Storage August 2006 Special Supplement
Security issues: iSCSI vs. FC
When Fibre Channel (FC) was initially specified in the mid-1990s, security was of little concern. As a result, the FC protocol is inherently insecure, depending on external methods such as zoning and LUN masking to authorize access. While Ethernet switches in iSCSI SANs are used only for transport, FC switches perform both transport and security functions. This means that a security breach on an FC switch is far more severe, as an intruder can access the data. While FC backers argue that iSCSI is risky because it's connected to nonstorage networking components, this is somewhat hypocritical because the great majority of storage administrators use TCP/IP-based methods to manage FC gear.
On the other hand, iSCSI defines authentication, authorization and encryption in its specification. iSCSI supports the Challenge-Handshake Authentication Protocol (CHAP) for authorization. While FC depends on zoning and LUN masking for access, iSCSI authorization is based on CHAP users. Because the iSCSI protocol resides above the transport layer of the OSI protocol stack, IPsec can be used to encrypt iSCSI traffic. Encryption isn't defined in the FC specification and only the rarely used Internet variations of FC--Fibre Channel over IP (FCIP) and the Internet Fibre Channel Protocol (iFCP)--can take advantage of IPsec.
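The CHAP login exchange mentioned above, sketched as an added example that is not from the original article: the target issues a challenge, the initiator answers with MD5(identifier || secret || challenge) as defined for CHAP in RFC 1994, and the target verifies the answer once. The `Target` class, the `initiator_reply` helper, and the user names and secrets used with them are constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # bytes (96 bits); floor RFC 3720 sets when IPsec is absent


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (CHAP_A=5): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def initiator_reply(name: str, secret: bytes, offer: dict) -> dict:
    """Initiator side: answer the target's CHAP_I / CHAP_C with CHAP_N / CHAP_R."""
    ident = int(offer["CHAP_I"])
    challenge = bytes.fromhex(offer["CHAP_C"][2:])
    return {"CHAP_N": name,
            "CHAP_R": "0x" + chap_response(ident, secret, challenge).hex()}


class Target:
    """Hypothetical target-side verifier holding per-user CHAP secrets."""

    def __init__(self, users: dict):
        weak = [n for n, s in users.items() if len(s) < MIN_SECRET_LEN]
        if weak:
            raise ValueError(f"CHAP secret too short for: {weak}")
        self.users = users
        self.pending = None

    def challenge(self) -> dict:
        # Fresh identifier and 16 random bytes for every login attempt.
        self.pending = (os.urandom(1)[0], os.urandom(16))
        ident, chal = self.pending
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + chal.hex()}

    def verify(self, reply: dict) -> bool:
        if self.pending is None:
            return False  # no outstanding challenge: reject replays
        (ident, chal), self.pending = self.pending, None  # single use
        secret = self.users.get(reply.get("CHAP_N", ""))
        expected = chap_response(ident, secret or b"\0" * 16, chal)
        try:
            got = bytes.fromhex(reply.get("CHAP_R", "")[2:])
        except ValueError:
            return False
        # Constant-time compare; unknown users fail after the same work.
        return secret is not None and hmac.compare_digest(expected, got)
```

CHAP only proves knowledge of the secret at login; the SCSI payload that follows is protected only if IPsec is also in use.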
Storage management is one of the weaker aspects of iSCSI. Storage management vendors are just starting to add iSCSI support to their suites. While FC switches are well supported by all major storage management apps, only some aspects of Ethernet switches--like availability--are addressed by storage management suites. Security is another controversial aspect: Although FC proponents are quick to point out security concerns with iSCSI, in reality, iSCSI is an inherently more secure protocol than Fibre Channel (see "Security issues: iSCSI vs. FC," at right).
With the reliability and feature gap closed, the slower performance of iSCSI is now the primary technical argument FC advocates use for not considering iSCSI for enterprise-level applications. But iSCSI speeds are beginning to catch up with FC, and the two protocols are on a leap-frog path, with each one boasting new product releases that best the other, but not for very long. However, the FC protocol has a slightly lower latency than TCP/IP.
"With all things equal, we have seen a 5% to 15% performance advantage of Fibre Channel for transactional applications like e-mail, databases and file access," says Brian Garrett, technical director at ESG Lab, Milford, MA. "For bandwidth-intense applications such as backup or video editing, Fibre Channel clearly eclipses iSCSI."
Obviously, 10Gb/sec Ethernet iSCSI surpasses FC in performance. But with an average 10GigE port price of $2,000, 10Gb/sec Ethernet isn't ready for widespread use in iSCSI SANs. For 10GigE to be widely used in iSCSI SANs, it will take the final ratification of 10GigE over copper and CAT7 copper cabling, the availability of 10GigE copper ports on switches, iSCSI targets supporting 10GigE and the cost per 10GigE port to drop to near 4Gb/sec FC port pricing. According to James Opfer, research vice president for Gartner's storage research group, 10Gb/sec Ethernet won't start ramping up until 2007.
This was first published in August 2006