Today's Topics:
1. Query: Role of Firewalls within a SAN environment itself not
just the periphery (brian dorsey)
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 Apr 2011 11:11:56 +0100
From: brian dorsey <briandorsey252@gmail.com>
Subject: [fw-wiz] Query: Role of Firewalls within a SAN environment
itself not just the periphery
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <BANLkTi=_2dUyTs49_U7n58JR2V68BxVdog@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi all,
I am wondering what your viewpoint is with respect to firewalls within a
Storage Area Network (SAN) environment.
I am a SAN novice and I am interested in getting to know this area further.
The literature that I have found since yesterday does not seem to have a major
role for a firewall within the SAN environment itself. I see that some
documentation places a firewall at the edge of the SAN. But what about
firewalls between switches/routers etc within the SAN?
As I understand it, SAN switches like those from Cisco (just reading
documentation on Cisco 9000 series switches) provide IP/port filtering of
packets and can create VLAN-like SANs called VSANs.
The thing is, would it not also be wise to install firewalls either
network-based or locally on end SAN systems to provide defense in depth and
also provide greater filtering granularity if required?
From what I can see, at the switch level only basic filtering can be done.
Has anyone any documentation or diagrams of a typical SAN architecture that
also include (traditional non-switch based) firewalls?
These switches may be managed over telnet and ssh ports etc. And I presume a
firewall in conjunction with a switch's own access controls would provide
additional security in restricting who (administrator IP address) can
communicate with the switch over such ports.
Similarly, there may be a requirement for DPI or stateful inspection of some
packets/communications for whatever reason. A firewall such as Linux
iptables (is what I am familiar with) can provide this level of fine-grained
access control on behalf of the switches where the switches don't appear to
have this level of granularity.
I also notice that the Cisco 9000 series switches only allow a maximum of
250 IP filter rules. I have not read up on other technologies yet, but this
may or may not be the normal limit for filtering at a switch level.
I also notice that the SAN switches seem capable of filtering/firewall at
the layers 3 and 4 of the TCP/IP stack! I always presumed that switches
operated at layer 2 (MAC addresses). So, this is interesting for me to have
learnt.
So basically, I want to discover what your opinions are with respect to the
role of firewalls (be that packet filters, SPI and/or DPI) within the SAN
network itself. [I presume IDS has a role also]
[I know that it is considered best practice that firewalls be placed upfront
in the traditional way: at the gateway/Internet, in between the DMZ and
application servers network and in between the application server tier and
the SAN at the back-end.]
Many thanks,
Brian.
End of firewall-wizards Digest, Vol 57, Issue 1
***********************************************