SAN Security : brocade 48000 director

Status
Not open for further replies.

konairon (Technical User), Jun 23, 2005
Hello,
I'm a relative newbie with SAN "technology".
As I work for the Security Team, I have to give some security advice to our Storage team.
I know that this topic can be very large.
But I would first like to concentrate on the switch (Brocade 48000).
My storage team tells me that using "zoning" to isolate our customers is enough.
If that were really the case in terms of security, why do suppliers offer solutions like VSAN, LSAN, NPIV, Secure Fabric OS, ...
all with the same slogan: each improves security?
So if native "zoning" were so secure, why all these add-ons?

Does anyone have a background in hardening switches (preferably Brocade)?

Thanks in advance for all tips and advice.
 
VSAN, NPIV, this is not really security related; this is virtualisation for having more flexibility. Hardware or software zoning is more than sufficient (software zoning is a slightly higher security risk, as this is mac address, or in case of FICON WWPN based, so this can be spoofed).

The extra security features come in handy once you are sending highly sensitive data over the cable, or if you have a rather large SAN that is spread over different sites.

Secure Fab OS: you wouldn't want people hacking your director and having their way with it now, would you :)

rgds,

R.
 
Hi,
"Hardware or software zoning is more than sufficient ..."
Did you read the book by Himanshu Dwivedi (Securing Storage - A Practical Guide to SAN and NAS Security)?

Before I read it, I couldn't imagine what could be possible.
(I do not say easily feasible, just that it exists.)
It was like "security by obscurity" (well known).

It is always the same in terms of security:
What happens when the attack occurs?
And we say:
How was it possible to do it?
And the manufacturer sends a patch, then a new patch, ... (like Microsoft)

Today the FC protocol and SANs are perhaps not very widespread and not of much concern to hackers, but tomorrow?

So outside of the manufacturers' "marketing" speech, it is difficult to find good analysis of the security aspects/design of SAN technology. Or perhaps you could connect me?

Regards
 
Well, no system is 100% secure, but zoning should be sufficient for pretty much everyone's requirements relating to SAN host access control. There are probably ways to get around hardware zoning if you can hack the HBAs and mess about with WWNs or something, but even then you'd need the port info on the fabric to change.

As long as the fabric management consoles are password protected and you limit admin access to the SAN-connected hosts, as well as having proper physical security, you're mitigating pretty much every conceivable way to hack a SAN via a host.
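
As an added example (not part of the original thread, and not Brocade tooling): a zone review that classifies each zone's members as WWN-identified or domain,port-identified, which is the distinction the replies above turn on, and lists members shared between customer zones. The input format, zone names and WWNs are constructed for this example and are not verbatim switch output.

```python
import re
from collections import defaultdict

# Constructed sample: a simplified "zone name: member; member" listing.
# Assumed export format for this example, not verbatim switch output.
SAMPLE_ZONES = """\
custA_db: 1,4; 1,5
custB_app: 10:00:00:00:c9:2b:c7:a0; 50:06:01:60:10:60:08:22
custC_mixed: 2,7; 10:00:00:00:c9:3a:11:0f
custD_bad: 1,4; host-alias-7
"""

WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$", re.I)  # 8-byte WWN
PORT_RE = re.compile(r"^\d+,\d+$")  # switch domain ID, port number

def parse_zones(text):
    """Parse 'name: m1; m2' lines into {zone_name: [members]}."""
    zones = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first colon only; WWN members contain colons too.
        name, _, members = line.partition(":")
        zones[name.strip()] = [m.strip() for m in members.split(";") if m.strip()]
    return zones

def classify_member(member):
    """Return 'wwn', 'port' or 'unknown' for one zone member string."""
    if WWN_RE.match(member):
        return "wwn"
    return "port" if PORT_RE.match(member) else "unknown"

def audit_zones(zones):
    """Label each zone by how its members are identified."""
    findings = {}
    for name, members in zones.items():
        kinds = {classify_member(m) for m in members}
        if not kinds:
            findings[name] = "empty"
        elif "unknown" in kinds:
            findings[name] = "unrecognised member"
        else:
            findings[name] = "mixed" if len(kinds) > 1 else kinds.pop() + "-based"
    return findings

def shared_members(zones):
    """Members present in more than one zone, i.e. a path between zones."""
    seen = defaultdict(set)
    for name, members in zones.items():
        for m in members:
            seen[m.lower()].add(name)
    return {m: sorted(z) for m, z in seen.items() if len(z) > 1}
```

Zones reported as wwn-based or mixed are the ones whose isolation rests on an identifier the host presents, so they are the first candidates for the review the original question asks about.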
 