Firewall Wizards mailing list archives

Re: Query: Role of Firewalls within a SAN environment itself not just the periphery


From: brian dorsey <briandorsey252 () gmail com>
Date: Tue, 19 Apr 2011 12:34:55 +0100

Hi Brandon and Scott,

Apologies for the late reply, I was out of office.

I've been reading more into the subject of SANs and have realized that
placing firewalls within the switch fabric itself is not practical (as
Brandon pointed out) and that firewalls are better suited upstream of the
SAN in practice (as Scott pointed out).

That said, I do see a role for firewalls where end-to-end communication is
required. In the sense that, if one considers iSCSI and FC over IP to another
SAN island on a remote network outside the enterprise, it would seem prudent
that the gateway firewall be configured to allow the iSCSI port and the IPSec
port for FC over IP, and to restrict the source IPs of who can talk iSCSI and
IPSec, etc. That is, a firewall should provide access to the relevant SAN
traffic, no more and no less.

Similarly, from a switch management perspective, I see that one should
provide IP address (inclusive of port and protocol) access controls on
switches capable of this. For example, restrict who can access the SSH, SNMP
(GUI interface) and RADIUS services, such as those of the Cisco MDS 9000
series, for switch management.

Also, if the administrators' IP range is on a different subnet from the switch
fabric, then the intermediary firewall between the internal enterprise
subnets also needs to permit SSH, SNMP and RADIUS traffic.

In other words, one must consider the security infrastructure as a whole.

What I have also learned over the past day or so is the idea of RBAC on the CLI
interface, VSANs and zones, where one can define fine-grained access controls
on command execution permissions for switch management, and on application
server access to virtually isolated environments and specific LUN access.
There is a huge amount of knowledge required, as I see it, to properly secure
SANs!

Note, I am not an IT administrator and do not have access to Cisco switches
or any other commercial systems of that nature. I am just interested in
learning about SANs and cloud computing, even if it's from a theoretical
perspective. But I do want to visualize how such a network would be
configured, right down to the actual command-line arguments used.

If anyone has any pointers to other kinds of switches used, apart from the
Cisco docs I've been reading, let me know. Similarly, if there are any
open-source OS-like products that are similar to the Cisco MDS or other
commercial products out there that I could download and try out (even from an
iSCSI point of view, since I don't have any FC equipment to play with), I'd be
glad to hear about them. I have come across FreeNAS and Openfiler, but these
don't seem to provide the switching capabilities. Perhaps I am wrong.

Thanks for your input, guys,
regards,
Brian.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
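Editor's note: the two firewall roles Brian describes above (a gateway that passes only iSCSI, FCIP and the IPsec carrying it between two SAN islands, and an internal firewall that passes only SSH, SNMP and RADIUS between the administrators' subnet and the switch management addresses) can be written down as one concrete ruleset. The nftables policy below is an added example written for this archive page; it is not from the original thread or from any vendor documentation. All addresses, set names and interface assumptions are invented for illustration. The port numbers are the IANA-registered ones: iSCSI TCP 3260, FCIP TCP 3225, IKE UDP 500, IPsec NAT-T UDP 4500, ESP as IP protocol 50, SSH TCP 22, SNMP UDP 161/162, RADIUS UDP 1812/1813.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original mailing-list thread): a gateway firewall
# policy for the two scenarios in the message above. Every address below is an
# assumption chosen for illustration; substitute your own.

flush ruleset

define LOCAL_SAN_TARGETS = { 10.10.20.0/24 }                # assumed: local iSCSI targets / FCIP gateway
define REMOTE_SAN_ISLAND = { 203.0.113.10, 203.0.113.11 }   # assumed: peer SAN island gateways
define ADMIN_SUBNET      = 10.10.50.0/24                    # assumed: storage administrators' workstations
define SWITCH_MGMT       = { 10.10.10.1, 10.10.10.2 }       # assumed: switch mgmt0 addresses
define RADIUS_SERVER     = 10.10.60.5                       # assumed: AAA server used by the switches

table inet sanfw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Let replies to permitted flows through; drop anything with broken state.
        ct state established,related accept
        ct state invalid drop

        # 1. Inter-island storage traffic: only the named peer gateways, only the
        #    storage and IPsec ports. iSCSI (TCP 3260) and FCIP (TCP 3225) are the
        #    storage protocols; IKE (UDP 500), NAT-T (UDP 4500) and ESP (proto 50)
        #    are the IPsec tunnel the FCIP link is carried over.
        ip saddr $REMOTE_SAN_ISLAND ip daddr $LOCAL_SAN_TARGETS tcp dport { 3260, 3225 } accept
        ip saddr $LOCAL_SAN_TARGETS ip daddr $REMOTE_SAN_ISLAND tcp dport { 3260, 3225 } accept
        ip saddr $REMOTE_SAN_ISLAND ip daddr $LOCAL_SAN_TARGETS udp dport { 500, 4500 } accept
        ip saddr $LOCAL_SAN_TARGETS ip daddr $REMOTE_SAN_ISLAND udp dport { 500, 4500 } accept
        ip saddr $REMOTE_SAN_ISLAND ip daddr $LOCAL_SAN_TARGETS ip protocol esp accept
        ip saddr $LOCAL_SAN_TARGETS ip daddr $REMOTE_SAN_ISLAND ip protocol esp accept

        # 2. Management plane: administrators reach switch mgmt0 for SSH and SNMP
        #    polling, switches send SNMP traps back and talk to the RADIUS server.
        #    Nothing else reaches the switch management addresses.
        ip saddr $ADMIN_SUBNET ip daddr $SWITCH_MGMT tcp dport 22 accept
        ip saddr $ADMIN_SUBNET ip daddr $SWITCH_MGMT udp dport 161 accept
        ip saddr $SWITCH_MGMT ip daddr $ADMIN_SUBNET udp dport 162 accept
        ip saddr $SWITCH_MGMT ip daddr $RADIUS_SERVER udp dport { 1812, 1813 } accept

        # Everything else falls to the chain's drop policy; keep a rate-limited
        # log of what was dropped so an unexpected peer shows up in the SIEM.
        limit rate 10/minute log prefix "sanfw-drop: "
    }
}
```

Two caveats worth keeping in mind when adapting this. First, if the FCIP link is carried inside the IPsec tunnel, the gateway on the outside of that tunnel only ever sees IKE and ESP, so the TCP 3225 rule is only meaningful where the tunnel terminates on the far side of the firewall; the rule is harmless but it does not inspect the encapsulated storage traffic. Second, source-address restriction is the only control this firewall has over who may speak iSCSI or IKE, so it should be paired with iSCSI CHAP and IKE peer authentication on the endpoints rather than relied on alone.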
