Logical Unit Number masking
Logical Unit Number masking, or LUN masking, is an authorization process that makes a Logical Unit Number available to some hosts and unavailable to other hosts.
LUN masking is a level of security that makes a LUN available only to selected hosts and unavailable to all others. This kind of security is applied at the SAN level and is based on the host's HBA, i.e. a specific LUN on the SAN can be made accessible to a specific host with a specific HBA.
LUN masking is mainly implemented at the host bus adapter (HBA) level. The security benefits of LUN masking implemented at HBAs are limited, since with many HBAs it is possible to forge source addresses (WWNs/MACs/IPs) and so compromise the access control. Many storage controllers also support LUN masking. When LUN masking is implemented at the storage controller level, the controller itself enforces the access policies for the device, and as a result it is more secure. However, it is mainly implemented not as a security measure per se, but rather as a protection against misbehaving servers which may corrupt disks belonging to other servers. For example, Windows servers attached to a SAN will, under some conditions, corrupt non-Windows (Unix, Linux, NetWare) volumes on the SAN by attempting to write Windows volume labels to them. Hiding the other LUNs from the Windows server prevents this, since the Windows server does not even realize the other LUNs exist.
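The controller-side behaviour described above, as an added illustration (not the article's or any vendor's code): the array keeps a mask per initiator WWPN, answers REPORT LUNS only with that initiator's masked set, and refuses any command addressed to an unmasked LUN, so a Windows host cannot write a volume label onto a Unix LUN it was never shown. The WWPNs and LUN numbers are constructed.

```python
# Model of storage-controller-side LUN masking: the controller enforces the
# mask itself, so a host that was not granted a LUN neither sees it in
# REPORT LUNS nor can read or write it. Constructed illustration; the WWPNs
# and LUN numbers are made up. Note the controller trusts the WWPN supplied
# by the fabric login, which is why masking is usually paired with zoning.
from dataclasses import dataclass, field


@dataclass
class MaskingController:
    luns: set = field(default_factory=set)       # LUNs that exist on the array
    masks: dict = field(default_factory=dict)    # initiator WWPN -> allowed LUNs
    audit: list = field(default_factory=list)    # denied requests, for detection

    def expose(self, wwpn, lun):
        """Grant one initiator (identified by its HBA's WWPN) access to one LUN."""
        if lun not in self.luns:
            raise ValueError(f"LUN {lun} does not exist")
        self.masks.setdefault(wwpn, set()).add(lun)

    def report_luns(self, wwpn):
        """What a host sees in reply to SCSI REPORT LUNS: only its masked set.
        A host with no mask entry sees nothing at all."""
        return sorted(self.masks.get(wwpn, set()))

    def handle_io(self, wwpn, lun, op):
        """Enforce the mask on every command, not only at discovery time."""
        if lun not in self.masks.get(wwpn, set()):
            # Standard SCSI reply for an unaddressable LUN: CHECK CONDITION,
            # sense key ILLEGAL REQUEST, ASC 0x25 LOGICAL UNIT NOT SUPPORTED.
            self.audit.append((wwpn, lun, op, "denied"))
            return "CHECK CONDITION: LOGICAL UNIT NOT SUPPORTED"
        return "GOOD"


def demo():
    ctl = MaskingController(luns={0, 1, 2})
    win = "50:06:0b:00:00:c2:62:00"    # constructed WWPN of the Windows host's HBA
    unix = "50:06:0b:00:00:c2:62:01"   # constructed WWPN of the Unix host's HBA
    ctl.expose(win, 0)
    ctl.expose(unix, 1)
    ctl.expose(unix, 2)
    # The Windows host never learns that LUNs 1 and 2 exist...
    win_sees = ctl.report_luns(win)
    # ...and a volume-label write aimed at LUN 1 by number is refused anyway.
    label_write = ctl.handle_io(win, 1, "WRITE")
    return win_sees, label_write, ctl.report_luns(unix), ctl.handle_io(unix, 2, "WRITE"), ctl.audit
```

A denial logged in `audit` is the signal a storage admin would alert on: a host addressing a LUN outside its mask is either misconfigured or not the initiator it claims to be.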
External links
- LUN Masking (archived 2006-05-05 at the Wayback Machine)
- LUN Masking and Zoning