White Papers
BP1028 EqualLogic iSCSI for Fibre Channel Professionals 12
7 Security concept comparison
Security in data storage addresses several concerns, including:
• Ensuring that hostile hosts do not gain access to stored sensitive data
• Limiting each host's access to only the storage devices that are designated and allocated to
it (i.e., LUN masking and mapping)
• Physically isolating the SAN. Because Ethernet switches are common to both LAN and iSCSI SAN
connectivity, it is tempting to put everything on the same fabric. However, a SAN that is
physically isolated from the LAN or WAN is inherently more secure. The other aspect of physical
security is simply securing the SAN itself (such as in a data center) so that unauthorized
personnel do not have physical access to it; this is no different for FC or iSCSI SANs.
Beyond the basic physical security that is necessary for almost every SAN deployment, there are a few
other features that should be considered. Zoning on an FC switch restricts access to a device by
World Wide Name (WWN) or physical port. While zoning is configured on the switch, some hosts and
storage arrays can also use WWN masking to prevent unauthorized or accidental access to a device.
Ethernet devices likewise carry a Media Access Control (MAC) address that is unique to each
device and is usually burned into an EEPROM. A MAC address is the Ethernet equivalent of the FC WWN
and identifies each network port on a switch, NIC, or array port. However, a MAC address is
not always part of the Access Control List (ACL) in iSCSI environments, and that is true for EqualLogic
PS Series storage as well.
For iSCSI targets and initiators, the iSCSI Qualified Name (IQN) is assigned as a unique value that
identifies each initiator and target. EqualLogic PS Series arrays assign a unique IQN to every volume
and can use these values to limit access to a volume to specific initiators, each of which also has a
unique IQN. The iSCSI protocol also provides for the Challenge-Handshake Authentication
Protocol (CHAP). EqualLogic PS Series arrays support CHAP, and it can be used exclusively or in
conjunction with other ACL methods (such as IQN or IP address filtering) to control access to
volumes.
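The access decision described above, as an added worked example that is not code from the white paper or from Dell: a target-side model of an iSCSI login that checks the initiator's IQN against a volume ACL, checks its source IP against an allowed network list, and then verifies a CHAP response (RFC 1994 / RFC 7143 algorithm 5: MD5 over the one-octet identifier, the secret and the challenge). The target object, the ACL fields, the network ranges and all IQNs and secrets are constructed sample values; the EqualLogic PS Series array implements its own ACLs and this block does not reproduce them.

```python
import hashlib
import hmac
import ipaddress
import os
import re
from dataclasses import dataclass, field

# RFC 3720 IQN shape: iqn.<yyyy-mm>.<reversed domain>[:<optional string>]
IQN_RE = re.compile(
    r"^iqn\.\d{4}-\d{2}"
    r"\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"
    r"(?::.+)?$"
)


def is_valid_iqn(name: str) -> bool:
    """Structural check only; an IQN is a self-asserted string, not an identity proof."""
    return bool(IQN_RE.match(name))


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def new_challenge() -> tuple[int, bytes]:
    """Target side: fresh identifier and challenge for each login attempt."""
    return os.urandom(1)[0], os.urandom(16)


@dataclass
class VolumeAcl:
    """Constructed model of a per-volume ACL (hypothetical; not the array's data model)."""
    target_iqn: str
    allowed_iqns: set[str] = field(default_factory=set)
    allowed_networks: list[ipaddress.IPv4Network] = field(default_factory=list)
    chap_users: dict[str, bytes] = field(default_factory=dict)  # username -> secret


def authorize_login(acl: VolumeAcl, initiator_iqn: str, initiator_ip: str,
                    chap_user: str, chap_id: int, challenge: bytes,
                    response: bytes) -> tuple[bool, str]:
    """Evaluate the three layers the paper names: IQN filter, IP filter, CHAP."""
    if not is_valid_iqn(initiator_iqn):
        return False, "malformed initiator IQN"
    if initiator_iqn not in acl.allowed_iqns:
        return False, "initiator IQN not in volume ACL"
    ip = ipaddress.ip_address(initiator_ip)
    if not any(ip in net for net in acl.allowed_networks):
        return False, "initiator IP not in volume ACL"
    secret = acl.chap_users.get(chap_user)
    if secret is None:
        return False, "unknown CHAP user"
    expected = chap_response(chap_id, secret, challenge)
    # Constant-time comparison so a mismatch leaks no timing information.
    if not hmac.compare_digest(expected, response):
        return False, "CHAP response mismatch"
    return True, "login accepted"


def simulate_login(acl: VolumeAcl, initiator_iqn: str, initiator_ip: str,
                   chap_user: str, initiator_secret: bytes) -> tuple[bool, str]:
    """Both sides of the exchange: target challenges, initiator answers, target verifies."""
    chap_id, challenge = new_challenge()                      # target -> initiator
    response = chap_response(chap_id, initiator_secret, challenge)  # initiator -> target
    return authorize_login(acl, initiator_iqn, initiator_ip, chap_user,
                           chap_id, challenge, response)


# Constructed sample ACL for one volume (all names and secrets are made up).
SAMPLE_ACL = VolumeAcl(
    target_iqn="iqn.2001-05.com.example:storage.vol01",
    allowed_iqns={"iqn.1991-05.com.example:host01"},
    allowed_networks=[ipaddress.IPv4Network("10.10.5.0/24")],
    chap_users={"host01": b"constructed-sample-secret"},
)

if __name__ == "__main__":
    print(simulate_login(SAMPLE_ACL, "iqn.1991-05.com.example:host01",
                         "10.10.5.21", "host01", b"constructed-sample-secret"))
    print(simulate_login(SAMPLE_ACL, "iqn.1991-05.com.example:host01",
                         "10.10.5.21", "host01", b"wrong-secret"))
```

The ordering mirrors the paper's point that the methods are complementary: the IQN and IP filters are cheap to evaluate but are only what the initiator claims to be, so CHAP is the one layer that requires knowledge of a secret before the volume is exposed.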
Ethernet switches are not aware of IQNs or CHAP logins and therefore do not provide any
filtering in the switch hardware as is done with FC zoning. Ethernet does, however, contain a similar
feature in the Virtual Local Area Network (VLAN). Besides isolating certain types of traffic on the
switch, a VLAN can also be used to keep unauthorized or accidental connections to a switch from
reaching the SAN.