We are all smart IT guys when we stop and think. Unfortunately, pressing implementation schedules, disruptive events and the day-to-day load put us in a tough environment. Here is a real scenario of how a SAN can compromise the security policies of a well-organized IT organization.
We are running out of space. We need a new SAN.
- We are getting a new SAN. Do we want iSCSI or Fibre Channel? (I could write an essay on which should be selected, in which cases, and what the pros and cons are. But that will be another article.)
- OK, the bosses want iSCSI. Great. We are going 10Gbps!!!
- Our great new SAN uses multiple uplinks from each controller; we can push up to 40Gbps to the switches. We are kings of technology!
- Let’s move all our production services to our new SAN.
- Building RAID groups, carving LUNs.
- Adding great iSCSI NICs with iSCSI offload to the servers, connecting them to the storage network.
- Exposing LUNs to the servers, checking performance, moving data.
- Tuning iSCSI settings, enabling jumbo frames, flow control, etc. (I could write another essay.)
- We are done.
Then one smart guy says: listen, we have four security layers, all separated by firewalls, and servers from all of those networks are connected to the same iSCSI network with IP traffic enabled. So traffic can go around the firewalls through our great iSCSI NICs.
Is it childish? Yes! But it is reality. Great heads just didn’t map everything out.
What could be a solution? You could use VLANs, but then we lose our redundant, load-balanced uplinks, since some of the physical controller NICs would have to be dedicated to particular VLANs. There could be a policy requiring servers to unbind every service other than the iSCSI initiator from the iSCSI NICs… not really a technically sound solution…
It could be simple… just configure a different IP segment on the iSCSI network for each of the DMZ/App/Prod security segments. They are not routed… so they cannot talk to each other…
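As an added check that is not part of the original post, the script below audits a constructed server inventory for the situation described here: hosts in different security zones whose iSCSI NICs sit on the same storage subnet are flagged as a direct path around the firewalls, and hosts that differ only by subnet but share a storage VLAN are flagged as a weaker finding, because subnet separation on a shared segment is a convention the hosts follow rather than a boundary the network enforces. All host names, zones, VLAN ids and addresses are constructed.

```python
"""Audit a storage-network inventory for cross-zone reachability.

Constructed example, not from the original post. Each server has a
security zone, the VLAN its iSCSI NIC is attached to, and the address
that NIC carries. Two servers in different zones on the same storage
subnet can exchange IP traffic over the iSCSI NICs without passing a
firewall (critical). Two servers in different zones on the same storage
VLAN but different subnets are reported as a warning: nothing in the
network enforces that separation.
"""
from ipaddress import ip_interface
from itertools import combinations

# Constructed inventory: (host, zone, storage VLAN id, iSCSI NIC address/prefix)
INVENTORY = [
    ("dmz-web01", "DMZ", 100, "10.10.0.11/24"),
    ("dmz-web02", "DMZ", 100, "10.10.0.12/24"),
    ("app-srv01", "App", 100, "10.10.0.21/24"),   # same subnet as the DMZ hosts
    ("db-prod01", "Prod", 100, "10.10.1.31/24"),  # own subnet, but same VLAN
    ("db-prod02", "Prod", 200, "10.10.2.32/24"),  # own subnet and own VLAN
]


def audit(inventory):
    """Return (critical, warning): lists of cross-zone host pairs."""
    critical, warning = [], []
    for a, b in combinations(inventory, 2):
        host_a, zone_a, vlan_a, addr_a = a
        host_b, zone_b, vlan_b, addr_b = b
        if zone_a == zone_b:
            continue  # same zone: the firewalls never applied anyway
        net_a = ip_interface(addr_a).network
        net_b = ip_interface(addr_b).network
        pair = (host_a, host_b)
        if net_a.overlaps(net_b):
            critical.append(pair)  # direct IP reachability across zones
        elif vlan_a == vlan_b:
            warning.append(pair)   # same L2 segment, separated by subnet only
    return critical, warning


if __name__ == "__main__":
    crit, warn = audit(INVENTORY)
    for h1, h2 in crit:
        print(f"CRITICAL: {h1} and {h2} share a storage subnet across zones")
    for h1, h2 in warn:
        print(f"WARNING: {h1} and {h2} share a storage VLAN across zones")
```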
Any criticism of our technological solution? Anything besides the disorganization at the beginning of the project?
PS
I was reading an article here where someone suggested using an IPS in SAN networks. Can anyone imagine that?
https://plus.google.com/110129436995403815160/about
http://www.linkedin.com/in/michaelpetrov