Research on Network Storage Security Technology
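Abstract
The network storage era has been called the third wave of IT. Network storage has developed rapidly over the past ten years or so and is increasingly used across industries; as it becomes more widespread, its security problems are also drawing growing attention. Network storage security covers both the security of the storage network's components and the security of the data on them.
     Based on an analysis of the security risks of network storage, this paper provides corresponding protective measures for the currently popular network storage technologies: network attached storage, storage area networks and IP storage. Protection of mass storage can be considered from several angles; whether by physical or electronic means, I believe a "defense in depth" security strategy is needed for every level of storage. This approach does not rely on a single program or technology to protect storage, but instead distributes multiple protective measures vertically and densely across the whole horizontal storage network structure covering host devices, network devices and storage devices, for example:
     (1) SAN storage access protection: logical unit number (LUN), masking and zoning are the commonly used techniques for ensuring that only authorized servers can access a specified storage array;
     (2) Using multiple data protection means (system root disk mirroring, two-node clusters, RAID levels, redundant paths and remote disaster recovery) together with flexible backup schemes, and using a form of "zero-downtime backup", which works well for backing up critical business data that cannot be taken offline.
     (3) Finally, I recommend using appropriate storage network evaluation tables to evaluate the technologies and devices of a given storage environment, in order to identify weak points and strengthen them.
     Because this topic is one of the emerging technology hotspots in the IT industry and is quite difficult, with each type of storage technology itself being hard to research and implement, and because it involves a large amount of technical content across storage, network and host security, this paper aims to provide an effective, pragmatic analysis of storage security technology from certain angles, within the author's ability. Through the study of a large body of material on existing network storage architectures and their security problems, and with reference to the future trends and directions of the field, it analyzes and summarizes countermeasures to the various activities that endanger data security, and identifies security planning methods and evaluation strategies that can effectively strengthen the data protection of existing storage systems.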
The network storage era is called the third IT wave. Network storage technology has developed rapidly over nearly 10 years and has been applied in every industry. With the growing popularity of network storage, its security has received increasing attention. The security of network storage includes the security of the storage network and of the data on the storage network.
     In this paper, after analyzing the risks and threats of network storage, we provide protective measures for the common network storage technologies such as Network Attached Storage, Storage Area Network and IP Storage. For the protection of large-capacity storage, whether on the physical side or the electronic side, I think a "Defence in Depth" security strategy is needed for every level of storage. This approach doesn't depend on a single program, but on safeguards densely covering the whole storage network, including host devices, network devices and storage devices, such as:
     (1) SAN storage protection functions: Logical Unit Number, Masking and Zoning are the common security technologies used to authenticate the hosts that are authorized to access a specific storage disk array.
     (2) Data safeguard methods: I design these with system root disk mirroring, HA clusters, RAID levels, redundant paths and remote disaster backup. They should be combined with a flexible backup policy. I found a way to back up without business downtime, which is effective for businesses that can never stop.
     (3) Finally, I suggest evaluating SAN security often with a defined evaluation method, such as the two SAN security evaluation matrix tables I created. We can then raise the security level of the relevant points according to the evaluation result.
     (4) The thesis subject, storage security, is one of the emerging IT hotspots. It is very challenging to research and deliver, because it involves storage, network and server security technology. Given my limited experience and energy, the paper focuses only on the practical areas within my ability. Through the study of a large body of storage security references and development trends, I analyse countermeasures to all kinds of data security problems, and evaluation methods.
