Firewall Wizards mailing list archives
Query: Role of Firewalls within a SAN environment itself not just the periphery
From: brian dorsey <briandorsey252 () gmail com>
Date: Tue, 12 Apr 2011 11:11:56 +0100
Hi all,
I am wondering what your viewpoint is with respect to firewalls within a Storage Area Network (SAN) environment. I am a SAN novice and I am interested in getting to know this area further. The literature that I have found since yesterday does not seem to have a major role for a firewall within the SAN environment itself. I see that some documentation places a firewall at the edge of the SAN. But what about firewalls between switches/routers etc. within the SAN? As I understand it, SAN switches like those from Cisco (just reading documentation on Cisco 9000 series switches) provide IP/port filtering of packets and can create VLAN-like SANs called VSANs. The thing is, would it not also be wise to install firewalls, either network-based or locally on end SAN systems, to provide defense in depth and also provide greater filtering granularity if required?
From what I can see, at the switch level only basic filtering can be done.
Has anyone any documentation or diagrams of a typical SAN architecture that also include (traditional non-switch based) firewalls? These switches may be managed over telnet and ssh ports etc. And I presume a firewall in conjunction with a switch's own access controls would provide additional security in restricting who (administrator IP address) can communicate with the switch over such ports. Similarly, there may be a requirement for DPI or stateful inspection of some packets/communications for whatever reason. A firewall such as Linux iptables (which is what I am familiar with) can provide this level of fine-grained access control on behalf of the switches where the switches don't appear to have this level of granularity.
I also notice that the Cisco 9000 series switches only allow a maximum of 250 IP filter rules. I have not read up on other technologies yet, but this may or may not be the normal limit for filtering at a switch level. I also notice that the SAN switches seem capable of filtering/firewalling at layers 3 and 4 of the TCP/IP stack! I always presumed that switches operated at layer 2 (MAC addresses). So, this is interesting for me to have learnt.
So basically, I want to discover what your opinions are with respect to the role of firewalls (be that packet filters, SPI and/or DPI) within the SAN network itself. [I presume IDS has a role also.] [I know that it is considered best practice that firewalls be placed upfront in the traditional way: at the gateway/Internet, in between the DMZ and application servers network, and in between the application server tier and the SAN at the back-end.]
Many thanks,
Brian.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards