Is a SAN secure? What I mean to say is would you consolidate storage for your website and your main business application within one SAN?
Great question and one that I get fairly often in my travels.
Most web applications are built using a tiered approach: a web tier, an application logic tier and a backend database server tier. The web servers are the Internet-facing tier, and are located outside of the firewall. The application logic servers are usually placed in a safety zone between the external firewall and the internal firewall. The database servers are almost always behind the internal firewall so they can be updated consistently.
Most three-tier web applications use internal disk storage for the web servers since they are located outside of the firewall and the storage needs are somewhat smaller than the other tiers. Web server data is mostly static and spread across many servers. If you want to centralize storage for the web servers, then NAS is a better approach than SAN since the web servers need a way to share access to files and not blocks of data.
The backend database servers work best when they are connected to fast SAN storage. The servers are behind the corporate firewall so security is not an issue.
So that leaves us with the application logic servers. This is where most companies have difficulty when trying to figure out where the storage for these servers should come from. They question whether it is prudent to share the same storage array with the database servers since the application servers are located outside the firewall.
The answer is you CAN share the same storage array with the application tier and the database tier. You can also put the web server storage in the same SAN. The solution to the security issue is three-fold.
1) Since SAN is based on fiber optics, it would be VERY difficult for someone to tap into the corporate network from servers connected to the shared storage from outside the firewall. You would need a physical connection to the optical cable.
2) When connecting servers located outside a firewall to shared storage in a SAN, always use PORT zoning in the switches. Use very small zones, consisting of each individual server and storage port it needs access to. Port zoning is more secure than WWN zoning in a SAN and since it's done at the hardware level instead of at the name server level, you can't hack it.
3) Use separate physical ports on the storage array to hook up the different tiers of your web application. The database and application servers should have their own ports and the web servers should also have their own port. Or, just leave the web server storage on the internal drives of the web servers. Using LUN security INSIDE the storage array is a must. Do not use agents on the servers to do LUN security. It must be done at the protocol level and done in firmware inside the array itself.
I hope this answers your question.
Editor's note: Do you agree with this expert's response? If you have more to share, post it in one of our discussion forums.
This was first published in October 2002
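One way to check a fabric against points 2 and 3 above is to audit an exported zoning configuration. This is an added example, not part of the expert's response. The port inventory, zone names, WWN and the "domain,port" member notation are constructed assumptions.

```python
import re
from collections import defaultdict

WWN = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)

# Constructed inventory: switch "domain,port" -> (device kind, application tier).
PORTS = {
    "1,0": ("host", "web"), "1,4": ("host", "web"),
    "1,1": ("host", "app"),
    "1,2": ("host", "db"), "1,3": ("host", "db"),
    "1,8": ("array", None), "1,9": ("array", None), "1,10": ("array", None),
}

# Constructed zoning configuration: zone name -> members.
ZONES = {
    "z_web1": ["1,0", "1,8"],
    "z_app1": ["1,1", "1,9"],
    "z_db1": ["1,2", "1,10"],
    "z_db2": ["1,3", "1,9"],                          # db host on the app tier's array port
    "z_legacy": ["10:00:00:00:c9:aa:bb:01", "1,10"],  # WWN member, not a port
    "z_wide": ["1,0", "1,4", "1,8"],                  # two servers in one zone
}

def audit(zones, ports):
    """Return (subject, rule) findings for zoning that breaks points 2 and 3."""
    findings = []
    tiers_by_array_port = defaultdict(set)
    for name in sorted(zones):
        members = zones[name]
        if any(WWN.match(m) for m in members):        # point 2: port zoning only
            findings.append((name, "wwn-member"))
            continue
        if any(m not in ports for m in members):      # port missing from inventory
            findings.append((name, "unknown-port"))
            continue
        hosts = [m for m in members if ports[m][0] == "host"]
        arrays = [m for m in members if ports[m][0] == "array"]
        if len(hosts) != 1 or len(arrays) != 1:       # point 2: very small zones
            findings.append((name, "not-one-server-one-storage-port"))
        for a in arrays:
            tiers_by_array_port[a].update(ports[h][1] for h in hosts)
    for port in sorted(tiers_by_array_port):          # point 3: array ports per tier
        if len(tiers_by_array_port[port]) > 1:
            findings.append((port, "array-port-shared-across-tiers"))
    return findings

if __name__ == "__main__":
    for subject, rule in audit(ZONES, PORTS):
        print(f"{subject}: {rule}")
```

LUN security inside the array is configured on the array itself and is not visible in a zoning export, so it needs a separate check.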