Firewall Wizards mailing list archives
Re: Query: Role of Firewalls within a SAN environment itself not just the periphery
From: brian dorsey <briandorsey252 () gmail com>
Date: Tue, 19 Apr 2011 12:34:55 +0100
Hi Brandon and Scott,

Apologies for the late reply, I was out of office. I've been reading more into the subject of SANs and have realized that placing firewalls within the switch fabric itself is not practical (as Brandon pointed out) and that firewalls are better suited upstream of the SAN in practice (as Scott pointed out).

That said, I do see a role for firewalls where end-to-end communication is required. In the sense that if one considers iSCSI and FC over IP to another SAN island on a remote network outside the enterprise, it would seem prudent that the gateway firewall be configured to allow the iSCSI port, the IPsec port for FC over IP, and restrict the source IP of who can talk iSCSI and IPsec, etc. That is, a firewall should provide access to the relevant SAN traffic, no more and no less.

Similarly, from a management perspective of a switch, I see that one should provide IP address (inclusive of port and protocol) access controls on switches capable of this. For example, restrict who can access the ssh, SNMP (GUI interface) and RADIUS services, such as those of the Cisco MDS 9000 series, for switch management. Also, if the administrators' IP range is on a different subnet to the switch fabric, then the intermediary firewall between the internal enterprise subnets needs to also permit ssh, SNMP and RADIUS traffic. In other words, one must consider the security infrastructure as a whole.

What I have also learned over the past day or so is the idea of RBAC on the CLI interface, VSANs and zones, where one can define fine-grained access controls of command execution permissions for switch management, and application server access to virtual isolated environments and specific LUN access. There is a huge amount of knowledge required, as I see it, to properly secure SANs!!

Note, I am not an IT administrator and do not have access to Cisco switches or any other commercial systems of that nature. I am just interested in learning about SANs and cloud computing, even if it's from a theoretical perspective. But I do want to visualize how such a network would be configured, right down to the actual command-line arguments used. If anyone has any pointers to other kinds of switches used apart from the Cisco docs I've been reading, let me know. Similarly, if there are any open-source-like OSes that are similar to the Cisco MDS or other commercial products out there, that I could download and try out (even from an iSCSI point of view, since I don't have any FC equipment to play with), I'd be glad to hear about them. I have come across FreeNAS and Openfiler, but these don't seem to provide the switching capabilities. Perhaps I am wrong.

Thanks for your input guys, regards, Brian.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
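The allow-list policy the post sketches (iSCSI only from the initiators, the IPsec tunnel carrying FCIP only between the two gateways, ssh/SNMP only from the administrators' subnet to the switch management interfaces, RADIUS only from the switches to the RADIUS server, everything else denied) can be written down as data and checked before it is deployed. The script below is an added example, not from the original post or any of the replies: it encodes that policy, evaluates sample flows against it with a default deny, and renders the same table as iptables FORWARD rules for a Linux gateway. All addresses are constructed placeholders (RFC 5737 and RFC 1918 ranges); the port numbers are the IANA assignments (iSCSI 3260, IKE 500/4500, ssh 22, SNMP 161, RADIUS 1812/1813) and ESP is IP protocol 50.

```python
"""Allow-list model of the SAN gateway firewall policy described in the post.

Added example, not the post's own configuration. Addresses are constructed
placeholders; port numbers are the IANA assignments for each protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # permitted source prefix
    dst: str            # permitted destination prefix
    proto: str          # "tcp", "udp" or "esp"
    dports: Tuple[int, ...]  # destination ports; empty for port-less protocols


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# Constructed topology (placeholder ranges, not real addresses).
INITIATORS   = "10.10.0.0/24"      # application servers that speak iSCSI
ISCSI_TARGET = "10.20.0.0/24"      # iSCSI storage portal subnet
FCIP_LOCAL   = "192.0.2.10/32"     # local FCIP gateway
FCIP_REMOTE  = "198.51.100.10/32"  # remote SAN island's FCIP gateway
ADMINS       = "10.30.0.0/24"      # administrators' subnet
SWITCH_MGMT  = "10.40.0.0/24"      # switch management interfaces
RADIUS_SRV   = "10.30.0.5/32"      # RADIUS server (the switch is the client)

# The post's principle: permit the relevant SAN traffic, no more and no less.
POLICY = [
    Rule("iscsi",        INITIATORS,  ISCSI_TARGET, "tcp", (3260,)),
    Rule("ike-for-fcip", FCIP_LOCAL,  FCIP_REMOTE,  "udp", (500, 4500)),
    Rule("esp-for-fcip", FCIP_LOCAL,  FCIP_REMOTE,  "esp", ()),
    Rule("mgmt-ssh",     ADMINS,      SWITCH_MGMT,  "tcp", (22,)),
    Rule("mgmt-snmp",    ADMINS,      SWITCH_MGMT,  "udp", (161,)),
    Rule("radius",       SWITCH_MGMT, RADIUS_SRV,   "udp", (1812, 1813)),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow's protocol, addresses and port all fall inside the rule."""
    if rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    # Port-less protocols (ESP) match on addresses alone.
    return not rule.dports or flow.dport in rule.dports


def evaluate(policy, flow: Flow) -> Optional[str]:
    """Return the name of the first permitting rule, or None for default deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.name
    return None


def render_iptables(policy):
    """Render the policy as iptables FORWARD rules: default DROP, stateful
    return traffic, then one ACCEPT per allow-list entry."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst} -p {r.proto}"
        if r.dports:
            cmd += " -m multiport --dports " + ",".join(str(p) for p in r.dports)
        lines.append(f"{cmd} -m comment --comment {r.name} -j ACCEPT")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: what the gateway should and should not pass.
    samples = [
        Flow("10.10.0.7", "10.20.0.3", "tcp", 3260),   # initiator -> target
        Flow("10.30.0.9", "10.20.0.3", "tcp", 3260),   # admin box -> target (deny)
        Flow("10.30.0.9", "10.40.0.2", "tcp", 22),     # admin -> switch ssh
        Flow("10.10.0.7", "10.40.0.2", "tcp", 22),     # server -> switch ssh (deny)
        Flow("192.0.2.10", "198.51.100.10", "esp"),     # FCIP IPsec tunnel
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: "
              f"{evaluate(POLICY, f) or 'DENY'}")
    print("\n".join(render_iptables(POLICY)))
```

The rendered rules describe only the initiating direction of each flow and rely on conntrack for replies; if the remote SAN island may bring the IPsec tunnel up from its side, add the mirror-image IKE and ESP entries. The same table can be turned into a Cisco IP access list for the switch management interface by hand, which is the per-switch control the post mentions.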