
SECURING FIBRE CHANNEL FABRICS - Brocade

FC-Specific Security

To prevent this from happening, default zones were created to ensure that all devices in a fabric cannot see each other during a configuration change. The default zone mode governs devices that are not members of any zone in the effective configuration, which, while a configuration change leaves no configuration in effect, is every device in the fabric. The factory setting is ALLACCESS, under which such devices can see each other. The default zone can be set to NOACCESS mode, which prevents devices from seeing each other, using the defzone --noaccess command; the change is committed with cfgsave.

Virtual Fabrics and Administrative Domains

Organizations can also employ Brocade Administrative Domains (AD), introduced in FOS 5.2.0, so that administrators have access only to the groups of SAN ports, WWNs, and switches required by their job function. Organizations can use ADs together with RBAC to limit an administrator to only the areas of the SAN, and the amount of control, required to perform their duties. Providing full administrative authority and a complete view of the SAN to administrators who do not need that level of access exposes the organization to accidental or malicious damage, which can result in downtime or data loss. Brocade switches support up to 256 ADs.

The Virtual Fabrics (VF) feature was introduced in FOS 6.2. VF provides two capabilities: Logical Switches and Logical Fabrics. A physical switch can be partitioned into multiple Logical Switches that are managed, and behave, like a physical switch. Each Logical Switch is associated with a Logical Fabric. A Logical Fabric is a fabric that contains at least one Logical Switch. Logical Fabrics can include physical switches, support single-fabric and shared multi-fabric ISL connections, and IFL connections for FC-FC routing to edge fabrics. VF provides full data, control, and management isolation.

Traffic Isolation Zones

Traffic isolation zones were introduced in FOS 6.0.0 to address the problem of shared bandwidth between devices over the same ISL. This problem was particularly apparent when different I/O-intensive applications competed for available bandwidth over a dark fiber connection between sites.

For example, data replication between two sites could be competing with a backup application for bandwidth over a pair of dark fibers between the primary site and the DR site. The data replication application can be configured in synchronous mode, in which case its performance is directly tied to the performance of the production environment. The backup environment is less critical, since it does not have a direct effect on the production environment.

In this case, it would be preferable to give the data replication traffic priority over the backup traffic, or at least to isolate the two applications from each other by assigning all of the backup traffic to one ISL and the data replication traffic to a different ISL. This was not possible,

Securing Fibre Channel Fabrics 147
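The default-zone behaviour described at the start of this section, as an added example that is not Brocade code and not part of the original page: a small model of FOS zoning visibility. It encodes two rules, that two devices can talk only if they share a zone in the effective configuration, and that devices in no zone fall into the default zone, whose mode decides whether they can see each other. The WWNs, zone name and configuration are constructed sample data; the function names are this example's own. It lets you compute what an ALLACCESS default zone exposes both with a configuration enabled and during a configuration change, when nothing is in effect.

```python
"""Model of Fibre Channel zoning visibility, including the default zone.

Added example, not Brocade code. Rule 1: members of a zone in the effective
configuration can reach each other. Rule 2: devices that are in no zone fall
into the default zone; in ALLACCESS mode they can all see each other, in
NOACCESS mode they see nothing. All fabric data below is constructed.
"""
from itertools import combinations

ALLACCESS = "allaccess"   # FOS factory setting: unzoned devices see each other
NOACCESS = "noaccess"     # hardened setting: unzoned devices are isolated

# Constructed sample fabric: four attached devices identified by port WWN.
HOST1 = "10:00:00:00:c9:aa:aa:01"
HOST2 = "10:00:00:00:c9:aa:aa:02"
STORAGE1 = "50:06:01:60:bb:bb:bb:01"
TAPE1 = "50:01:10:a0:cc:cc:cc:01"
DEVICES = {HOST1, HOST2, STORAGE1, TAPE1}

# Constructed effective configuration: only host1 is zoned to storage1.
EFFECTIVE_CFG = {"host1_storage1": {HOST1, STORAGE1}}


def visible_pairs(effective_cfg, devices, defzone_mode):
    """Return the set of unordered device pairs (frozensets) that can see each other.

    effective_cfg: {zone_name: set_of_wwns}; pass {} when no configuration
                   is in effect, e.g. while a configuration change is under way.
    devices:       WWNs attached to the fabric.
    defzone_mode:  ALLACCESS or NOACCESS.
    """
    if defzone_mode not in (ALLACCESS, NOACCESS):
        raise ValueError(f"unknown default zone mode: {defzone_mode}")

    pairs = set()
    zoned = set()
    for members in effective_cfg.values():
        zoned |= members
        # Rule 1: every member of a zone can reach every other member of it.
        for a, b in combinations(sorted(members), 2):
            pairs.add(frozenset((a, b)))

    # Rule 2: devices in no zone land in the default zone.
    unzoned = devices - zoned
    if defzone_mode == ALLACCESS:
        for a, b in combinations(sorted(unzoned), 2):
            pairs.add(frozenset((a, b)))
    # With NOACCESS the default zone grants nothing, so nothing is added.
    return pairs


def default_zone_exposure(effective_cfg, devices):
    """Pairs that are visible only because the default zone is ALLACCESS.

    This is the set an auditor cares about: connectivity that no zone grants,
    and that disappears once the fabric is switched to NOACCESS.
    """
    return (visible_pairs(effective_cfg, devices, ALLACCESS)
            - visible_pairs(effective_cfg, devices, NOACCESS))


if __name__ == "__main__":
    # Normal operation with the sample configuration enabled.
    print("exposure, config enabled:",
          sorted(sorted(p) for p in default_zone_exposure(EFFECTIVE_CFG, DEVICES)))
    # During a configuration change the effective configuration is empty.
    print("exposure, no effective config:",
          sorted(sorted(p) for p in default_zone_exposure({}, DEVICES)))
```

With the sample configuration enabled, the only exposure is the unzoned pair host2/tape1; with no configuration in effect, every one of the six device pairs becomes visible under ALLACCESS and none under NOACCESS, which is the window the text describes during a configuration change.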
