SECURING FIBRE CHANNEL FABRICS - Brocade

Chapter 10: Other SAN Security TopicsSecurity concerns with iSCSI are similar to those with TCP/IP in general,since it is based on that protocol suite. There are a few storagespecificsecurity features available with iSCSI to authenticate deviceswhen joining a network, for example.There are other storage-specific security features, such as ACLs, whichcan be used with iSCSI. Additionally, device authentication can beaccomplished using the Kerberos, SRP (Secure Remote Password),CHAP (Challenge-Handshake Authentication Protocol), and SPKM-1/2(Simple Public Key Mechanism) protocols (which are less secure thanDH-CHAP with FC). IPSec is also used with iSCSI, particularly withextended fabrics over public WANs, to maintain data confidentiality byencrypting the data stream.FCoE/DCBFibre Channel over Ethernet (FCoE) has gained a considerable amountof attention in the past few years. The promise of converged Ethernet/FC networks has proved interesting to many organizations and hasbeen the subject of great debate in the industry. The key to exchangingstorage data over an Ethernet protocol requires a more robust, losslessversion of Ethernet, as storage devices do not tolerate droppedframes.Since 2009, the currently accepted lossless Ethernet protocol is DataCenter Bridging (DCB), replacing CEE. Although the concept of convergednetworks seems appealing and appears to promise great costsavings resulting from having only one storage and LAN, deployment ofa converged network has failed to reach critical mass. At this point intime, there is no cost benefit; however, that may change in the future.One area that has seen some FCoE adoption is for server connectivity(top of rack) to consolidate server I/O and reduce cabling.170 Securing Fibre Channel Fabrics