-loading disk space from your servers and centralising your network file resources. However, securing a SAN is no simple task.

If all of your organisation's user data and databases reside on one host, then you must ensure maximum protection for that device. The key to securing your SAN is a mixture of SAN-specific and common security measures.

SAN-specific security methods
Most SANs offer two methods for securing your storage devices: zoning and logical unit number (LUN) masking.

Zoning
Zoning comes in two flavours -- hard and soft. The difference between the two is simple: You configure hard zoning in the hardware, and you configure soft zoning using software.

Hard zoning is port-based: it limits traffic between a specific attached host adapter and the array attached to the switch port. This method is extremely secure, but it can be administratively intensive if the network requires reconfiguration.

With soft zoning, also called World Wide Name (WWN) zoning, each element in the fabric receives a WWN for identification. The name server in the switch determines which WWNs it will allow to communicate within each defined zone.

Because zones don't change when you reconfigure your network, WWN zoning is the more scalable method. However, WWNs are subject to spoofing, so it shouldn't be your only security control.

LUN masking
LUN masking is a method of masking multiple LUNs behind a single fabric connection. You can implement this on the RAID device or the host bus adapter (HBA).

This is a single-threaded method of limiting connections to a LUN, which houses a disk slice or network share. The benefit of LUN masking is that you can limit which disk space on your SAN is accessible over a given fabric connection between a server and the SAN.

This configuration provides tight security, and it scales well in large enterprises with multiple fabric switches and failover switch connections.
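To make the two controls above concrete, here is a small policy model of zoning and LUN masking as the article describes them. It is an added example, not vendor code or anything from the original article: the fabric layout, the port names and the "WWN-…" labels (standing in for real 64-bit WWNs) are constructed, and the rule that an array port in no hard zone falls through to soft zoning is a modelling assumption.

```python
def zoned_together(zones, a, b):
    """True if a and b share at least one zone (zones is a list of sets)."""
    return any(a in z and b in z for z in zones)

def path_permitted(fabric, host_wwn, host_port, array_wwn, lun):
    """Evaluate each control on the path from a host to one LUN.

    host_port is the switch port the frames arrive on; host_wwn is the
    identity the HBA presents.  Hard zones are keyed on ports, soft zones
    and LUN masks on WWNs, so the two are checked independently.  Model
    assumption: an array port in no hard zone falls through to soft zoning.
    Returns (allowed, reason).
    """
    hard, soft, masks = fabric["hard_zones"], fabric["soft_zones"], fabric["lun_masks"]
    array_port = fabric["port_of"][array_wwn]
    if any(array_port in z for z in hard) and not zoned_together(hard, host_port, array_port):
        return False, "blocked by hard (port) zoning"
    if not zoned_together(soft, host_wwn, array_wwn):
        return False, "blocked by soft (WWN) zoning"
    if host_wwn not in masks.get((array_wwn, lun), set()):
        return False, "blocked by LUN masking"
    return True, "allowed"

def wwn_only_luns(fabric):
    """LUNs gated solely by WWN-keyed controls (no hard zone covers the
    array port): the 'WWN zoning as your only control' case the article
    warns about.  Sorted for stable reporting."""
    return sorted(
        (array_wwn, lun)
        for (array_wwn, lun) in fabric["lun_masks"]
        if not any(fabric["port_of"][array_wwn] in z for z in fabric["hard_zones"])
    )

# Constructed fabric (hypothetical labels stand in for real WWNs; ports are switch slots).
FABRIC = {
    "port_of": {"WWN-web": "p1", "WWN-db": "p2", "WWN-arrA": "p7", "WWN-arrB": "p8"},
    "hard_zones": [{"p1", "p7"}, {"p2", "p7"}],          # port-based; arrB's p8 is in none
    "soft_zones": [{"WWN-web", "WWN-arrA"}, {"WWN-db", "WWN-arrA"}, {"WWN-db", "WWN-arrB"}],
    "lun_masks": {("WWN-arrA", 0): {"WWN-web"},           # web content slice
                  ("WWN-arrA", 1): {"WWN-db"},            # database slice
                  ("WWN-arrB", 0): {"WWN-db"}},           # slice on the array with no hard zone
}

if __name__ == "__main__":
    for host, port, arr, lun in [("WWN-web", "p1", "WWN-arrA", 0), ("WWN-web", "p1", "WWN-arrA", 1),
                                 ("WWN-db", "p3", "WWN-arrA", 1)]:
        print(host, port, arr, lun, path_permitted(FABRIC, host, port, arr, lun))
    print("LUNs protected only by WWN-keyed controls:", wwn_only_luns(FABRIC))
```

The audit function is the part worth keeping: run over a real zone and mask export, it lists every LUN whose only gate is an identity the HBA presents rather than the port it is cabled to.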

Common security methods
If your organisation's SAN hosts data for its Web server, you should enable the Web sharing protocol for that portion of the SAN and implement an access control list to restrict traffic to that portion of the SAN and the Web server. Then, if someone compromises your organisation's Web server, only the documents and files that are accessible via the Web protocol will be vulnerable.

Follow normal access control procedures on all SAN shares, and allow only the SAN administrators remote access to the SAN operating system. Remember that SANs are common storage points, and they should never initiate a connection beyond the borders of your network.

Final thoughts
Organisations must address SAN security at every level across the enterprise. Keep in mind that the methods I've discussed vary in their implementation according to which SAN vendor your organisation uses.

If you're not a storage guru, ask your vendor to explain SAN security in depth for its products. Then, implement a SAN security solution as soon as possible.
