Tip

SAN approaches to LUN security

 

SAN approaches to LUN security
Rick Cook

In a well-managed SAN, users should be aware only of those files to which they have access. This is usually done in part by masking off the Logical Units (or LUNs) that aren't legitimately available to the user. Masking and maintaining the masks is often referred to as the "LUN Security Problem" and it can be handled in a number of different ways, and all of them are used today to a greater or lesser extent.

The first approach was to handle masking on the host via middleware that grants access to the requesting system. Host management software can provide security beyond the LUN level to the block level as well as centrally managing security. However it adds another layer of software between the requestor and the requested files and it may be subject to a single point of failure.

Another approach is to handle LUN masking at the Host Bus Adapter (HBA) through utilities that use the World-Wide Name (WWN) supplied with each HBA. HBA makers such as

    Requires Free Membership to View

Emulex and JNI offer this feature with their HBAs. The HBA drivers contain a masking utility that the SAN manager can run from a console, which allows editing the WWNs visible to a host down to the set authorized for that host. This works well for small SANS, but requires coordination for networks with a large number of hosts and a lot of LUNs.

For example changing out a faulty HBA means resetting the permissions for the LUNs controlled by that HBA.

A more sophisticated approach is to zone servers and LUNs through a Fibre Channel switch, which allows only certain servers to access certain storage elements. This is popular because it is inherently expandable, can control a large number of servers, and it can provide port-level masking for all the nodes known to the switch. Switch manufacturers like Brocade and Vixel offer this feature.

Yet another approach is storage-controller mapping. Here the controller handling a storage subsystem maps access privileges from the requester to the appropriate LUNs, typically using the WWN of each HBA. Among the vendors offering storage controller mapping is Hitachi Data Systems, which discusses the various approaches to LUN security in a white paper titled "LUN Security Considerations For Storage Area Networks" available at its web site.

Of course LUN security is only part of securing a SAN. By their nature, approaches aimed at securing access to LUNs cannot protect data at a lower level. Thus, LUN security is usually used in conjunction with storage management software that can secure data down to the file or block level.

Another discussion of SAN security, including information on the role of software is at Atto Technology's Web site.


Rick Cook has been writing about mass storage since the days when the term meant an 80K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last twenty years he has been a freelance writer specializing in storage and other computer issues.


This was first published in March 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.