THINKTANK: How to build a safe and secure SAN


Today's businesses have grown and embraced new technology at top speed as they implement e-business and Internet commerce strategies. But the last 12 months have seen a sharp rise in the recognition of the impact that viruses, hackers and terrorism can have on a company's IT systems. Many companies around the world have had to face the reality that their IT systems are only as secure as the weakest link in the network.

To protect a company's data - including the massive amount of data that e-business and e-commerce applications create - it is essential to develop and deploy security frameworks that guarantee safe, reliable data processing throughout the entire network. Businesses are finding that a storage area network (SAN) is an ideal way to effectively manage the data, while maintaining the same IT budget and head count. Ensuring that this separate network is subject to the same security conditions and monitoring as the rest of the network is imperative.

Generally, a secure and cost-effective SAN framework should be able to manage fibre channel fabric devices in both new and existing SANs, adhere to open industry standards and be highly scalable, fully manageable and extremely resilient. This type of integrated solution eliminates a variety of potential SAN security risks, including unauthorised and/or unauthenticated SAN access, insecure management access, World Wide Name (WWN) spoofing and management controls allowed from different access points.

How do you build a secure SAN?

First, define security requirements by establishing a set of security domains, which define areas that must be protected by the fabric security architecture. There are four main security domains:

- host-to-switch - between host servers and their host bus adapters and the connected switches
- administrator-to-security management - between administrators and management applications
- security management-to-fabric - between management applications and switch fabric
- switch-to-switch - between interconnected switches.

Second, identify and implement an effective security framework. The key components are fabric configuration servers, management access controls, secure management communications, and switch and device connection controls.

Fabric configuration servers enable sensitive administrative operations to be performed only from specified, trusted switches. These designated switches are responsible for managing the configuration and security parameters of all other switches in the fabric.

Fibre channel switches allow some management communications, such as passwords, to be encrypted.

Management access controls provide additional control by restricting access to trusted access points within the network. These restrictions are automatically installed in new switches that join the SAN to help prevent unauthorised users from manually changing fabric settings.
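
As an added illustration (not code from the article or from any vendor), the sketch below audits constructed fabric events against three of the framework components named above: fabric configuration servers, management access controls and device connection controls. The policy layout, event fields, switch names, WWNs and addresses are all assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Hypothetical policy; every WWN, address and port below is constructed.
POLICY = {
    # Fabric configuration servers: only these switches may change fabric config.
    "fcs_switches": {"10:00:00:00:c0:ff:ee:01"},
    # Management access controls: trusted access points for administrators.
    "mgmt_networks": [ip_network("192.0.2.0/28")],
    # Device connection controls: each device WWN is bound to one switch port.
    "device_bindings": {
        "21:00:00:00:de:ad:00:01": ("sw1", 4),
        "21:00:00:00:de:ad:00:02": ("sw2", 7),
    },
}

def check_event(event, policy=POLICY):
    """Return a violation string for one event, or None if it is allowed."""
    kind = event["type"]
    if kind == "config_change":
        if event["origin_wwn"] not in policy["fcs_switches"]:
            return "config change from a switch that is not a fabric configuration server"
    elif kind == "mgmt_login":
        src = ip_address(event["src_ip"])
        if not any(src in net for net in policy["mgmt_networks"]):
            return "management access from an untrusted access point"
    elif kind == "fabric_login":
        bound = policy["device_bindings"].get(event["wwn"])
        if bound is None:
            return "device WWN is not authorised to join the fabric"
        if bound != (event["switch"], event["port"]):
            return "known WWN on an unexpected port (possible WWN spoofing)"
    else:
        return "unknown event type"  # fail closed on anything unrecognised
    return None

def audit(events, policy=POLICY):
    """Return (index, reason) for every event that breaks the policy."""
    checked = ((i, check_event(ev, policy)) for i, ev in enumerate(events))
    return [(i, reason) for i, reason in checked if reason]

SAMPLE_EVENTS = [  # constructed sample input
    {"type": "fabric_login", "wwn": "21:00:00:00:de:ad:00:01", "switch": "sw1", "port": 4},
    {"type": "fabric_login", "wwn": "21:00:00:00:de:ad:00:01", "switch": "sw2", "port": 9},
    {"type": "mgmt_login", "src_ip": "198.51.100.20"},
    {"type": "config_change", "origin_wwn": "10:00:00:00:c0:ff:ee:02"},
    {"type": "config_change", "origin_wwn": "10:00:00:00:c0:ff:ee:01"},
]

print(audit(SAMPLE_EVENTS))
```

A WWN on its own is only a claimed identity, which is why the device check compares the WWN together with the switch and port it appears on.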

Basically, the network is only as secure as its weakest link. Therefore we see SAN security as a key issue that needs to be addressed. But, be warned: there are no shortcuts. All switches in the LAN and SAN must support an organisation's security framework to achieve the highest level of security.

James LaLonde is vice-president Asia-Pacific sales for Brocade Communications Systems.

