12.07.2015 Views

SECURING FIBRE CHANNEL FABRICS - Brocade


7. Deploying SAN-Attached Devices in a DMZ

A DMZ (demilitarized zone) is a part of the network that sits between the internal private network and the external network or Internet. The DMZ also acts as a buffer between the inside and outside networks where applications such as e-mail, FTP, and Web servers exchange information between both networks. This buffer is critical for preventing potential attackers on the outside network, or Internet, from communicating directly with any of the internal systems.

A SAN is a separate network from the LAN, which is used to exchange information between servers and storage devices such as disk arrays and tape devices. SANs are currently implemented in the data center using three protocols: Fibre Channel, iSCSI, and the recent FCoE and DCB protocols. This chapter focuses on the FC protocol since it is by far the most widely deployed.

From a security perspective, there are clearly concerns with connecting servers located in a DMZ, which are accessible from the Internet and whose storage is connected via a SAN. The greatest fear is that a SAN-attached server in a DMZ will be compromised and somehow used as a stepping stone to gain access to the SAN itself. The next question becomes whether securing SAN-attached devices in the DMZ can be done safely or not.

Certainly, there are risks involved in having a SAN in a DMZ, but with proper design and configuration it can be implemented with a high degree of safety. Note that vulnerable SAN components must be properly secured before attempting this. It has been explained previously that security is not always for preventing criminal activities originating from outside the boundaries of the data center. Security measures must be put into place to prevent unauthorized internal breaches and prevent the propagation of human error beyond a fixed scope.
