IP SAN security technologies
IP SAN technologies include NAS, iSCSI, and FCIP. IP SAN security is achieved through the following:
• CHAP
• IPsec
CHAP
CHAP uses a three-way handshake to ensure the validity of remote clients. It is more secure than PAP.
A summary of the CHAP process follows:
1. Once the server is connected, it sends a challenge message to the peer.
2. The peer responds by sending a value generated by a one-way hash function.
3. The server compares this value to its own generated value.
4. If the values match, the connection is allowed to continue; if they do not match, the connection
is terminated.
5. To ensure the validity of the peer, the server sends challenge messages at random intervals and
changes the CHAP identifiers frequently.
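The handshake above as an added example (not taken from this guide): both sides in Python, using the RFC 1994 response calculation MD5(identifier || secret || challenge). The ChapServer class, the peer name and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side (hypothetical class): issues challenges, checks replies."""

    def __init__(self, secrets):
        self.secrets = secrets              # peer name -> shared secret
        self.identifier = os.urandom(1)[0]
        self.pending = None                 # (identifier, challenge) awaiting reply

    def new_challenge(self):
        # Steps 1 and 5: a fresh random challenge and a changed identifier.
        self.identifier = (self.identifier + 1) % 256
        self.pending = (self.identifier, os.urandom(16))
        return self.pending

    def verify(self, name, identifier, response):
        # Steps 3 and 4: recompute the value locally, compare in constant time.
        if self.pending is None or identifier != self.pending[0]:
            return False
        ident, challenge = self.pending
        self.pending = None                 # each challenge is answered once
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    server = ChapServer({"initiator1": secret})
    ident, chal = server.new_challenge()
    first = chap_response(ident, secret, chal)             # step 2, on the peer
    accepted = server.verify("initiator1", ident, first)
    ident2, _ = server.new_challenge()                     # later re-challenge
    replayed = server.verify("initiator1", ident2, first)  # old value reused
    ident3, chal3 = server.new_challenge()
    wrong = server.verify("initiator1", ident3, chap_response(ident3, b"guess", chal3))
    return accepted, replayed, wrong


if __name__ == "__main__":
    print(demo())
```

The shared secret never crosses the wire, and a response captured from one challenge fails against the next because both the identifier and the challenge value have changed.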
IPsec
IPsec uses an open-standards framework to protect data transmission over IP networks. It uses
cryptographic security services.
IPsec supports:
• Network-level peer authentication
• Data-origin authentication
• Data integrity
• Data encryption
• Replay protection
Microsoft bases its IPsec implementation on the standards developed by the IETF IPsec working group.
Fibre Channel SAN security technologies
Fibre Channel SAN security is achieved through FC-SP.
FC-SP
FC-SP protects in-transit data—it does not protect data stored on the Fibre Channel network. FC-SP is
a project of the Technical Committee T11, within the International Committee for Information Technology
Standards, which is responsible for developing Fibre Channel interfaces (see http://www.t11.org).
FC-SP uses:
• Authentication of Fibre Channel devices (device-to-device authentication)
• Cryptographically secure key exchange
• Cryptographically secure communication between Fibre Channel devices
Encryption security technologies
Encryption security is achieved through DES, AES, and key management.
SAN Design Reference Guide 403