Large scale SANs are using FC protocol since it provides the required reliability and latency. iSCSI is typically embraced in smaller corporate environments. But which technology will prevail?
Remember the FDDI and Token Ring? Who was their contemporary and also succeeded them? Ethernet, of course.

Now Ethernet is also making its way into SANs in a form of FCoE. At first there will most definitely be implementations combining FC and Ethernet with FCoE being the transport protocol for Ethernet attached servers and FC being a transport protocol for storage systems. And there already are products like Cisco Nexus 5000.

But this is not a done deal and we’re yet to see the outcome of this competition.

A single compromised SAN-attached server could disrupt other SAN-attached devices, access the data without being authorized and bypass existing security devices.

As with any security policy, to be effective an end-to-end approach to SAN security is necessary. One might think that implementing encryption of data at rest is sufficient, forgetting that the SAN remains susceptible to DoS attacks and misconfiguration. SAN security must prevent accidental data loss and corruption as well as protect against intruders.

The following issues have to be addressed:

• SAN fabric and target security.
• SAN fabric protocol security.
• IP storage security.
• SAN management security.

How can we address these areas? By utilizing the following protective measures:

• Segregate traffic for different server farms by dividing a single SAN into virtual fabrics. A virtual SAN (VSAN) restricts communication between devices and improves the stability of the fabric.
• Deploy zoning to restrict communication between devices within the same fabric. Hard zoning or zoning based on logical unit number (LUN) provides better security than soft zoning.
• Confine access to a specific port with port security, thus preventing unauthorized access to the network.
• Utilize Fibre Channel Security Protocol (FC-SP) for host-to-switch and switch-to-switch authentication, to implement fabric and target access security.
• Reject disruptive fabric reconfiguration due to administrative mistakes.
• Use persistent or static FC ID assignment to a port World Wide Name (pWWN).
• Integrate IP Security (IPSec) with FCIP to encrypt the data that traverses the IP network.
• Protect data at rest with storage media encryption (SME), regardless of the storage device type and vendor.
• Authenticate iSCSI initiators with RADIUS or TACACS+ based authentication, using persistent or static initiator WWNs, and confine access with access control lists.
• Control infrastructure configuration with role-based access control (RBAC) integrated with RADIUS/TACACS+ authentication.
• Use a secure mechanism for SAN infrastructure management, such as SSHv2 or SNMPv3.