The road to practical SAN security


This article can also be found in the Premium Editorial Download "Storage magazine: Managing data storage for remote employees."


According to Kamy Kavianian, product manager at Brocade, one of their customers' top concerns is "secure management access." These companies often want to turn off features of their switches - for example, SNMP support or Telnet - so that the switch does not expose more management interfaces than necessary. Kavianian says the top customers for Brocade's security offerings are primarily government agencies and government contractors, followed by banks and financial institutions, and then by enterprise customers with strict security policies.

Security-conscious users have started demanding network-style security options for their storage network gear to minimize unauthorized use of their hardware. Many vendors are in the process of adding, or already offer, Secure Shell (SSH) access to their devices, Secure Sockets Layer (SSL) communications for Web management interfaces, and integration with centralized user-authentication and authorization protocols such as RADIUS and TACACS+.

Some users, mostly government agencies, the health care industry and financial institutions, are worried about protecting stored data. The threat of unauthorized modification of, or access to, data on disk is usually addressed by encrypting all data stored on disk or tape. Data is usually encrypted at the host, either by a special file system or by backup software, and stored in that encrypted form on tape or disk, so that unauthorized users cannot read it.

Emerging security solutions


As users start to seriously think about securing their storage networks, companies are racing to address user concerns. For example, U.K.-based Digital Interactive Solutions provides a hardware-accelerated encryption device for SCSI tape, with plans to add Fibre Channel (FC) capability to the device towards the end of the year. "The reason people go for a dedicated hardware solution boils down to speed, security and interchangeability," says Paul Howard, managing director of Digital Interactive Solutions.

Switch giant Brocade also has its eyes on the security space and completed a beta test of its Secure Fabric OS product in January, with the product available now. Brocade's Kavianian says, "Secure Fabric OS is the first instance of our security architecture," and includes "secure management communications, management access controls, fundamental enhancements in interswitch links, port-level access policies and trusted switches." Secure Fabric OS currently runs on all of the company's 1GB hardware as an add-on license, and mostly addresses the security of management interfaces and log-in authentication. The company has also added public-key certificates for authentication of switches, which prevents unauthorized switches from joining an FC network. However, the company currently has no plans for encryption of the data on the network.

Kavianian says, "Good security hygiene says that you encrypt at the source and destination. The server - not the network - should encrypt the data." In addition, he says, "Currently, there is nothing out there that can encrypt at 2GB/s. Encryption must be well thought out, because a SAN was designed to move large blocks of data in an efficient manner and you don't want to put anything in the way [that degrades the SAN's performance]." George Guethlein, who manages enterprise storage and backup at USinternetworking, says, "Brocade's Secure Fabric OS seems to fit our needs."

Startups are also trying to get into the game. NeoScale Systems, Milpitas, CA, is developing a network security appliance for FC networks that works as part of the network to encrypt block-level storage data on the fly at wire speed. Mike Alvarado, senior product manager at NeoScale, says, "We have developed our own storage security processors, and also incorporate other complementary components, such as encryption processing from Hifn." NeoScale is targeting system integrators for its solution. "We expect to sell our solutions through system integrators because customers expect complete solutions to be delivered," Alvarado says.

On the iSCSI front, a number of companies are developing silicon that provides hardware acceleration for IPsec, a necessity at gigabit speeds. EMC's Black says, "At the higher speeds that the IP Storage protocols can use [gigabit or a serious fraction of it], hardware acceleration of some form is required to use IPsec effectively." Aberdeen's Tanner concurs, saying, "Wire-speed should be the standard. It will probably require storage security silicon."

This was first published in September 2002
