GROUP NO. 11
• Switch-to-Switch Domain
The switches should enforce the security policy in secure switch-to-switch
communications. The security management function initializes switches
with digital certificates and ACLs. Switches exchange these credentials
during mutual authentication, before establishing any communications.
This practice ensures that only authenticated and authorized switches
can join as members of the SAN fabric or a specific fabric zone.
Furthermore, this authentication process prevents an unauthorized switch
from attaching to the fabric through a port.
SAN SECURITY METHODS
• The common methodologies used to provide
security in SAN are
– Zoning
– LUN masking
– Soft Zoning
– Hard Zoning
• Soft Zoning
Soft zoning uses the WWN (World Wide Name) of the nodes connected to
the fabric. WWNs are written in hexadecimal format. A WWN may look like
12:12:23:34:1a:ab:e3:27. This WWN uniquely identifies a device
connected to the SAN. If the WWN of a node is assigned to a particular
zone, then all the ports associated with that node are also in the same zone.
• Hard Zoning
Hard zoning uses port numbers instead of the WWNs used in soft zoning. If a
port number is assigned to a particular zone, the other ports associated with
that port are not placed in that zone along with it. So each and every port has
to be configured, which helps improve security. Though hard zoning is hard to
configure in dynamic environments, it is the one that can improve
security.
LUN MASKING
LUN masking, or address masking, is a method
of assigning a LUN to be accessed exclusively by
a particular host. By using LUN masking it is
possible to assign a single LUN to a single host.
This allocation of a LUN to a host is made by
hiding the rest of the LUNs in the network. LUN
masking doesn't use any special connection; it just
hides the other devices. It is like an unlisted phone
number, which is very hard to guess. In the
figure below, LUN addresses 2, 5 and 8 are blocked
(hidden) and only LUN address 11 is visible to
the host I/O controller.
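The soft zoning, hard zoning and LUN masking decisions described above, modelled together as an added Python example (not part of the original slides). The `Fabric` class, the array WWN, the port numbers and the zone names are constructed for illustration; the host WWN and the LUN numbers 2, 5, 8 and 11 are the ones used on the slides.

```python
import re
WWN_RE = re.compile(r"([0-9a-f]{2}:){7}[0-9a-f]{2}")

def normalize_wwn(text):
    """Lowercase a WWN, drop stray spaces, and check it is 8 colon-separated hex bytes."""
    wwn = re.sub(r"\s+", "", text).lower()
    if not WWN_RE.fullmatch(wwn):
        raise ValueError(f"not a valid WWN: {text!r}")
    return wwn

class Fabric:
    """Constructed model: a device is a (wwn, switch_port) attachment."""
    def __init__(self):
        self.soft_zones = {}  # zone name -> set of member WWNs
        self.hard_zones = {}  # zone name -> set of member switch ports
        self.lun_masks = {}   # (storage WWN, host WWN) -> LUNs left visible

    def add_soft_zone(self, name, wwns):
        self.soft_zones[name] = {normalize_wwn(w) for w in wwns}

    def add_hard_zone(self, name, ports):
        self.hard_zones[name] = set(ports)

    def set_mask(self, storage_wwn, host_wwn, luns):
        self.lun_masks[(normalize_wwn(storage_wwn), normalize_wwn(host_wwn))] = set(luns)

    def soft_zoned(self, a, b):
        """Membership follows the WWN, whatever port the node is plugged into."""
        pair = {normalize_wwn(a[0]), normalize_wwn(b[0])}
        return any(pair <= members for members in self.soft_zones.values())

    def hard_zoned(self, a, b):
        """Membership follows the switch port; each port must be listed explicitly."""
        return any({a[1], b[1]} <= members for members in self.hard_zones.values())

    def visible_luns(self, host, storage, luns, zoned):
        """Zoning gates the path; the mask then hides every LUN not assigned to the host."""
        if not zoned(host, storage):
            return set()
        key = (normalize_wwn(storage[0]), normalize_wwn(host[0]))
        return set(luns) & self.lun_masks.get(key, set())  # no mask entry: all hidden

# Constructed sample data: array WWN, ports and zone names are made up for the example.
HOST = ("12:12:23:34:1a:ab:e3:27", 4)
ARRAY = ("50:06:01:60:3b:a0:11:22", 9)
fabric = Fabric()
fabric.add_soft_zone("zone_soft", [HOST[0], ARRAY[0]])
fabric.add_hard_zone("zone_hard", [4, 9])
fabric.set_mask(ARRAY[0], HOST[0], [11])
```

Calling `fabric.visible_luns(HOST, ARRAY, [2, 5, 8, 11], fabric.hard_zoned)` returns only LUN 11; re-cabling the same host to a port outside `zone_hard` returns nothing until that port is added, which is the extra configuration work in dynamic environments that the hard zoning slide refers to.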
Binding ports with servers