Storage and network administrators are the Hatfields and McCoys of IT, waging a feud that started with LAN-based backup and that will probably only end with an inevitable marriage. With the advent of IP storage, network administrators are witnessing storage administrators sneaking Ethernet switches into the datacenter with the deceptive label of "SAN switches." The thought of storage administrators on the network invokes images of spaghetti wiring, security holes, saturated bandwidth, network brownouts and other nightmares. The time is right for the networking department to get up to speed on IP storage. Let's begin with an overview of the technologies.
What is IP storage, anyway?
IP storage refers to block storage over the Internet Protocol (IP). Block-level storage is the communication of block data between disks and servers. When block-level storage is extended across a network using SCSI commands, we call it a storage area network (SAN). Traditionally, the infrastructure used to make up SAN fabrics has been Fibre Channel. IP storage uses IP network components, predominantly but not exclusively Ethernet networking.
IP storage consists of three basic protocols: Internet Small Computer System Interface (iSCSI,) Internet Fibre Channel Protocol (iFCP,) and Fibre Channel over IP (FCIP). iSCSI is a means of transporting SCSI packets over TCP/IP, providing for Ethernet-based SAN storage solutions. iFCP and FCIP enable the encapsulation of frames among Fibre Channel SANs through gateways that are interconnected with TCP/IP networks.
iSCSI solutions consist of iSCSI initiators in the server, connected to iSCSI targets (native iSCSI storage systems) by means of standard Gigabit Ethernet infrastructure (switches and cables). iSCSI is particularly interesting for storage consolidation solutions for server applications in environments where simplicity, flexibility, and price/performance are critical IT decision factors, as well as for cost-effective and efficient backup and disaster recovery solutions. iSCSI initiators can also be connected to Fibre Channel SANs by means of IP storage switches or routers.
iFCP is a TCP/IP-based protocol for interconnecting Fibre Channel storage devices or Fibre Channel SANs using an IP infrastructure. iFCP solutions consist of Fibre Channel end-points (SANs or devices) connected to a shared or dedicated IP network by means of iFCP gateways and enabling networked connections between SANs. It is particularly well-suited to providing the reliable transport of storage data between SAN domains via TCP/IP LAN, MANs or WANs.
FCIP is a TCP/IP-based tunneling protocol designed to transparently provide point-to-point connections between geographically distributed Fibre Channel SANs using FCIP gateways to connect to an IP network. It is well-suited to providing connectivity to remote SANs for backup and restore or remote data replication applications.
The benefits shared by these solutions derive from the cost, flexibility, manageability, distance, and familiarity advantages associated with Ethernet networking technology. More to the point, IP brings a wealth of solutions to storage that can be leveraged by networking and storage administrators alike.
Let's talk security
Chief concern among networking administrators is security. The designers of the IP storage protocols addressed security on day one, rather than as an afterthought. Instead of reinventing the wheel, the IP storage protocols simply leverage the existing solutions within IP networking. First, let's look at the datacenter and the SAN itself.
Best practices dictate dedicating switches and hardware to the SAN and isolating the storage traffic from your LAN traffic. This can easily be accomplished by simply deploying new Gigabit Ethernet switches dedicated to the SAN or by using VLAN technology to virtually accomplish the same goal. By blocking the iSCSI TCP port 3260, administrators can effectively lock their iSCSI traffic into the SAN with a firewall. This also allows for "lock on the door" security by isolating traffic with the storage itself.
Access to storage on an iSCSI SAN can be strictly controlled with multiple layers of access controls, including mutual CHAP/RADIUS authentication, where servers actually log in to volumes with secured usernames and passwords. Standard port sniffing and security tools can be employed to scan devices within the iSCSI SAN, as with any other networking device.
When bridging SANs using iSCSI, iFCP or FCIP over distances, administrators can draw up additional security features of IP storage. Linking storage sites across the building, the campus, the city, or hundreds of miles away obviously requires more security. VPN and IPsec options provide the end-to-end authentication and encryption desired.
Network administrators will be relieved to find other advanced IP techniques available, such as quality of service to manage network traffic, and even some simple tools such as ping and trace routing. Mostly, network administrators will find themselves on familiar ground using familiar tools to solve a new problem.
Will networking administrators now oversee storage? I'm not too sure. There's still RAID and tape provisioning to worry about, not to mention backup. However, the lines are blurring. The good news for network administrators is that storage networks over IP are more "network" than "storage."
For more information, please visit http://www.snia.org/ipstorage.
About the author:
Peter Hunter
Vice Chair, SNIA IP Storage Forum
Product Marketing Manager, EqualLogic
Peter is currently the Vice Chair of the Storage Networking Industry Association's (SNIA) IP Storage Forum Board of Directors. Peter is also responsible for product management and strategic marketing at EqualLogic. Peter joined EqualLogic in 2001 as a principal storage engineer, leading the company's RAID and Dual Controller development. Previously he was a senior software engineer at IronStream, Inc., where he conducted embedded systems programming, and senior software engineer at QuickBuy Inc., where he managed development and marketing of Unix and Windows server software. Peter has also served as a technology analyst for Alex Brown Investment Management and Darby Overseas Investments.
