Isn't hard zoning the same as port-based zoning?
This second part of my series on SAN security will explain the real differences between hard and soft zoning, as well as the differences between soft zoning and WWN-based zoning because the two are often confused with each other. Let's start with a quick review of my previous article, "Protect your SAN from attack," in the August issue of Storage.
There are five aspects of security: authentication, authorization, encryption, integrity and auditing. Authentication makes sure that a server requesting a block of data really is the server that it says it is. Authorization verifies that this server is allowed to view that block of data. Encryption ensures that if authentication or authorization are somehow defeated, the data won't be used by the wrong party. Integrity ensures that when the server gets the block of data it requested, that block actually contains valid data. Lastly, auditing allows for the verification of all of the other aspects, looking for possible security breaches.
This article is mainly concerned with authentication, because without it, there's no way to verify integrity, not much point in encrypting the data and almost no point in giving different servers different authorization. If any server can masquerade as any other server, what's the point?
In the old days of direct-attached storage (DAS), there was no reason to secure the storage. You couldn't get to the storage unless you went through the server. Authorization was built into SCSI, but it was only done to ensure that requests for data were sent to the correct device. No efforts were made to verify that the entity sending or requesting the data was allowed to do so. SCSI assumed that the request was coming from a valid server because someone would have to physically disconnect the SCSI cable from Apollo and plug it into Elvis' SCSI card in order to be able to access Elvis' storage. However, in storage networks, if you don't configure things correctly, it's possible for any server connected to the SAN to see any other server's storage.
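The following toy model, added here as an illustration and not code from the article or from any switch or array vendor, puts the two points above side by side: an unconfigured fabric exposes every server's storage to every attached server, and a zoning table on its own only checks the identifier a server presents, which is why the article puts authentication ahead of authorization. The server names, WWNs and LUN names are constructed, and the challenge-response step is a generic HMAC stand-in (an assumption for the example), not a description of any Fibre Channel authentication mechanism.

```python
import hashlib
import hmac
import os

# Constructed sample fabric: two servers (initiators) and two LUNs on one array.
# All identifiers below are made-up values for illustration only.
APOLLO_WWN = "10:00:00:00:c9:aa:aa:01"
ELVIS_WWN = "10:00:00:00:c9:bb:bb:02"
ALL_LUNS = {"LUN0-apollo-data", "LUN1-elvis-data"}


class Fabric:
    """Toy model of a SAN access path: an optional zoning table plus optional
    per-initiator secrets used for an illustrative authentication step."""

    def __init__(self, zones=None, secrets=None):
        # zones: initiator WWN -> set of LUNs it is authorized to see.
        # None models the "not configured correctly" case from the article.
        self.zones = zones
        # secrets: initiator WWN -> shared secret (hypothetical, for the example)
        self.secrets = secrets or {}

    def authorized_luns(self, claimed_wwn):
        """Authorization only: what the fabric exposes to whoever presents claimed_wwn."""
        if self.zones is None:
            # Unconfigured fabric: every attached server sees every server's storage.
            return set(ALL_LUNS)
        # Zoned fabric: the check is keyed on the presented identifier alone.
        return set(self.zones.get(claimed_wwn, set()))

    def challenge(self):
        """Fresh random challenge for one authentication exchange."""
        return os.urandom(16)

    def verify(self, claimed_wwn, challenge, response):
        """Authentication step: the initiator must prove it holds the secret
        registered for the WWN it claims, not merely know the WWN."""
        secret = self.secrets.get(claimed_wwn)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def luns_for(self, claimed_wwn, challenge, response):
        """Authentication first, then authorization: the order the article argues for."""
        if not self.verify(claimed_wwn, challenge, response):
            return set()
        return self.authorized_luns(claimed_wwn)


def respond(secret, challenge):
    """What a legitimate initiator computes when the fabric challenges it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def build_zoned_fabric():
    """A correctly configured fabric: each server zoned to its own LUN, with secrets."""
    return Fabric(
        zones={APOLLO_WWN: {"LUN0-apollo-data"}, ELVIS_WWN: {"LUN1-elvis-data"}},
        secrets={APOLLO_WWN: b"apollo-secret", ELVIS_WWN: b"elvis-secret"},
    )


if __name__ == "__main__":
    unzoned = Fabric()
    print("unconfigured fabric, Apollo sees:", sorted(unzoned.authorized_luns(APOLLO_WWN)))

    zoned = build_zoned_fabric()
    print("zoned fabric, Apollo sees:", sorted(zoned.authorized_luns(APOLLO_WWN)))

    c = zoned.challenge()
    ok = zoned.luns_for(APOLLO_WWN, c, respond(b"apollo-secret", c))
    print("zoned + authenticated, Apollo sees:", sorted(ok))
    # Presenting Elvis' WWN with Apollo's secret fails authentication, so no LUNs.
    print("claiming Elvis' WWN without Elvis' secret:", zoned.luns_for(ELVIS_WWN, c, respond(b"apollo-secret", c)))
```

The `authorized_luns` path is the DAS-era assumption carried into a network: the request is trusted because of where it says it comes from. The `luns_for` path adds the missing step, and the difference between the two is the whole reason authentication comes first in the list of five aspects.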
This was first published in September 2003