FibreFire/DTP: The SAN Firewall based on TMI Data Transport Processor (DTP) technology.

White paper


Deploying the FibreFire/DTP SAN Firewall.

1. Introduction

Fibre Channel Storage Area Networks provide significant benefits for storage management, speed of data access, data availability and many other aspects of storage. At the same time, complex switched Fibre Channel SAN installations present access control challenges. When two or several FC SANs are joined, an administrator controlling FC switches on one SAN can suddenly affect the other SAN in a number of ways. This may cause security problems, loss of connectivity, simultaneous access to the same blocks of storage by different machines leading to data loss and other undesirable effects.

The FibreFire/DTP SAN Firewall, based on Data Transport Processor (DTP) technology, is a perfect tool to control inter-SAN connectivity. Not unlike a TCP/IP router, the FibreFire/DTP can route SCSI commands between two or several independent SANs without merging these SANs into one flat network. Like an advanced TCP/IP router, the FibreFire/DTP also has access control mechanisms. Those mechanisms let SAN administrators manage their respective SANs without worrying that some unknown computer from the other SAN will get access to a storage device which it has no business accessing. This document presents an overview of SAN-to-SAN routing via FibreFire/DTP.

2. Simple Fibre Channel SAN Bridging: some storage devices accessible by all servers

Two or more Fibre Channel networks can be bridged via the FibreFire/DTP in order to give all computers on one network selected access to some of the storage devices attached to the other network.

[Figure: FC Bridging and Firewall, multiple storage interfaces]
Figure 1. FC Interface configuration of DTP for FC Bridging and Firewall setup.

Existing Fibre Channel networks today are predominantly used for transporting SCSI commands and data blocks between servers and storage devices. By the nature of the SCSI protocol, a SCSI device is either an Initiator or a Target. Initiators are usually computers where SCSI commands originate. Targets are SCSI devices which fulfill those commands. Examples of targets are: disks, RAID arrays, tape drives and automatic tape libraries.

A router which routes SCSI commands between Fibre Channel networks in both directions has to act as a Target and as an Initiator on each of those networks. This means that the FibreFire/DTP which routes in both directions between two Fibre Channel networks has to be equipped with four Fibre Channel interfaces: a Target/Initiator pair for each network it is attached to, as shown on Figure 1.

Once the FibreFire/DTP is connected to the Fibre Channel networks, it is ready to be configured for bridging. By default, no devices are bridged. The FibreFire/DTP Graphical User Interface, Webmin, can be used by the SAN Administrator to make storage devices on one SAN visible to the servers on the other SAN as Logical Units (identified by LUNs) of the FibreFire/DTP. This action of making devices visible is called "mapping". The Webmin mapping interface presents all SAN devices, initiators and targets alike, that are visible to the FibreFire/DTP on one screen, where each of the targets can be mapped to the other SAN with a button click. Once mapping is in place, the selected target device becomes visible and accessible, as a FibreFire/DTP LUN, to all computers on the other SAN.

Simple bridging, which utilizes mapping, is useful for coarse access control between SANs. For example, if we have two SANs, as in Figure 2, we can map RAID A from SAN 1 to a LUN on the FibreFire/DTP. This will make RAID A visible to all computers on SAN 0. At this point, RAID B and C will not be accessible by anyone on SAN 0. And, if a new computer is attached to SAN 0, then it will be able to access RAID A right away, but not, of course, RAIDs B and C.

3. Fine-Grained Access Control with the FibreFire/DTP: some storage devices accessible by only some servers

Along with the simple bridging of a target device on one SAN to all of another SAN's initiators, the FibreFire/DTP provides a finer-grained level of access control based on Fibre Channel World Wide Names (WWNs). WWNs are unique Fibre Channel interface identification numbers, very much like Ethernet MAC addresses; in fact, they are often represented in a similar format.

[Figure: FC SAN Access Control Firewall, SAN access rights and identification via ACL]
Figure 2. FC SAN Access Control Firewall.

This finer-grained access control is implemented with Access Control Lists, or ACLs. By using ACLs, a FibreFire/DTP administrator can control which particular servers, identified by their WWNs, can access which SCSI devices across the FibreFire/DTP. For example, for the two Fibre Channel networks shown in Figure 2, one can create an ACL which specifies that RAID B can be accessed only by WWN 00:00:00:00:00:00:00:02. Once this is done, no computer except the Workstation with this WWN will be able to access RAID B. As a matter of fact, all computers on SAN 0 except the Workstation with WWN 00:00:00:00:00:00:00:02 will have no means of finding out that RAID B exists. Any computer, other than the allowed ones, which inquires which LUNs are accessible on the FibreFire/DTP will not receive RAID B as a valid LUN, so RAID B will not be addressable by it.

Finally, the FibreFire/DTP allows the finer-grained access control to be combined with the coarse access control of simple bridging. For example, RAID A can continue to be mapped to, and thus accessible to all servers on, SAN 0, while RAID B is accessible, via an ACL, only to the server with WWN 00:00:00:00:00:00:00:02.
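The two mechanisms described in sections 2 and 3, coarse mapping of a target to a LUN and a per-LUN ACL keyed on initiator WWN, can be modelled in a few lines. The following is an added example written for this page, not the FibreFire/DTP's own code: it reproduces the Figure 2 setup (RAID A mapped to everyone on SAN 0, RAID B only to the workstation's WWN, RAID C not mapped) and shows that an initiator outside the ACL does not even see the LUN in its REPORT LUNS answer. The class, function and LUN numbers are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the Figure 2 setup (not the product's own code): SAN 1
# holds RAID A, B and C; servers on SAN 0 reach them only through the firewall.
ALLOW_ALL = "*"          # marker for a LUN that is simply mapped, with no ACL
_WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")   # 64-bit WWN, 8 bytes


def normalize_wwn(wwn: str) -> str:
    """Canonical WWN in the colon-separated form the paper uses; rejects junk."""
    w = wwn.strip().lower()
    if not _WWN_RE.match(w):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return w


@dataclass
class SanFirewall:
    lun_map: dict = field(default_factory=dict)   # LUN -> mapped target name
    acl: dict = field(default_factory=dict)       # LUN -> allowed WWNs or {ALLOW_ALL}

    def map_target(self, lun: int, target: str, allowed_wwns=None) -> None:
        """Coarse control: map a target to a LUN. Pass WWNs to add the fine-grained ACL."""
        if lun in self.lun_map:
            raise ValueError(f"LUN {lun} already mapped to {self.lun_map[lun]}")
        self.lun_map[lun] = target
        self.acl[lun] = {ALLOW_ALL} if allowed_wwns is None else {normalize_wwn(w) for w in allowed_wwns}

    def report_luns(self, initiator_wwn: str) -> list:
        """What this initiator learns from REPORT LUNS: only LUNs its WWN may use."""
        w = normalize_wwn(initiator_wwn)
        return sorted(lun for lun, allowed in self.acl.items() if ALLOW_ALL in allowed or w in allowed)

    def route(self, initiator_wwn: str, lun: int):
        """Target a command to `lun` is routed to, or None if the LUN is not addressable."""
        if lun not in self.report_luns(initiator_wwn):
            return None
        return self.lun_map[lun]


def figure2_firewall() -> SanFirewall:
    """RAID A mapped to all of SAN 0; RAID B only to the workstation WWN; RAID C unmapped."""
    fw = SanFirewall()
    fw.map_target(0, "RAID A")
    fw.map_target(1, "RAID B", allowed_wwns=["00:00:00:00:00:00:00:02"])
    return fw
```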


Technomages Inc., 2003