Under the following situation:
Storage device A: Web server database
Storage device C: centralized log server
Storage device D: centralized database
A & B are in the same IP network (DMZ)
C & D are in the same IP network (Internal network)
I would like the SAN to connect my separate IP networks so I can copy data without it going through two IP firewalls or creating more traffic on my IP networks. I would like to create a one way "trust" within the SAN. That is, I want C to see B and copy items from B to C, but I do not want B to have access to C. In the same way, I want D to see and copy from A, but I do not want A to have access to D.
Would I achieve this with LUN masking? What would you recommend?
Well, the way you asked the question I'm not sure if we're talking about SAN or NAS here. Most Web servers are not connected to SAN storage since they usually need central "file" sharing access and not "block based" access to storage resources.
For NAS security, if you're running NT on your servers (I assume you do, since you said you want to create a "trust") you would set up a secure user account on your servers under a domain trust relationship that does just as you said. Your user would have local access to C and remote access to B. You can use a one-way NT trust, and the same goes for A and D.
That being said, and since I'm the SAN guy, I'll approach the question from a SAN perspective. You can use a single storage array for access from all servers in your Web environment as long as you use "HARD" zoning in your switches and "HARD" LUN security in your storage array. By hard, I mean the security mechanism should NOT depend on an agent running on your servers. You should be able to assign security at the LUN level inside the array by using the WWN of the HBA in your server. You should use separate storage ports for LUN access for your DMZ servers, and your internal secure servers.
You can then use a secure server inside your firewall that has access to all the disks, which is used to copy files between the environments within the storage array (if you have disk-to-disk copy capabilities in the array). This would remove the traffic from your IP network. You would need a storage array that has the capability to create snapshots and be able to resync the snaps using scripting, so you can automate the process.
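The access model the expert describes (port-based "hard" zoning in the switch, WWN-based LUN masking in the array, separate array ports for the DMZ and internal hosts, and one copy server inside the firewall that can reach every LUN) can be checked before the change is rolled out. The script below is an added example, not code from the original answer or from any array or switch vendor: it models a constructed topology with hypothetical switch port names (sw1/1 and so on), array ports (FA-1 for the DMZ, FA-2 for the internal network) and WWNs, evaluates both the zoning and the masking table for each HBA, and audits that no DMZ host can reach an internal LUN. It also shows why the expert insists on hard zoning: an HBA on a DMZ switch port is denied even if it presents a WWN that appears in an internal mask, because port zoning never places it in the internal zone.

```python
from dataclasses import dataclass

# --- Constructed sample topology (all names, WWNs and ports are hypothetical) ---
WWN = {
    "A": "10:00:00:00:c9:00:00:0a",     # Web server A (DMZ)
    "B": "10:00:00:00:c9:00:00:0b",     # Web server B (DMZ)
    "C": "10:00:00:00:c9:00:00:0c",     # centralized log server C (internal)
    "D": "10:00:00:00:c9:00:00:0d",     # centralized database D (internal)
    "COPY": "10:00:00:00:c9:00:00:ff",  # copy server inside the firewall
}


@dataclass(frozen=True)
class Hba:
    host: str
    wwn: str
    switch_port: str  # physical switch port the HBA is cabled to


HBAS = {
    "A": Hba("A", WWN["A"], "sw1/1"),
    "B": Hba("B", WWN["B"], "sw1/2"),
    "C": Hba("C", WWN["C"], "sw1/3"),
    "D": Hba("D", WWN["D"], "sw1/4"),
    "COPY": Hba("COPY", WWN["COPY"], "sw1/5"),
}

# Hard (port) zoning: membership is decided by physical switch port, not by
# the WWN a device presents. Each zone holds its hosts plus one array port.
ZONES = {
    "dmz": {"sw1/1", "sw1/2", "sw1/9"},                # A, B and array port FA-1
    "internal": {"sw1/3", "sw1/4", "sw1/5", "sw1/10"},  # C, D, COPY and FA-2
}
ARRAY_PORT_SWITCH_PORT = {"FA-1": "sw1/9", "FA-2": "sw1/10"}

# LUN masking per array port: LUN -> set of HBA WWNs allowed to see it.
# DMZ hosts only ever see their own disk through FA-1; the copy server sees
# every disk, but only through the internal port FA-2.
LUN_MASKS = {
    "FA-1": {"LUN-A": {WWN["A"]}, "LUN-B": {WWN["B"]}},
    "FA-2": {
        "LUN-A": {WWN["COPY"]},
        "LUN-B": {WWN["COPY"]},
        "LUN-C": {WWN["C"], WWN["COPY"]},
        "LUN-D": {WWN["D"], WWN["COPY"]},
    },
}


def zoned_together(switch_port_a, switch_port_b):
    """True if some hard zone contains both physical switch ports."""
    return any(switch_port_a in z and switch_port_b in z for z in ZONES.values())


def can_access(hba, array_port, lun):
    """An HBA reaches a LUN only if zoning AND masking both permit it."""
    if not zoned_together(hba.switch_port, ARRAY_PORT_SWITCH_PORT[array_port]):
        return False  # the fabric never lets the HBA log in to this array port
    return hba.wwn in LUN_MASKS.get(array_port, {}).get(lun, set())


def reachable_luns(hba):
    """Set of (array_port, lun) pairs visible to the given HBA."""
    return {(port, lun)
            for port, masks in LUN_MASKS.items()
            for lun in masks
            if can_access(hba, port, lun)}


def audit(dmz_hosts, internal_luns):
    """Return (host, port, lun) triples where a DMZ host can reach an internal LUN."""
    return [(host, port, lun)
            for host in dmz_hosts
            for port, lun in sorted(reachable_luns(HBAS[host]))
            if lun in internal_luns]


if __name__ == "__main__":
    for name, hba in HBAS.items():
        print(name, sorted(reachable_luns(hba)))
    print("violations:", audit(["A", "B"], {"LUN-C", "LUN-D"}))
```

Run the audit again after any cabling or masking change; an empty violation list is the property the expert's design depends on, and a non-empty one pinpoints which host, port and LUN broke the one-way separation.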
Editor's note: Do you agree with this expert's response? If you have more to share, post it in one of our discussion forums.
This was first published in January 2003