[fw-wiz] Query: Role of Firewalls within a SAN environment itself not just the periphery



Hi all,

I am wondering what your viewpoint is with respect to firewalls within a
Storage Area Network (SAN) environment.

I am a SAN novice and I am interested in getting to know this area further.

The literature that I have found since yesterday does not seem to have a major
role for a firewall within the SAN environment itself. I see that some
documentation places a firewall at the edge of the SAN. But what about
firewalls between switches/routers etc within the SAN?

As I understand it, SAN switches like those from Cisco (just reading
documentation on Cisco 9000 series switches) provide IP/port filtering of
packets and can create VLAN-like SANs called VSANs.

The thing is, would it not also be wise to install firewalls either
network-based or locally on end SAN systems to provide defense in depth and
also provide greater filtering granularity if required?

From what I can see, at the switch level only basic filtering can be done.

Has anyone any documentation or diagrams of a typical SAN architecture that
also include (traditional non-switch based) firewalls?

These switches may be managed over telnet and ssh ports etc. And I presume a
firewall in conjunction with a switch's own access controls would provide
additional security in restricting who (administrator IP address) can
communicate with the switch over such ports.

Similarly, there may be a requirement for DPI or stateful inspection of some
packets/communications for whatever reason. A firewall such as Linux
iptables (which is what I am familiar with) can provide this level of fine-grained
access control on behalf of the switches where the switches don't appear to
have this level of granularity.

I also notice that the Cisco 9000 series switches only allow a maximum of
250 IP filter rules. I have not read up on other technologies yet, but this
may or may not be the normal limit for filtering at a switch level.

I also notice that the SAN switches seem capable of filtering/firewalling at
the layers 3 and 4 of the TCP/IP stack! I always presumed that switches
operated at layer 2 (MAC addresses). So, this is interesting for me to have
learnt.

So basically, I want to discover what your opinions are with respect to the
role of firewalls (be that packet filters, SPI and/or DPI) within the SAN
network itself. [I presume IDS has a role also]

[I know that it is considered best practice that firewalls be placed upfront
in the traditional way: at the gateway/Internet, in between the DMZ and
application servers network and in between the application server tier and
the SAN at the back-end.]

many thanks,
Brian.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

