Vendors to tighten Fibre Channel nets


Users of Fibre Channel networks are becoming increasingly concerned about the security of the data on their storage networks and Internet data centers.

In response, start-ups and established storage companies are launching technologies that add security to Fibre Channel and rely on capabilities such as IP Security (IPSec) and Secure Sockets Layer (SSL) authentication to inspect, authenticate, encrypt, accelerate and compress block-level storage-area network (SAN) data to protect it from internal or external intrusion.

Hifn, Trebia Networks and NetOctave are building storage processors that encrypt and compress storage data moving across networks.

Two other companies, NeoScale and Sotera Networks, are making security appliances that use storage processors. NeoScale makes an appliance that is tailored to Fibre Channel networks and inspects block-based storage data, encrypts it with Triple-DES, compresses it and shoots it back out at wire speed. Little is known about Sotera other than that the company makes an encryption and authentication appliance.

The processing overhead of security measures of this type might raise concerns about performance degradation, but vendors say they can counter any such effects through packet acceleration.

Several storage giants, including Cisco and EMC, are working on an authentication protocol with key exchange and digital certificates called FCsec that is built especially for switches used to bridge SANs over IP. Switches containing FCsec are expected to ship later this year.

Each of these companies says it hopes to allay customer concerns about the security of SAN data when it is exposed to IP via bridging, when it abuts the LAN or when it is sheltered in a data center.

"The Fibre Channel standard did not define any security itself," says Arun Taneja, an Enterprise Storage Group analyst.

The reality is there will be as much Fibre Channel outside the data center as within, he says. Because Fibre Channel spans a distance up to 6.2 miles, it is practical to bridge Fibre Channel SANs over IP networks.

While most SAN users have not yet relocated their SANs from physically isolated data centers where they are mostly protected from intrusion, users are starting to consider the threats that can arise when they are exposed to IP networks. They also understand that the security methods vendors have built into Fibre Channel are not enough to prevent intrusions.

In Fibre Channel, data is partitioned among servers and storage by techniques called logical unit number (LUN) masking and zoning. In LUN masking, storage partitions are created and assigned to different servers, and consequently to users, via host bus adapters or disk controllers. Zoning can be implemented in hardware or software and involves assigning storage space to the individual ports of a Fibre Channel switch.

Raymond Young, a senior adviser for Bristol-Myers Squibb in Princeton, N.J., oversees a data center SAN that partitions data in this way. He says that the LUN masking on the EMC Symmetrix hardware he uses is sufficient protection because so few people have the ability to change it. But he says precautions may be required to isolate data from possible internal intrusions.

"Security is a high priority in our data center mainly because we work in a very competitive industry and there are always consultants coming and going to and from our competitors," Young says. In certain circumstances, data needs to be protected from other departments, he says, because "some of [it] is highly proprietary."

Young says that were he to implement site-to-site replication between SANs, encryption would be necessary.

While LUN masking and zoning contribute to the security of SAN data, they have drawbacks, says Tom Clark, technical marketing manager at Nishan Systems. Hardware-based zoning can easily be misconfigured, allowing access to storage; and software-based zoning can be spoofed or sniffed with a protocol analyzer in much the same way as IP can, Clark says.
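The misconfiguration risk Clark describes can be checked for mechanically. The following is an added example, not part of the original article or any vendor's tooling: a small audit over a constructed fabric that combines port-based zoning with LUN masking and flags paths that cross department boundaries. All device names, ports, zone names and department labels are assumptions, as is the rule that a LUN with no mask is visible to every host zoned to its array.

```python
# Constructed sample fabric: every name, port and owner here is illustrative.
PORTS = {  # switch port -> (device, kind, department)
    1: ("hr-db01", "host", "hr"),
    2: ("rnd-app01", "host", "research"),
    3: ("array-A", "storage", None),
}
ZONES = {  # port-based (hardware) zoning: zone name -> member switch ports
    "z_hr": {1, 3},
    "z_rnd": {2, 3},
    "z_backup": {1, 2, 3},  # overly broad zone left in place
}
LUNS = {  # (array, lun) -> (owning department, hosts allowed by the mask)
    ("array-A", 0): ("hr", {"hr-db01"}),
    ("array-A", 1): ("research", {"rnd-app01", "hr-db01"}),  # stale mask entry
    ("array-A", 2): ("research", None),  # None = no mask applied (assumption)
}

def zoned_targets(host):
    """Storage devices sharing at least one zone with the host's port."""
    hport = next(p for p, (dev, _, _) in PORTS.items() if dev == host)
    reach = set().union(*(m for m in ZONES.values() if hport in m))
    return {PORTS[p][0] for p in reach if PORTS[p][1] == "storage"}

def effective_luns(host):
    """LUNs the host can use: zoned to the array AND permitted by the mask."""
    targets = zoned_targets(host)
    return {key for key, (_, allowed) in LUNS.items()
            if key[0] in targets and (allowed is None or host in allowed)}

def audit():
    """Flag LUN access across departments and zones that mix departments."""
    findings = []
    for dev, kind, dept in PORTS.values():
        if kind != "host":
            continue
        for key in sorted(effective_luns(dev)):
            if LUNS[key][0] != dept:
                findings.append(("cross-dept-lun", dev, key))
    for name, members in sorted(ZONES.items()):
        depts = {PORTS[p][2] for p in members if PORTS[p][1] == "host"}
        if len(depts) > 1:
            findings.append(("mixed-zone", name, tuple(sorted(depts))))
    return findings
```

On this sample data the audit reports that the HR host can reach two research LUNs (one through a stale mask entry, one through a missing mask) and that `z_backup` places hosts from both departments in one zone.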

Fibre Channel giant Brocade Communications has created Secure Fabric OS, which runs only on Brocade switches, to refine zoning security.

LUN masking and zoning also don't provide thorough authentication that allows only the correct user access, nor do they encrypt or speed the transfer of data to keep it out of the hands of malicious users.

NeoScale is announcing a 2U-high (3.5-inch) appliance called the CryptoStor, which will provide wire-speed authentication, encryption and access to SAN data. It will use policies set by the administrator to enact rules based on the block of information and the person or group for which it is intended. In a data center, data intended for human resources might need to be isolated from the data of other departments so that employees can't manipulate the data or change the system configuration. NeoScale's CryptoStor is expected to ship later this year.

NetOctave will market IPSec-enabled and SSL Gigabit Ethernet, and OC-48 silicon and VPN gear that can be remanufactured into other vendors' switches.

Hifn and Trebia, a maker of single-chip silicon, will jointly provide silicon-enabled IPSec, Triple-DES encryption and Internet Key Exchange, a form of public/private key exchange.

Contact Senior Editor Deni Connor

Copyright, 1994-2006 Network World, Inc. All rights reserved.