
What is SAN zoning?

SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric. SAN zoning may be utilized to implement compartmentalization of data for security purposes. Each device in a SAN may be placed into multiple zones.

What is LUN masking?


LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts. LUN Masking is implemented primarily at the HBA (Host Bus Adapter) level. LUN Masking implemented at this level is vulnerable to any attack that compromises the HBA. Some storage controllers also support LUN Masking. LUN Masking is important because Windows based servers attempt to write volume labels to all available LUNs. This can render the LUNs unusable by other operating systems and can result in data loss.

What are hard and soft zoning?


Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning which is implemented in software. Hard zoning physically blocks access to a zone from any device outside of the zone. Soft zoning uses filtering implemented in fibre channel switches to prevent ports from being seen from outside of their assigned zones. The security vulnerability in soft zoning is that the ports are still accessible if the user in another zone correctly guesses the fibre channel address.

What is port zoning?


Port zoning utilizes physical ports to define security zones. A user's access to data is determined by what physical port he or she is connected to. With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap. Port zoning is normally implemented using hard zoning, but could also be implemented using soft zoning.

What is WWN zoning?


WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric. A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.

WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.
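The hard/soft and port/WWN distinctions from the questions above, as an added example that is not part of the original page: a small Python model of a fabric in which device names, WWNs, switch ports and Fibre Channel addresses are constructed values. It shows that soft zoning only filters name-server answers while hard zoning checks every frame, and that a WWN-based zone survives recabling where a port-based zone does not.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    name: str
    wwn: str         # World Wide Name of the HBA (constructed value)
    fc_address: str  # fabric-assigned Fibre Channel address (constructed value)

@dataclass
class Fabric:
    hard: bool = True  # True: enforced on every frame; False: name-server filtering only
    devices: dict = field(default_factory=dict)     # name -> Device
    port_of: dict = field(default_factory=dict)     # name -> switch port it is cabled to
    port_zones: dict = field(default_factory=dict)  # zone name -> set of switch ports
    wwn_zones: dict = field(default_factory=dict)   # zone name -> set of WWNs

    def attach(self, dev, port):
        self.devices[dev.name] = dev
        self.port_of[dev.name] = port

    def same_zone(self, a, b):
        """True if devices a and b share at least one zone (port-based or WWN-based)."""
        for ports in self.port_zones.values():
            if self.port_of[a] in ports and self.port_of[b] in ports:
                return True
        for wwns in self.wwn_zones.values():
            if self.devices[a].wwn in wwns and self.devices[b].wwn in wwns:
                return True
        return False

    def name_server_lookup(self, requester):
        """Both zoning styles hide devices outside the requester's zones from discovery."""
        return sorted(n for n in self.devices
                      if n != requester and self.same_zone(requester, n))

    def forward_frame(self, src, dst_fc_address):
        """Hard zoning drops frames between devices that share no zone; soft zoning
        never inspects frames, so a destination address obtained outside the name
        server is still reachable (the weakness the text describes)."""
        dst = next((n for n, d in self.devices.items() if d.fc_address == dst_fc_address), None)
        if dst is None:
            return False  # unknown address: nothing to deliver to
        return self.same_zone(src, dst) if self.hard else True

def demo(hard, use_wwn):
    """Build a three-device fabric with one zone for host_a and the array, then report
    (what host_b can discover, whether host_b's frame to the array is forwarded,
    whether host_a is still zoned after being recabled to another port)."""
    fab = Fabric(hard=hard)
    host_a = Device("host_a", "10:00:00:00:c9:00:00:01", "0x010100")
    host_b = Device("host_b", "10:00:00:00:c9:00:00:02", "0x010200")
    array = Device("array", "50:06:01:60:00:00:00:01", "0x010300")
    fab.attach(host_a, 1)
    fab.attach(host_b, 2)
    fab.attach(array, 3)
    if use_wwn:
        fab.wwn_zones["zone_a"] = {host_a.wwn, array.wwn}
    else:
        fab.port_zones["zone_a"] = {1, 3}
    visible_to_b = fab.name_server_lookup("host_b")
    frame_forwarded = fab.forward_frame("host_b", array.fc_address)
    fab.port_of["host_a"] = 4  # recable host_a without touching the zone definition
    host_a_still_zoned = fab.same_zone("host_a", "array")
    return visible_to_b, frame_forwarded, host_a_still_zoned
```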

What are the classes of attacks against SANs?



- Snooping: Mallory reads data Alice sent to Bob in private. Allows access to data.
- Spoofing: Mallory fools Alice into thinking that he is Bob. Allows access to or destruction of data.
- Denial of Service: Mallory crashes or floods Bob or Alice. Reduces availability.

Date: 12/04/2001

While zoning a SAN provides a number of advantages in storage administration and security, there are several ways to do it, with different benefits and drawbacks. In addition to zoning at the device level or LUN level, there is also hard, soft and persistent zoning. As the name implies, soft zoning is the most permissive. This is also called name server zoning because it is done using a name server database in the SAN director. Since the database can contain both port numbers and WWN numbers and translates between them, administrators can shift devices among ports without changing the zoning configuration. One problem with soft zoning is that some HBAs (Host Bus Adapters) won't cooperate with it. Hard zoning uses a routing table, also located in the director, which assigns devices to zones only by WWN. This is more limited since it doesn't take the port number into consideration, which makes it harder to shift devices between ports. Persistent binding is implemented in the HBAs rather than the director; it is done by configuring a logical route across the network fabric in each adapter. This ties the HBA to a particular LUN. While the administrator can more easily specify storage resources in a multi-host fabric, persistent binding decreases address space and increases network complexity.

Background

The last 25 years have seen a dramatic shift in computer network configurations. The highly centralized, mainframe-based computing model (see Fig. 1) has given way to the decentralized client/server design (see Fig. 2) commonly found in today's data centers. Taking a page from both configurations, the relatively new Storage Area Network (SAN) is essentially a hybrid of the two models. Technological advances like symmetric multi-processing, fault-tolerant multi-processors with fail-over, and clustering govern and make an effective SAN possible. SANs often consist of several types of servers running different operating systems. This enables users from a wide variety of platforms to access common storage information. But because of the inherent bandwidth considerations, not to mention corruption and security concerns, network performance cannot be maximized until resources are allocated. Zoning is one method of resource allocation.

What is Zoning?

Zoning is a logical separation of traffic between host and resources. By breaking up a network into zones, processing activity is distributed evenly across a network so that no single device is overwhelmed. This 'load balancing' is especially important for networks where it's difficult to predict the number of requests that will be issued to a server. Similar to an O/S File System, zoning often employs directories and folders to organize and allot hard drive space. This is what ensures that each user (or group) has his or her own dedicated space reserved on the file server.

Other Reasons to Zone a Network

Zoning enables servers to more efficiently run a network, yet there are many other advantages:

- Data Integrity -- Many SANs contain more than one operating system. If left unchecked, servers with conflicting operating systems would be able to write to each other's native file system, inviting data corruption.
- Security -- Employee salaries should not be universally accessed, but everyone should have access to a company activities calendar. Securing sensitive data is just smart business.
- Shorter boot-up -- By narrowing the device discovery process to a particular zone, bootup time is minimized.

So how does one go about zoning a SAN? Depending on a host of factors, including network size, company need, and a variety of storage devices, zoning can occur either at the target-level, or LUN-level.

What is a SAN?

As computer networks expand and their user bases grow, the need for timely access to information grows with it. Information once accessed through a central file server is now being accessed by multiple servers, which are often running a variety of operating systems and applications. This sub-network of shared storage devices comprises a SAN. These servers share access to the storage devices (disks and tapes) where the data ultimately resides. The advantage of a SAN is that shared storage resources can be accessed directly by the server needing the data, thus reducing system response time, freeing up additional bandwidth, and improving overall network efficiency. (See Fig. 3)

Target-Level Zoning

Target-Level Zoning is an effective high-level resource allocation method. Because configuration information resides in the switch itself, it need not be reconfigured when a host or adapter is changed. New adapter cards can therefore 'see' only the devices within their allotted zone during the device discovery process. A major disadvantage is its zoning limitations. Because TLZ can only allocate network usage at the 'cabinet-level' (e.g. RAID boxes, etc.), spatial considerations arise. For example, if a user needs an additional 100MB of space to save his or her work, access to an additional disk may be the answer. Under TLZ, that user will be assigned an entire disk array...a potential waste of a large resource.

LUN-Level Zoning

First of all, what is a LUN? LUN stands for Logical Unit Number. A LUN refers to the individual piece in the storage system that is being accessed. Each disk in an array, for example, has a LUN. Disk partitions may also be assigned a LUN. LUN-Level Zoning, which can take place either at the host or target controller (e.g. RAID controller) level, enables system administrators to further narrow the access zones of network users. For example, instead of granting User A access to RAID array A and User B access to RAID array B, LUN-Level Zoning can further narrow and integrate user access. User A may have access to disks 1-3, with User B being awarded disks 4-6, all within the same RAID box. (See Fig. 4) In addition to the obvious security benefits, the big advantage of LUN-Level Zoning is flexibility. By zoning at the host adapter level, devices on the network are pre-configured during system boot, allowing for the seamless change or addition of network peripherals (hot LUN-sparing, or hot-plugging), while allowing for cross-platform support. The disadvantage of LUN-Level Zoning is that it has typically been implemented at the driver level, enabling a new host to 'see' the entire network, increasing boot-up time and tempting possible data corruption. LUN-Level Zoning is an enhancement to Target-Level Zoning. A complex SAN should use both Target-Level and LUN-Level Zoning. After all, servers are broken up according to operating systems and tasks, and this is typically a target-level function. LUN-Level Zoning simply adds a second, more detailed level to the hierarchy. In smaller networks, LUN-Level Zoning can even take the place of Target-Level Zoning. For instance, if a switch without zoning capability is purchased for a network, LLZ can replace the switch function. The cost in switches alone merits a serious look at LLZ.

Flexible SAN Management through Zoning


Hubs based on private, arbitrated loops were used to build early SANs. Although these early SANs had a theoretical maximum of 126 devices, the realistic maximum was much lower. Additionally, with many devices sharing a loop, performance often varied and troubleshooting was difficult at best. With the introduction of the fully public switch, SAN fabrics can theoretically contain over 7.7 million nodes, and thanks to newer switch features -- particularly zoning -- creating and managing these large SANs is now easier than ever before. Best of all, full fabric-based switches allow storage managers to maximize the effectiveness of currently installed private loop devices.

SAN Switch Zoning


In order to allocate appropriate storage where it makes the most sense, switch zoning allows the SAN manager to partition the SAN into various groupings. A typical SAN switch (1Gb switch) normally supports four zone types:

- Hard zones
- Name server zones
- Broadcast zones
- Segmented loop zones

The preceding zone types give the SAN manager the flexibility to partition the SAN into logical groupings of devices that can share information. The information can be shared whether these devices use private or public fabric addressing schemes, thus maximizing the investment in the installed private loop devices. Defining zones, or adding or changing devices within a zone of a SAN switch, is easily performed via SAN management software. The SAN manager can dynamically reconfigure the current fabric zone configuration to add or reallocate devices to existing or new zones to meet the growth needs of the company. All of this is accomplished by using a SAN Graphical User Interface (GUI). Zoning can also be used to simplify a heterogeneous environment within the same switch fabric. By keeping these devices separated by zones to prevent conflicts between fabric devices, the SAN manager has the freedom to add any type of device to the fabric.

Hard Zones
So named because it is programmed into the hardware, hard zoning is the most secure of any zone type in that it prevents communication from any device not in the same hard zone. Hard zones cannot overlap, and they require at least one dedicated Inter-Switch Link (ISL) for each zone that includes more than one switch. The dedicated ISL guarantees the I/O bandwidth in the hard zone. This gives the SAN manager the flexibility to balance bandwidth across all hard zones for maximum overall fabric performance. Designing hard zones for maximum performance eliminates the need to reconfigure the SAN zone when adjusting the workload and minimizing I/O bottlenecks. A SAN switch supports a maximum of sixteen hard zones per SAN fabric. Each of these sixteen isolated hard zones can be further sub-divided into other zones via the name server, segmented loop, or broadcast zone features. This allows the SAN manager to create specific sub zones inside the hard zones. The combination of hard zones with other zone types enables the larger fabric to be carved into separate fabrics for specific uses. This maximizes switch port efficiency and reduces the number of switches required.

Name Server Zones


Name server zones are extremely flexible. They allow the SAN manager to create up to 256 named zones, using either switch ports or world wide names (WWN) to assign zones. Name server zones can overlap, and all ISLs within a hard zone are available to all the name server zones, providing load balancing for maximum data throughput under heavy workloads. So, while there is no performance difference between a port-based name server zone and a WWN-based name server zone, there are several reasons to choose one type over another, as discussed next.

Switch Ports Zone

The easiest way to physically map out all the devices onto a SAN is to define a name server zone that correlates with switch ports, since all devices are connected to a particular port on a specific switch. There are two instances when zones based on switch ports can create problems. First, switch port zones are relatively coarse -- all devices on the port must be included in the zone. Second, if a device is moved from one port to another, it may end up moving to a different zone. This problem is commonly found in cable or Gigabit Ethernet Interface Card (GBIC) replacements.

World Wide Names Zone

A more flexible solution is to define zones based on world wide names (WWN). With the world wide name server zone, a device is assigned to a zone according to its unique name. This gives the SAN manager total freedom to host or store the device anywhere within the SAN fabric. Regardless of the physical port that serves as its connection, a device assigned by WWN will stay in its assigned zone. This type of zoning also eases troubleshooting by allowing the SAN manager to move a device at a questionable port location to another port location, without reconfiguring the zone, to verify whether the problem is with the port, the GBIC, or the cable, or whether it follows the device to the other port. The ability to troubleshoot down to the device level on a loop is a secondary advantage in using WWN zoning within a public fabric. For example, "just a bunch of disks" (JBODs) are often attached to a single port and are hard to troubleshoot if a single device misbehaves, especially if the loop appears as one device on a SAN. However, troubleshooting is much easier if the WWN registers problems at the device level. Additionally, the WWN naming feature can take advantage of Redundant Array of Inexpensive Disk (RAID) controllers that have the ability to present multiple Fibre Channel devices on a single arbitrated loop. Unfortunately, there are some legacy devices currently installed that do not report a WWN to the name server. Obviously, switch port zoning is the only name server option available in these instances.

Broadcast Zoning
Broadcast zones are assigned to separate Transmission Control Protocol/Internet Protocol (TCP/IP) network traffic from Small Computer System Interface (SCSI) storage traffic in a SAN environment. Broadcast zones can be set up to send broadcast messages only to those IP devices that need to receive them. By eliminating unnecessary message processing by host and storage connections that don't process IP traffic, broadcast zones reduce traffic on the fabric. Broadcast zones can be flexibly applied by creating up to 16 overlapping zones. Also, broadcast zones can overlap name server zones. However, they cannot overlap hard zones.

Segmented Loop Zoning


Segmented Loop Zoning (SLZ), on the other hand, enables private devices to be zoned much as if they were part of the public fabric. With the freedom to locate the ports in each zone on any switch in the fabric, the SAN manager can create up to 256 non-overlapping SLZs in a fabric. And with all ISLs shared between switches, these zones can extend across and up to six cascaded or mesh switches in a fabric.

Managing Truly Flexible SAN Fabric Designs


The real power of zoning lies in its ability to be used in a combination of zone types. Hard zones, the most secure of all zoning, allow the fabric to be partitioned into multiple, independent, virtual fabrics. The entire fabric is transparently treated as a single hard zone if no hard zones are defined. Other zones can be overlapped within hard zones, which allows some ports to be dedicated to private legacy devices using SLZs. For efficient SAN utilization and ease of management, all other ports can be zoned using the port and WWN name server zones to allow all devices to be connected. Finally, in order to limit the impact of IP broadcasts on SCSI devices, broadcast zones can be used if IP traffic is present. All zone types can be configured on fabrics of any size, with no limitations as to which ports or devices in a fabric can be placed into a zone for maximum ease in growing large fabrics.

Combination Zoning Examples


A few real-world examples of the benefits of creating sub-zones within a hard zone include:

- Allowing private loop devices to share the same switch with public devices. Both private and public devices will operate independently using the same switch, thus reducing the number of switches necessary to build the fabric.
- Dedicating an ISL from one switch to another within a zone.
- Dedicating known I/O bandwidth within a zone.
- Overlapping specific port or WWN groups dynamically on the fly for data backup and then reconfiguring the zones to their original configuration.
- Limiting IP broadcasts to specific devices in multiple zones within the hard zone, and overlapping those broadcast ports with name server zone ports to communicate with other devices in the SAN.
- Segregating specific company departments.

The New Hierarchy In Zoning


A new hierarchy within a zone set is defined by the latest American National Standards Institute (ANSI) standards.

Zone Sets
The highest level of the zoning hierarchy is a zone set. Assigned zones are contained in the zone set, and assigned members are contained in the zones. Thus, in a single fabric, there can be several zone sets; however, only one zone set can be active at any one time. For example, multiple zone sets are especially helpful for dynamic reconfiguration of the SAN, such as moving a tape library from one server to another in order to perform a backup. To change zone sets, the administrator simply deactivates the old zone set and activates the new one. While this can be done without bringing down the SAN, it should not be performed while I/O activity is present in the SAN. Instead, the active zone set should be changed when the SAN is idle.

Zones
Zones are made up of a group of assigned devices, now called "members" (similar to an original SAN switch). Additionally, within the zone set, all device members assigned in the zone can belong to one or multiple zones. With multiple storage devices, this capability helps facilitate the sharing of backup devices.

Members
Within a zone, members are simply devices. With a SAN switch, member devices can be assigned to a zone via the port number, Fibre Channel Address (FCA), or the world wide name (WWN). So, within a SAN, any member can be assigned to multiple zones.

Hard Zones
According to the Fibre Channel third-generation generic services (FC-GS-3) standard, a hard zone is defined as "a zone that is enforced by the fabric, often as a hardware function. The fabric will forward frames among zone members within a hard zone. However, the fabric prohibits frames from being forwarded to members not within a hard zone." Hard zoning is the most secure zoning type (as with a SAN switch). The fabric enforces the hard zones and will only forward frames among other hard zone members, as the hard zone device table is created and stored at the Application-Specific Integrated Circuit (ASIC) level of the switch. In addition, a SAN switch can also support a maximum of sixty-three (63) hard zones within a fabric. Furthermore, hard zones can overlap and contain both broadcast zones and name servers. All hard zone members are defined by port number/domain.

Soft Zones
According to the FC-GS-3 standard, a soft zone "consists of zone members who are made visible to each other through client service requests. Typically, soft zones contain zone members that are visible to devices via the name server exposure of zone members. The fabric does not enforce a soft zone." As with a SAN switch, name server zones are extremely flexible. Broadcast zones can be overlapped by name server zones. Also, all ISLs within a hard zone are available to the name server zones. Additionally, there's no maximum to the number of name server zones that can be created with a SAN switch. For example, the newest ANSI standards identify three member-address schemes that are used in name server zoning:

- Fibre Channel Address (FCA)
- Port
- World wide name (WWN)

Thus, each address member can coexist in the same zone.
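The zone set / zone / member hierarchy described in this section, as an added example that is not from the original page: a Python model with constructed device identifiers in which a fabric holds several zone sets but activates only one, and members are addressed by port, FCA or WWN and may belong to several zones at once.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Member:
    scheme: str  # "port", "fca" (Fibre Channel Address) or "wwn"
    value: str

@dataclass
class Zone:
    name: str
    members: set = field(default_factory=set)  # set of Member

@dataclass
class ZoneSet:
    name: str
    zones: dict = field(default_factory=dict)  # zone name -> Zone

    def add(self, zone):
        self.zones[zone.name] = zone

class Fabric:
    def __init__(self):
        self.zone_sets = {}  # several zone sets may be defined ...
        self.active = None   # ... but only one is active at any time
        self.devices = {}    # device name -> the Members it matches under each scheme

    def register(self, name, port, fca, wwn):
        self.devices[name] = {Member("port", port), Member("fca", fca), Member("wwn", wwn)}

    def define(self, zone_set):
        self.zone_sets[zone_set.name] = zone_set

    def activate(self, name):
        """Deactivate the current zone set and activate another (do this while the SAN is idle)."""
        if name not in self.zone_sets:
            raise KeyError(f"zone set {name!r} is not defined")
        self.active = name

    def zones_of(self, device):
        """Names of the active zones the device belongs to; any address scheme counts."""
        if self.active is None:
            return set()
        ids = self.devices[device]
        return {z.name for z in self.zone_sets[self.active].zones.values() if ids & z.members}

    def can_talk(self, a, b):
        """Two devices can communicate if they share at least one active zone."""
        return bool(self.zones_of(a) & self.zones_of(b))

def build_fabric():
    """Constructed example: a production zone set, and a backup-window zone set that
    additionally places the tape library in the database host's zone."""
    fab = Fabric()
    fab.register("host_db", "1,1", "0x010100", "10:00:00:00:c9:00:00:01")
    fab.register("host_bk", "1,2", "0x010200", "10:00:00:00:c9:00:00:02")
    fab.register("array", "1,3", "0x010300", "50:06:01:60:00:00:00:01")
    fab.register("tape", "1,4", "0x010400", "50:01:10:a0:00:00:00:01")
    db = {Member("wwn", "10:00:00:00:c9:00:00:01"), Member("port", "1,3")}
    backup = {Member("fca", "0x010200"), Member("wwn", "50:01:10:a0:00:00:00:01")}
    prod = ZoneSet("production")
    prod.add(Zone("db", set(db)))
    prod.add(Zone("backup", set(backup)))
    night = ZoneSet("backup_window")
    night.add(Zone("db", db | {Member("wwn", "50:01:10:a0:00:00:00:01")}))
    night.add(Zone("backup", set(backup)))
    fab.define(prod)
    fab.define(night)
    return fab
```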

Summary And Conclusions


SAN switch zoning capabilities and naming conventions help storage managers make informed decisions regarding their switch purchases. In order to easily create and manage SANs that include both private and public devices, Fibre Channel switches should be added to Storage Area Networks (SANs) to give storage managers tremendous flexibility. The switch's capability to create zones is the key to these highly flexible, manageable SANs or partitions within the total SAN fabric. It is also important to understand how zoning is accomplished within the fabric as storage managers evaluate switches from various vendors. Fibre Channel switch vendors developed their own naming conventions and features prior to the Fibre Channel Switch Fabric second generation (FC-SW-2) specification. Now that the FC-SW-2 specification has been completed and approved, any switch that is fully FC-SW-2 compliant will coexist in a SAN fabric, regardless of the vendor.
