SECURING FIBRE CHANNEL FABRICS - Brocade
Chapter 6: FC Security Best Practices

Another method, discussed in greater detail in "Protecting Management Interfaces" on page 107, is to restrict the privileges granted to a user via role-based access control (RBAC) by assigning specific roles to a user account. A role could be read-only and allow a user to only view information but not modify or delete it. At the other end of the spectrum is a role that grants full admin privileges; other roles are somewhere in between. Typically these roles are customized for specific types of functions such as an operator or a security administrator.

Physical isolation and routing. Separation of duties can also be accomplished through isolation of systems, each managed by a different individual. This method is used frequently in the data center, where a separate SAN is built for each different group or project within an organization. It is often used by outsourcing firms with shared multitenant environments. Many of their customers prefer not to become part of the collective but rather to be physically isolated from any other customer. A separate SAN can be constructed for each customer requiring physical isolation, and a restricted group of administrators can be assigned to manage each environment.

While it's true that creating physically isolated SANs provides the ultimate form of isolation, it is also true that use of storage resources is not as optimized as in a shared environment. A compromise between a fully shared SAN and a fully isolated SAN is a logical SAN (LSAN), which places an FC router between the two SANs. For example, one environment may require its own hosts, applications, disk storage, and FC infrastructure to be managed independently from the shared environment. However, to avoid the additional cost of a tape backup system, an administrator can create an LSAN to enable sharing of the tape backup resources with the isolated SAN. This implementation provides physical isolation but has the advantage of sharing some resources according to strict pre-defined rules.

Note that FC routing can also be implemented to create LSANs using the Integrated Routing (IR) feature on Brocade 8 Gbps switches, available since FOS 6.1.1.

Zoning. When FC SANs first emerged more than a decade ago, there was no real access control mechanism to protect storage used by one host from being accessed by another host. This was not a significant issue at the time, since the original SANs were relatively small. Over time, however, as SANs became larger, more complex, and mission critical to most data centers, this became a risk. To help secure particular devices and data, Brocade invented the concept of "zoning," or
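The shared-versus-isolated SAN scenario above, as an added example that is not code from the book or from Brocade: a small Python model of two edge fabrics joined by an FC router, with an LSAN that shares only the tape library with the isolated fabric, plus an audit that flags any LSAN giving a host a path to cross-fabric storage the administrator has not approved. Device names and WWNs are constructed. The rule that a cross-fabric path exists only when an LSAN zone containing both devices is defined in each edge fabric is a simplification of how the router exports devices, and the LSAN_ name prefix follows the naming convention FOS uses for LSAN zones.

```python
"""Zone-access model for a shared fabric, an isolated fabric and one LSAN.

Added illustration, not Brocade code. WWNs and device names are constructed;
the cross-fabric rule below is a simplified model of FC router behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    wwn: str    # constructed WWN, not a real device
    kind: str   # "host" or "storage"


@dataclass
class Fabric:
    name: str
    devices: dict[str, Device] = field(default_factory=dict)  # wwn -> device attached here
    zones: dict[str, set[str]] = field(default_factory=dict)  # zone name -> member WWNs

    def attach(self, *devs: Device) -> "Fabric":
        for d in devs:
            self.devices[d.wwn] = d
        return self

    def zone(self, name: str, *devs: Device) -> "Fabric":
        self.zones[name] = {d.wwn for d in devs}
        return self


def is_lsan(zone_name: str) -> bool:
    """LSAN zones are identified by the LSAN_ prefix (case-insensitive)."""
    return zone_name.upper().startswith("LSAN_")


def home(fabrics: list[Fabric], wwn: str) -> Fabric:
    """Fabric to which the device with this WWN is physically attached."""
    for f in fabrics:
        if wwn in f.devices:
            return f
    raise KeyError(wwn)


def can_access(fabrics: list[Fabric], a: str, b: str) -> bool:
    """True if device a has a zoned path to device b.

    Same fabric: any zone containing both. Different fabrics: the router only
    creates a path when an LSAN zone containing both WWNs exists in EACH edge
    fabric (simplified rule, assumed for this example)."""
    fa, fb = home(fabrics, a), home(fabrics, b)
    if fa is fb:
        return any(a in m and b in m for m in fa.zones.values())
    return all(
        any(a in m and b in m for name, m in f.zones.items() if is_lsan(name))
        for f in (fa, fb)
    )


def audit_lsans(fabrics: list[Fabric], shared_ok: set[str]) -> list[tuple[str, str]]:
    """Return (host, storage) pairs where a host in one fabric can reach storage
    in another fabric that is not on the approved shared-resource list."""
    devs = [d for f in fabrics for d in f.devices.values()]
    findings = []
    for h in devs:
        for s in devs:
            if h.kind != "host" or s.kind != "storage":
                continue
            if home(fabrics, h.wwn) is home(fabrics, s.wwn) or s.wwn in shared_ok:
                continue
            if can_access(fabrics, h.wwn, s.wwn):
                findings.append((h.name, s.name))
    return findings


# Constructed inventory: host1/disk1/tape1 live in the shared fabric,
# host2/disk2 in the isolated fabric.
DEV = {d.name: d for d in (
    Device("host1", "10:00:00:00:c9:aa:00:01", "host"),
    Device("disk1", "50:06:01:60:aa:00:00:01", "storage"),
    Device("tape1", "50:05:07:63:aa:00:00:01", "storage"),
    Device("host2", "10:00:00:00:c9:bb:00:02", "host"),
    Device("disk2", "50:06:01:60:bb:00:00:02", "storage"),
)}
ALLOWED_SHARED = {DEV["tape1"].wwn}   # the one resource the LSAN may expose


def build_fabrics() -> list[Fabric]:
    """Fresh copy of the two-fabric configuration with the LSAN_backup zone
    defined on both sides, so each call can be modified independently."""
    shared = (Fabric("shared")
              .attach(DEV["host1"], DEV["disk1"], DEV["tape1"])
              .zone("z_host1_disk1", DEV["host1"], DEV["disk1"])
              .zone("z_host1_tape1", DEV["host1"], DEV["tape1"])
              .zone("LSAN_backup", DEV["host2"], DEV["tape1"]))
    isolated = (Fabric("isolated")
                .attach(DEV["host2"], DEV["disk2"])
                .zone("z_host2_disk2", DEV["host2"], DEV["disk2"])
                .zone("LSAN_backup", DEV["host2"], DEV["tape1"]))
    return [shared, isolated]


if __name__ == "__main__":
    fabrics = build_fabrics()
    for src, dst in (("host2", "tape1"), ("host2", "disk1"), ("host1", "disk2")):
        print(f"{src} -> {dst}: {can_access(fabrics, DEV[src].wwn, DEV[dst].wwn)}")
    print("audit findings:", audit_lsans(fabrics, ALLOWED_SHARED))
```

Running the script shows host2 reaching tape1 through the LSAN while disk1 and disk2 stay invisible across the router, and an empty audit; adding an LSAN that pairs host2 with disk1 on both sides is exactly what the audit reports, and defining it on only one side yields no path at all.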