HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

from starvation of network bandwidth. From a security perspective, the data streams configured with Flex-10 are hardware-separated, eliminating the possibility of cross-channel snooping.
Network
In addition to the management communications and enclosure communications already covered, you can use numerous other aspects of networking security to reduce risk in your environment. For example, though not included as a component in the BladeSystem Matrix product package, HP ProCurve products can contribute improved security to your BladeSystem Matrix deployments. The HP ProCurve Network Access Controller (NAC) 800, as an example, validates the integrity of the systems attached to the network. It also features a built-in firewall and enables both pre-authentication and post-authentication testing of network-attached endpoints. The HP ProCurve data center management solutions provide policy-based automation for networking and server resources. These solutions provide compliance information and maintain policy connection states for both physical and virtual servers.
Storage Area Network
A Storage Area Network (SAN) is a high-speed network of shared storage devices (disks). A SAN is suited to a logical server environment, enabling machines to boot from remote storage devices and enabling system and user data to be stored on the storage devices. As an example, if a boot image is on a local disk, it is physically bound to the server; to support server mobility in a virtualized environment, that data must be copied from the local disk of one server to another. Shared storage enables this mobility by simply pointing the new server hardware to the old server data (the boot image and host data residing on the storage device). While a shared storage network provides a great deal of flexibility, appropriate controls must be in place to ensure the security of the storage devices and the data that resides on them.
Mechanisms have been defined to prevent one server from seeing another server's data on a SAN. Each device on the SAN (a server, a storage array) has a unique identifier known as a World Wide Name (WWN) or World Wide Identifier (WWID). Several access control techniques control the sharing of data, ensuring that only appropriate accesses are allowed. The two most common techniques are Fibre Channel zoning, where network access control mechanisms in a switch ensure that servers only see storage for which they are authorized, and Selective Storage Presentation (SSP), also referred to as LUN masking, which enforces access control inside the storage array controller. Enforcement in the storage array controller eliminates the potential for vulnerabilities due to a compromised server HBA (Host Bus Adapter). SSP only presents volumes to servers that have specifically been granted access; all others are denied access by default. Administrative action is required to define, in the storage array, the list of servers that are permitted access. When a command is received for the volume, this table is consulted to determine whether the server is allowed to access the volume. In the BladeSystem Matrix solution, both of these mechanisms can be used to enforce appropriate data access controls.
The configuration and management of access controls for the Fibre Channel and storage fabric is often handled by the storage administrator. The administrator can use the CommandView EVA software, described below, to define which hosts have permission to access data on the storage arrays. The storage administrator will also use a fabric management tool to create and maintain a set of WWN-based zones to further segregate access between a server and a set of one or more target storage arrays.
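The two enforcement points just described (WWN-based zoning in the switch and SSP / LUN masking in the array, with its default-deny presentation table) can be modelled as a small policy checker. This is an added illustration, not code from HP or from CommandView EVA; all WWNs, zone names and LUN numbers are constructed, and the audit rule at the end is a defender's consistency check that the page implies rather than states.

```python
"""Model of the two SAN access-control layers: Fibre Channel zoning
(enforced in the switch) and Selective Storage Presentation / LUN masking
(enforced in the storage array controller). All identifiers are constructed."""
from dataclasses import dataclass, field

# Constructed WWNs (hypothetical, not taken from any real fabric).
HOST_A = "50:01:43:80:00:00:00:01"
HOST_B = "50:01:43:80:00:00:00:02"
HOST_C = "50:01:43:80:00:00:00:03"   # never zoned to the array
ARRAY = "50:00:1f:e1:50:0a:0b:0c"    # storage array target port

@dataclass
class Fabric:
    """WWN-based zones: an initiator may talk to a target only if some zone
    contains both WWNs."""
    zones: dict = field(default_factory=dict)   # zone name -> set of WWNs

    def zoned(self, initiator: str, target: str) -> bool:
        return any(initiator in z and target in z for z in self.zones.values())

@dataclass
class StorageArray:
    """SSP / LUN masking: per-volume list of host WWNs permitted access.
    A volume with no list, or a WWN not on it, is denied (default deny)."""
    wwn: str
    presentation: dict = field(default_factory=dict)   # lun -> set of host WWNs

    def presented(self, initiator: str, lun: int) -> bool:
        return initiator in self.presentation.get(lun, set())

def can_access(fabric: Fabric, array: StorageArray, initiator: str, lun: int) -> bool:
    """Both layers must allow: the switch zone and the array's presentation table."""
    return fabric.zoned(initiator, array.wwn) and array.presented(initiator, lun)

def audit(fabric: Fabric, array: StorageArray) -> list:
    """Flag LUNs presented to hosts the fabric never zones to the array. Such
    entries grant nothing today but become live access if a zone is later
    widened, so they should be removed from the presentation table."""
    findings = []
    for lun, hosts in array.presentation.items():
        for host in sorted(hosts):
            if not fabric.zoned(host, array.wwn):
                findings.append((lun, host))
    return findings

# Constructed configuration: one single-initiator zone per host, SSP per LUN.
FABRIC = Fabric({"z_hostA_array": {HOST_A, ARRAY}, "z_hostB_array": {HOST_B, ARRAY}})
EVA = StorageArray(ARRAY, {1: {HOST_A}, 2: {HOST_B, HOST_C}, 3: set()})
```

Running `audit(FABRIC, EVA)` on the constructed configuration reports LUN 2 presented to HOST_C, which no zone connects to the array.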
Virtual Connect makes use of NPIV (N_Port ID Virtualization) to enable multiple initiator HBA ports to share the same fabric port (for example, an F_Port). More specifically, each Virtual Connect enclosure is capable of supporting multiple HBA initiator ports accessing data on storage arrays through a shared uplink between the enclosure's VC-FC module and the data center Fibre Channel fabric.
Building upon this basic capability, better resource utilization can be achieved in a virtualized Fibre
Channel environment by assigning unique WWNs to a virtual server that is being hosted on a virtual