DOCSLIB.ORG

Storage Area Network (SAN) Security and Performance

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Storage Area Network (SAN) Security and Performance MASTER THESIS Evaluation of Storage Area Network (SAN) Security and Performance Master Thesis in Computer Network Engineering November 2013 Author: Siavash Hajirostam Supervisor: Tony Larsson Examiner: Tony Larsson __________________________________ School of Information Science, Computer and Electrical Engineering Halmstad University PO Box 823, SE-301 18 HALMSTAD Sweden Evaluation of Storage Area Network (SAN) Security and Performance Siavash Hajirostam © Copyright Siavash Hajirostam, 2013. All rights reserved. Master thesis report IDE 1325 School of Information Science, Computer and Electrical Engineering Halmstad University Preface I would like to express my appreciation to my supervisor, Professor Tony Larsson, for the many useful discussions, comments and suggestions on this thesis and also my thanks go to the staff of Halmstad University for giving me the opportunity to study in the computer network engineering program. Finally, my special thanks to my family for their encouragement and support during my stud ies. Siavash Hajirostam Halmstad, November 2013 i Abstract Due to growing the number of Information Technology (IT) users all around the world, consequently the amount of data that needs to be stored is increasing day by day. Single attached disks and old storage technologies cannot manage the storing these amounts of data. Storage Area Network (SAN) is a distributed storage technology to manage the data from several nodes in centralize place and secure. This thesis investigates how SAN works, the file system and protocols that are used in implementation of SAN. The thesis also investigate about other storages technologies such as Network Attached Storage (NAS) and Direct Attached Storage (DAS) to figure out the advantages and disadvantages of SAN , The main focus of the thesis project is on identifying the security vulnerabilities in SAN such as possible attacks in different SAN protocols. The thesis finally identifies the performance factors in SAN to figure out how to improve the performance with respect to security solutions aimed to enhance the security level in SAN. iii Contents Preface ..................................................................................................................................... i Abstract ................................................................................................................................ iii 1 Introduction .................................................................................................................... 1 1.1 Societal and Ethical Aspects of SAN Technology ...................................................... 1 1.2 Problem ................................................................................................................................. 1 1.3 Thesis Goals .......................................................................................................................... 2 1.4 Thesis Questions ................................................................................................................. 2 1.5 Thesis Methodology ........................................................................................................... 2 1.6 Thesis Structure .................................................................................................................. 2 2 Background ..................................................................................................................... 3 2.1 Storage Area Network (SAN) ........................................................................................... 3 2.1.1 Storage Area Network objectives ........................................................................................ 3 2.1.2 SAN File System .......................................................................................................................... 5 2.2 Storage Area Network protocols ................................................................................... 6 2.2.1 Fibre Channel protocol (FC) .................................................................................................. 6 2.2.2 Fibre Channel Layers ................................................................................................................ 7 2.2.3 Naming Mechanism in FC ....................................................................................................... 9 2.2.4 Internet Small Computer System Interface (iSCSI) ..................................................... 9 2.3 Internet protocol over fibre channel SAN ................................................................11 2.3.1 Fibre Channel over IP (FCIP) ............................................................................................. 12 2.3.2 Internet Fibre Channel Protocol (iFCP) ......................................................................... 12 2.3.3 Internet Storage Name Services (iSNS) ......................................................................... 13 2.4 ATA over Ethernet (AOE) ...............................................................................................13 2.5 Fibre Optic Cables .............................................................................................................13 2.5.1 Host Bus Adapter (HBA) ...................................................................................................... 13 2.6 Network Attached Storages (NAS) ..............................................................................14 2.7 Direct Attached Storage (DAS) .....................................................................................14 3 Storage Area Network security issues ................................................................ 15 3.1 Storage Area Network access control ........................................................................15 3.2 Fibre Channel Storage Area Network attacks .........................................................16 3.2.1 Session hijacking attack ....................................................................................................... 17 3.2.2 Address Weakness attack .................................................................................................... 17 3.2.3 Man-In-The-Middle attack .................................................................................................. 17 3.2.4 Name Server Pollution attack ............................................................................................ 18 3.3 Internet Small Computer System Interface attacks ..............................................18 3.3.1 Man-in-the-middle Attack ................................................................................................... 18 3.3.2 Internet Simple Name Server Domain Hopping ......................................................... 19 3.3.3 Authentication Attack ........................................................................................................... 19 3.4 Fibre Channel security solutions .................................................................................19 3.4.1 Fibre Channel Zoning ............................................................................................................ 20 3.4.2 Logical Unit Number masking ........................................................................................... 21 v 3.4.3 Port Binding .............................................................................................................................. 21 3.5 Internet Small Computer System Interface SAN security solutions ...............21 3.5.1 Challenge Hand Shake protocol ........................................................................................ 22 3.5.2 Remote Authentication Dial In User Services server ............................................... 22 3.5.3 Kerberos V5 protocol ............................................................................................................ 22 3.6 Results comparison ..........................................................................................................23 4 Storage area network performance .................................................................... 24 4.1 Storage Area Network performance aspects ..........................................................24 4.1.1 Storage performance metrics ............................................................................................ 24 4.1.2 Redundant Array of Independent Disks ........................................................................ 25 4.2 Internet Small Computer System Interface SAN performance .........................25 4.2.1 TCP Offload Engine (TOE) ................................................................................................... 26 4.2.2 Back up task performance in iSCSI SAN ........................................................................ 26 4.2.3 Caching in Storage Area Network .................................................................................... 26 4.3 Fibre channel performance .............................................................................................27 4.3.1 Performance comparison of SSL and IP Sec................................................................. 28 4.4 Results comparison ............................................................................................................29 5 Conclusion .................................................................................................................... 31 6 References ...................................................................................................................
Load more

Recommended publications
  • Clustered Data ONTAP® 8.3 SAN Configuration Guide
    Updated for 8.3.1 Clustered Data ONTAP® 8.3 SAN Configuration Guide NetApp, Inc. Telephone: +1 (408) 822-6000 Part number: 215-10114_A0 495 East Java Drive Fax: +1 (408) 822-4501 June 2015 Sunnyvale, CA 94089 Support telephone: +1 (888) 463-8277 U.S. Web: www.netapp.com Feedback: [email protected] Table of Contents | 3 Contents Considerations for iSCSI configurations .................................................... 5 Ways to configure iSCSI SAN hosts with single nodes .............................................. 5 Ways to configure iSCSI SAN hosts with HA pairs ................................................... 7 Benefits of using VLANs in iSCSI configurations ..................................................... 8 Static VLANs .................................................................................................. 8 Dynamic VLANs ............................................................................................. 9 Considerations for FC configurations ...................................................... 10 Ways to configure FC SAN hosts with single nodes ................................................. 10 Ways to configure FC with HA pairs ........................................................................ 12 FC switch configuration best practices ..................................................................... 13 Supported number of FC hop counts ......................................................................... 13 Supported FC ports ...................................................................................................
    [Show full text]
  • What Is the Difference Between San and Nas and How Can I Use Them in My Qlikview Environment?
    WHAT IS THE DIFFERENCE BETWEEN SAN AND NAS AND HOW CAN I USE THEM IN MY QLIKVIEW ENVIRONMENT? QlikView Technical Brief February 2012 qlikview.com This document will highlight some of the conceptual differences between the terms SAN and NAS and describe how they fit into a QlikView Server environment by suggesting some recommended implementations. It will also describe the definition of DAS (Direct-Attached Storage) and how it applies in SAN configurations. Using SAN and NAS in the QlikView Environment | Page 2 Table of Contents Definitions 4 SAN - Storage Area Network 4 Host adapters 4 Typical architecture 5 NAS - Network Attached Storage 7 Typical architecture 7 DAS - Direct-Attached Storage 8 Using SAN/NAS and QlikView Server 8 QlikView Server and Distribution Service cluster inter-communication 8 QlikView Server file storage conformity 9 QlikView file types explained 9 A note on the usage of .shared files 10 Considerations 10 Conclusions 11 Some suggestions 12 QlikView Server Configurations 12 QlikView Server cluster utilizing a virtual Windows based NAS using a SAN 12 QlikView Server cluster utilizing a physical NAS using a SAN 13 Single QlikView Server using a SAN as local storage 14 QlikView Server using a pure Windows based NAS as local storage 14 Using SAN and NAS in the QlikView Environment | Page 3 Definitions It is important to differentiate between the two terms SAN and NAS. Also, the term DAS will be involved to nuance the usage of a SAN. SAN - STORAGE AREA NETWORK A typical definition of a SAN could be; “SANs primarily are used to make storage devices (such as disk arrays, tape libraries, and optical jukeboxes) accessible to servers so that the devices appear as locally attached to the operating system.” (Wikipedia.org) SANs are often used in larger virtualization scenarios or where larger areas of high-speed access storage space is required.
    [Show full text]
  • Fibre Channel Interface
    Fibre Channel Interface Fibre Channel Interface ©2006, Seagate Technology LLC All rights reserved Publication number: 100293070, Rev. A March 2006 Seagate and Seagate Technology are registered trademarks of Seagate Technology LLC. SeaTools, SeaFONE, SeaBOARD, SeaTDD, and the Wave logo are either registered trade- marks or trademarks of Seagate Technology LLC. Other product names are registered trade- marks or trademarks of their owners. Seagate reserves the right to change, without notice, product offerings or specifications. No part of this publication may be reproduced in any form without written permission of Seagate Technol- ogy LLC. Revision status summary sheet Revision Date Writer/Engineer Sheets Affected A 03/08/06 C. Chalupa/J. Coomes All iv Fibre Channel Interface Manual, Rev. A Contents 1.0 Contents . i 2.0 Publication overview . 1 2.1 Acknowledgements . 1 2.2 How to use this manual . 1 2.3 General interface description. 2 3.0 Introduction to Fibre Channel . 3 3.1 General information . 3 3.2 Channels vs. networks . 4 3.3 The advantages of Fibre Channel . 4 4.0 Fibre Channel standards . 5 4.1 General information . 6 4.1.1 Description of Fibre Channel levels . 6 4.1.1.1 FC-0 . .6 4.1.1.2 FC-1 . .6 4.1.1.3 FC-1.5 . .6 4.1.1.4 FC-2 . .6 4.1.1.5 FC-3 . .6 4.1.1.6 FC-4 . .7 4.1.2 Relationship between the levels. 7 4.1.3 Topology standards . 7 4.1.4 FC Implementation Guide (FC-IG) . 7 4.1.5 Applicable Documents .
    [Show full text]
  • FICON Native Implementation and Reference Guide
    Front cover FICON Native Implementation and Reference Guide Architecture, terminology, and topology concepts Planning, implemention, and migration guidance Realistic examples and scenarios Bill White JongHak Kim Manfred Lindenau Ken Trowell ibm.com/redbooks International Technical Support Organization FICON Native Implementation and Reference Guide October 2002 SG24-6266-01 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. Second Edition (October 2002) This edition applies to FICON channel adaptors installed and running in FICON native (FC) mode in the IBM zSeries procressors (at hardware driver level 3G) and the IBM 9672 Generation 5 and Generation 6 processors (at hardware driver level 26). © Copyright International Business Machines Corporation 2001, 2002. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team that wrote this redbook. ix Become a published author . .x Comments welcome. .x Chapter 1. Overview . 1 1.1 How to use this redbook . 2 1.2 Introduction to FICON . 2 1.3 zSeries and S/390 9672 G5/G6 I/O connectivity. 3 1.4 zSeries and S/390 FICON channel benefits . 5 Chapter 2. FICON topology and terminology . 9 2.1 Basic Fibre Channel terminology . 10 2.2 FICON channel topology. 12 2.2.1 Point-to-point configuration . 14 2.2.2 Switched point-to-point configuration . 15 2.2.3 Cascaded FICON Directors configuration. 16 2.3 Access control. 18 2.4 Fibre Channel and FICON terminology.
    [Show full text]
  • Design and Implementation Considerations for Storage Area Networks
    Designing and Implementing a SAN 1 Running head: DESIGNING AND IMPLEMENTING A SAN Considerations for the Design and Implementation of a Storage Area Network (SAN) Al Spraker 15 July 2006 Designing and Implementing a SAN 2 Abstract With the ever-increasing need for businesses and organizations to maintain and manage large amounts of data, storage issues have become a concern and an investment priority. Organizations and business must have a good understanding of the features and characteristics of network storage in order to design and implement a network storage system that addresses their present and future needs. This paper will define and compare the storage area networks (SAN) with network-attached storage (NAS) as well as a historical perspective of directly-attached storage (DAS). Some of the benefits associated with establishing a network storage system will also be identified. This paper will identify some of the general characteristics of SAN architecture and protocols, such as Fibre Channel and iSCSI. Another area addressed will be management software issues and its critical role as part of successful SAN deployment. Not only must data be reliable and available at all times, data must also be kept confidential and protected. While the data is being transmitted over the network, security is also a concern that must be addressed. Designing and Implementing a SAN 3 Considerations for the Design and Implementation of a Storage Area Network (SAN) Today’s enterprises are using more complex, sophisticated, and resource-intensive software that generates massive amounts of data. The demand for businesses to maintain and manage large amounts of data has elevated storage issues to a level of significant priority.
    [Show full text]
  • HP Storageworks Disk Array XP Operating System Configuration Guide
    HP-UX HP StorageWorks Disk Array XP operating system configuration guide XP48 XP128 XP512 XP1024 XP12000 fifth edition (August 2004) part number: A5951-96014 This guide describes the requirements and procedures for connecting the XP family of disk arrays to an HP-UX system and configuring the new disk array for operation with HP-UX. Copyright © 2003-2004, Hewlett-Packard Development Company, L.P. All rights reserved. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information contained in this document is subject to change without notice. HP-UX is a registered trademark of Hewlett-Packard Company. All other product names mentioned herein may be trademarks of their respective companies. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided “as is” without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. Printed in the U.S.A.
    [Show full text]
  • Fibre Channel and Iscsi Configuration Guide for the Data ONTAP® 8.0 Release Family
    Fibre Channel and iSCSI Configuration Guide for the Data ONTAP® 8.0 Release Family NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support telephone: +1 (888) 463-8277 Web: www.netapp.com Feedback: [email protected] Part number: 215-08164_A0 August 2013 Table of Contents | 3 Contents iSCSI configurations .................................................................................... 6 Single-network HA pair in an iSCSI SAN .................................................................. 6 Multi-network HA pair in an iSCSI SAN ................................................................... 7 Direct-attached single-controller configurations in an iSCSI SAN ............................ 8 VLANs for iSCSI configurations ................................................................................ 9 Static VLANs ................................................................................................ 10 Dynamic VLANs ........................................................................................... 10 Fibre Channel configurations .................................................................... 11 FC onboard and expansion port combinations .......................................................... 11 Fibre Channel supported hop count .......................................................................... 12 Fibre Channel supported speeds ................................................................................ 13 Fibre Channel switch
    [Show full text]
  • Connecting the Storage System to the Solaris Host
    Configuration Guide for Solaris™ Host Attachment Hitachi Virtual Storage Platform Hitachi Universal Storage Platform V/VM FASTFIND LINKS Document Organization Product Version Getting Help Contents MK-96RD632-05 Copyright © 2010 Hitachi, Ltd., all rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose without the express written permission of Hitachi, Ltd. (hereinafter referred to as “Hitachi”) and Hitachi Data Systems Corporation (hereinafter referred to as “Hitachi Data Systems”). Hitachi Data Systems reserves the right to make changes to this document at any time without notice and assumes no responsibility for its use. This document contains the most current information available at the time of publication. When new and/or revised information becomes available, this entire document will be updated and distributed to all registered users. All of the features described in this document may not be currently available. Refer to the most recent product announcement or contact your local Hitachi Data Systems sales office for information about feature and product availability. Notice: Hitachi Data Systems products and services can be ordered only under the terms and conditions of the applicable Hitachi Data Systems agreement(s). The use of Hitachi Data Systems products is governed by the terms of your agreement(s) with Hitachi Data Systems. Hitachi is a registered trademark of Hitachi, Ltd. in the United States and other countries. Hitachi Data Systems is a registered trademark and service mark of Hitachi, Ltd.
    [Show full text]
  • Flexarray Virtualization Implementation Guide for Third-Party Storage
    Updated for 8.2.1 FlexArray Virtualization Implementation Guide for Third-Party Storage NetApp, Inc. Telephone: +1 (408) 822-6000 Part number: 215-08542_C0 495 East Java Drive Fax: +1 (408) 822-4501 December 2014 Sunnyvale, CA 94089 Support telephone: +1 (888) 463-8277 U.S. Web: www.netapp.com Feedback: [email protected] Table of Contents | 3 Contents How this guide fits into your implementation planning ........................... 6 Where to find interoperability and limits information for configurations with storage arrays ........................................................ 8 Interoperability information about support for storage arrays .................................... 8 Limits information for configurations with storage arrays ......................................... 9 Use of storage array advanced features ................................................... 10 Data ONTAP systems that can use array LUNs on storage arrays ....... 11 General configuration guidelines for all storage arrays ......................... 12 Requirement for 8-Gb array port initialization ......................................................... 12 EMC CLARiiON and VNX storage arrays ............................................. 13 Required parameters for EMC CLARiiON and VNX storage arrays with Data ONTAP systems .................................................................................................. 13 General configuration guidelines .............................................................................. 13 How EMC CLARiiON
    [Show full text]
  • Product Manual: Ultrastar DC HC620 (Hs14) SAS OEM
    Hard disk drive specifications Ultrastar® DC HC620 (previously known as Ultrastar Hs14 14TB/15TB) 3.5 inch Serial Attached SCSI hard disk drive Model: HSH721414AL52M0/4 HSH721414AL42M0/4 HSH721415AL52M0/4 HSH721415AL42M0/4 Revision 1.6 31 January 2020 1 Hard Disk Drive Specification Publication Disclaimer Information One MB is equal to one million bytes, one GB is equal to one billion bytes and one TB equals 1,000GB (one trillion bytes) when referring to storage capacity. Accessible capacity will vary from the stated capacity due to formatting and partitioning of the drive, the computer’s operating system, and other factors. The following paragraph does not apply to any jurisdiction where such provisions are inconsistent with local law: THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. There may be improvements or changes in any products or programs described in this publication at any time. It is possible that this publication may contain reference to, or information about, Western Digital products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that Western Digital Corporation intends to announce such Western Digital products, programming, or services in your country. Technical information about this product is available by contacting your local Western Digital product representative or on the Internet at: [email protected].
    [Show full text]
  • Linux Journal | System Administration Special Issue | 2009
    Cfengine VNC Billix Zenoss Thin Clients MySQL Heartbeat ™ SPECIAL SYSTEM ADMINISTRATION ISSUE Since 1994: The Original Magazine of the Linux Community 2009 | Supplement Issue | www.linuxjournal.com MAY THE SOURCE BE WITH YOU Billix: the Sysadmin Toolkit for Your Pocket Authentication with Fedora Directory Server Remote Desktop Administration with OpenSSH or VNC Manage Configuration Files with Cfengine Setting Up a PXE Boot Server Network Monitoring with Zenoss SPECIAL SYSTEM CONTENTS ADMINISTRATION ISSUE 5 SPECIAL_ISSUE.TAR.GZ 26 PXE MAGIC: FLEXIBLE System Administration: Instant NETWORK BOOTING WITH Gratification Edition MENUS Shawn Powers What if you never had to carry around an install or rescue CD 6 CFENGINE FOR again? Set up a PXE boot server ENTERPRISE with menus and put them all on CONFIGURATION the network. MANAGEMENT Kyle Rankin How to use cfengine to manage configuration files across large 30 CREATING VPNS WITH 17 ZENOSS numbers of machines. IPSEC AND SSL/TLS Scott Lackey The two most common and current techniques for creating VPNs. 10 SECURED REMOTE Rami Rosen Linux Journal DESKTOP/APPLICATION SESSIONS 34 MYSQL 5 STORED 2009 Lineup Different ways to control a Linux PROCEDURES: RELIC OR system over a network. REVOLUTION? JANUARY Mick Bauer Do MySQL 5 Stored Procedures Security produce tiers of joy or sorrow? FEBRUARY Guy Harrison Web Development 38 GETTING STARTED WITH MARCH Desktop HEARTBEAT Availability in a heartbeat. APRIL Daniel Bartholomew System Administration 14 BILLIX: A SYSADMIN’S MAY SWISS ARMY KNIFE 42 FEDORA DIRECTORY Cool Projects SERVER: THE EVOLUTION Build a toolbox in your pocket by JUNE installing Billix on that spare USB key.
    [Show full text]
  • What Is a Storage Area Network?
    8646_Barker_01_d.qxd 9/20/01 10:21 AM Page 3 CHAPTER1 What Storage Networking Is and What It Can Mean to You n this chapter we’ll learn more about: II What a storage area network is I What properties a storage area network must have, should have, and may have I The importance of software to storage area networks I Why information services professionals should be interested in storage networking I Information processing capabilities enabled by storage area networks I Some quirks in the vocabulary of storage networking What Is a Storage Area Network? According to the Storage Networking Industry Association (and who should know better?): A storage area network (SAN) is any high-performance network whose primary pur- pose is to enable storage devices to communicate with computer systems and with each other. We think that the most interesting things about this definition are what it doesn’t say: I It doesn’t say that a SAN’s only purpose is communication between computers and storage. Many organizations operate perfectly viable SANs that carry occa- sional administrative and other application traffic. I It doesn’t say that a SAN uses Fibre Channel or Ethernet or any other specific interconnect technology. A growing number of network technologies have archi- tectural and physical properties that make them suitable for use in SANs. 3 8646_Barker_01_d.qxd 9/20/01 10:21 AM Page 4 4 STORAGE AREA NETWORK ESSENTIALS I It doesn’t say what kind of storage devices are interconnected. Disk and tape drives, RAID subsystems, robotic libraries, and file servers are all being used pro- ductively in SAN environments today.
    [Show full text]