Firewall Wizards mailing list archives

Re: Query: Role of Firewalls within a SAN environment itself not just the periphery


From: Scott Stursa <scott.stursa () imsrecovery com>
Date: Thu, 14 Apr 2011 14:18:47 -0700

Hello Brian -

I would think firewalls within the SAN - positioned between the SAN array and the servers accessing the array - could 
be a performance bottleneck.

Have you considered making your SAN network out-of-band? That's what I did with ours.

Scott L. Stursa    CISSP, CCNP, MCSA
Network and Security Coordinator
Information Management Solutions
scott.stursa () imsrecovery com

From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of brian dorsey
Sent: Tuesday, April 12, 2011 3:12 AM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Query: Role of Firewalls within a SAN environment itself not just the periphery

Hi all,

I am wondering what your viewpoint is with respect to firewalls within a Storage Area Network (SAN) environment.

I am a SAN novice and I am interested in getting to know this area further.

The literature that I have found since yesterday does not seem to have a major role for a firewall within the SAN 
environment itself. I see that some documentation places a firewall at the edge of the SAN. But what about firewalls 
between switches/routers etc. within the SAN?

As I understand it, SAN switches like those from Cisco (just reading documentation on Cisco 9000 series switches) 
provide IP/port filtering of packets and can create VLAN-like SANs called VSANs.

The thing is, would it not also be wise to install firewalls either network-based or locally on end SAN systems to 
provide defense in depth and also provide greater filtering granularity if required?

From what I can see, at the switch level only basic filtering can be done. 

Has anyone any documentation or diagrams of a typical SAN architecture that also include (traditional non-switch based) 
firewalls?

These switches may be managed over telnet and ssh ports etc. And I presume a firewall in conjunction with a switch's own 
access controls would provide additional security in restricting who (administrator IP address) can communicate with 
the switch over such ports.

Similarly, there may be a requirement for DPI or stateful inspection of some packets/communications for whatever reason. 
A firewall such as Linux iptables (which is what I am familiar with) can provide this level of fine-grained access control on 
behalf of the switches where the switches don't appear to have this level of granularity.

I also notice, that the Cisco 9000 series switches only allow a maximum of 250 IP filter rules. I have not read up on 
other technologies yet, but this may or may not be the normal limit for filtering at a switch level. 

I also notice that the SAN switches seem capable of filtering/firewall at the layers 3 and 4 of the TCP/IP stack! I 
always presumed that switches operated at layer 2 (MAC addresses). So, this is interesting for me to have learnt.

So basically, I want to discover what your opinions are with respect to the role of firewalls (be that packet filters, 
SPI and/or DPI) within the SAN network itself. [I presume IDS has a role also]

[I know that it is considered best practice that firewalls be placed upfront in the traditional way: at the 
gateway/Internet, in between the DMZ and application servers network and in between the application server tier and the 
SAN at the back-end.]

many thanks,
Brian.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
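Editor's added example, not part of either message above: the host-based filter Brian describes, written as a Linux iptables ruleset for a server attached to an IP SAN (iSCSI). It restricts storage traffic to the array, restricts SSH management access to a single administrator address, and uses conntrack for stateful inspection. The script only emits an iptables-restore file on stdout, so it runs unprivileged; the addresses, the interface name and the iSCSI port are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): host-based stateful packet filter for a
# Linux server on an IP SAN. Emits an iptables-restore ruleset on stdout and
# applies nothing itself. To apply on the server:
#   gen_san_rules 10.10.20.5 10.10.0.100 eth1 | sudo iptables-restore
# The addresses, interface name and the iSCSI port (3260) are assumptions.

gen_san_rules() {
    array_ip="$1"        # iSCSI target (storage array) address, assumed
    admin_ip="$2"        # management workstation allowed to SSH in, assumed
    san_if="${3:-eth1}"  # dedicated storage NIC, assumed

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to flows this host started (stateful inspection via conntrack)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Storage interface: this host may only open iSCSI sessions to the array
-A OUTPUT -o ${san_if} -p tcp -d ${array_ip} --dport 3260 -j ACCEPT
-A OUTPUT -o ${san_if} -j DROP
# Management: new SSH sessions only from the admin host; log and drop the rest
-A INPUT -p tcp -s ${admin_ip} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: " --log-level 4
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# Count the rule entries (lines beginning with -A) in a ruleset read from stdin.
# Handy when the same policy must also fit a switch ACL with a fixed entry limit.
count_rules() {
    grep -c '^-A '
}
```

Because the INPUT policy is DROP and the array never initiates connections to the host, no inbound iSCSI rule is needed: the return half of each session is admitted by the ESTABLISHED,RELATED rule, which is the stateful part that a plain switch ACL does not give you.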

