
A layered approach to IP SANs…

Zophar Santé discusses the security issues that companies must consider as they migrate to IP SANs for data backup and storage.

As the need for information storage and backup continues to rise rapidly, many companies have migrated away from Fibre Channel SANs and NAS and begun investigating and implementing cost-effective IP SANs. An IP SAN is a storage network that runs over an ordinary IP network: SCSI commands and data are carried inside TCP/IP packets (the iSCSI protocol) between an iSCSI initiator on the host and an iSCSI target on the storage device. The average company already has an IP-based infrastructure and established IT guidelines, making the implementation of an IP SAN easy and affordable.

However, because IP SANs may use the Internet, some companies hesitate. “Send my confidential company information via the Internet?” “Is it secure?” “How do I know that the right people will get the right information?” “How do I identify the right people?” These are legitimate questions that some insight into the available Internet, iSCSI and SAN technologies can answer.

An IP SAN includes four layers:
* LAN perimeter
* Inter-LAN communications
* Initiator authorisation
* Initiator authentication

IP SAN security is not left to any single layer: an iSCSI login passes through each layer in turn, and each layer applies its own check. How to protect each of them is the question.

Overview of an IP SAN
An IP SAN has three main types of components: storage devices, hosts and switches. The storage devices and hosts sit at opposite ends of the SAN and are connected in the middle through the IP network switches. iSCSI initiators in the host connect through the IP switch to iSCSI targets in the storage devices to access information.

IP SAN-enabling products – software, hardware or a combination – virtualise physical storage into custom-sized virtual volumes. Virtualisation can increase security in an IP SAN by partitioning physical storage into distinct volumes and applying access rules to each partition. Intelligent IP SAN switches sit in the data path between the storage devices and the IP network switch.

The LAN perimeter
The first layer of protection in an IP SAN is the wall separating the internal network or local area network (LAN) from the outside networks. This wall is the gateway through which information enters and leaves the LAN. Controlling this perimeter controls information access and flow.

A firewall usually sits on the perimeter between the internal and external networks. A firewall provides traffic control between these two networks. A firewall can be closed to stop all traffic flow or selectively opened at specific locations to allow specific IP traffic through.

An iSCSI initiator login attempt trying to pass through the firewall must come from a source address on the firewall's list of IPs allowed to cross it. If it does, it must also arrive on the correct port (TCP 3260 by default for iSCSI) and use the correct protocol. Source-address filtering alone is a weak check, since addresses can be spoofed, so where the firewall supports it, user or device authentication at the perimeter should be required as well.

The switch supports alternate iSCSI communication port configurations: a port other than the standard iSCSI port (TCP 3260) can be used, so that unauthorised login attempts must first find the listener. This is obscurity only and does not replace the authorisation and authentication layers described below; a port scan will still reveal the service.

Inter-LAN communications
If a LAN is closed to outside networks, information will be more secure. However, most companies need to be connected to outside networks. Isolation isn’t an option.

When information crosses through the private/public border, it can lose the security it enjoyed in a LAN. One cannot build a wall around information as it travels between networks. However, it is possible to create secure tunnels, and safeguard the information during its journey.

A virtual private network (VPN) creates an encrypted tunnel for data in motion between two LANs, typically using IPsec. A VPN appliance is placed at the public/private border of each LAN, and keys (or certificates) and peer groups are configured so that traffic is encrypted at one end and decrypted at the other, guarding against eavesdropping and tampering in transit.

When an iSCSI initiator login attempt passes through the firewall and travels to another LAN, it is encrypted by the VPN appliance as it leaves its LAN and decrypted by the VPN appliance at the entrance to the second LAN.

Intelligent IP SAN switches support VPN tunnelling appliances and methods, allowing information flowing through the switch to be encrypted during ‘public’ travel between LANs.

The iSCSI initiator login attempt that made it successfully through the firewall arrives securely to the switch’s LAN.

iSCSI initiator authorisation
So far, security measures have taken place in two layers of your IP SAN. An iSCSI initiator login attempt has qualified for access at each network layer. It is now at the specific iSCSI target device. Does the device allow anyone who can find it to log in? At this point, each device is on its own.

Certain devices support the creation of an access control list (ACL) for a target to establish which iSCSI initiators are allowed or denied access to it. Besides determining which initiators can access the device, the type of access can also be set: read-write or read-only.

At the switch layer, ACL configurations are supported on a per-target, per-initiator basis. The switch ACL identifies an initiator by its WWUI (world wide unique identifier), the iSCSI name the initiator presents at login (an iqn. or eui. name in RFC 3720 terms). More than one initiator can be allowed access to a target, and each initiator's access rights can be configured independently. Access to a target can also be explicitly denied to an iSCSI initiator. Note that an iSCSI name is a claim, not a proof: an ACL on its own only restricts who the initiator says it is, which is why the next layer is needed.
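The per-target, per-initiator model described above, as an added example written for this article (not SANRAD's switch code): initiators are identified by iSCSI name, each target carries its own allow/deny list with a read-write or read-only mode, and anything not listed is refused. The iSCSI names and the two-volume configuration are constructed for illustration.

```python
import re

# Per-target, per-initiator access control for iSCSI, modelled on the switch
# ACL described in the article. Example code written for this article, not
# SANRAD's implementation; every iSCSI name below is made up.
#
# An initiator is identified by its iSCSI name (RFC 3720), either
#   iqn.<yyyy-mm>.<reversed-domain>[:<label>]   or   eui.<16 hex digits>
ISCSI_NAME = re.compile(
    r"^(?:iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(?::\S+)?|eui\.[0-9a-fA-F]{16})$"
)

READ_WRITE, READ_ONLY, DENY = "rw", "ro", "deny"


def valid_iscsi_name(name: str) -> bool:
    """Reject anything that is not a well-formed iqn. or eui. name."""
    return bool(ISCSI_NAME.match(name))


class TargetAcl:
    """Access list for one iSCSI target. Initiators not listed are refused."""

    def __init__(self, target_name: str):
        if not valid_iscsi_name(target_name):
            raise ValueError(f"bad target name: {target_name}")
        self.target_name = target_name
        self._rules = {}   # initiator iSCSI name -> "rw" | "ro" | "deny"

    def set_rule(self, initiator_name: str, mode: str) -> None:
        if not valid_iscsi_name(initiator_name):
            raise ValueError(f"bad initiator name: {initiator_name}")
        if mode not in (READ_WRITE, READ_ONLY, DENY):
            raise ValueError(f"bad mode: {mode}")
        self._rules[initiator_name] = mode

    def decide(self, initiator_name: str, operation: str) -> bool:
        """True if initiator_name may perform operation ('read' or 'write')."""
        if operation not in ("read", "write"):
            raise ValueError(f"bad operation: {operation}")
        mode = self._rules.get(initiator_name, DENY)   # default deny
        if mode == DENY:
            return False
        if mode == READ_ONLY:
            return operation == "read"
        return True                                    # READ_WRITE


class SwitchAcl:
    """The switch keeps one TargetAcl per target it fronts."""

    def __init__(self):
        self._targets = {}

    def target(self, target_name: str) -> TargetAcl:
        if target_name not in self._targets:
            self._targets[target_name] = TargetAcl(target_name)
        return self._targets[target_name]

    def permitted(self, initiator_name: str, target_name: str, operation: str) -> bool:
        acl = self._targets.get(target_name)
        if acl is None:          # a target with no ACL configured admits nobody
            return False
        return acl.decide(initiator_name, operation)


def build_example_switch() -> SwitchAcl:
    """Constructed configuration: a backup volume and a reporting volume."""
    sw = SwitchAcl()
    backup = sw.target("iqn.2004-08.com.example.storage:backup-vol0")
    backup.set_rule("iqn.2004-08.com.example:backup-host1", READ_WRITE)
    backup.set_rule("iqn.2004-08.com.example:backup-host2", READ_ONLY)
    backup.set_rule("iqn.2004-08.com.example:lab-host", DENY)
    reports = sw.target("iqn.2004-08.com.example.storage:reports-vol0")
    reports.set_rule("eui.02004567A425678D", READ_ONLY)
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    vol = "iqn.2004-08.com.example.storage:backup-vol0"
    for host in ("backup-host1", "backup-host2", "lab-host", "stranger"):
        name = f"iqn.2004-08.com.example:{host}"
        print(host, "read:", sw.permitted(name, vol, "read"),
              "write:", sw.permitted(name, vol, "write"))
```

The explicit deny entry matters when a host is also covered by some broader rule elsewhere in the switch; here it simply documents that lab-host was considered and refused, which is easier to audit than an absent line.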

iSCSI initiator authentication
An iSCSI initiator login attempt seems to come from an ACL-approved source. But how do we know that the iSCSI initiator really is who it says it is? How do we know it isn’t an impostor? What if our club – the iSCSI target – has a secret handshake that all members need to know to gain admittance? Something more elaborate and foolproof than “I know Dave.”

Challenge-handshake authentication protocol (CHAP) is an authentication protocol that can be used to authenticate iSCSI initiators at target login. The target sends the initiator a random challenge; the initiator combines the challenge with the shared secret (its CHAP user name and password, configured on both sides) and returns a one-way hash of the result. The secret itself never crosses the wire. The target computes the same hash and, if the initiator's answer does not match, the iSCSI session login attempt is terminated. Because the challenge and response are visible to anyone on the path, the secret must be long and random enough to resist offline guessing; iSCSI also allows the initiator to challenge the target in turn (mutual CHAP), which protects against a rogue target.

The IP SAN switch ACL supports CHAP and SRP authentication for its iSCSI targets. The user name and password are configured and stored on the switch. As an additional safety measure, the switch includes a RADIUS client, so that instead of storing the user name and password together on the switch, the password can be held on a central RADIUS server that the switch consults at login.
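The CHAP exchange described above, as an added example written for this article (not SANRAD's switch code or any vendor's initiator): both sides of the login are modelled, the target keeps each challenge single-use, and a final function shows what an eavesdropper can do with one captured exchange, which is the reason the text insists on a strong secret. User names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

# iSCSI login authentication with CHAP (RFC 3720 section 11.1.4, which reuses
# the RFC 1994 algorithm). The target sends an identifier CHAP_I and a random
# challenge CHAP_C; the initiator answers with its name CHAP_N and
# CHAP_R = MD5(CHAP_I || secret || CHAP_C). Nothing is encrypted on the wire,
# and the secret itself never leaves either host.
# Example code written for this article, not SANRAD's implementation;
# the user names and secrets used below are made up.

CHAP_A_MD5 = 5   # the one algorithm identifier RFC 3720 requires targets to offer


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I as a single byte || secret || CHAP_C)."""
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()


class Target:
    """iSCSI target holding the CHAP secrets of the initiators it admits."""

    def __init__(self, secrets: dict):
        self._secrets = secrets   # CHAP_N (user name) -> secret bytes
        self._pending = {}        # CHAP_I -> CHAP_C for challenges not yet answered

    def challenge(self):
        """Login step 1: fresh identifier and random challenge for this attempt."""
        chap_i = os.urandom(1)[0]
        chap_c = os.urandom(16)   # RFC 3720 allows challenges up to 1024 bytes
        self._pending[chap_i] = chap_c
        return CHAP_A_MD5, chap_i, chap_c

    def verify(self, chap_i: int, chap_n: str, chap_r: bytes) -> bool:
        """Login step 2: recompute the expected response and compare in constant time."""
        chap_c = self._pending.pop(chap_i, None)   # each challenge answers once
        secret = self._secrets.get(chap_n)
        if chap_c is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(chap_i, secret, chap_c), chap_r)


class Initiator:
    """iSCSI initiator configured with its CHAP user name and secret."""

    def __init__(self, chap_n: str, secret: bytes):
        self.chap_n = chap_n
        self.secret = secret

    def answer(self, chap_a: int, chap_i: int, chap_c: bytes):
        if chap_a != CHAP_A_MD5:
            raise ValueError("target proposed an algorithm this initiator does not support")
        return self.chap_n, chap_response(chap_i, self.secret, chap_c)


def login(target: Target, initiator: Initiator) -> bool:
    """Run one CHAP exchange and report whether the target accepts the login."""
    chap_a, chap_i, chap_c = target.challenge()
    chap_n, chap_r = initiator.answer(chap_a, chap_i, chap_c)
    return target.verify(chap_i, chap_n, chap_r)


def dictionary_attack(chap_i: int, chap_c: bytes, chap_r: bytes, candidates):
    """What a sniffer on the LAN can do with one captured exchange: CHAP_I,
    CHAP_C and CHAP_R all travel in the clear, so a weak secret falls to an
    offline guess-and-hash loop. Returns the recovered secret, or None."""
    for guess in candidates:
        if chap_response(chap_i, guess, chap_c) == chap_r:
            return guess
    return None


if __name__ == "__main__":
    secret = b"Jx9#qLp2!vT7wZ4m"   # constructed; in practice 16+ random bytes
    target = Target({"backup-host1": secret})
    print("genuine initiator:", login(target, Initiator("backup-host1", secret)))
    print("impostor:", login(target, Initiator("backup-host1", b"guess")))
```

Two details carry the security weight here: the challenge is random and consumed on first use, so a captured response cannot be replayed against the same target, and the comparison uses hmac.compare_digest so the target's timing does not leak how many leading bytes of a wrong response were correct. The dictionary_attack function is the argument for choosing the secret from a random generator rather than a word list.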

IP SANs answer the growing need for more cost-effective and secure SAN implementations. Using readily available IP security technologies, data transfer over the IP network can be secured without increasing the cost of ownership of an IP SAN. IP SAN switches add initiator authorisation and authentication to your existing security measures.

IP Security (IPsec) encryption is due to be incorporated into next-generation intelligent switches to provide full data encryption within the LAN. Additionally, look to future switches to include technologies that protect your data even against theft of the physical storage disks.

Zophar Santé is VP market development, SANRAD, Incorporated
www.SANRAD.com

Date: 31st August 2004 •Region: Worldwide •Type: Article •Topic: IT continuity