
How much Oracle DBA is to know of SAN, Part 2
Srinivas Maddali

Let us try to understand the SAN and its design for High Availability (HA) solutions, and SAN security.

High Availability is improved:

01. At the host, through the use of multiple HBAs and software that handles failed-HBA and failed-path scenarios. An HBA, or Host Bus Adapter, is the interface card which connects a host to a SAN (Storage Area Network). An HBA could more accurately be referred to as a "Host I/O controller".
02. Within the SAN fabric, by ensuring that there are two or more paths to the storage subsystem devices (logical disks) through the use of more than one fabric switch between any one host and its storage. An example is having two HBAs in a host, each HBA with its fibre cable connected to a different fibre switch.
03. Within the storage subsystem, through the use of several complementary technologies, such as:
    a. Various RAID configurations to protect against disk failures. The storage subsystem can offer ready spare drives to replace failed drives in the RAID configuration and minimize the potential for data loss from another disk failure.
    b. Multiple paths to the disk drives within the storage subsystem.
    c. Redundancy of internal components such as controllers, memory, and power components.

RAID combinations are known to almost all Oracle DBAs, who discuss data striping and other ways and means of distributing I/O, as well as Oracle's SAME technique (Stripe And Mirror Everything). Hence the discussion here shifts to MULTIPLE PATHS. Multipathing in an IP network is achieved through IP Multipathing (IPMP). To achieve the same in a SAN, EMC has introduced PowerPath, which was introduced to the readers in the first part.

POWERPATH

EMC PowerPath is a server-resident software solution that enhances performance and information availability. PowerPath integrates multipath I/O capabilities, automatic load balancing, and path failover functions into one comprehensive package for use on open server platforms connected to Symmetrix enterprise storage systems. PowerPath enables you to do more work in a shorter time, so you can serve more customers, run more applications, and exploit more business opportunities.

Key Benefits:
01. Multiple channels share the I/O workload.
02. Intelligent multipath load balancing ensures that channels are utilized in the most efficient manner possible.
03. Automatic path failover keeps information flowing in the event of a failure.
04. PowerPath helps balance the backup and regular traffic over the disk storage paths, reducing the impact of backups on applications.

PowerPath and Fibre Channel Connections

PowerPath supports Fibre Channel topologies using either Fibre Channel hubs or switches (such as EMC Connectrix, Brocade, Cisco, McDATA, QLogic, Emulex and so forth). Fibre Channel hubs provide high availability in a storage network by ensuring that all viable nodes are unaffected by hardware failures that may occur in other nodes in the loop. Switches provide similar functionality, but also provide dedicated bandwidth for the duration of a transmission between two nodes. PowerPath works within the arbitrated loop and switched fabric topologies to enhance high availability and improve performance.

Here is an example of a PowerPath configuration:

[Figure: PowerPath configuration diagram, not reproduced on this page. Source: EMC Networked Topology Guide. In the figure, "Host" means the server; PowerPath is server-resident software, as stated earlier.]

Additional Info: For more information on PowerPath installation and configuration requirements, refer to the appropriate host-specific version of the PowerPath Installation and Administration Guide (available on Avatar). For more information on the use of ESN Manager, refer to the ESN Manager Product Guide, 300-999-210, available on Powerlink and Avatar.
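The three HA points above (multiple HBAs, more than one fabric switch, redundant storage ports) can be checked against a host's path inventory. The following is an added example, not code from the article or from PowerPath; the path records are constructed and the field layout is an assumption, since a real inventory would come from the host's multipath tool.

```python
"""Audit a host's SAN paths for single points of failure (added example)."""
from collections import defaultdict

# Constructed inventory: one record per host-to-LUN path.
# Fields are assumed: (host, HBA, fabric switch, storage port, LUN).
PATHS = [
    ("dbhost1", "hba0", "switchA", "SP-A0", "lun10"),
    ("dbhost1", "hba1", "switchB", "SP-B0", "lun10"),  # fully redundant
    ("dbhost1", "hba0", "switchA", "SP-A0", "lun11"),
    ("dbhost1", "hba0", "switchA", "SP-A1", "lun11"),  # two paths, one HBA, one switch
    ("dbhost2", "hba0", "switchA", "SP-A0", "lun20"),  # single path
]


def audit_paths(paths):
    """Return {(host, lun): [findings]} for every LUN whose paths share a component."""
    by_lun = defaultdict(list)
    for host, hba, switch, sport, lun in paths:
        by_lun[(host, lun)].append((hba, switch, sport))

    findings = {}
    for key, plist in by_lun.items():
        problems = []
        if len(plist) < 2:
            problems.append("only one path")
        hbas = {p[0] for p in plist}
        switches = {p[1] for p in plist}
        sports = {p[2] for p in plist}
        # Each layer named in the HA list must be duplicated, not just the path count.
        if len(hbas) < 2:
            problems.append("all paths use one HBA")
        if len(switches) < 2:
            problems.append("all paths cross one fabric switch")
        if len(sports) < 2:
            problems.append("all paths end on one storage port")
        if problems:
            findings[key] = problems
    return findings


if __name__ == "__main__":
    for (host, lun), problems in sorted(audit_paths(PATHS).items()):
        print(f"{host} {lun}: {'; '.join(problems)}")
```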

Security and Control of Data Access on a SAN

This is achieved by a combination of the following mechanisms:
01. LUN security
02. Zoning, and
03. Persistent binding

LUN Security

LUN (Logical Unit Number) masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts. LUN masking is implemented primarily at the HBA (Host Bus Adapter) level. LUN masking implemented at this level is vulnerable to any attack that compromises the HBA. Some storage controllers also support LUN masking. LUN masking is important because Windows-based servers attempt to write volume labels to all available LUNs. This can render the LUNs unusable by other operating systems and can result in data loss.

LUN masking is a method of masking multiple LUNs behind a single fabric connection. You can implement this on the RAID device or on the host bus adapter (HBA). This is a single-threaded method of limiting connections to a LUN, which houses a disk slice or network share. The benefit of LUN masking is that you can limit access to disk space on your SAN through a fabric connection between a server and the SAN. This configuration provides tight security, and it scales well in large enterprises with multiple fabric switches and failover switch connections.

Zoning

SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric. SAN zoning may be utilized to implement compartmentalization of data for security purposes. Each device in a SAN may be placed into multiple zones.

Hard and Soft Zoning

Zoning comes in two flavors:
01. Hard, and
02. Soft.

The difference between the two is simple: you configure hard zoning in the hardware, and you configure soft zoning using software. Hard zoning is based on ports and limits traffic between a specific attached host adapter and the array attached to the switch port; it physically blocks access to a zone from any device outside of the zone. Soft zoning uses filtering implemented in Fibre Channel switches to prevent ports from being seen from outside of their assigned zones. The security vulnerability in soft zoning is that the ports are still accessible if a user in another zone correctly guesses the Fibre Channel address.

Port Zoning

Port zoning utilizes physical ports to define security zones. A user's access to data is determined by which physical port he or she is connected to. With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap. Being based on ports, hard zoning limits traffic between a specific attached host adapter and the array attached to the switch port. This method is extremely secure, but it can be administration-intensive if the network requires reconfiguration.

WWN Zoning

WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric. A major advantage of WWN zoning is the ability to re-cable the fabric without having to redo the zone information. WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA. Using soft zoning or World Wide Name (WWN) zoning, each element in the fabric receives a WWN for the purpose of identification. The name server in the switch determines which WWNs it will allow to communicate with each defined zone. Because zones won't change if you reconfigure your network, this provides a more scalable method of zoning. The use of World Wide Names for security purposes is inherently insecure, because the World Wide Name of a device is a user-configurable parameter.

Persistent Binding

The third type of server-level access control is called persistent binding. Persistent binding uses configuration information stored on the server and is implemented through the server's HBA driver. The process binds a server device name to a specific Fibre Channel storage volume or LUN through a specific HBA and storage port WWN.

For persistent binding, each server HBA is explicitly bound to a storage volume or LUN, and access is explicitly authorized (access is blocked by default). Any LUN that is accessed through a port on the storage subsystem and is visible to an HBA can be mapped for use by that host's HBA. Many HBAs allow LUNs to be mapped either automatically or manually. This capability is usually a function of the device driver for the HBA. The main concern in using the automatic mapping capability is that there may be a LUN that, either intentionally or accidentally, is visible to the HBA when it should not be accessible by that HBA. The term persistent binding comes from the fact that once a LUN is mapped (bound) to an HBA, this binding is retained until manually removed.

This process is compatible with Open Systems Interconnection (OSI) standards. Generally, the following are transparently supported:
01. Different operating systems and applications.
02. Different storage volume managers and file systems.
03. Different fabric devices, including disk drives, tape drives, and tape libraries.
04. If the server is rebooted, the server-to-storage connection is automatically re-established.
05. The connection is bound to a storage port WWN. If the fibre-optic cable is disconnected from the storage port, the server-to-storage connection is automatically re-established when the port cable is reconnected. The connection is automatically re-established even if the storage port is cabled through a different fibre switch port.

Access control can also be implemented at the storage device as an addition or enhancement to the RAID controller software. Data access is controlled within the storage device, and server HBA access to each LUN is explicitly limited (access is blocked by default).

Sources:
01. SAN Security
02. http://www.storagewiki.com
03. Tech Republic publications
04. Microsoft SAN Design Documentation
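The three mechanisms described above (zoning, LUN masking, persistent binding) are layered, and each layer must permit an I/O before the next is consulted. The following is an added example that models that decision with a constructed configuration; it is not code from the article or from any switch, array or HBA vendor, and all WWNs, port names and LUN numbers are made-up values. It also includes a defensive consistency check: a known WWN seen on a switch port other than the one recorded for it, which is the situation WWN zoning alone cannot distinguish.

```python
"""Layered SAN access decision and WWN/port consistency check (added example)."""

# Constructed configuration; every identifier below is a made-up value.
HBA1 = "10:00:00:00:c9:aa:aa:01"   # dbhost1's HBA
HBA2 = "10:00:00:00:c9:bb:bb:02"   # a second host's HBA
TGT = "50:06:01:60:ff:ff:00:01"    # storage port WWN

PORT_ZONES = [{"sw1/p1", "sw1/p8"}]       # hard (port) zoning: dbhost1's port and the array port
WWN_ZONES = [{HBA1, TGT}]                 # soft (WWN) zoning
PORT_OF = {HBA1: "sw1/p1", HBA2: "sw1/p2", TGT: "sw1/p8"}  # switch port each WWN is expected on
LUN_MASK = {(TGT, 10): {HBA1}}            # array-side masking: LUN 10 visible to HBA1 only
BINDINGS = {(HBA1, TGT, 10)}              # host-side persistent binding; anything else is denied


def zoned_together(a, b, zones):
    """True if both members appear in at least one common zone."""
    return any(a in z and b in z for z in zones)


def check_access(hba_wwn, hba_port, target_wwn, lun):
    """Return (allowed, reason); the first layer that refuses the I/O is reported."""
    if not zoned_together(hba_port, PORT_OF[target_wwn], PORT_ZONES):
        return False, "hard zoning: switch ports not in a common zone"
    if not zoned_together(hba_wwn, target_wwn, WWN_ZONES):
        return False, "WWN zoning: initiator not zoned with target"
    if hba_wwn not in LUN_MASK.get((target_wwn, lun), set()):
        return False, "LUN masking: HBA not authorized for this LUN"
    if (hba_wwn, target_wwn, lun) not in BINDINGS:
        return False, "persistent binding: no explicit binding (default deny)"
    return True, "allowed by all layers"


def wwn_port_mismatches(observed_logins):
    """Flag (wwn, port) logins where a known WWN appears on an unexpected switch port."""
    return [(w, p) for w, p in observed_logins if PORT_OF.get(w) not in (None, p)]


if __name__ == "__main__":
    print(check_access(HBA1, "sw1/p1", TGT, 10))   # permitted
    print(check_access(HBA2, "sw1/p2", TGT, 10))   # stopped by hard zoning
    print(check_access(HBA1, "sw1/p1", TGT, 11))   # stopped by LUN masking
    print(wwn_port_mismatches([(HBA1, "sw1/p1"), (HBA1, "sw1/p2")]))
```

The fourth call shows why the page recommends combining mechanisms: WWN zoning and LUN masking would both accept HBA1's WWN from port sw1/p2, but hard zoning refuses it and the consistency check reports it.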
