Data storage is playing an increasingly visible role in securing application data in the data center. Today virtually all large enterprises and institutions worldwide have implemented networked storage infrastructures to provide high performance input/output (I/O) operations, high availability access, consolidation of storage assets, and data protection and archiving. Storage area networks (SANs) are typically based on Fibre Channel technology and are normally contained within the physical confines of the data center. The security of this physical isolation, however, has proven inadequate to safeguard data from inadvertent or malicious disruption. Both established and emerging Fibre Channel and IP standards are required to secure the storage infrastructure and protect data assets from corruption or misappropriation. This paper provides an overview of storage networking technology and the security mechanisms that have been developed to provide data integrity for data center storage infrastructures.
Security in conventional data communications networks attempts to safeguard data access by implementing both authentication and encryption technologies. Authentication procedures verify that data access between two end points is approved. Encryption ensures that only bona fide senders and receivers are able to render encrypted data intelligible. Conventional data security techniques are primarily focused on protecting data in flight, as it traverses the network from, for example, a server to a workstation. If the data in flight is intercepted, diverted or copied, the security breach may allow unauthorized access to, or corruption of, sensitive corporate or personal information.
For storage environments, data transactions between servers and storage arrays or tape devices are also vulnerable to in-flight interception. In addition, however, security for storage area networks must provide means to safeguard data at rest, that is, after the data is written to disk or tape. This added requirement has generated new security solutions that attempt to protect storage data through its entire cycle of data retrieval and repose. This paper examines the unique characteristics of SANs and security techniques required to safeguard storage assets.
Storage area networking is a technology that enables high availability and high performance access between servers and storage devices. First formulated as American National Standards Institute (ANSI) standards in the early 1990s and now widely adopted by all major institutions and enterprises, SANs have displaced earlier storage connections that bound individual storage arrays to individual servers. By placing both servers and storage assets on a dedicated network, it is possible to redirect storage access from one server to another, thus facilitating high availability data access. It also enables administrators to add storage capacity without disrupting ongoing production.
SAN technology was originally based on the Fibre Channel protocol and transport. Fibre Channel was the first high performance transport to deliver the gigabit speeds required for moving large amounts of storage data. The common analogy differentiating storage networking from conventional LAN and WAN networking is that while LANs and WANs move cars (packets) of data along highway lanes, SANs move freight train loads of data over high performance channels. Today, Fibre Channel SANs can provide 4 Gbps and 10 Gbps performance, while the vast majority of LAN technologies are still implemented at 1 Gbps (Gigabit Ethernet) or 100 Mbps (Fast Ethernet) speeds to workstations, with 10 Gbps links providing the network backbone.
As shown in Figure 1, data center SAN configurations are typically deployed for high availability data access. Each server and storage array is connected to fabric directors or switches for alternate pathing. If an individual link, port or switch fails, servers still have access to their designated storage targets. Fibre Channel directors are designed to provide 99.999 percent availability, or about 5.39 minutes of downtime in a given year.
Figure 1. A data center SAN provides alternate pathing for high availability.
For moderate performance requirements, new IP-based storage network protocols such as iSCSI provide a means to move blocks of storage data over traditional TCP/IP network infrastructures. Given the notorious vulnerability of TCP/IP networks to disruption and latency, however, iSCSI must address the inherent contradiction between the deterministic performance required by storage applications and the nondeterministic nature of IP networks. From a security standpoint, iSCSI is the beneficiary of decades of development of IP Security and other IETF standards that provide auxiliary mechanisms to safeguard IP data transport.
Because all applications and data ultimately reside on some form of spinning media, maintaining the high availability and integrity of storage data is fundamental to all IT operations. SANs have generated a wide spectrum of solutions for assuring continuous storage access, including server clustering, failover, point-in-time data copies, data backup, and disaster recovery. At the same time, SANs have helped reduce operational costs by facilitating consolidation of storage assets (fewer but larger storage arrays) and streamlining backup processes. The end-user value of SAN technology is so clearly established that every major enterprise worldwide is now running its storage data on the basis of a storage area network.
Key Terms in this Chapter
Fibre Channel: A set of industry standards defining a multi-gigabit block data transport
Binding: Creating an authorized association between two devices or switches
Fabric: A switched network typically based on Fibre Channel protocols
iSCSI: A de facto standard for transporting block data over TCP/IP
Zone: A group of devices or ports authorized to communicate with one another
Block data: Digital data organized as contiguous bits of a designated extent
SCSI: Small Computer Systems Interface. An architecture for block data I/O
Virtual Fabric: Partition of a single physical storage network into logical networks
Storage array: An enclosure with controller logic and multiple disk drives for mass storage
WWN: Worldwide Name. A unique 64-bit identifier for Fibre Channel devices and entities
LUN masking: Concealing the existence of logical units from unauthorized servers
Storage area network: A dedicated network implemented between servers and storage
IPsec: IP Security. A set of IETF de facto standards for securing data over TCP/IP
LUN: Logical unit number. A predefined capacity of disk storage assigned to a server
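The key terms above describe two layered access controls in a SAN: fabric zoning (which WWNs may talk to each other) and array-side LUN masking (which logical units an authorized initiator may see). The following is an added illustration, not code from the chapter; it models both checks as a default-deny policy over constructed, made-up WWNs, so that an initiator outside every zone is stopped at the fabric, and an initiator inside a zone still sees only the LUNs masked to it.

```python
import re
from dataclasses import dataclass, field

# A WWN is a 64-bit identifier, conventionally written as eight colon-separated hex bytes.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

def normalize_wwn(wwn: str) -> str:
    """Canonicalise a WWN string and reject anything that is not 64 bits of hex."""
    w = wwn.strip().lower()
    if not WWN_RE.match(w):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return w

@dataclass
class Fabric:
    zones: dict = field(default_factory=dict)      # zone name -> set of member WWNs (switch-enforced)
    lun_masks: dict = field(default_factory=dict)  # (target WWN, LUN) -> allowed initiator WWNs (array-enforced)

    def add_zone(self, name: str, members) -> None:
        self.zones[name] = {normalize_wwn(m) for m in members}

    def mask_lun(self, target: str, lun: int, initiators) -> None:
        self.lun_masks[(normalize_wwn(target), lun)] = {normalize_wwn(i) for i in initiators}

    def zoned_together(self, a: str, b: str) -> bool:
        a, b = normalize_wwn(a), normalize_wwn(b)
        return any(a in z and b in z for z in self.zones.values())

    def can_access(self, initiator: str, target: str, lun: int) -> tuple:
        """Default-deny check: zoning first (fabric layer), then LUN masking (array layer)."""
        initiator, target = normalize_wwn(initiator), normalize_wwn(target)
        if not self.zoned_together(initiator, target):
            return False, "denied by zoning: initiator and target share no zone"
        allowed = self.lun_masks.get((target, lun), set())  # a LUN with no mask entry stays hidden
        if initiator not in allowed:
            return False, f"denied by LUN masking: LUN {lun} not presented to initiator"
        return True, "permitted"

# Constructed sample fabric: two hosts and one array; these WWNs are made up for illustration.
DB01 = "10:00:00:00:c9:aa:bb:01"
WEB01 = "10:00:00:00:c9:aa:bb:02"
ARRAY = "50:06:01:60:c1:00:00:01"

def build_demo_fabric() -> Fabric:
    f = Fabric()
    f.add_zone("db_zone", [DB01, ARRAY])    # single-initiator zones keep fabric privilege minimal
    f.add_zone("web_zone", [WEB01, ARRAY])
    f.mask_lun(ARRAY, 0, [DB01])            # database volume: db01 only
    f.mask_lun(ARRAY, 1, [DB01, WEB01])     # shared volume: both hosts
    return f
```

Calling `build_demo_fabric().can_access(host, ARRAY, lun)` returns the decision and which layer produced it, which is the split a reviewer wants when auditing why a host can or cannot reach a volume.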