SECURING FIBRE CHANNEL FABRICS SECOND EDITION SAN Protection for Storage and Security Professionals
ROGER BOUCHARD
This book is dedicated to Nicole, my wife, whose support and understanding throughout the years would not have made this book possible. I would also like to offer a special dedication to Peter Carucci, a wonderful person, a father, and a husband, who left us all much too soon. Peter was an avid supporter of the Brocade encryption solution and SAN security assessment engagement and was instrumental to their success. He is dearly missed by all.
© 2012 Brocade Communications Systems, Inc. All Rights Reserved. 05/12
Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
Brocade Bookshelf Series designed by Josh Judd
Securing Fibre Channel SANs
Written by Roger Bouchard
Edited by Victoria Thomas
Design and Production by Victoria Thomas
Illustrated by Jim Heuser, David Lehmann, and Victoria Thomas
Contributors: Josh Judd (SAN basics), Marcus Thordal (Brocade Encryption Switch), Scott Kipp (key management), Jim Davis (zoning), and Thomas Scheld and Martin Sjoelin (lab experiments for myths)
Reviewers: Greg Farris, Tom Clark, Josh Judd, Marcus Thordal, Scott Kipp, Jim Davis, and Mark Dietrick
First Edition, April 2009
First Edition, Rev. A, September 2009
Second Edition, May 2012
Use of this book constitutes consent to the following conditions. This book is supplied “AS IS” for informational purposes only, without warranty of any kind, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this book at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this book may require an export license from the United States government.
Brocade Corporate Headquarters San Jose, CA USA T: (408) 333 8000
Brocade European Headquarters Geneva, Switzerland T: +41 22 799 56 40
Brocade Asia Pacific Headquarters Singapore T: +65 6538 4700
DISCLAIMER The author is not an attorney and this book in no way represents any legal advice or legal opinion. For legal advice or opinion on data protection measures, consult an attorney.
Very special thanks go to Martin Skagen, my friend and Brocade mentor, for his generosity in sharing his extensive technical knowledge with me and his support of my advancement in SAN security. Special thanks to Victoria Thomas, the copyeditor for the first edition, and Patty Barkley, whose support and creativity made the second edition of this book possible. Special thanks to Greg Farris who was the primary proofreader for the second edition and committed many hours to ensure the quality of this edition. This book would not have been possible without the help of several other contributors and reviewers that shared their knowledge and expertise. For this, I would like to thank the following contributors for the first edition of this book: Tom Clark, Josh Judd, Marcus Thordal, Scott Kipp, Jitendra Singh, Jim Davis, Thomas Scheld, Martin Sjoelin, and Mark Dietrick. Finally, thanks to Ron Totah who provided me with the opportunity to dedicate the time and created the environment essential to complete this project.
Roger Bouchard has been in the computer industry since 1978 with a wide range of experience in programming, analysis, consulting, education and management. He has taught IT security courses since 1994 and has been focused exclusively on the storage industry since 1996. Since Mr. Bouchard joined Brocade in 2000, he has obtained his BCFP, BCSD, and BCSM certifications as well as the CISSP certification in 2005 and an M. Sc. in Information Assurance (MSIA) from Norwich University. His role evolved within the company from a Sales Engineer (SE) Subject Matter Expert (SME) on Security to founding and leading the Security Practice in the Services organization. There he developed processes for SAN Security Assessments and SAN Hardening engagements delivered across North America. He is currently a Global Solutions Architect, and in this role has written several white papers on SAN security and is a frequent speaker at storage/SAN conferences.