
Vendors to tighten Fibre Channel nets



Users of Fibre Channel networks are becoming increasingly concerned about the security of the data on their storage networks and Internet data centers.

In response, start-ups and established storage companies are launching technologies that add security to Fibre Channel and rely on capabilities such as IP Security (IPSec) and Secure Sockets Layer (SSL) authentication to inspect, authenticate, encrypt, accelerate and compress block-level storage-area network (SAN) data to protect it from internal or external intrusion.

Hifn, Trebia Networks and NetOctave are building storage processors that encrypt and compress storage data moving across networks.

Two other companies, NeoScale and Sotera Networks, are making security appliances that use storage processors. NeoScale makes an appliance that is tailored to Fibre Channel networks and inspects block-based storage data, encrypts it with Triple-DES, compresses it and shoots it back out at wire speed. Little is known about Sotera other than that the company makes an encryption and authentication appliance.

The processing overhead of security measures of this type might raise concerns about performance degradation, but vendors say they can counter any such effects through packet acceleration.

Several storage giants, including Cisco and EMC, are working on an authentication protocol with key exchange and digital certificates called FCsec that is built especially for switches used to bridge SANs over IP. Switches containing FCsec are expected to ship later this year.

Each of these companies says it hopes to allay customer concerns about the security of SAN data when it is exposed to IP via bridging, when it abuts the LAN or when it is sheltered in a data center.

"The Fibre Channel standard did not define any security itself," says Arun Taneja, an Enterprise Storage Group analyst.

The reality is there will be as much Fibre Channel outside the data center as within, he says. Because Fibre Channel spans a distance up to 6.2 miles, it is practical to bridge Fibre Channel SANs over IP networks.

While most SAN users have not yet relocated their SANs from physically isolated data centers where they are mostly protected from intrusion, users are starting to consider the threats that can arise when they are exposed to IP networks. They also understand that the security methods vendors have built into Fibre Channel are not enough to prevent intrusions.

In Fibre Channel, data is partitioned among servers and storage by techniques called logical unit number (LUN) masking and zoning. In LUN masking, storage partitions are created and assigned to different servers, and consequently to users, via host bus adapters or disk controllers. Zoning can be implemented in hardware or software and involves assigning storage space to the individual ports of a Fibre Channel switch.

Raymond Young, a senior adviser for Bristol-Myers Squibb in Princeton, N.J., oversees a data center SAN that partitions data in this way. He says that the LUN masking on the EMC Symmetrix hardware he uses is sufficient protection because so few people have the ability to change it. But, he says, precautions may be required to isolate data from possible internal intrusions.

"Security is a high priority in our data center mainly because we work in a very competitive industry and there are always consultants coming and going to and from our competitors," Young says. In certain circumstances, data needs to be protected from other departments, he says, because "some of [it] is highly proprietary."

Young says that were he to implement site-to-site replication between SANs, encryption would be necessary.

While LUN masking and zoning contribute to the security of SAN data, they have drawbacks, says Tom Clark, technical marketing manager at Nishan Systems. Hardware-based zoning can easily be misconfigured, allowing access to storage; and software-based zoning can be spoofed or sniffed with a protocol analyzer in much the same way as IP can, Clark says.

Fibre Channel giant Brocade Communications has created Secure Fabric OS, which runs only on Brocade switches, to refine zoning security.

LUN masking and zoning also don't provide thorough authentication that allows access only to the correct user, nor do they encrypt or speed the transfer of data to keep it out of the hands of malicious users.

NeoScale is announcing a 2U-high (3.5-inch) appliance called the CryptoStor, which will provide wire-speed authentication, encryption and access to SAN data. It will use policies set by the administrator to enact rules based on the block of information and the person or group for which it is intended. In a data center, data intended for human resources might need to be isolated from the data of other departments so that employees can't manipulate the data or change the system configuration. NeoScale's CryptoStor is expected to ship later this year.

NetOctave will market IPSec-enabled and SSL Gigabit Ethernet, and OC-48 silicon and VPN gear that can be remanufactured into other vendors' switches.

Hifn and Trebia, a maker of single-chip silicon, will jointly provide silicon-enabled IPSec, Triple-DES encryption and Internet Key Exchange, a form of public/private key exchange.

Contact Senior Editor Deni Connor


Copyright, 1994-2006 Network World, Inc. All rights reserved.