SAN security goes IP

WHENEVER A NEW technology starts to gain strength in the enterprise, it raises a new set of security concerns. And SANs (storage area networks) are no different. Even though SANs were not initially developed to traverse the globe in a distributed architecture, that's the direction CTOs are taking the technology. But for SANs to become more widely deployed and for the technology to continue to expand, SAN vendors must address the security issues germane to their solutions.

Security is a key source of anxiety when it comes to SANs. According to the 2002 InfoWorld Networked Storage Survey, 18 percent of the readers polled have not deployed a SAN due to security concerns. And 56 percent of the respondents who have implemented a SAN or are planning to are concerned about its security.

When SAN technology was introduced, security was routinely ignored. This was partly because the largely unknown Fibre Channel protocol used for communication was not a big target for attackers; but moreover because security simply wasn't a priority. Yet, because SANs are starting to reach across the country -- and even the world -- storing and transferring terabytes of sensitive and confidential data, they will quickly draw the attention of attackers.

Compounding the situation, SAN communications are moving to IP-based networks, making them vulnerable to many of the attacks made on corporate networks, such as spoofing and sniffing.

The basic tenets of security also apply to SANs. (Just because the technology is relatively new, the security principles are not.) First, SAN devices should be physically secured. This was relatively simple to accomplish when SANs existed mainly in well-protected datacenters. But as SANs grow more distributed and their devices sit in branch office closets, physical security is tougher to guarantee.

IP is easier to attack but also easier to monitor. One of the major issues introduced by running SANs over IP networks is the opportunity to sniff network traffic. Although it's possible to sniff a Fibre Channel network, it is much more difficult than sniffing an IP-based network. Therefore, IT managers should use existing technologies such as IPSec to encrypt SAN traffic and prevent unauthorized eavesdropping.

Another critical aspect of SAN security is authorization and authentication, controlling who has access to what within the SAN. Currently, the level of authentication and authorization for SANs is not as detailed and granular as it should be. Most security relies on measures implemented at the application level of the program requesting the data, not at the storage device, which leaves the physical device vulnerable.

One popular way to implement authorization on a SAN is zoning, which is similar to network VLANs (virtual LANs), segmenting networks and controlling which storage devices can be accessed by which servers. With zoning, an IP switch can be configured to say, "Server A can only communicate with Storage Device X."

Although this provides one layer of security, it does not give any granular control over data access. Administrators have no way of knowing whether the data request coming from Server A is legitimate.