Masking and zoning for SAN security
Although zoning and masking are usually thought of in terms of SAN administration, they are also important tools for maintaining SAN security in a Fibre Channel SAN. Since the Fibre Channel architecture allows any server (and by extension any user on that server) to access all the storage on the system, securing a SAN involves limiting what storage the server can reach, or even see.
Once the SAN itself has been appropriately secured by controlling user access, the next step is to limit application servers on the SAN to those parts of the storage array they need to do their jobs. The first step is controlling access to the SAN by users.
Zoning splits the SAN into subnetworks, with each application server assigned to a zone. The servers within a zone have any-to-any connectivity, but anything outside the zone is invisible to them. Zoning can be done either in hardware by linking ports on the Fibre Channel fabric, or in software. Software zoning usually relies on the World Wide Port Name and the World Wide Node Name, using a name server that generally runs inside the fabric switch.
Masking restricts access even further, to specific logical storage units. With LUN masking, application servers are restricted to those logical storage devices assigned to them. Masking offers finer granularity at the expense of somewhat more complex administration. Like zoning, it can be implemented either in
FalconStor discusses Fibre Channel security, with emphasis on its products, in a white paper available at: www.falconstor.com/Whitepapers/FibreChannelSecurity.
Rick Cook has been writing about mass storage since the days when the term meant an 80K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last twenty years he has been a freelance writer specializing in storage and other computer issues.
This was first published in May 2002