In a SAN (Storage Area Network), if every host is allowed to access every drive, the result is device contention and, worse, data corruption. Some operating systems (Windows, for example) also write header information to every disk they discover, which can destroy data belonging to other hosts (discussed later in this article). Zoning and LUN masking are the two mechanisms used to avoid this: both isolate storage units so that they are invisible to some or all of the hosts in the SAN. Let's look at zoning and LUN masking in detail.
LUN masking is similar to zoning in the sense that both are access-control mechanisms, but the two are enforced in different places. Zoning is enforced in the fabric (the switches); LUN masking is enforced at the end points, either at the HBA level (in the host's driver) or in the storage controller, which many arrays support natively, usually configured as host groups mapping an initiator WWPN to the LUNs it may see.
The main purpose of LUN masking is to prevent specific hosts from accessing LUNs that do not belong to them, as a protection against data loss. For example, when a host running Windows is connected to the SAN, Windows may write a disk signature (header information) to every LUN it discovers in order to assign volume labels. This corrupts data written by another operating system in a filesystem Windows does not recognise.
Because the HBA, and the host it sits in, can be compromised, LUN masking implemented at the HBA level is the weaker form: anyone with administrative control of the host can reconfigure the driver or bypass its filter. When LUN masking is done at the storage controller, the controller itself enforces the host-to-LUN mapping on every command it receives, so it is more secure and more or less as strong as zoning.
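The following is an added example, not code from the original article: a small Python model of the two places LUN masking can live. The storage controller checks every command against the initiator's host group, while the HBA-driver variant only filters on the host, so a compromised host can skip it and issue raw commands. The scenario replays the Windows disk-signature problem from above: a compromised Windows host tries to stamp a signature into the MBR of a LUN that belongs to a Linux host. All WWPNs, LUN numbers and the class and function names are constructed for the demo; the sense data (ILLEGAL REQUEST, ASC 0x25 LOGICAL UNIT NOT SUPPORTED) is the standard SCSI response for a LUN the initiator may not access, and 0x1B8 is the real offset of the NT disk signature in an MBR.

```python
# Added example, not from the original article: controller-side vs HBA-side
# LUN masking and what a compromised host can do against each.
SECTOR = 512
NT_DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature inside the MBR

# SCSI CHECK CONDITION: sense key ILLEGAL REQUEST (0x05), ASC/ASCQ 0x25/0x00
LUN_NOT_SUPPORTED = ("CHECK CONDITION", 0x05, 0x25, 0x00)
GOOD = ("GOOD",)


class StorageController:
    """Array front end. With masking on, every command is checked against the
    host group of the initiator WWPN that sent it (constructed model)."""

    def __init__(self, lun_ids, masking=True):
        self.luns = {lun: bytearray(4 * SECTOR) for lun in lun_ids}
        self.masking = masking
        self.host_groups = {}          # initiator WWPN -> set of LUN ids it may see

    def mask(self, wwpn, lun_ids):
        self.host_groups[wwpn] = set(lun_ids)

    def _visible(self, wwpn, lun):
        return not self.masking or lun in self.host_groups.get(wwpn, set())

    def report_luns(self, wwpn):
        """REPORT LUNS: only the LUNs this initiator is allowed to see."""
        return sorted(lun for lun in self.luns if self._visible(wwpn, lun))

    def write(self, wwpn, lun, offset, data):
        if not self._visible(wwpn, lun):
            return LUN_NOT_SUPPORTED
        self.luns[lun][offset:offset + len(data)] = data
        return GOOD

    def read(self, wwpn, lun, offset, length):
        if not self._visible(wwpn, lun):
            return None
        return bytes(self.luns[lun][offset:offset + length])


class HbaDriver:
    """Host-side (HBA-level) masking: the driver hides LUNs outside its
    allow-list, but the filter runs on the host and can be bypassed by
    anyone who controls that host."""

    def __init__(self, controller, wwpn, allowed_luns):
        self.ctl, self.wwpn, self.allowed = controller, wwpn, set(allowed_luns)

    def report_luns(self):
        return [lun for lun in self.ctl.report_luns(self.wwpn) if lun in self.allowed]

    def write(self, lun, offset, data):
        if lun not in self.allowed:
            return LUN_NOT_SUPPORTED
        return self.ctl.write(self.wwpn, lun, offset, data)

    def raw_write(self, lun, offset, data):
        """Compromised host: send the command straight to the array, skipping the filter."""
        return self.ctl.write(self.wwpn, lun, offset, data)


def scenario(controller_masking):
    """Windows host owns LUN 0, Linux host owns LUN 1. The Windows host is
    compromised and writes a disk signature into LUN 1's MBR. Returns
    (LUNs the controller shows Windows, LUNs the driver shows, write status,
    Linux data still intact)."""
    WIN, LINUX = "10:00:00:00:c9:11:11:11", "10:00:00:00:c9:22:22:22"   # constructed WWPNs
    ctl = StorageController([0, 1], masking=controller_masking)
    ctl.mask(WIN, [0])
    ctl.mask(LINUX, [1])
    ctl.write(LINUX, 1, 0, b"EXT4-DATA" + bytes(SECTOR - 9))   # Linux data in sector 0 of LUN 1
    before = ctl.read(LINUX, 1, 0, SECTOR)

    win_hba = HbaDriver(ctl, WIN, allowed_luns=[0])            # HBA-level masking on the Windows host
    status = win_hba.raw_write(1, NT_DISK_SIGNATURE_OFFSET, b"\xde\xad\xbe\xef")
    after = ctl.read(LINUX, 1, 0, SECTOR)
    return ctl.report_luns(WIN), win_hba.report_luns(), status, before == after


if __name__ == "__main__":
    for mode in (False, True):
        print("controller masking:", mode, "->", scenario(mode))
```

With HBA-level masking alone (`controller_masking=False`) the driver reports only LUN 0, but the array itself would show both LUNs to an unmasked initiator and the raw write lands on the Linux LUN; with controller-side masking the same write comes back as CHECK CONDITION and the Linux data is untouched.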
Zoning specifies which host can see which storage array port. Zoning is configured on the fabric switches. This is illustrated in the figure given below.
Host 1 can see array port SP0 from HBA0 and SP1 from HBA1, while Host 2 can see SP2 from HBA2 and SP3 from HBA3.
In short, zoning is the process of configuring which initiators can see which targets, that is, which devices are visible to each other in the fabric.
There are two types of zoning: soft zoning, where zone members are identified by WWN, and hard zoning, where zone members are identified by switch port. (On current Fibre Channel switches the enforcement method and the member type are independent, and a zone whose members are all WWNs is also enforced in the switch ASIC; this article follows the older usage in which "soft" meant WWN-based and "hard" meant port-based.)
In hard zoning, zone members are specified by physical switch port (domain ID and port number), so the switch hardware itself blocks frames from any port that is outside the zone, regardless of what identity the attached device claims.
Before going further into the two zone types, we should know what a WWN (World Wide Name) is.
WWN - World Wide Name
A WWN is a 64-bit unique identifier assigned to each device (node) and each port in the SAN. A device with more than one port has a node WWN (WWNN) plus a separate port WWN (WWPN) for each port; zone members are normally WWPNs. The WWN plays the same role as the MAC address of a NIC in Ethernet, and like a MAC address it is assigned from an IEEE-registered vendor prefix (OUI), so the WWN reveals the HBA or array vendor.
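As an added example (not from the original article), the function below decodes the structure of a 64-bit WWN. The top four bits are the NAA (Network Address Authority) type, which fixes the layout that follows and therefore where the 24-bit IEEE OUI sits: for NAA 1 (48-bit MAC embedded) and NAA 2 (IEEE extended) the OUI occupies bits 47..24, for NAA 5 (IEEE registered) it occupies bits 59..36. The OUI-to-vendor table is a small constructed sample for the demo and should be replaced by the IEEE registry in real use; the function name and output keys are my own.

```python
# Added example, not from the original article: decode NAA type and OUI of a WWN.
import re

OUI_SAMPLE = {              # constructed subset of the IEEE OUI registry, for the demo only
    "00:00:c9": "Emulex",
    "00:e0:8b": "QLogic",
    "00:60:16": "EMC",
    "00:a0:98": "NetApp",
    "00:05:1e": "Brocade",
}

NAA_LAYOUT = {
    1: "IEEE 48-bit: 4-bit NAA, 12 zero bits, 48-bit MAC (OUI = top 24 bits of MAC)",
    2: "IEEE extended: 4-bit NAA, 12-bit vendor, 24-bit OUI, 24-bit vendor",
    3: "locally assigned: no OUI",
    5: "IEEE registered: 4-bit NAA, 24-bit OUI, 36-bit vendor",
}


def parse_wwn(text):
    """Accept 'xx:xx:...:xx', 'xx-xx-...', '0x...' or 16 bare hex digits.
    Return the normalised WWN, its NAA type, its OUI and the vendor if known."""
    hexdigits = re.sub(r"^0x|[:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{16}", hexdigits):
        raise ValueError(f"not a 64-bit WWN: {text!r}")
    value = int(hexdigits, 16)
    naa = value >> 60
    if naa in (1, 2):
        oui = (value >> 24) & 0xFFFFFF      # bits 47..24
    elif naa == 5:
        oui = (value >> 36) & 0xFFFFFF      # bits 59..36
    else:
        oui = None                          # NAA 3 has no OUI; NAA 6 is a 128-bit format
    oui_text = None if oui is None else ":".join(f"{(oui >> s) & 0xFF:02x}" for s in (16, 8, 0))
    return {
        "wwn": ":".join(hexdigits[i:i + 2] for i in range(0, 16, 2)),
        "naa": naa,
        "layout": NAA_LAYOUT.get(naa, "other/unsupported"),
        "oui": oui_text,
        "vendor": OUI_SAMPLE.get(oui_text, "unknown"),
    }


if __name__ == "__main__":
    for w in ("10:00:00:00:c9:ab:cd:ef", "21:00:00:e0:8b:12:34:56", "50:06:01:60:3b:20:12:34"):
        print(parse_wwn(w))
```

The normalised form is what you want when comparing a zone member from a switch configuration against what an HBA reports, since different tools print WWNs with colons, dashes or no separators and in either case.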
In soft zoning, the zone configuration is specified using the WWNs of the ports. Soft zoning is implemented in software: the switch's name server records which WWNs belong to which zone, and when an initiator queries the name server it is only told about the targets that share a zone with it. Nothing in the data path stops a frame that an HBA addresses directly to a target outside its zone.
Hard zoning (port-based):

| Advantages | Disadvantages |
|---|---|
| Easier to create and manage, since it uses short port addresses instead of long WWNs. | Moving a device from one switch port to another requires reconfiguring the zoning. |
| More secure, since the switch hardware does not pass any traffic between unauthorized nodes. | |

Soft zoning (WWN-based):

| Advantages | Disadvantages |
|---|---|
| Devices can be moved to a different switch port without reconfiguring the zoning. | Since membership is not validated at the hardware level, an HBA can bypass the name server and communicate with a node that is not in its zone. |
| Zones are easy to maintain and flexible. | It is possible to spoof a WWN and access devices in a different zone. |
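To make the two soft-zoning weaknesses in the table concrete, here is an added example (not code from the original article): a toy fabric in which zone members are either WWPNs or "domain,port" switch port ids, the name server answers queries based on zone membership, and frames are either passed unchecked (soft zoning) or checked against the zone in the switch (hard zoning). The demo shows the name-server bypass, a WWPN spoof against a WWN-based zone, and the same attempts against a port-based zone. It also goes one step beyond the table: a WWN-based zone that is enforced per frame in hardware still admits the spoofed WWPN, because the check is still keyed on a claimed identity rather than on the physical port. All WWPNs, port ids, zone names and the `Fabric` class are constructed for the demo.

```python
# Added example, not from the original article: soft vs hard zoning in a toy fabric.
class Fabric:
    def __init__(self, zones):
        # zones: name -> set of members; a member is a WWPN ("10:00:...") or a port id ("1,5")
        self.zones = zones
        self.logins = {}            # port id -> WWPN presented at fabric login (FLOGI)

    def flogi(self, port, wwpn):
        """Fabric login: the switch records whatever WWPN the HBA claims."""
        self.logins[port] = wwpn

    def logo(self, port):
        """Logout (device powered off or cable pulled)."""
        self.logins.pop(port, None)

    def _identities(self, port):
        """A port matches a zone member by its physical id or by the WWPN it logged in with."""
        ids = {port}
        if port in self.logins:
            ids.add(self.logins[port])
        return ids

    def _in_common_zone(self, a, b):
        ia, ib = self._identities(a), self._identities(b)
        return any(members & ia and members & ib for members in self.zones.values())

    def name_server_query(self, port):
        """What the name server tells an initiator: the WWPNs of the other
        logged-in ports that share a zone with it. This is all soft zoning does."""
        return {w for p, w in self.logins.items() if p != port and self._in_common_zone(port, p)}

    def frame_allowed(self, src, dst, hard):
        """Soft zoning never filters frames, so an HBA that knows (or guesses) a
        target address can reach it. Hard zoning checks the zone on every frame."""
        if not hard:
            return True
        return self._in_common_zone(src, dst)


def demo():
    HOST1 = "10:00:00:00:c9:00:00:01"      # constructed WWPNs
    HOST2 = "10:00:00:00:c9:00:00:02"
    SP0 = "50:06:01:60:00:00:00:a0"
    H1_PORT, H2_PORT, SP0_PORT = "1,5", "1,6", "1,7"
    logins = ((H1_PORT, HOST1), (H2_PORT, HOST2), (SP0_PORT, SP0))
    results = {}

    # Soft zoning: WWN-based zone containing only host1 and SP0
    soft = Fabric({"z_host1_sp0": {HOST1, SP0}})
    for port, wwpn in logins:
        soft.flogi(port, wwpn)
    results["soft_host2_sees"] = soft.name_server_query(H2_PORT)               # nothing
    results["soft_host2_bypass"] = soft.frame_allowed(H2_PORT, SP0_PORT, hard=False)  # frame passes anyway
    soft.logo(H1_PORT)                      # host1 goes offline (a live duplicate WWPN would collide)
    soft.flogi(H2_PORT, HOST1)              # host2 reprograms its HBA with host1's WWPN
    results["soft_host2_spoof_sees"] = soft.name_server_query(H2_PORT)         # now sees SP0

    # Same WWN-based zone, but enforced per frame in the switch: spoofing still works
    results["wwn_zone_hw_enforced_spoof_allowed"] = soft.frame_allowed(H2_PORT, SP0_PORT, hard=True)

    # Hard zoning: port-based zone; membership is the physical switch port
    hard = Fabric({"z_port_1_5_1_7": {H1_PORT, SP0_PORT}})
    for port, wwpn in logins:
        hard.flogi(port, wwpn)
    results["hard_host1_ok"] = hard.frame_allowed(H1_PORT, SP0_PORT, hard=True)
    results["hard_host2_blocked"] = not hard.frame_allowed(H2_PORT, SP0_PORT, hard=True)
    hard.logo(H1_PORT)
    hard.flogi(H2_PORT, HOST1)              # spoofing does not help against a port-based zone
    results["hard_spoof_blocked"] = not hard.frame_allowed(H2_PORT, SP0_PORT, hard=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway matches the table: port-based membership ties access to the cable, so neither bypassing the name server nor presenting someone else's WWPN gets host2 to SP0, while WWN-based membership only holds up as long as nobody can log in with a zone member's WWPN.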