[fw-wiz] Query: Role of Firewalls within a SAN environment itself not just the periphery

Hi all,

I am wondering what your view point is with respect to firewalls within a
Storage Area Network (SAN) environment.

I am a SAN novice and I am interested in getting to know this area further.

The literature that I have found since yesterday does not seem to have a major
role for a firewall within the SAN environment itself. I see that some
documentation places a firewall at the edge of the SAN. But what about
firewalls between switches/routers etc. within the SAN?

As I understand it, SAN switches like those from Cisco (just reading
documentation on Cisco 9000 series switches) provide IP/port filtering of
packets and can create VLAN-like SANs called VSANs.

The thing is, would it not also be wise to install firewalls either
network-based or locally on end SAN systems to provide defense in depth and
also provide greater filtering granularity if required?

From what I can see, at the switch level only basic filtering can be done.

Has anyone any documentation or diagrams of a typical SAN architecture that
also includes (traditional, non-switch-based) firewalls?

These switches may be managed over telnet and ssh ports etc. And I presume a
firewall in conjunction with a switch's own access controls would provide
additional security in restricting who (administrator IP address) can
communicate with the switch over such ports.

Similarly, there may be a requirement for DPI or stateful inspection of some
packets/communications for whatever reason. A firewall such as Linux
iptables (which is what I am familiar with) can provide this level of
fine-grained access control on behalf of the switches, where the switches
don't appear to have this level of granularity.

I also notice, that the Cisco 9000 series switches only allow a maximum of
250 IP filter rules. I have not read up on other technologies yet, but this
may or may not be the normal limit for filtering at a switch level.

I also notice that the SAN switches seem capable of filtering/firewall at
the layers 3 and 4 of the TCP/IP stack! I always presumed that switches
operated at layer 2 (MAC addresses). So, this is interesting for me to have

So basically, I want to discover what your opinions are with respect to the
role of firewalls (be that packet filters, SPI and/or DPI) within the SAN
network itself. [I presume IDS has a role also]

[I know that it is considered best practice that firewalls be placed up front
in the traditional way: at the gateway/Internet, in between the DMZ and
application servers network, and in between the application server tier and
the SAN at the back-end.]

many thanks,
firewall-wizards mailing list
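The post above suggests putting an iptables host in front of a SAN switch's management ports so that only known administrator addresses can reach ssh, with stateful inspection handling the return traffic. The script below is an added example of what such a policy looks like; it is not from the original post or from any vendor documentation. It assumes a Linux host sitting inline between the admin network and the switch management address, and the interface name, administrator addresses (RFC 5737 documentation ranges) and switch address are constructed placeholders. By default it runs as a dry run that prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): management-plane filter for a
# Linux host that fronts a SAN switch's telnet/ssh management ports.
# Addresses and interface names below are constructed placeholders.
# Default is a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

MGMT_IF="${MGMT_IF:-eth0}"                            # interface facing the admin network (assumed)
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 192.0.2.11}"   # admin workstations (constructed)
SWITCH_MGMT="${SWITCH_MGMT:-198.51.100.5}"            # switch management address (placeholder)

# Emit the forward-path policy: default drop, stateful accept for flows already
# established, new ssh sessions only from listed admin hosts, cleartext telnet
# refused from everyone, and every other attempt logged before it is dropped.
san_mgmt_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for h in $ADMIN_HOSTS; do
        $IPT -A FORWARD -i "$MGMT_IF" -s "$h" -d "$SWITCH_MGMT" -p tcp --dport 22 \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    # telnet carries credentials in the clear: log, then drop regardless of source
    $IPT -A FORWARD -d "$SWITCH_MGMT" -p tcp --dport 23 -j LOG --log-prefix "SAN-MGMT-TELNET: "
    $IPT -A FORWARD -d "$SWITCH_MGMT" -p tcp --dport 23 -j DROP
    # anything else aimed at the switch management address: log, then drop
    $IPT -A FORWARD -d "$SWITCH_MGMT" -j LOG --log-prefix "SAN-MGMT-DENY: "
    $IPT -A FORWARD -d "$SWITCH_MGMT" -j DROP
}

# Number of chain rules the policy emits for the current admin list, so the
# policy can be compared against a platform rule ceiling (the post mentions a
# 250-rule limit on the switch itself) before it is pushed anywhere.
count_rules() {
    ( IPT="echo iptables"; san_mgmt_rules ) | grep -c -- ' -A FORWARD '
}

san_mgmt_rules
```

Because the per-admin allow rule is scoped to the inbound interface, the source address and the NEW connection state, a spoofed source address arriving on any other interface never matches it, and the established-flow rule only passes packets that conntrack already associates with an accepted session.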