IPSec for IP storage

The birth of a standard to apply IPSec to IP storage is imminent, but added costs, performance impact and vendor noncompliance could hinder mass adoption.


If putting storage-area networks on IP is logical, which most agree it is, then it only makes sense to use IP Security to protect those SANs, or so says the Internet Engineering Task Force, to the ire of some storage vendors and the consternation of some users.

The IETF's Internet Engineering Steering Group (IESG) is mandating IPSec be used in three IP storage protocols: iSCSI, Fibre Channel over IP and Internet Fibre Channel Protocol. "The vulnerability is one of eavesdropping, and that's why the IESG insisted on the ability to encrypt," says Scott Bradner, a transport area director of the IETF's IP Storage Working Group and a Network World columnist.

Vendors that support the IESG decision include Broadcom, IBM, Microsoft, Nishan Systems, Nortel and Rhapsody Networks. They have created a proposed standard for securing IP block storage protocols. The draft, submitted in February, outlines the requirements for using IPSec with each storage protocol.

But relying on IPSec to solve the IP storage security problem misses the point, says Phil Grasso, founder of Sotera Networks, a start-up developing an IP storage security appliance. While IPSec would secure storage data in transport across an IP network, much as it does for data carried on an IP VPN, it would do nothing to protect data on storage devices. Encryption ciphers such as Triple-DES and Advanced Encryption Standard (AES) are needed for that, he says.

Triple-DES is the best way to secure IP storage because it encrypts data in transit and on storage devices and subsystems, Grasso and executives at fellow storage start-up NeoScale Systems contend. Triple-DES also encrypts today's Fibre Channel data, and it works with IPSec, they note.

But some storage vendors may be resistant to building IPSec into their products when they have no guarantee that it will be used, says John Webster, founder of Data Mobility Group, a storage market research and analysis firm. Per the draft standard, enterprise storage managers get the option of disabling the security mechanism.

Given the contention surrounding IPSec for IP storage, users might end up having to trade interoperability - or at least standards-compliance - for security.

Users might also face higher prices. Vendors have said that IPSec could triple or quadruple the cost of an iSCSI network interface card or TCP off-load engine, Webster says.

Tripling the cost would kill the IP storage opportunity for many users, says a technical services director for a national pension fund in Alexandria, Va. "Implementing a SAN is an expensive venture as it stands now," he says.

Vendors and users also fear that embedding IPSec in storage chips could significantly drop performance levels. "Some 1-GHz and 2-GHz processors finally have enough [million instructions per second] to keep up with software-based IPSec on 100M bit/sec media," says Jesse Walker, a network security architect at Intel and contributor to the proposed IETF IP storage security standard. "The emerging 1G bit/sec media overwhelm existing microprocessors, and higher-rate media will [also]."

But David Black, co-chair of the IETF IP Storage working group, points out that IPSec's impact will depend on the computational resources available in an IP storage network. The results depend on speed (100M vs. 1G), encryption algorithm (Triple-DES vs. AES), and the hardware platform (PowerPC vs. Pentium).

"There's no easy, simple answer," he says.

Vendor: Alacritech
  Product: 1000x1 Server and Storage Accelerator
  IPSec-enabled: Yes
  Other security mechanism: No
  Function: Can be used as a NIC, iSCSI adapter or dual-function card.
  Availability/Pricing: General availability in April for $1000.

Vendor: NeoScale Systems
  Product: "Stateful storage processing"
  IPSec-enabled: No, but will be compatible with it.
  Other security mechanism: Triple-DES
  Function: Will encrypt data in transit and on storage media.
  Availability/Pricing: Fibre Channel product, CryptoStor FC, due out by year-end. IP product to follow. Price unavailable.

Vendor: NetOctave
  Product: NSP4200 Security Processor
  IPSec-enabled: Yes
  Other security mechanism: No
  Function: Will do IPSec processing for storage devices.
  Availability/Pricing: Scheduled to be available in the fourth quarter. Price unavailable.

Vendor: Sotera Networks
  Product: Storage appliance
  IPSec-enabled: No, but will be compatible with it.
  Other security mechanism: Triple-DES
  Function: Will encrypt data in transit and on storage media.
  Availability/Pricing: Shipping data and price unavailable.

Caisse is a freelance writer in Massachusetts. She can be reached at kbcaisse@worldnet.att.net.


Copyright, 1994-2006 Network World, Inc. All rights reserved.