IPSec best practices to secure IP-based storage systems

Learn the security challenges associated with IP-based storage systems and uncover IPSec best practices to help ensure system safety without sacrificing performance.

IP-based storage compounds the flexibility, scalability -- and, to some extent, the risk -- of distributed SANs. High-speed Ethernet (10 Gbps is now available, albeit very expensive) is widely deployed to meet the high bandwidth requirements of IP storage traffic. Thanks to a spate of new protocols, enterprises can create IP SANs in all-Ethernet or mixed Ethernet/Fibre Channel environments.

However, IP storage traffic is vulnerable to the same security risks as traditional IP networks -- data theft/modification, peer modification, denial of service, etc. Although it's not mandated in the iSCSI standard, IPSec should be implemented to secure IP storage traffic.

But encryption degrades performance. While this may be acceptable for a VPN supporting less-demanding IP traffic, it won't meet the performance requirements of IP storage. This is being addressed by high-end processors embedded in the new class of iSCSI-compliant products. QLogic, for example, is marketing a series of chips for iSCSI/IPSec acceleration, as well as iSCSI HBAs driven by powerful processors. NetOctave markets IPSec accelerator boards that it says will meet the demands of IP storage traffic.
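Because IPSec is optional in iSCSI, it is worth confirming that every storage portal is actually covered by policy. The following is an added example, not code from the original article: it assumes a Linux initiator, text in the layout printed by `ip xfrm policy`, and the default iSCSI port 3260; the addresses and sample output are constructed.

```python
import ipaddress
import re

ISCSI_PORT = 3260  # default iSCSI target port (assumption; not stated on the page)

# Constructed sample in the layout of `ip xfrm policy` on an initiator (10.20.0.5).
SAMPLE_XFRM = """\
src 10.20.0.5/32 dst 10.20.1.10/32 proto tcp dport 3260
    dir out priority 1000 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 10.20.0.5/32 dst 10.20.1.11/32 proto tcp dport 3260
    dir out priority 1000 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto ah reqid 2 mode transport
src 10.20.1.10/32 dst 10.20.0.5/32 proto tcp sport 3260
    dir in priority 1000 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
"""

def parse_policies(text):
    """Split the dump into policies; a selector line starts with 'src ' at column 0."""
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):
            sel = line.split()
            cur = {"dst": ipaddress.ip_network(sel[3]), "dir": None, "ipsec": set(),
                   "dport": int(sel[sel.index("dport") + 1]) if "dport" in sel else None}
            policies.append(cur)
        elif policies:
            m = re.search(r"\bdir (\w+)", line)
            if m:
                cur["dir"] = m.group(1)
            m = re.match(r"\s+proto (esp|ah)\b", line)  # template line, not the selector
            if m:
                cur["ipsec"].add(m.group(1))
    return policies

def audit_portals(xfrm_text, portals):
    """Map each portal IP to 'esp', 'ah-only' (integrity only) or 'cleartext'."""
    # Simplification: any matching outbound policy counts; the kernel picks by priority.
    out = [p for p in parse_policies(xfrm_text) if p["dir"] == "out"]
    result = {}
    for portal in portals:
        hits = [p for p in out if ipaddress.ip_address(portal) in p["dst"]
                and p["dport"] in (None, ISCSI_PORT)]
        protos = set().union(*[p["ipsec"] for p in hits])
        result[portal] = "esp" if "esp" in protos else "ah-only" if protos else "cleartext"
    return result
```

A portal reported as `cleartext` has no outbound IPSec template at all, and `ah-only` means the traffic is authenticated but not encrypted.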

The broad-based iSCSI protocol embeds SCSI commands into TCP, so it's protocol-agnostic as far as the incoming packet stream is concerned. A number of vendors -- including Cisco Systems, IBM and Nishan Systems -- have introduced iSCSI products.

The alternative FCIP and iFCP protocols are designed to connect FC storage networks over IP by encapsulating FC in IP packets. FCIP creates a tunnel that simply links FC SANs. iFCP, which is primarily designed to facilitate FC storage over the Internet, maps the FC packets to native IP.

There are some challenges to address -- in addition to bandwidth -- if you're considering IP storage. Key management can become an even greater headache over a widely distributed, heterogeneous storage network. IPSec authentication and access control must be integrated into your existing authentication infrastructure.

Moreover, mixing protocols is a messy business. From a security perspective, using IP in conjunction with FC introduces new complexities -- and risks.

"Transfer over IP opens Pandora's box," says Yankee Group analyst Jamie Gruener. "I think it's a huge problem that a lot of vendors have not adequately prepared for. Customers have to be very cautious until they are assured that the use of IP for storage is safe."

This was last published in July 2003

1 comment

Most SANs are still local to the data center. And if you can't secure the connection between your database servers and the SAN, you have issues.