Specifications
© IBM Copyright, 2012 Version: January 26, 2012
www.ibm.com/support/techdocs
Summary of Best Practices for Storage Area Networks
connectivity. The last thing that we want to do with security is to create SAN islands,
as that would destroy the essence of the SAN. True cross-platform data sharing
solutions, as opposed to data partitioning solutions, are also a requirement. Security
and access control also need to be improved to guarantee data integrity.
Encryption is the translation of data into a secret code and is the most effective way
to achieve data security. To read an encrypted file you must have access to a secret
key, password, or passphrase that enables you to decrypt it. Unencrypted data is
called plain text; encrypted data is referred to as cipher text. There are two main
types of encryption: symmetric encryption (uses a single common key) and
asymmetric encryption (also called private-public-key encryption).
However, there is still an issue when talking about public-key crypto-systems: when
you receive someone's public key for the first time, how do you know that this
individual is really who he or she claims to be? If “spoofing” someone's identity is so
easy, how do you knowingly exchange public keys? The answer is to use a digital
certificate. A digital certificate is a digital document issued by a trusted institution that
vouches for the identity and key ownership of an individual; it guarantees
authenticity and integrity.
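The check a certificate makes possible, as an added example that is not part of the original paper: a verifier that trusts one certificate authority accepts a key the authority vouched for and rejects a key an impostor generated for the same host name. It uses Go's standard crypto/x509 package; the host and CA names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds a fresh key pair to cn in a certificate signed by signer; a nil parent self-signs.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // self-signed: the certificate vouches only for itself
		parent, signer, t.KeyUsage = t, priv, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// demo reports whether a CA-issued and a self-made certificate for one host pass a verifier that trusts only the CA.
func demo() (genuine, spoofed bool) {
	const host = "switch01.san.example" // constructed host name
	ca, caKey := issue("ca.san.example", 1, nil, nil)
	good, _ := issue(host, 2, ca, caKey)
	fake, _ := issue(host, 3, nil, nil) // impostor: own key, same claimed name
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(ca)
	_, errGood := good.Verify(opts)
	_, errFake := fake.Verify(opts)
	return errGood == nil, errFake == nil
}

func main() {
	fmt.Println(demo())
}
```

Both certificates carry the same host name; only the signature chain back to the trusted CA distinguishes them.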
On the LAN side of a SAN environment, IP security can be problematic. To address
this concern, a number of protocols have been developed. First, the Simple Network
Management Protocol (SNMP) was extended for security functions to SNMPv3. The
SNMPv3 specifications were approved by the Internet Engineering Steering Group
(IESG) as a full Internet standard in March 2002.
IP security (IPSec) uses cryptographic techniques so that management data
can flow through an encrypted tunnel. Encryption makes sure that only the intended
recipient can make use of it (RFC 2401). IPSec is widely used to implement Virtual
Private Networks (VPN).
Other cryptographic protocols for network management are Secure Shell (SSH) and
Transport Layer Security (TLS, RFC 2246). TLS was formerly known as Secure
Sockets Layer (SSL). They help ensure secure remote login and other network
services over insecure networks.
A common method to build trusted areas in IP networks is the use of firewalls. A
firewall is an agent that screens network traffic and blocks traffic it believes to be
inappropriate or dangerous. You will use a firewall to filter out addresses and
protocols you do not want to pass into your LAN. A firewall will protect the switches