What are the relative merits of Fibre Channel and iSCSI?
The main disadvantage of Fibre Channel is that it is not Ethernet. That means a second network technology and a second set of skills are needed within the datacentre. By comparison, while an Ethernet SAN should still be a separate network infrastructure, its components can be much the same as in the LAN.
The cost differential between the two has narrowed though, as Fibre Channel prices have fallen and speeds have risen. Plus, Fibre Channel is more efficient and will perform better in many typical SAN applications. There can also be advantages to using a non-IP-based server and storage interconnect in terms of network security.
The main drawback of iSCSI is that it is processor-intensive, so unless the server has a special host bus adapter (HBA) with built-in iSCSI or TCP/IP acceleration, it may not be a suitable replacement for DAS. In addition, it is not as scalable as Fibre Channel, and the iSCSI standard was only completed a year ago, so it is relatively immature.
As iSCSI matures it could make remote backup and replication easier and cheaper to achieve, for instance allowing a PC with iSCSI software to access a remote tape library. It could also bring storage networking to workgroups and smaller organisations that could not afford to buy in either the technology or the support and implementation skills needed to install and maintain a Fibre Channel SAN.
In addition, iSCSI can be used to bring in servers that are currently outside the core SAN. An example could be a rack-mounted web server that has Ethernet built in, but no slot for a Fibre Channel HBA.
Like Fibre Channel, iSCSI is merely a transport mechanism, and most disk or tape drives are unlikely to be native iSCSI. Indeed, in large sites the back-end storage for an iSCSI SAN will be the same as it would be in a Fibre Channel SAN, and may even be shared between iSCSI and Fibre Channel clients.
Are there any particular security issues with SANs?
When a SAN meant a Fibre Channel network in the datacentre, SAN security was rarely a concern. However, three things have raised risks in recent years: storage over IP, remote storage and storage consolidation.
The advent of IP is perhaps the most obvious. Not only can storage packets be sniffed as they pass over the IP network, but connection to the internet could provide a route in for hackers, and once they get into the SAN they can attempt to gain direct access to stored data.
Remote storage adds to the risk because backup tapes can be stolen. And consolidation means that there is one place where all data is shared, which not only makes the SAN an attractive target for the hacker, but frightens the business manager who wants all the firm's data to be private.
Several companies, such as Decru and Neoscale, are working on SAN security. The challenge is that application-level security, network security and storage-level security must all work together. For example, encryption of SAN block traffic relies on the application to do authentication.
The Storage Network Industry Association (SNIA) is also active here, via its Storage Security Industry Forum (SSIF) and the Storage Management Initiative (SMI). The industry has already voted to adopt the existing Chap authentication protocol for Fibre Channel, and the SSIF is working on a security protocol analogous to IPsec, provisionally titled FCsec.
GLOSSARY
Chap: Challenge-Handshake Authentication Protocol is a secure procedure for connecting to networks.
FCIP: Fibre Channel over IP uses routers and IP tunnelling to create a virtual Fibre Channel connection over an IP network.
iFCP: IP Fibre Channel protocol uses a combined router/switch device to map Fibre Channel devices to IP addresses.
IPsec: Internet Protocol Security is a framework for a set of security protocols operating at the network or packet processing layer of network communication.
iSCSI: Internet SCSI (Small Computer System Interface) is an IP-based storage networking protocol for linking data storage facilities.
NAS: Network-attached storage is hard disk storage set up with its own network address.
Raid: A redundant array of independent (or inexpensive) disks stores the same data in different places on multiple hard disks.
SAN: A storage area network is a high-speed special-purpose network (or sub-network) that interconnects different kinds of data storage devices.




