Protect your SAN from attack, part 2


This article can also be found in the Premium Editorial Download "Storage magazine: Is it time for SAN/NAS convergence?."

Download it now to read this article plus other related content.

What's port binding?

Requires Free Membership to View

Because vendors are aware that world-wide names (WWNs) are spoofable, they wanted to offer a way to use WWN-based zoning, but have some level of security. Their solution: port binding. This means you can bind a WWN to a port so that hardware enforcement will only allow traffic to and from that WWN if it's connected to the right switch port. I suppose you could consider this in-depth defense. This method defeats both the WWN spoofer and the person who physically switched ports. But I think it goes a bit too far. Port-based hard zoning offers the best solution to date.

Convenience over security
Considering the increase security implications, why do people use soft zoning? Simply put, most SAN implementations to date have prioritized convenience over security. The following quote from the "Brocade Zoning Implementation Strategies" document says it all. According to the Brocade Zoning User Guide (Version 2.2 for the SilkWork 2800), port-based zoning, "provides good security in the fabric but requires reliable processes to prevent incorrect devices from being attached to the wrong ports. You should normally avoid this form of zoning unless you have rigidly enforced processes for port and device allocation in the fabric."

In other words, port-based zoning increases your security, but it makes moves, adds and changes more difficult. With WWN-based zoning, you can move a server to any port on any switch, and not worry about a thing. With port-based zoning, you would need to add the new port to the zone and subtract the old port from the zone. Yes, it's more work. It's always more work to have decent security, and it's also easier not to back up your data.

Remember, if you care about security, forget everything you've been taught about how to create zones. Yes, I know that many SAN instructors tell you to use WWN-based zoning because it's a lot easier to use than port-based zoning. But if you want security in your SAN, don't use WWNs to specify the members of your zones, and don't use soft zoning. The former is spoofable, and the latter is laughable.

This was first published in September 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: