By Heidi Biggar
With the promise of IP storage comes a new set of security concerns. In an effort to stay one step ahead of the IP adoption curve, storage vendors have already begun taking steps to provide end users with the necessary tools and education to build secure IP storage networks.
Trebia Networks, for example, recently announced it has teamed up with Hifn, a provider of compression, encryption, and secure flow processing (SFP) products for IP networking, to help OEM customers design and implement standards-compliant IP storage networks.
"The challenges in building secure, multi-gigabit Ethernet IP SANs [storage area networks] are enormous," says Bob Conrad, president and CEO of Trebia. Unlike Fibre Channel SANs, whose segregation from user and public networks protects data from outside penetration, IP SANs expose storage traffic to all the risks of IP networking, including hacking.
Figure: Gateways allow users to isolate SAN islands.
The good news is that many of the tools that have been developed to secure IP networks can now be applied to IP storage networks. "The promise of IP storage networking includes the ability to leverage off-the-shelf technology [e.g., firewall products and authentication and encryption technologies] for enhancing data security for SANs," writes Tom Clark in IP SANs: A Guide to iSCSI, iFCP, and FCIP Protocols for Storage Area Networks.
The challenge is making sure that IP networking and storage products interoperate, comply with evolving standards for IP SAN security, and run at Fibre Channel gigabit rates, explains Brendon Howe, Trebia's vice president of marketing. By partnering with Hifn, Trebia believes it can help end users overcome these obstacles.
As a first step, the two companies will collaborate on developing reference designs for securing IP SANs with "gateways" (see figure). These gateways act as a security cop between, but not within, SAN islands.
This type of architecture, which leverages existing storage infrastructures and topologies, allows users to isolate SAN islands while keeping management simple and enabling them to evolve to more dynamic implementations down the road. A dynamic approach allows individual endpoints (e.g., systems, switches, and devices) within the SAN to participate in security, explains Brian Sparks, public relations specialist at Hifn.
Sparks says that the security requirements for IP block storage do not dictate any one approach over another. Support for the various security tools (e.g., confidentiality, data origin authentication, integrity, and peer authentication) can be implemented in a chip, module, system, or network domain (via an external gateway).
The figure illustrates one way of combining existing Trebia storage networking processors and Hifn security processors to create a secure IP SAN.