Several industry giants are looking to standardize and strengthen the security of IP storage networks with a proposal whose implementation, experts say, may ultimately be expensive and unnecessary.
EMC, IBM, Cisco, Microsoft and others last month submitted a draft to the Internet Engineering Task Force (IETF) defining how they think IP Security (IPSec) should be implemented in storage devices - as single-chip ASICs, in software, or by deploying a VPN device in front of storage facilities.
The issue has become paramount now that IP - with the advent of Internet SCSI (iSCSI) and other IP storage technologies - is being used more often to transport storage information.
The group's action was spurred by a decree from the IETF's Internet Engineering Steering Group (IESG) last fall that requires storage devices to have IPSec authentication and encryption capability to be considered standards-compliant. Similar requirements cover other network gear.
"The IESG requires that security be part of any protocol implementation that wants to claim conformance to newly approved [requests for comment]," says David Black, senior technologist at EMC and chair of the IETF's IP Storage Working Group.
Vendors interpreted that ruling to mean they must implement IPSec "in any IP storage device, gateway, host bus adapter or software driver, but it's up to the customer to turn it on if needed," says Cisco's Mark Bakke, who is a co-author of the group's draft specification. In fact, most vendors indicate they implement IPSec as an optional feature in their equipment.
IPSec is a security technology for implementing VPNs that authenticates and encrypts IP packets. Now that storage is using IP transport via iSCSI, Fibre Channel over IP and Internet Fibre Channel Protocol (iFCP), the IETF says the same security mechanism that protects IP networks should also protect IP storage. iSCSI defines universal access to storage devices and storage-area networks (SAN) over Ethernet-based TCP/IP networks. Fibre Channel over IP bridges two physically separated Fibre Channel-based SANs over IP, and iFCP is used to link Fibre Channel SANs with iSCSI networks or to bridge Fibre Channel networks over the WAN or metropolitan-area network.
"Security has never been a big deal in storage before because hackers intrude on IP networks, not Fibre Channel," says Nate Rushfin, CTO of Bladeworks, a start-up network gear vendor. "All of a sudden an area that was previously unhackable is now vulnerable, and expensive business-critical data is at risk."
Fibre Channel networks are not as open to attacks because of the fiber-optic media they use and their isolation from the outside network. As each IP storage technology is deployed, the potential for attacks increases. Gartner estimates that attacks on IP networks will increase by a factor of 100 or more by 2004.
Implementing authentication on storage devices is relatively easy, as it is already part of the existing iSCSI specification, says Tom Clark, director of technical marketing for Nishan Systems. However, enabling IPSec encryption is harder, Clark says. Inspecting each packet and decrypting and re-encrypting it slows data transfer on the network and imposes an overhead on users who may not need security or who already have their data protected with encrypted VPNs.
Rushfin, a former IT director for a municipal government, says that rather than implementing IPSec in storage hardware or software, he would prefer to deploy it in a more traditional way. "I'd use a PIX firewall or any Cisco switch, where the packet-switching architecture provides the isolation of customer from customer data," he says. PIX is Cisco's firewall and intrusion-detection software.
"Everyone agrees standardizing on how iSCSI uses IPSec is a good thing, but vendors need to choose for themselves whether adding the cost of IPSec is justified in any given product or installation," says Doug Ingraham, a Cisco marketing manager.
Bob Wheeler, an analyst for the Linley Group, says 1G-bit/sec IPSec ASICs will add as much as $600 to each Gigabit Ethernet or Fibre Channel adapter. Gigabit Ethernet adapters top out at about $200, while Fibre Channel adapters cost as much as $1,000.
Because adding the cost of IPSec ASICs to storage devices may not be realistic, vendors are likely to choose another implementation.