Portal:Storage

From Wikibon

Revision as of 00:26, 1 October 2009 by Wikibon (Talk | contribs)

The Wikibon Data Storage Portal contains data storage industry research, articles, expert opinion, case studies, and data storage company profiles.


Wikitip

Real life example of security threat with poor storage area network implementation

We are all smart IT guys when we stop and think. Unfortunately, pressing implementation schedules, disruptive events, and day-to-day load put us in a tough environment. Here is a real scenario showing how a SAN can compromise the security policies of a well-organized IT organization.

We are running out of space. Need new SAN.

  1. We are getting a new SAN. Do we want iSCSI or Fiber? (I could write an essay on what should be selected, in which cases, and what the pros and cons are, but that would be another article.)
  2. OK, bosses want iSCSI. Great. We are going 10Gbps!!!
  3. Our great new SAN uses multiple uplinks from each controller, we can push up to 40Gbps to switches. We are kings of technology!
  4. Let’s move all our production services to our new SAN.
  5. Building RAID groups, cutting LUNs.
  6. Adding great iSCSI NICs with iSCSI offload to the servers, connecting to storage network.
  7. Exposing LUNs to servers, checking performance, moving data.
  8. Tuning iSCSI settings, enabling jumbo frames, flow control, etc. (I could write another essay.)
  9. We are done.


Then one smart guy says: listen, we have 4 security layers, all separated by firewalls, and servers from all those networks are connected to the same iSCSI network with IP traffic enabled. So traffic can go around the firewalls through the great iSCSI NICs. Is it childish? Yes! But it is reality. Great heads just didn't map everything out.

What could be a solution? You could use VLANs, but then we lose our redundant, load-balanced uplinks, as some physical controller NICs would have to be dedicated to VLANs. There could be a policy that servers must totally unbind any services from the iSCSI NICs… not really a technologically wise solution…

It could be simple… just configure different IP segments of the iSCSI network for the DMZ/App/Prod segments. Not routable… so they cannot talk to each other…

Any criticism of our technological solution? Something besides the disorganization at the beginning of the project?

PS: I was reading an article here in which someone suggested using IPS in SAN networks. Can anyone imagine that?



https://plus.google.com/110129436995403815160/about
http://www.linkedin.com/in/michaelpetrov
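The tip's proposed fix, a separate non-routable iSCSI segment for each of the DMZ/App/Prod zones, can be checked against a host inventory. The following is an added example, not part of the original Wikitip: the inventory, host names, addresses and the function name `audit_iscsi_segments` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed inventory: (host, firewall zone, iSCSI NIC address/prefix).
INVENTORY = [
    ("web01", "DMZ", "10.50.1.11/24"),
    ("web02", "DMZ", "10.50.1.12/24"),
    ("app01", "App", "10.50.2.21/24"),
    ("db01", "Prod", "10.50.3.31/24"),
    ("db02", "Prod", "10.50.2.32/24"),  # Prod host addressed into the App segment
]


def audit_iscsi_segments(inventory):
    """Report iSCSI subnets that put hosts from different firewall zones together."""
    zones = defaultdict(set)   # subnet -> zones using it
    hosts = defaultdict(list)  # subnet -> hosts using it
    for host, zone, cidr in inventory:
        net = ipaddress.ip_interface(cidr).network
        zones[net].add(zone)
        hosts[net].append(host)

    findings = []
    # Case 1: a single subnet is used by more than one zone, so those hosts
    # can exchange IP traffic over the storage NICs without crossing a firewall.
    for net in zones:
        if len(zones[net]) > 1:
            findings.append(("shared-segment", str(net),
                             sorted(zones[net]), sorted(hosts[net])))
    # Case 2: subnets differ but overlap (e.g. a /16 that contains another
    # zone's /24), so the addressing plan does not actually separate them.
    for a, b in combinations(zones, 2):
        if a.overlaps(b) and zones[a] != zones[b]:
            findings.append(("overlapping-segments", f"{a} and {b}",
                             sorted(zones[a] | zones[b]),
                             sorted(hosts[a] + hosts[b])))
    return findings


if __name__ == "__main__":
    for kind, segment, zone_list, host_list in audit_iscsi_segments(INVENTORY):
        print(f"{kind}: {segment} zones={zone_list} hosts={host_list}")
```

The check covers the addressing plan only; it does not show whether the segments share a switch or broadcast domain.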


Featured Case Study

Virtualization Energizes Cal State University

John Charles is the CIO of California State University, East Bay (CSUEB) and Rich Avila is Director, Server & Network Operations. In late 2007 they were both looking down the barrel of a gun. The total amount of power being used in the data center was 67kVA. The maximum power from the current plant was 75kVA. PG&E had informed them that no more power could be delivered. They would be out of power in less than six months. A new data center was planned, but would not be available for two years.


Featured How-To Note

Storage Virtualization Design and Deployment

A main impediment to storage virtualization is the lack of multiple storage vendor (heterogeneous) support within available virtualization technologies. This inhibits deployment across a data center. The only practical approach is either to implement a single vendor solution across the whole of the data center (practical only for small and some medium size data centers) or to implement virtualization in one or more of the largest storage pools within a data center.

