Keep your SAN secure through zoning


This article can also be found in the Premium Editorial Download "Storage magazine: What are the real benefits of data storage management software?"

In an effort to put storage area network (SAN) zoning in a common light, I've borrowed a definition of zoning from the city planning offices of New York City. Because of its population density, the NYC zoning office offers sophisticated methods for managing space on its land mass, and in principle the concept of zoning land is much the same as zoning in a SAN, as the following definition shows: "Through zoning, a city regulates building size, population density and the way the land is used and accessed. Zoning recognizes the changing demographic and economic conditions of the city and is a key tool for carrying out its planning policies."

Although the principle is the same, zoning in the SAN differs from city planning in practice. SAN zoning is the act of partitioning Fibre Channel (FC) devices into management realms so that an initiator and a target on a shared (public) SAN can communicate securely. Through zoning, each FC device becomes part of a community of devices that respond only to each other and to the management interfaces of the fabric.

Why zoning?
Zoning keeps the initiators in your SAN honest by allowing them access only to authorized targets. Windows-based servers are the classic case, because a Windows host will write its disk signature on every target it can see, but you still wouldn't want to run even a homogeneous SAN populated with Unix-based servers without zoning. Clustering requires additional consideration, because multiple initiators (hosts) need access to the same targets, or LUNs, in case of failover.

LUN masking is a form of zoning usually implemented in an enterprise storage array, but it can also be implemented at the host level or in a third-party virtualization product. Your storage array will likely have more than one disk drive sitting behind one or more storage ports. As a result, on an array with multi-LUN support you can provision disk drives or LUNs to more than one host through a single storage port, so controls must be in place to govern which hosts may access which LUNs. LUN masking provides this control by hiding a LUN from every host connection that is not meant to access it. Depending on the capabilities of your storage array, specifically whether the disk drives are native FC devices and thus have WWNs of their own, you may be able to simply use the software zoning features in your switch to provide this service.

With software zoning, each zone member's WWN is usually aliased to an easily referenced name. That way the SAN admin only needs to recall the alias when referencing the zone member, instead of the member's 64-bit WWN. Also make sure your naming convention is consistent across applications and operating systems; this helps trainees move between SAN applications and processes with a clearer understanding of host-to-device relationships.

In addition to keeping your SAN sane, partitioning servers (initiators) together with their related storage targets speeds up discovery at boot time by limiting protocol communication to the devices in the zone instead of every device in the SAN. Security is another benefit of zoning, as will be detailed later. Establishing a defensive perimeter around communicating entities also protects data integrity, because a host outside the zone cannot see, claim or write to a target it was never meant to reach, thereby providing your applications with a higher service level.

Zone types
There are two types of zoning available in your SAN: software and hardware. Software zoning is the practice of grouping and identifying end nodes in the nameserver by entering their WWNs in its database. Only these nodes are permitted to join the zone and initiate communication with other zone members. This gives the admin greater flexibility to move end nodes between ports and switches in the fabric, because the nameserver database is synchronized and distributed to every switch in the fabric. Therefore, no matter which port a host bus adapter (HBA) is plugged into, it can query the nameserver about the devices in its community.

But with this method, someone who learns the WWN of a legitimate host from the nameserver database could program that WWN into another HBA and masquerade as the host from a port other than the one the legitimate HBA is connected to, gaining access to the legitimate host's community, and to other communities as well if a particular device is shared across zones.
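The following Python model is an added example, not code from the article or from any switch or array vendor, and it ties together the LUN masking, boot-time discovery and soft-zoning passages above. Every WWN, switch port number, alias and LUN number in it is constructed for illustration. It defines the same zones once by alias (WWN-based, "software" zoning) and once by physical switch port ("hardware" zoning), shows the zone-filtered nameserver answer an initiator gets at boot, applies a WWN-keyed LUN mask on the array side, and then replays the spoofing scenario: an attacker on an unused port presents a legitimate host's WWN.

```python
"""Constructed model of SAN zoning and LUN masking (added example).

All WWNs, ports, aliases and LUNs are made up; nothing here comes from a
real fabric.  Shown: alias-based zone definitions, the zone-filtered
nameserver query, WWN-keyed LUN masking, and why WWN-based (soft) zoning
is defeated by a stolen WWN while port-based (hard) zoning is not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One fabric login: the physical switch port and the WWN presented there."""
    port: int
    wwn: str


# Aliases map a readable name to a 64-bit port WWN (constructed values).
ALIASES = {
    "host_erp01_hba0": "10:00:00:00:c9:2a:11:01",
    "host_web01_hba0": "10:00:00:00:c9:2a:22:02",
    "array_a_port0":   "50:06:01:60:41:e0:03:15",
    "tape_lib_drive1": "50:01:10:a0:00:12:34:56",
}
WWN_TO_ALIAS = {wwn: name for name, wwn in ALIASES.items()}

# Single-initiator zones by alias (software / WWN zoning).
WWN_ZONES = {
    "z_erp01_storage": {"host_erp01_hba0", "array_a_port0", "tape_lib_drive1"},
    "z_web01_storage": {"host_web01_hba0", "array_a_port0"},
}

# The same zones expressed by physical switch port (hardware / port zoning).
PORT_ZONES = {
    "z_erp01_storage": {1, 8, 9},
    "z_web01_storage": {2, 8},
}

# LUN masking table held by the array on port 8: initiator WWN -> LUNs exposed.
LUN_MASK = {
    ALIASES["host_erp01_hba0"]: {0, 1, 2},
    ALIASES["host_web01_hba0"]: {3},
}

# Legitimate logins (constructed): erp01 on port 1, web01 on port 2,
# the array on port 8, the tape drive on port 9.
FABRIC = [
    Login(1, ALIASES["host_erp01_hba0"]),
    Login(2, ALIASES["host_web01_hba0"]),
    Login(8, ALIASES["array_a_port0"]),
    Login(9, ALIASES["tape_lib_drive1"]),
]


def soft_zone_allows(initiator: Login, target: Login) -> bool:
    """WWN zoning: decided purely on the WWNs presented, not on where they plugged in."""
    src = WWN_TO_ALIAS.get(initiator.wwn)
    dst = WWN_TO_ALIAS.get(target.wwn)
    return any(src in zone and dst in zone for zone in WWN_ZONES.values())


def hard_zone_allows(initiator: Login, target: Login) -> bool:
    """Port zoning: decided on physical switch ports; the presented WWN is irrelevant."""
    return any(initiator.port in zone and target.port in zone for zone in PORT_ZONES.values())


def nameserver_query(initiator: Login, fabric=FABRIC, mode: str = "soft") -> set:
    """What an initiator learns at boot: only its zone members, not every node in the fabric."""
    allows = soft_zone_allows if mode == "soft" else hard_zone_allows
    return {WWN_TO_ALIAS.get(node.wwn, node.wwn) for node in fabric
            if node.wwn != initiator.wwn and allows(initiator, node)}


def masked_luns(initiator_wwn: str) -> set:
    """LUN masking on the array: LUNs absent from the table are simply not reported."""
    return LUN_MASK.get(initiator_wwn, set())


def can_reach_lun(initiator: Login, lun: int, mode: str = "soft") -> bool:
    """Defence in depth: the zone must admit the pair AND the array must expose the LUN."""
    array = next(node for node in FABRIC if node.port == 8)
    allows = soft_zone_allows if mode == "soft" else hard_zone_allows
    return allows(initiator, array) and lun in masked_luns(initiator.wwn)


# Spoofing scenario: an attacker on unused port 5 programs erp01's WWN into its HBA.
SPOOFER = Login(5, ALIASES["host_erp01_hba0"])


if __name__ == "__main__":
    erp01 = FABRIC[0]
    print("erp01 sees at boot:", sorted(nameserver_query(erp01)))
    print("soft zoning lets spoofer reach LUN 0:", can_reach_lun(SPOOFER, 0, "soft"))
    print("hard zoning lets spoofer reach LUN 0:", can_reach_lun(SPOOFER, 0, "hard"))
```

Two things to take from running it. First, the WWN-keyed LUN mask does not save you once the zone check is fooled: the spoofer presents erp01's WWN, so the array's masking table exposes erp01's LUNs to it just as the nameserver does, because both controls trust the same presented identifier. Second, the port-based zone denies the spoofer outright, since port 5 is in no zone; the cost is exactly the flexibility the article credits to software zoning, because moving erp01's HBA to another port now requires editing the zone.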

This was first published in April 2003
