Storage Area Networks
Storage area networks (SANs) are one of the faster-growing segments of data communications. SANs and similar storage systems provide a way to meet the Internet’s nearly insatiable need for data storage. Besides the need for mass storage of data for websites and e-mail, there is a growing demand for storage at large companies, and government agencies also need storage for backup, disaster recovery, and retention of files required by regulations such as Sarbanes-Oxley. Add to that the growing use of databases for every conceivable need, and the result is a need clearly beyond even the very large disk drives in the servers. Special storage systems have been created to hold these massive data resources, and special networks and communications systems have been developed to ensure rapid access to this data.
Early storage systems were made up of external disk drives that were not inside the PCs or servers. These external drives were connected to the PC or server by way of a fast parallel transmission bus referred to as the Small Computer Storage Interface (SCSI), nicknamed the “skuzzy” interface. A formalized set of binary commands allowed the computer to control the disk drives to store or access data. Over the years, the parallel bus became faster and faster, but the distance over which data can be transmitted in parallel format declined to several feet with the increased speed. This form of mass storage was referred to as direct-attached storage (DAS). While DAS is still used today, larger, more flexible systems using fast serial data transfer are available.
One of these new systems is called network-attached storage (NAS). These systems are made up of a redundant array of independent disks (RAID) or just a bunch of disks (JBOD). These large boxes of disk drives are typically connected to a PC or server by way of the installed Ethernet LAN. They are assigned an IP address so that data can be accessed in a file format. Anyone connected to the LAN can access the data on the disks if authorization is provided.
Very large storage needs are met by storage-area networks. These use the RAIDs and JBODs that are connected via the SAN to the various network servers, database servers, or other computers designed to provide access to the data. Fig. 15-14 shows a typical arrangement. All the various user PCs or workstations are connected to a central LAN using 100-MHz or 1-GHz Ethernet over twisted-pair cable to which all the specialized servers (mail, data, application-specific, etc.) are attached. The servers are also connected to the SAN, which in turn is attached to each disk storage unit. Fiber-optic connections are typically used in connecting the SAN to the servers, but in some cases, a 1-GHz twisted-pair Ethernet connection may be used. With this arrangement, any individual PC or workstation may access the data in any disk system or establish backup files via the LAN and the SAN. That access may actually be via the Internet. SANs use block transfers of data instead of file transfers, where fixed-size blocks of data are transferred rather than complete files.
The connection between the servers and the SAN is made usually by a fiber-optic network known as Fibre Channel (FC). A newer connection system called iSCSI or Internet SCSI (“I skuzzy”) uses the installed Ethernet LAN plus Ethernet switches.
Fibre Channel is an optical fiber transmission standard established by the American National Standards Institute in the late 1980s. The standard defines a protocol and a fiber-optic physical layer (PHY) that can be used to connect computers and storage systems in a loop or ring, point-to-point, or through switches. Early FC systems transmitted at a rate of only a few hundred megabits per second, but today systems transmit at 1, 2, 4, or 10 Gbps. A very high data rate is essential in a SAN if any large block of data is going to be accessed by a user in a reasonable time. The FC PHY defines the use of a pair of fiber-optic cables, one for transmit and one for receive. Most systems use 50- or 62.5-μm-diameter multimode fiber for relatively short connection distances up to several hundred meters. Single-mode fiber can also be used for longer-range connections from 10 to 40 km. The short-range systems use 850-μm infrared (IR) laser transmitters, while the longer-range systems use either 1310- or 1550-μm IR laser transmitters.
The protocol defines a 2148-byte packet or frame that is transmitted with 8B/10B coding. A 4-byte (32-bit) CRC is used for error detection. The actual transmission speeds are 1.0625, 2.125, 4.25, 8.5, 10.52, and 14.025 Gbps. Future rates are 28.05 and 4 x 28.05 Gbps. The connection to the fiber-optic cable is made through an interface card known as a host bus adapter (HBA). Each HBA plugs into the bus of the server or the storage control unit of the RAID or JBOD. The connections may be a direct, point-to-point link or a ring. Today, most connections are made through a very high-speed electronic cross-point switching arrangement known as a switch fabric. The switch fabric is packaged into a box with the fiber-optic cable connectors, and the entire unit is called an FC switch. It appears inside the SAN “cloud” shown in Fig. 15-14. This arrangement essentially lets any server or disk drive node on the network connect to any other. Most FC switches permit up to 2^24 devices to be connected.
One of the primary advantages of the FC SAN is that it is inherently secure. Because it is not connected to the LAN or the Internet, it is essentially immune to outside hacking, virus, spam, or other attacks normally associated with the Internet. The FC SAN is completely separate from any other network connections.
FC systems can also communicate over longer distances via the Internet by using a new protocol called Fibre Channel over Internet Protocol (FCIP) developed by the Internet Engineering Task Force (IETF). This protocol encapsulates the FC frames into packets and transmits them via TCP/IP. With this arrangement, multiple FC SANs can be interconnected and managed over an IP network. Another arrangement called Internet Fibre Channel Protocol (iFCP) allows FC SANs to be linked by using TCP/IP with standard Ethernet switches or routers. The switch or router becomes a gateway that takes the place of an FC switch.
While FC is used in more than 90 percent of all SANs because of its speed, flexibility, and reliability, its main downside is high cost. Recently, a lower-cost SAN connection system called Internet SCSI (iSCSI) has been developed. It uses standard off-the-shelf Ethernet components and TCP/IP software, which are so widely available. This system is also an IETF standard. It uses the same command and control protocol developed for parallel bus SCSI DAS systems except that it uses serial data transfers over Ethernet.
Fig. 15-15 shows the data flow in a data access operation in an iSCSI SAN. The PC requesting the data notifies the server, and the server operating system then produces an appropriate SCSI command. The iSCSI protocol that is implemented in the Ethernet network interface card (NIC) encapsulates the SCSI command into TCP, then into IP packets that are transmitted by using Ethernet on available LAN connections. In Fig. 15-14, the SAN “cloud” is usually just the installed LAN wiring with Ethernet routers and switches. The connection may also be through a MAN or WAN using the Internet. On the receiving end, which is the target RAID or JBOD, the process is reversed, as Fig. 15-15 shows.
The NICs used in the servers and the RAID/JBOD systems are standard Ethernet interfaces but are iSCSI-enabled. They may even incorporate what is called a TCP/IP off-load engine. This is a special processor designed to handle the TCP/IP operations in hardware rather than in software on the server as usual. This greatly speeds up all operations.
The primary benefit of an iSCSI SAN is its lower cost and use of existing LAN wiring or the Internet. The main disadvantage is that such systems are at risk of hacking, viruses, and other such security problems. This can be taken care of by using security software and data encryption methods, but these increase the cost and greatly slow down all data transmission operations.
One of the most important aspects of the Internet is the security of the data being transmitted. Security refers to protecting the data from interception and protecting the sending and receiving parties from unwanted threats such as viruses and spam. And it means protecting the equipment and software used in the networks. The Internet or any network-connected computer is subject to threats by hackers, individuals who deliberately try to steal data or damage computer systems and software just for the challenge. Prior to the Internet, computer security was primarily limited to sensitive government and military data transmissions.
Some large companies also used security measures to transmit critical data. Today the Internet has forced all users and organizations to employ security measures to protect their computers and data. The Internet greatly expanded development in security measures. Wireless systems are also very vulnerable to hacker attacks simply because radio waves are easily picked up and used by anyone with an appropriate receiver. Over the past years, security for wireless systems has been developed and widely deployed.
Most security measures are implemented in software. Some security techniques can also be implemented in hardware such as data encryption chips.
Types of Security Threats
The most common form of threat is the ability of a hacker to link to an existing network and literally read the data being transmitted. Some types of connections permit disk files to be accessed, e-mail files to be read, data to be modified, and new unwanted data to be added. There are a huge number of specific ways in which data can be read, stolen, compromised, or corrupted. The other common forms of security threats are explained below.
A virus is a small program designed to implement some nefarious action in a computer. A virus typically rides along with some other piece of information or program so that it can be surreptitiously inserted into the computer’s hard drive or RAM.
The virus program is then executed by the processor to do its damage. Any number of viruses have been created over the years and transmitted by e-mails to unsuspecting computers. Sometimes viruses arrive by way of a Trojan horse, a seemingly useful and innocent program that hides the virus. Viruses typically interfere with the operating system, causing it to do unwanted things or not to perform certain functions. Viruses can affect the executable programs on the computer, the file directory, the data files themselves, and the boot programs. Besides making the computer unusable, a virus can erase or corrupt files, cause unknown e-mails to be transmitted, or take other malicious actions.
Like a real virus, computer viruses are designed to spread themselves within the computer or to be retransmitted to others in e-mails. These viruses are called worms as they automatically duplicate and transmit themselves from network to network and computer to computer.
A more recent threat, while not actually damaging, is unwanted ads and solicitations via e-mail called spam. Spam clogs up the e-mail system with huge quantities of unwanted data and uses transmission time and bandwidth that could be used in a more productive way. Spam is not illegal, but you must remove the spam yourself, thereby using up valuable time, not to mention memory space in your e-mail system.
Spyware
Spyware is a kind of software that monitors a computer and its user while he or she accesses the Internet or e-mail. It then collects data about how that user uses the Internet such as Internet website access, shopping, etc. It uses this information to send unsolicited ads and spam. Some examples of dangerous practices are the capture of credit card numbers, delivery of unsolicited pop-up ads, and capture of Web-browsing activity and transmission to a person or company for use in unauthorized promotions.
Denial-of-Service (DoS) Attacks
This is a process that transmits errors in the communications protocol and causes the computer to crash or hang up. This type of vandalism doesn’t steal information, but it does prevent the user from accessing the operating system, programs, data files, applications programs, or communications links.
It is the easiest form of attack that serves no useful purpose other than to hurt others. One special type of DoS attack is called smurfing. A smurf attack usually overwhelms ISP servers with a huge number of worthless packets, thereby preventing other ISP subscribers from using the system. Smurfing makes use of a technique called pinging. Ping is the transmission of an inquiry by way of the Internet Control Message Protocol (ICMP) that is a part of TCP/IP to see if a particular computer is connected to the Internet and active. In response to the ping, the computer sends back a message confirming that it is connected. Hackers substitute the ISP’s own address for the return message so that it gets repeatedly transmitted, thus tying up the system.
To protect data and prevent the kinds of malicious hacking described, special software or hardware is used. Here is a brief summary of some of the techniques used to secure a computer system or network.
Encryption and Decryption
Encryption is the process of obscuring information so that it cannot be read by someone else. It involves converting a message to some other form that makes it useless to the reader. Decryption is the reverse process that translates the encrypted message back to readable form.
Encryption has been used for centuries by governments and the military, mainly to protect sensitive material from enemies. Today it is still heavily used by the government and the military but also by companies and individuals as they strive to protect their private information. The Internet has made encryption more important than ever as individuals and organizations send information to one another. For example, encryption ensures that a customer’s credit card number is protected in e-commerce transactions (buying items over the Internet). Other instances are automated teller machines (ATM) accesses and sending private financial information. Even digitized voice in a cell phone network can be protected by encryption.
Fig. 15-16 shows the basic encryption process. The information or message to be transmitted is called plaintext. In binary form, the plaintext is encrypted by using some predetermined computer algorithm. The output of the algorithm is called ciphertext. The ciphertext is the secret code that is transmitted. At the receiving end, the reverse algorithm is performed on the ciphertext to generate the original plaintext.
Most encryption processes combine the plaintext with another binary number called a secret key. The key is used as part of the algorithmic computing process. To translate the ciphertext back to plaintext, the receiving computer must also know the secret key. The strength of the encryption (meaning how secure the data is from deliberate attempts at decryption by brute computing force) is determined by the number of bits in the key. The greater the number of bits, the more difficult the key is to discover.
There are two basic types of encryption: secret key encryption (SKE), also called private key encryption, and public key encryption (PKE). SKE is said to be symmetric because both sending and receiving parties must have the same key. The problem with this method lies in sharing the key. How do you transmit or distribute the secret key in a secure manner? This problem led to the development of PKE.
PKE is known as asymmetric encryption. It uses two keys, a public key and a private key, in the encryption process. The public key can be openly shared in public. In fact, the public key is sent by the receiver to the transmitting party, and it is used in the encryption process. A secret key is also needed in the decryption process. The original PKE method used two factors of a large prime number for the public and private keys. Other methods are used today.
There are literally dozens of different types of encryption methods. Two of the most common SKEs are the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) developed by the National Institute of Standards and Technology (NIST) of the U.S. government. DES uses a 56-bit key for encryption. The key is actually 64 bits or 8 bytes long, where 1 bit of each byte is a parity bit. The remaining eight 7-bit bytes make up the key. The plaintext is encoded or encrypted in 64-bit blocks.
DES was found to be insufficiently secure as the key could actually be discovered by a very fast computer, simply by trying all the related key combinations. This led to the development of 3DES (pronounced triple-Dez), which puts the plaintext through three separate sequential DES encryptions, creating a virtually unbreakable code.
The AES algorithm was developed by NIST to replace DES with a method better suited to network use and hardware as well as software implementation. The resulting cipher is known as the Rijndael algorithm, named after one of its creators. It uses 128-, 192-, or 256-bit keys, making it ultrasecure and essentially impossible to break.
There are numerous private key methods. Another one that is often used is Rivest Cipher #4 (RC4), developed by Ron Rivest at the Massachusetts Institute of Technology. The key length can vary from about 40 to 128 bits.
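The following Python program, added here as an illustration and not part of the original text, shows why the number of key bits sets the strength of secret key encryption. It uses a toy symmetric cipher built from HMAC-SHA256 (not DES, 3DES, AES or RC4) with a constructed 16-bit key, recovers that key by trying every possible value in turn, and then uses the same arithmetic to estimate how long an exhaustive search would take for 56-bit and 128-bit keys. The key size, the key value, the message and the search rate are all assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Toy secret-key (symmetric) cipher for illustration only, not DES, 3DES, AES or RC4:
# the keystream is HMAC-SHA256(key, block counter) XORed with the plaintext, so the
# same key both encrypts and decrypts.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: decryption is the same operation with the same key.
    return encrypt(key, ciphertext)


def int_key(value: int, key_bits: int) -> bytes:
    """Represent an integer key as a fixed-length byte string."""
    return value.to_bytes((key_bits + 7) // 8, "big")


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int) -> tuple:
    """Exhaustive key search, the method that showed a 56-bit DES key is too
    short: try every key value until the decryption begins with a known
    plaintext prefix. Returns (key, attempts); attempts is the work done."""
    attempts = 0
    for candidate in range(2 ** key_bits):
        attempts += 1
        key = int_key(candidate, key_bits)
        if decrypt(key, ciphertext[: len(known_prefix)]) == known_prefix:
            return key, attempts
    return None, attempts


def expected_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average time to find a key by exhaustive search: half the key space."""
    return (2 ** key_bits) / 2 / keys_per_second


if __name__ == "__main__":
    KEY_BITS = 16                                  # constructed toy key size
    secret = int_key(0xBEEF, KEY_BITS)             # constructed secret key
    message = b"GET /account HTTP/1.1"             # constructed plaintext
    ciphertext = encrypt(secret, message)
    found, tries = brute_force(ciphertext, b"GET /acc", KEY_BITS)
    print(f"recovered key {found.hex()} after {tries} trials")
    print(f"at 1e9 keys/s: 56-bit key ~{expected_search_seconds(56, 1e9):.0f} s,"
          f" 128-bit key ~{expected_search_seconds(128, 1e9):.2e} s")
```

Running the program recovers the constructed 16-bit key after 48,880 trials. The same arithmetic puts a 56-bit search at roughly 36 million seconds on a machine trying one billion keys per second, and a 128-bit search beyond any practical time scale, which is the reason 3DES and AES moved to longer keys.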
The original public key encryption concept is known as the Diffie-Hellman key exchange, named for its inventors Whitfield Diffie and Martin Hellman. The Diffie-Hellman algorithm uses random number generation and logarithms to create the keys.
One of the most commonly used PKE methods is the RSA method developed by Rivest, Shamir, and Adleman. It uses large prime numbers to generate 512-, 1024-, or 2048-bit keys to ensure maximum protection.
A newer PKE algorithm is the elliptic curve cryptosystem (ECC). Its prime advantage is that it uses a smaller 160-bit key that provides equivalent protection to a 1024-bit RSA key, but computation is significantly faster. Large keys make it more secure. Here is a step-by-step sequence to show how PKE is used.
- Two parties X and Y wish to communicate. Party X will transmit information to Y.
- Both X and Y have encryption software that generates both public and private keys.
- The receiving party Y first transmits the public key to X. This can be done by using nonsecure or unencrypted methods.
- The transmitting party X then uses the public key to encrypt the message that is sent to Y.
- Then Y decrypts the message by applying the private key that matches the public key.
Even though a message is encrypted by whatever method, there is no way to be sure that it arrives unmodified. It could be changed during transmission due to some form of interception and attack or just muddled by noise. To prevent this problem, methods of ensuring data integrity have been created. These methods are referred to as hash functions. Hash functions are a kind of one-way encryption. They allow you to determine if the original message has been changed in any way during transmission.
What a hashing function or algorithm does is compress the plaintext of any length into a fixed-length binary number. The hash process may be like a checksum, where the bytes of the message are added or XORed together to create a single byte or longer word. Generating a CRC is another similar example. Modern hash functions are more complex to be more secure. The hash function takes plaintext of an arbitrary length and maps it to fixed-length blocks. The algorithm is performed on the blocks of data. The result is a digest of the message. The two most commonly used hash functions are designated Message Digest 5 (MD5), which produces a 128-bit hash value, and Secure Hash Algorithm-1 (SHA-1), which generates a 160-bit hash value. SHA-1 is generally more secure, but both are available in just about all security software. A newer SHA-2 further improves security.
Authentication is the process of verifying that you are who you say you are. It is a way that you or someone you are communicating with really can confirm true identity. Authentication ensures that the transmitting and receiving parties are really who they say they are and that their identities have not been stolen or simulated. Digital authentication allows computer users to confidently access the Internet, other networks, computers, software, or other resources such as bank accounts if they can verify their identities. Authentication is widely used in most Internet transactions such as e-commerce as it provides a way to control access, keep out unauthorized users, and keep track of those who are using the resources.
The most common methods of authentication are the use of passwords or personal identification numbers (PIN). Coded ID cards are another way. More recently, biometric methods of identification are being used as security tightens with more and more transactions. Some common biometric ID methods are fingerprint scans, retinal eye scans, voiceprints, or video facial recognition.
Passwords and PINs are often encrypted before transmission so that they cannot be stolen. This is done with the one-way encryption method known as hashing just described. When you key in your password, a hashing algorithm encrypts it and sends it to the authorizing computer, which decrypts it and then compares it to the password you originally created. The process cannot be reversed and so is secure.
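The Python program below is an added example, not part of the original text, that puts the integrity checks mentioned in this section side by side: the byte-sum checksum and the 4-byte CRC that a Fibre Channel frame carries (using Python's CRC-32, not the FC polynomial itself), the MD5, SHA-1 and SHA-256 digest sizes, a hash-based check that a message arrived unchanged, and one-way password storage as just described. The password part goes beyond the plain hash in the text by adding a random salt and the iterated PBKDF2 construction, which is standard practice; the messages, frame contents and password are constructed sample data.

```python
import hashlib
import hmac
import os
import zlib


def byte_sum_checksum(data: bytes) -> int:
    """Weakest check: add the bytes together modulo 256. Any reordering of the
    same bytes gives the same checksum, so a swap goes unnoticed."""
    return sum(data) % 256


def frame_with_crc(payload: bytes) -> bytes:
    """Append a 4-byte (32-bit) CRC, as a Fibre Channel frame carries."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def frame_is_intact(frame: bytes) -> bool:
    """Recompute the CRC over the payload and compare it with the trailer."""
    payload, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == trailer


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits for a named hash function (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).digest_size * 8


def message_changed(original: bytes, received: bytes, algorithm: str = "sha256") -> bool:
    """Integrity check: compare the digest of what was sent with what arrived."""
    sent = hashlib.new(algorithm, original).digest()
    got = hashlib.new(algorithm, received).digest()
    return sent != got


def hash_password(password: str, salt: bytes = None) -> tuple:
    """One-way transform of a password for storage. The salt (a random value
    stored next to the digest) and the iterated PBKDF2 construction are
    standard practice beyond the plain hash described in the text."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """The verifier never reverses the hash; it recomputes it from the offered
    password and compares the two digests in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    original = b"PAY 100 TO BOB"          # constructed message
    reordered = b"PAY 001 TO BOB"         # same bytes, different order
    print("byte-sum checksum detects reorder:",
          byte_sum_checksum(original) != byte_sum_checksum(reordered))
    frame = frame_with_crc(b"block 0x2A of volume data")   # constructed frame
    damaged = bytearray(frame)
    damaged[3] ^= 0x10                    # a single bit flipped by noise
    print("CRC catches bit flip:", not frame_is_intact(bytes(damaged)))
    # A deliberate change with the CRC recomputed passes: CRC is for noise, not tampering.
    print("CRC catches recomputed change:",
          not frame_is_intact(frame_with_crc(b"block 0x2B of volume data")))
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_bits(algo, original), "bits")
    print("hash detects reorder:", message_changed(original, reordered))
    salt, stored = hash_password("correct horse battery")   # constructed password
    print("login ok:", verify_password("correct horse battery", salt, stored),
          "wrong password:", verify_password("Correct horse battery", salt, stored))
```

The run shows the checksum missing the reordered bytes while the CRC and the hash both catch it; it also shows that a CRC recomputed over altered data passes, which is why a CRC guards against noise but a hash (or a keyed hash) is needed against deliberate modification.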
The most commonly used process of authentication in network communications is the use of digital certificates. Also known as certificate-based authentication, this method uses hashing and public-key encryption to verify identity in various transactions. A digital certificate is a message or document created by a computer that has been “signed” by some trusted authority or third party. Several companies have been established to provide public and private keys for this purpose. Known as certification authorities (CAs), these organizations issue public keys to individuals or organizations and vouch for their identity. The digital signature binds the person or company to that public key. Here is the general process for creating a digital signature.
- The message to be sent is first put through the hash process to produce a digest.
- The digest is then encrypted by using the sender’s private key. The encrypted hash is the signature.
- That signature is appended as a header (or trailer) to the message to be transmitted. The combination is transmitted.
- At the receiving end, the signature is decrypted by using the sender’s public key. The result is the original hash of the message.
- The message itself is then put through the same hash function. The decrypted hash and the recreated hash are compared. If the two are the same, authentication is
Secure Socket Layer (SSL)
The processes of encryption/decryption and authentication are used together to ensure secure transactions over the Internet. All these processes are combined into a protocol known as the Secure Socket Layer (SSL). The resulting process renders the exchange of private information such as credit card numbers safe and secure. Without such a system, the use of the Internet would be more limited. E-commerce simply would not exist without the safeguards of SSL. SSL or a more advanced version called Transport Layer Security (TLS) usually resides in layers 5, 6, or 7 of the OSI model. The SSL or TLS protocol is implemented in browser software such as Microsoft Internet Explorer (IE) or Netscape. It uses public key and private key encryption and authentication via hashing. SSL was originally developed by Netscape, which invented the browser.
To show how all these techniques are used, here is an example of an e-commerce transaction. This transaction is handled through the browser software as a person we call client X accesses the desired website, designated server Y, via the Internet.
- Server Y transmits its public key to client X. It is signed by a digital signature as
- The client then generates a secret key.
- Client X uses the public key to encrypt the secret key, which is sent to server Y.
- Client X encrypts the message, using private key encryption methods, and sends the message to server Y.
- Server Y decrypts the private key previously sent and then uses it to decrypt the
- Hashing and digital signatures are used throughout the process to ensure identity.
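The Python program below is an added example, not code from the original text, that carries the three step sequences given above through in working code: the public key exchange between parties X and Y, the digital signature (hash, encrypt the digest with the private key, verify with the public key), and the e-commerce transaction in which server Y's public key arrives with a certificate, client X wraps a secret session key with that public key, and the message itself travels under secret key encryption. The RSA keys are built from well-known Mersenne primes so the arithmetic runs instantly (real keys use freshly generated primes, as in 1024- or 2048-bit RSA), the certification authority is a second toy key pair, the secret-key step is a one-block pad rather than a real cipher, and the SHA-256 digest is reduced modulo the small modulus instead of being padded to it; all of these are simplifications made for the example, and the card number is constructed sample data.

```python
import hashlib
import secrets

# Toy RSA keys from well-known Mersenne primes (constructed for this example;
# real keys use randomly generated primes of hundreds of digits). Server Y and
# the certification authority (CA) get different pairs.
SERVER_PRIMES = (2**61 - 1, 2**31 - 1)
CA_PRIMES = (2**89 - 1, 2**19 - 1)


def rsa_keygen(primes: tuple, e: int = 65537) -> tuple:
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key: tuple, value: int) -> int:
    """Modular exponentiation with either half of the key pair (value < modulus)."""
    exponent, n = key
    return pow(value, exponent, n)


def digest_for(message: bytes, n: int) -> int:
    """SHA-256 digest of the message reduced modulo n so it fits the toy modulus
    (a real scheme pads the digest up to the modulus size instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """Digital signature: hash the message, encrypt the digest with the private key."""
    return rsa_apply(private_key, digest_for(message, private_key[1]))


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Decrypt the signature with the public key and compare with a fresh hash."""
    return rsa_apply(public_key, signature) == digest_for(message, public_key[1])


def pad_xor(session_key: bytes, data: bytes) -> bytes:
    """Secret-key step: a one-block pad derived from the session key (toy;
    the data must be at most 32 bytes). Applying it twice restores the data."""
    assert len(data) <= 32
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(session_key).digest()))


def encode_key(public_key: tuple) -> bytes:
    return f"{public_key[0]}:{public_key[1]}".encode()


def ssl_style_exchange(message: bytes, session_key: bytes = None) -> dict:
    """Client X sends `message` to server Y: Y's public key arrives certified by
    the CA, X wraps a fresh session key with it, and the message travels under
    the session key."""
    ca_pub, ca_priv = rsa_keygen(CA_PRIMES)
    server_pub, server_priv = rsa_keygen(SERVER_PRIMES)
    certificate = sign(ca_priv, encode_key(server_pub))    # the CA vouches for Y's key

    # Client X: check the CA's signature before trusting the received public key.
    if not verify(ca_pub, encode_key(server_pub), certificate):
        raise ValueError("server key not signed by the trusted CA")
    session_key = secrets.token_bytes(8) if session_key is None else session_key
    wrapped_key = rsa_apply(server_pub, int.from_bytes(session_key, "big"))
    ciphertext = pad_xor(session_key, message)

    # Server Y: unwrap the session key with its private key, then decrypt the message.
    recovered_key = rsa_apply(server_priv, wrapped_key).to_bytes(len(session_key), "big")
    plaintext = pad_xor(recovered_key, ciphertext)
    return {"key_recovered": recovered_key == session_key,
            "ciphertext": ciphertext, "plaintext": plaintext}


if __name__ == "__main__":
    print(ssl_style_exchange(b"card 4111 1111 1111 1111"))   # constructed sample
```

Only the wrapped session key and the signature travel under public key encryption; the bulk data travels under the secret key, which is the division of labour the text describes, since the public key operations are the slow ones.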
The encryption, decryption, and authentication processes are computationally intense. Even with very high-speed computers, the encryption, decryption, and hashing algorithms take considerable time to execute. The longer the key, for example, the longer the calculation time. This adds to the time of transmission via the Internet. The result can be a significant delay. This is the price to be paid for secure transmissions. Since most of these processes are software, using a faster computer will speed up the process. In more recent systems, hardware is used to speed up the process. Most security algorithms can be implemented in hardware. This hardware can be special processors or logic chips dedicated to the purpose. All significantly speed up the security measures.
A firewall is a piece of software that monitors transmissions on a network and inspects the incoming information to see if it conforms to a set of guidelines established by the software or the organization or person owning the network. The firewall controls the flow of traffic from the Internet to a LAN or PC or between LANs or other networks.
The most common type of firewall operates at the network layer in the OSI model. It examines TCP/IP packets and acts as a filter to block access from inputs that do not match a set of rules set up in the firewall. The firewall screens packets for specific IP sources or destinations, packet attributes, domain name, or other factors. Firewalls are the first line of defense against intrusions by unwanted sources. Today, any computer connected to the Internet should have a firewall. These are available as a software program loaded into a PC that screens according to the guidelines set up by the software producer. Some operating systems such as Microsoft Windows now come with a built-in firewall. More sophisticated firewalls are available for LANs and other networks. These usually can be configured by the network administrator to filter on special rules as needed by the organization.
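As an added example (not part of the original text), the Python program below shows the packet-filtering logic of a network layer firewall: an ordered rule list checked first match wins, with anything unmatched denied. The rule set, the LAN address range 192.0.2.0/24, the stand-in Internet range 198.51.100.0/24 and the sample packets are all constructed for the example.

```python
import ipaddress

# Constructed rule set for a LAN 192.0.2.0/24 behind the firewall. Rules are
# checked in order and the first match decides; anything unmatched is denied.
RULES = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",    "dst": "192.0.2.10/32", "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",    "dst": "192.0.2.10/32", "dport": 80},
    {"action": "allow", "proto": "any", "src": "192.0.2.0/24", "dst": "192.0.2.0/24",  "dport": None},
    {"action": "deny",  "proto": "tcp", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "dport": 23},
]


def rule_matches(rule: dict, packet: dict) -> bool:
    """A rule matches when protocol, source network, destination network and
    destination port (if the rule names one) all agree with the packet."""
    if rule["proto"] != "any" and rule["proto"] != packet["proto"]:
        return False
    if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != packet.get("dport"):
        return False
    return True


def filter_packet(packet: dict, rules: list = RULES) -> tuple:
    """Return (action, index of the deciding rule); index None is the default deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, packet):
            return rule["action"], index
    return "deny", None


def filter_log(packets: list, rules: list = RULES) -> list:
    """One log line per packet, the kind of record an administrator reviews."""
    lines = []
    for packet in packets:
        action, index = filter_packet(packet, rules)
        why = f"rule {index}" if index is not None else "default"
        lines.append(f"{action.upper():5} {packet['proto']} {packet['src']} -> "
                     f"{packet['dst']}:{packet.get('dport')} ({why})")
    return lines


if __name__ == "__main__":
    # Constructed packets; 198.51.100.0/24 stands in for the Internet side.
    samples = [
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 23},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 3389},
        {"proto": "tcp", "src": "192.0.2.20",   "dst": "192.0.2.10", "dport": 23},
        {"proto": "udp", "src": "192.0.2.20",   "dst": "192.0.2.53", "dport": 53},
    ]
    print("\n".join(filter_log(samples)))
```

Rule order matters: the LAN-to-LAN allow rule sits before the port 23 deny rule, so a Telnet connection between two LAN hosts is allowed while the same connection from the Internet is denied, and a port that no rule mentions (3389 in the sample) falls through to the default deny.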
Antivirus, Antispam, and Antispyware Software
There are commercial programs designed to be installed on a computer to find and eliminate these security problems. The antivirus and antispyware programs scan all files on the hard drive either automatically or on command, to look for viruses. The antivirus software looks for a pattern of code unique to each virus, and when it is identified, the software can remove the virus or in some cases quarantine and isolate the infected file so that it does no harm. Antispyware works the same way by scanning all files, searching for patterns that designate a spyware program. It then removes the program.
Antispam software is typically set up to monitor incoming e-mail traffic and look for clues to whether it is legitimate e-mail or spam. It then blocks the spam from the e-mail inbox and places it in a special bulk e-mail file. You will never see the spam unless your e-mail system allows you to look in a special bulk file normally furnished by the e-mail provider. Antispam software is not perfect, and because of its rules for blocking spam, it can also affect desired e-mail. It is worthwhile to examine the bulk files occasionally to be sure that legitimate e-mails are getting through. Most antispam programs allow you to change the filtering rules to ensure you get all desired mail while the real spam is rejected.
Virtual Private Network (VPN)
One way to achieve security on a LAN is to use software measures to block off segments of a network or create a subnetwork using software to assign access only to authorized users. This is referred to as a virtual LAN or VLAN. Security can also be achieved when you are connecting two remote LANs by using a leased line. The leased line, such as a T1 or T3 connection, is totally dedicated to just the connection between the LANs. No one else has access. While this works well, it is very expensive. A popular alternative is to create a secure connection through the Internet by using a virtual private network (VPN). In a VPN, the data to be transmitted is encrypted, encapsulated in a special packet, and then sent over the Internet.
VPNs use one of two special protocols for the encapsulation and encryption process. One of these is IPsec (Internet Protocol security), a protocol created and supported by the Internet Engineering Task Force. IPsec encrypts the data along with the TCP header and then adds another header that identifies the kind of encryption used plus a trailer that contains the authentication. An IP header is added to form the datagram or packet to be transmitted.
Next, this datagram is encrypted and encapsulated in one additional IP datagram, which is also encrypted. The combined packet is transmitted. This process is referred to as tunneling. The packet containing the message is encrypted, which in turn is wrapped in a second IP packet and encrypted again. This in effect forms a secure tunnel through the otherwise insecure Internet. The routers at the sending and receiving ends of the VPN sort out all the source and destination addresses for the proper delivery of the data.
While IPsec has been widely used for VPNs, it is gradually being replaced by SSL, which is also an IETF standard. Both IPsec and SSL are usually implemented in software, but hardware versions are available that greatly speed up transactions.
Wireless Security
Security in wireless systems is important because it is relatively easy to capture a radio signal containing important information. A directional antenna and sensitive receiver designed for the specific wireless service, such as a wireless LAN and a computer, are all you need. Wireless data can be protected by encryption, and a number of special methods have been developed especially for wireless systems. These are discussed later.
Internet security is a very broad and complex subject that is far beyond the scope. It is one of the most critical and fastest-growing segments of the networking industry.