firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Query: Role of Firewalls within a SAN environment itself
not just the periphery (Fetch, Brandon)
2. Re: Query: Role of Firewalls within a SAN environment itself
not just the periphery (Scott Stursa)
----------------------------------------------------------------------
Message: 1
Date: Wed, 13 Apr 2011 12:43:21 -0500
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] Query: Role of Firewalls within a SAN
environment itself not just the periphery
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<A22AB7AA11C57342918639C100566F244E8F13E17F@TXMAIL.texpac.com>
Content-Type: text/plain; charset="us-ascii"
Brian,
I think you may be missing a single key bit of information in your discussion - fibre channel (FC) layer 2 (L2) is immensely different from Ethernet L2.
Yes, both protocols run IP "on top" (at layer 3) and both run on fiber but to be able to put a firewall and/or filtering device between hosts, FC switches, or disk you're talking a whole different animal.
Not to leave specifics out of a reply to your question but the details would involve a rather lengthy post.
Suffice it to say that involving any sort of filtering on a fiber channel (FC) switch would seriously degrade disk performance and by extension not be usable in a production environment.
Though I'm not familiar with the specific documentation you were reviewing, I'd bet money the filtering they reference is more for the management interface rather than the VSAN interfaces or physical ports themselves: limiting what hosts/networks are allowed to connect/reach the device for management and via which protocols.
The term VSAN is something of a misnomer (used mainly to provide an easily understood parallel to Ethernet) in that it's more of an L2 descriptor. It's used to segment & identify the disk frames as they traverse the switch and to verify whether a specific world-wide-name (WWN - think of it like an Ethernet MAC address) is allowed to speak on a particular VSAN. I'm not sure if anyone's ever reported someone successfully impersonating another's WWN while on a FC switch and successfully reading or writing to disks on the assigned VSAN.
Essentially, where Ethernet hosts (and switches) can "automagically" build their forwarding tables using ARP and rARP requests or broadcasts, an FC switch will have to have these tables built statically by the operator.
This goes more to having absolute confirmation a block was received & written by a device (FC) rather than a system being able to wait for timeouts or errors and possibly re-request the same information (Ethernet).
I hope that helps explain why you can't "firewall" a SAN.
Regards,
Brandon
________________________________
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of brian dorsey
Sent: Tuesday, April 12, 2011 6:12 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Query: Role of Firewalls within a SAN environment itself not just the periphery
Hi all,
I am wondering what your view point is with respect to firewalls within a Storage Area Network (SAN) environment.
I am a SAN novice and I am interested in getting to know this area further.
The literature that I have found since yesterday does not seem to have a major role for a firewall within the SAN environment itself. I see that some documentation places a firewall at the edge of the SAN. But what about firewalls between switches/routers etc. within the SAN?
As I understand it, SAN switches like those from Cisco (just reading documentation on Cisco 9000 series switches) provide IP/port filtering of packets and can create VLAN-like SANs called VSANs.
The thing is, would it not also be wise to install firewalls, either network-based or locally on end SAN systems, to provide defense in depth and also provide greater filtering granularity if required?
From what I can see, at the switch level only basic filtering can be done.
Has anyone any documentation or diagrams of a typical SAN architecture that also include (traditional non-switch based) firewalls?
These switches may be managed over telnet and ssh ports etc. And I presume a firewall in conjunction with a switch's own access controls would provide additional security in restricting who (administrator IP address) can communicate with the switch over such ports.
Similarly, there may be a requirement for DPI or stateful inspection of some packets/communications for whatever reason. A firewall such as Linux iptables (which is what I am familiar with) can provide this level of fine-grained access control on behalf of the switches where the switches don't appear to have this level of granularity.
I also notice that the Cisco 9000 series switches only allow a maximum of 250 IP filter rules. I have not read up on other technologies yet, but this may or may not be the normal limit for filtering at a switch level.
I also notice that the SAN switches seem capable of filtering/firewalling at layers 3 and 4 of the TCP/IP stack! I always presumed that switches operated at layer 2 (MAC addresses). So, this is interesting for me to have learnt.
So basically, I want to discover what your opinions are with respect to the role of firewalls (be that packet filters, SPI and/or DPI) within the SAN network itself. [I presume IDS has a role also.]
[I know that it is considered best practice that firewalls be placed up front in the traditional way: at the gateway/Internet, in between the DMZ and application servers network, and in between the application server tier and the SAN at the back-end.]
many thanks,
Brian.
This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information..
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
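Brandon's reply above boils the fabric-side control down to "is this world-wide name allowed to speak on this VSAN", and leaves WWN impersonation as an open question; Brian presumes IDS has some role. Since FC frames never pass through a host firewall, the practical detective control is to audit what the fabric itself records: the fabric-login (FLOGI) table. The script below is an added example, not code from either poster or from any switch vendor. It parses a constructed table laid out like a "show flogi database" listing (interface, VSAN, FCID, port WWN, node WWN), checks each login against a hypothetical inventory of expected pWWN-to-port bindings, and flags the three things a spoofed or misplugged HBA would produce: a pWWN nobody has inventoried, a pWWN logging in from the wrong port or VSAN, and the same pWWN logged in twice. The column format, the inventory and every WWN in it are assumptions for illustration.

```python
"""Audit a Fibre Channel fabric-login (FLOGI) table for WWN spoofing indicators.

Added example: the table below is constructed to look like a FLOGI listing,
and EXPECTED_BINDINGS is a hypothetical inventory. Neither is real data.
"""
import re
from collections import defaultdict

# Constructed sample. Columns: INTERFACE  VSAN  FCID  PORT NAME (pWWN)  NODE NAME (nWWN)
FLOGI_TABLE = """\
fc1/1    10    0x010001  10:00:00:00:c9:aa:bb:01  20:00:00:00:c9:aa:bb:01
fc1/2    10    0x010002  10:00:00:00:c9:aa:bb:02  20:00:00:00:c9:aa:bb:02
fc1/5    10    0x010005  10:00:00:00:c9:aa:bb:01  20:00:00:00:c9:aa:bb:99
fc1/7    20    0x020007  10:00:00:00:c9:aa:bb:03  20:00:00:00:c9:aa:bb:03
fc1/9    10    0x010009  50:06:01:60:3b:a0:11:22  50:06:01:60:bb:a0:11:22
"""

# Hypothetical inventory: pWWN -> (interface, VSAN) it is allowed to log in from.
EXPECTED_BINDINGS = {
    "10:00:00:00:c9:aa:bb:01": ("fc1/1", 10),
    "10:00:00:00:c9:aa:bb:02": ("fc1/2", 10),
    "10:00:00:00:c9:aa:bb:03": ("fc1/3", 10),
}

# A WWN is 8 bytes written as colon-separated hex pairs.
WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
LINE_RE = re.compile(
    rf"^(?P<iface>fc\d+/\d+)\s+(?P<vsan>\d+)\s+(?P<fcid>0x[0-9a-f]{{6}})\s+"
    rf"(?P<pwwn>{WWN})\s+(?P<nwwn>{WWN})\s*$",
    re.IGNORECASE,
)


def parse_flogi(text):
    """Return one dict per login row; header/separator lines are skipped,
    anything else that does not parse is an error rather than silently dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("INTERFACE") or line.startswith("-"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed FLOGI line: {raw!r}")
        d = m.groupdict()
        entries.append({
            "iface": d["iface"],
            "vsan": int(d["vsan"]),
            "fcid": d["fcid"].lower(),
            "pwwn": d["pwwn"].lower(),
            "nwwn": d["nwwn"].lower(),
        })
    return entries


def audit_flogi(entries, expected):
    """Compare live logins against the inventory. Returns a list of
    (kind, pwwn, detail) tuples; an empty list means the fabric matches."""
    findings = []
    logins = defaultdict(list)  # pwwn -> every (iface, vsan) it is logged in from
    for e in entries:
        logins[e["pwwn"]].append((e["iface"], e["vsan"]))
        binding = expected.get(e["pwwn"])
        if binding is None:
            # Nobody inventoried this HBA: unknown device or a guessed WWN.
            findings.append(("unknown_wwn", e["pwwn"], f"{e['iface']} vsan {e['vsan']}"))
        elif binding != (e["iface"], e["vsan"]):
            # Right identity, wrong place: cabling change or a cloned WWN.
            findings.append(("wwn_moved", e["pwwn"],
                             f"expected {binding[0]} vsan {binding[1]}, "
                             f"seen {e['iface']} vsan {e['vsan']}"))
    for pwwn, where in logins.items():
        if len(where) > 1:
            # The same pWWN logged in twice is the FC analogue of a MAC flap.
            findings.append(("duplicate_wwn", pwwn,
                             ", ".join(f"{i} vsan {v}" for i, v in where)))
    return findings


if __name__ == "__main__":
    for kind, pwwn, detail in audit_flogi(parse_flogi(FLOGI_TABLE), EXPECTED_BINDINGS):
        print(f"{kind:14} {pwwn}  {detail}")
```

Run against the constructed table this reports the cloned pWWN on fc1/5 twice (once as moved, once as duplicated), the host that logged in on the wrong VSAN, and the unknown array port. It is a detective control only: an attacker who clones a zoned pWWN and is plugged into the expected port passes every check here, which is exactly Brandon's open question, so the preventive counterpart is the switch's own binding of a pWWN to a physical port (port security on Cisco MDS) rather than anything a packet filter can do.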
------------------------------
Message: 2
Date: Thu, 14 Apr 2011 14:18:47 -0700
From: Scott Stursa <scott.stursa@imsrecovery.com>
Subject: Re: [fw-wiz] Query: Role of Firewalls within a SAN
environment itself not just the periphery
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<4D18DB6E2001B145B723AAA029914146010444FF2443@ims-e2k7.ad.cusolution.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello Brian -
I would think firewalls within the SAN - positioned between the SAN array and the servers accessing the array - could be a performance bottleneck.
Have you considered making your SAN network out-of-band? That's what I did with ours.
Scott L. Stursa, CISSP, CCNP, MCSA
Network and Security Coordinator
Information Management Solutions
scott.stursa@imsrecovery.com
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 57, Issue 2
***********************************************