Security and Data Access Control with InfoSlice Storage Arrays.

Whitepaper



One of the major concerns of many organizations installing any type of data storage equipment is the security of the data residing on that equipment. With the advent of iSCSI and TCP/IP-based device configuration, array management and monitoring (for example, SNMP), this concern becomes more and more important. The InfoSlice RAID array was designed from the very beginning with data security in mind. As with any data storage array that offers TCP/IP connections, there are two types of security to consider. The first is the security of administrative access to the array; the second is control of client access to the data stored in the array.

Administrative Access Security.

The InfoSlice administrator accesses the configuration interface of the array either over a TCP/IP connection or via a serial port. Administrative access is controlled by a password, which the administrator must keep secret. Unlike many storage devices available today, the InfoSlice ensures that the administrator's password cannot be sniffed on a TCP/IP network. The only two ways to reach the configuration interface of the InfoSlice over TCP/IP are an encrypted HTTPS session using 128-bit encryption or an encrypted SSH login using equally strong encryption. Both are well-established methods for transporting passwords over public networks.

The operating system of the InfoSlice has been thoroughly tested and hardened against hostile attacks. No unnecessary TCP/IP ports are open, and the InfoSlice does not use notoriously vulnerable software components such as sendmail.

The bottom line is that the only real threat to the administrative access security of the InfoSlice is mishandling of the administrator's password.

Data Access Security.

The InfoSlice provides a versatile mechanism for controlling permission to access the data stored in the array.

To allow the capacity of the InfoSlice to be shared by several computers or applications, it should be divided into separate parts, each accessed through a separate Logical Unit Number (LUN). Another TMI document, "Versatility of InfoSlice RAID configurations", explains how the InfoSlice can be configured as a set of RAIDs, independent disks and/or partitions, which we refer to simply as LUNs here. Once the InfoSlice is split into LUNs, access control can be configured for those LUNs, or for the single LUN if the InfoSlice is not divided into parts.

Access control can be configured individually for each computer using the array. The means of identifying and/or authenticating a computer depends on the attachment type it uses to reach InfoSlice data: Fibre Channel, SCSI or iSCSI. For each computer permitted to access data in the InfoSlice, there is a list of LUNs which that computer may access.

After data access control is configured, the procedure for accessing data is as follows. When a computer connects to the InfoSlice, it is identified by one of the means discussed later. Then, if a list of LUNs is configured for that computer, those LUNs are made available to it and access to the devices corresponding to those LUNs is granted. If there is no list of LUNs for the connected computer, none of the device LUNs is shown to it and no data access is granted.
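The lookup just described, written out as an added example (not InfoSlice code): a default-deny table keyed by the identity the array sees, covering the SCSI ID, WWN and IP/hostname identification discussed in the following sections. The attachment-type names, the normalization rules and the sample entries are assumptions constructed for illustration.

```python
"""Added example: default-deny LUN access table keyed by initiator identity."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Initiator:
    """An attached computer as the array sees it: attachment type plus identity."""
    attach: str   # "scsi", "fc" or "iscsi" (names assumed for this example)
    ident: str    # SCSI ID ("5"), WWN ("10:00:00:00:c9:12:34:56"), IP or hostname

def normalize(attach: str, ident: str) -> Initiator:
    """Canonicalise identities so a lookup never misses because of formatting."""
    attach = attach.lower()
    if attach == "scsi":
        sid = int(ident)
        if not 0 <= sid <= 15:           # parallel SCSI IDs are 0..15
            raise ValueError(f"invalid SCSI ID {ident!r}")
        return Initiator(attach, str(sid))
    if attach == "fc":
        hexd = re.sub(r"[^0-9a-fA-F]", "", ident).lower()
        if len(hexd) != 16:              # an FC WWN is 8 bytes = 16 hex digits
            raise ValueError(f"invalid WWN {ident!r}")
        return Initiator(attach, ":".join(hexd[i:i + 2] for i in range(0, 16, 2)))
    if attach == "iscsi":
        return Initiator(attach, ident.strip().lower())
    raise ValueError(f"unknown attachment type {attach!r}")

class AccessTable:
    """Per-initiator LUN lists; an initiator without an entry is shown nothing."""
    def __init__(self):
        self._acl = {}

    def grant(self, attach, ident, luns):
        self._acl[normalize(attach, ident)] = frozenset(luns)

    def visible_luns(self, attach, ident):
        """LUNs the array exposes to this computer; empty list means no data access."""
        return sorted(self._acl.get(normalize(attach, ident), frozenset()))

def build_sample_table() -> AccessTable:
    """Constructed sample configuration (not a real deployment)."""
    t = AccessTable()
    t.grant("scsi", "5", [0, 1])                        # cluster node on the SCSI bus
    t.grant("fc", "10:00:00:00:C9:12:34:56", [2])      # FC host identified by WWN
    t.grant("iscsi", "db01.example.internal", [3, 4])  # iSCSI host by hostname
    return t
```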

Below, we discuss the access control to the InfoSlice data for different types of computer attachments: SCSI, FibreChannel, and iSCSI.


Data Access Control for SCSI-Connected Servers


Historically, SCSI-connected storage arrays have been considered secure for data access, because the typical setup is a storage device directly connected to a single computer by a short SCSI bus. However, up to 15 devices can physically be connected to a SCSI bus, and more than one of them may be a computer. One example of such a setup is a failover cluster of two or more computers, all attached to the same storage array via the SCSI bus. Several computers might also be attached to one SCSI bus to share the capacity of a large storage array. Once more than one server on a bus accesses the storage array, nothing prevents the servers on that bus from reading from and writing to the same block of data on that array. To ensure non-conflicting sharing of the array's storage volume, there must be a means of controlling data access to it.

When a SCSI bus has more than one computer attached, the InfoSlice can identify each computer by its SCSI ID number, as shown in Figure 1.

When access control is configured, a list of accessible LUNs is set in the InfoSlice for each server SCSI ID that is to be granted access.


[Figure 1. Access Control Configuration for the SCSI environment]

Data Access Control for FC-Connected Servers


By itself, FibreChannel has the same security built into it as TCP/IP: none. Without implementing some security measures within FC SAN, computers attached to FC network are able to access any and all devices on the SAN and can inadvertently write to the same physical location on disk causing data corruption and other undesirable effects.

Securing a SAN involves limiting what storage can be accessed by a computer, or even detected. The two most common methods of providing security on a FibreChannel are zoning and LUN masking.

Zoning is a function provided by fabric switches that allows segregation of a node by port, name, or address. The zones are similar to VLANs in data networking in the way they establish a "virtual SAN" within a SAN. Zone members have any-to-any connectivity within the zone and non-members have none. Zones are established by linking either ports on FC fabric (hard zoning) or World Wide Name of FC device (soft zoning).

LUN Masking restricts access even further, to specific logical storage units. For each application server connected to the SAN, LUN masking effectively masks off the LUNs that are not assigned to the application server, allowing only the assigned LUNs to appear to the application server's operating system. The hardware connections to other LUNs still exist, but the LUN masking makes those LUNs invisible.

If your FC SAN has switches and/or SAN management tools that can perform zoning and/or LUN masking, those methods can be used to control data access to the InfoSlice LUNs. However, the InfoSlice itself provides a powerful method of controlling access to the data stored in it.

When connected to an FC SAN, the InfoSlice identifies each computer on the SAN by its World Wide Name (WWN), as shown in Figure 2.

For each WWN, you can configure a list of LUNs this WWN has permission to use.


[Figure 2. Access Control Configuration for the FC SAN environment]

Data Access Control for IP-Connected Servers


When the InfoSlice is connected to an IP network through iSCSI, there are two ways to identify computers. One is to configure the IP addresses or hostnames of the servers permitted to access particular LUNs, as shown in Figure 3.

The other is to configure a list of authenticated user/password pairs. The user authentication mechanism is provided by the iSCSI protocol. To use iSCSI authentication, you must make sure that the server whose users are to be granted access to the InfoSlice has an iSCSI driver that supports iSCSI authentication. When access control is configured for a specific user/password pair, that user can access its corresponding devices from one or several hosts.
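The user/password authentication that iSCSI provides is CHAP (RFC 3720 builds on RFC 1994), a fact not stated on this page. The exchange below is an added example, not InfoSlice code, showing why the configured password itself never crosses the wire and why a response captured from one login is useless for a later one; the user database, names and key names are constructed for illustration.

```python
"""Added example: CHAP login exchange between an iSCSI target and initiator."""
import hashlib
import hmac
import os

# Constructed target-side table: iSCSI user name -> shared secret
USERS = {"db01user": b"correct horse battery staple"}

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), as defined in RFC 1994."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

class ChapTarget:
    """Array side: issues a fresh random challenge per login and verifies."""
    def __init__(self, users):
        self.users = users
        self.chap_id = os.urandom(1)[0]
        self.challenge = os.urandom(16)       # CHAP_C, new for every session

    def login_request(self) -> dict:
        """What the array sends over the wire: id and challenge, never the secret."""
        return {"CHAP_I": self.chap_id, "CHAP_C": self.challenge}

    def verify(self, chap_n: str, chap_r: bytes) -> bool:
        secret = self.users.get(chap_n)
        if secret is None:
            return False                      # unknown user: deny
        expected = chap_response(self.chap_id, secret, self.challenge)
        return hmac.compare_digest(expected, chap_r)   # constant-time compare

class ChapInitiator:
    """Server side: holds the user/password configured in its iSCSI driver."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def login_response(self, req: dict) -> dict:
        return {"CHAP_N": self.name,
                "CHAP_R": chap_response(req["CHAP_I"], self.secret, req["CHAP_C"])}

def run_login(target: ChapTarget, initiator: ChapInitiator) -> bool:
    """One exchange: target challenge -> initiator response -> target verdict."""
    resp = initiator.login_response(target.login_request())
    return target.verify(resp["CHAP_N"], resp["CHAP_R"])

def demo() -> tuple:
    """Returns (correct login accepted, wrong password rejected, replay rejected)."""
    good = run_login(ChapTarget(USERS), ChapInitiator("db01user", USERS["db01user"]))
    bad = run_login(ChapTarget(USERS), ChapInitiator("db01user", b"wrong"))
    captured = ChapInitiator("db01user", USERS["db01user"]).login_response(
        ChapTarget(USERS).login_request())      # response observed in session 1
    replay = ChapTarget(USERS).verify(captured["CHAP_N"], captured["CHAP_R"])
    return good, not bad, not replay
```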


[Figure 3. Access Control Configuration for the iSCSI environment]

Because iSCSI is based on the TCP/IP protocol stack, TCP/IP-based encryption protocols such as SSL or SSH can be used to carry iSCSI packets. The InfoSlice can easily be configured to use such encrypted channels.

Encryption of the data in transit is usually needed when the link between server and storage crosses a publicly accessible network, such as the Internet, or when an organization has special requirements for encrypting data transfers even inside its own LAN.


Technomages Inc., 2003