Hosted by
Minimizing the Impact of Storage on Your Network
W. Curtis Preston, President, The Storage Group
Networked Storage vs. Network Administrators
Increased Traffic
• Network-based backups
• NFS & CIFS shares from NAS filers
Management difficulties
• Proprietary networks being managed by non-network personnel
• Proprietary networks being managed by network personnel
[Diagram: servers, a backup server and NAS filers]
Networked Storage vs. Network Administrators
Security implications
• One server’s data can be accessed via other servers
• New connections can be made remotely
• Bad information and little security training
[Diagram: servers, SAN arrays and NAS filers on the LAN and SAN, with a hacker’s system attached]
Storage for Network Admins
Fibre Channel = Serial implementation of SCSI that can be networked via FC equipment
iSCSI = Serial implementation of SCSI that can be networked via IP/Ethernet equipment
SAN = Storage connected via Fibre Channel or iSCSI network (blocks)
NAS = Storage connected via IP and NFS or CIFS (file sharing)
Storage for Network Admins
HBA =~ NIC
WWN =~ MAC Address
Zoning =~ VLANs
Soft zoning =~ Server w/o firewall
Hard zoning =~ Server behind firewall
WWN-based zoning = Zone members specified by WWN
Port-based zoning = Zone members specified by port
Good news: LAN-free, Client-free and Server-free backup
[Diagram: backup server, servers, switches/hubs, routers, tape libraries and a disk array]
LAN-free backups (blue)
• Shared tape library
• Backup traffic off the LAN
Client-free backups (red)
• Shared disk array
• Backs up one client’s data through another
Server-free backups (green)
• Direct disk-to-tape data transfer
Good news: Disk-to-Disk Backups
Really inexpensive disk arrays based on ATA/IDE
Addressable via Fibre Channel, SCSI, NFS, or CIFS
JBOD and RAID configurations (use their RAID controller or a software volume manager)
As low as $3,000/TB for off-the-shelf units!
What to do with them?
Connect array to backup servers via Fibre Channel & SANs, or GbE & NFS/CIFS
Back up to disk first using backup or replication software
If backups, duplicate disk backups to tape
If replication, make second backup to tape
Except in disaster, restores come from disk
[Diagram: backup client, backup server, ATA disk array attached via NFS/CIFS/SAN, and tape holding the copy or second backup]
Why would you do that?
Increase ease and integrity of backups, especially incremental backups
Can reduce backup traffic by reducing frequency of full backups
Can reduce backup traffic even more using synthetic full backups
Can also be used as target for HSM, again reducing network traffic
Mixed News: What about iSCSI?
What is iSCSI?
• Ethernet NIC with iSCSI drivers (hopefully TOE)
• Standard Ethernet switch
• SCSI over IP
iSCSI is here.
• A number of disk vendors releasing products
• There’s a lot of interest for middle-tier storage apps
[Diagram: servers and SAN arrays on an iSCSI LAN/SAN alongside servers and SAN arrays on an FC SAN]
Mixed News: What about iSCSI?
Storage devices everywhere and anywhere?!?!
Should implement via dedicated LANs, just as with NAS
Must consider security implications of plain text blocks
Consider encryption
Scary News: Storage Security
SCSI/FC not built for security
Little authentication
Storage people often not security conscious or security trained
Soft/hard zoning misunderstood
Scary News: Storage Security
WWN used for auth., but WWN can be changed
Soft zoning allows non-members to communicate
Management interfaces open to backbone and use plain text protocols
NAS filers on backbone
Security Questions for your Storage Administrator
Are we using port-based zoning?
Are we using hard zoning?
Are our NAS or iSCSI systems on a separate, firewalled, non-routable LAN?
Can I reach the storage device management interfaces from my desktop without going through a firewall?
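One way to answer the last two questions yourself, from your own desktop, against your own filer or array. This is an added example, not part of the original slides; the port list uses the well-known default TCP ports for each service and is an assumption to adjust for your site.

```python
import socket

# Ports a desktop should not be able to reach on a storage device.
# Well-known default ports (assumption; adjust for your environment).
PORTS = {
    23:   ("telnet", "plain-text management"),
    80:   ("http", "plain-text management"),
    111:  ("rpcbind", "NFS"),
    139:  ("netbios-ssn", "CIFS"),
    445:  ("microsoft-ds", "CIFS"),
    2049: ("nfs", "NFS"),
    3260: ("iscsi", "iSCSI target"),
}

def reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, name not resolved
        return False

def audit(host, ports=PORTS, timeout=1.0):
    """Return [(port, service, category)] for every port that answered."""
    findings = []
    for port, (service, category) in sorted(ports.items()):
        if reachable(host, port, timeout):
            findings.append((port, service, category))
    return findings

def report(host, findings):
    """Format the findings for one host as readable text."""
    if not findings:
        return f"{host}: no storage or management ports reachable from here"
    lines = [f"{host}: reachable from this host:"]
    lines += [f"  tcp/{p:<5} {s:<13} {c}" for p, s, c in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    # Usage: python check_storage.py <storage-device> [...]
    for h in sys.argv[1:]:
        print(report(h, audit(h)))
```

Any line in the output means the device is not isolated from the desktop LAN for that service.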
Summary
LAN/Client/Server-free backups can reduce traffic
Disk-to-disk backups can reduce traffic
iSCSI is coming, but should be on a separate LAN
Learn all you can about storage security and use it
Resources
A free directory of all things Storage
Storage Mountain: http://www.storagemountain.com
The Storage Group specializes in assessing, designing and implementing storage systems.
http://www.thestoragegroup.com
Send questions to:
Thank you!
W. Curtis Preston