Bloombase Interoperability Program   P1                                                                                   ...
Bloombase Interoperability Program   P2                                                                                   ...
Bloombase Interoperability Program   P3                                                                           © 2011 B...
Bloombase Interoperability Program   P4                                                                              © 201...
Bloombase Interoperability Program   P5                                                                                   ...
Bloombase Interoperability Program   P6                                                                                   ...
Bloombase Interoperability Program   P7                          © 2011 Bloombase TechnologiesInfrastructureSetupThe valid...
Bloombase Interoperability Program             P8                                                                         ...
Bloombase Interoperability Program   P9                                                                                   ...
Bloombase Interoperability Program   P10                                                                © 2011 Bloombase T...
Bloombase Interoperability Program   P11                       © 2011 Bloombase TechnologiesSAN StorageA LUN is created at...
Bloombase Interoperability Program    P12                                                                                 ...
Bloombase Interoperability Program   P13                                                               © 2011 Bloombase Te...
Bloombase Interoperability Program   P14                                                                               © 2...
Bloombase Interoperability Program   P15                                                                                  ...
Bloombase Interoperability Program   P16                                                                                  ...
Bloombase Interoperability Program   P17   © 2011 Bloombase Technologies
Bloombase Interoperability Program   P18                                                                                  ...
Bloombase Interoperability Program   P19                                                                                  ...
Bloombase Interoperability Program   P20                                                                                  ...
Bloombase Interoperability Program   P21                                                                            © 2011...
Bloombase Interoperability Program   P22                               © 2011 Bloombase TechnologiesApplication Tests – Or...
Bloombase Interoperability Program   P23                                                                                  ...
Bloombase Interoperability Program   P24                                                                                  ...
Bloombase Interoperability Program   P25                                                                              © 20...
Upcoming SlideShare
Loading in …5
×

Interoperability of Bloombase Spitfire StoreSafe Security Server and Brocade SAN Switch for Transparent Storage Area Network (SAN) Encryption

644 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
644
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Interoperability of Bloombase Spitfire StoreSafe Security Server and Brocade SAN Switch for Transparent Storage Area Network (SAN) Encryption

  1. 1. Bloombase Interoperability Program P1 © 2011 Bloombase TechnologiesInteroperability of Bloombase Spitfire StoreSafeSecurity Server and Brocade SAN Switch forTransparent Storage Area Network (SAN)EncryptionJune, 2010Executive SummaryBrocade enterprise grade fiber channel storage area network (SAN) switches are validated by Bloombases interopLab to run with Bloombase SpitfireStoreSafe application-transparent storage area network (SAN) encryption server. This document describes the steps carried out to test interoperability ofBrocade SAN switches with Bloombase Spitfire StoreSafe Storage Encryption Server on SpitfireOS running on x86-based appliances. Host systems onMicrosoft Windows, Linux, Solaris, IBM AIX, VMware and Citrix XenServer are validated against Bloombase Spitfire StoreSafe Storage Encryptionappliances securing Dell EMC SAN storage sub-system with Brocade SAN switches as storage interconnects.
  2. 2. Bloombase Interoperability Program P2 © 2011 Bloombase TechnologiesInformation in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies,organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should beinferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced,stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,without the express written permission of Bloombase Technologies.Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except asexpressly provided in any written license agreement from Bloombase Technologies, the furnishing of this document does not give you any license to these patents, trademarks,copyrights, or other intellectual property.This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement withBloombase Technologies, and neither the document nor any such information may be released without the written consent of Bloombase Technologies.© 2011 Bloombase TechnologiesBloombase, Bloombase Technologies, Spitfire, StoreSafe are either registered trademarks or trademarks of Bloombase Technologies in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.Document No.
  3. 3. Bloombase Interoperability Program P3 © 2011 Bloombase TechnologiesTable of ContentsTable of Contents 3Purpose and Scope 5Assumptions 6Infrastructure 7Setup ....................................................................................................... 7Bloombase Spitfire StoreSafe Storage Encryption Server Appliance .... 8SAN Switch .............................................................................................. 8Fiber Channel Host Bus Adapters ........................................................... 9Storage Area Network (SAN) .................................................................. 9Storage Hosts .......................................................................................... 9Configuration Overview 10SAN Fabric ............................................................................................. 10SAN Storage .......................................................................................... 11QLogic FC-HBA ...................................................................................... 12Bloombase Spitfire StoreSafe Security Server..................................... 12 Encryption Key Configuration ................................................................. 13 Virtual SAN Configuration ...................................................................... 14 Physical Storage Target Configuration ................................................... 15 Encrypted Virtual Storage Provisioning .................................................. 15
  4. 4. Bloombase Interoperability Program P4 © 2011 Bloombase TechnologiesValidation Tests 18Test Scenarios ....................................................................................... 18 Validation Matrix .................................................................................... 18 Raw Storage Device Tests ...................................................................... 19 File System Tests .................................................................................... 19 Application Tests – Oracle Database Server ........................................... 20Result .................................................................................................... 21 Raw Storage Device Tests ...................................................................... 21 File System Tests .................................................................................... 21 Application Tests – Oracle Database ...................................................... 22Conclusion 23Disclaimer 24Technical Reference 25
  5. 5. Bloombase Interoperability Program P5 © 2011 Bloombase TechnologiesPurpose and ScopeThis document describes the steps necessary to integrate Brocade SAN switches with Bloombase Spitfire StoreSafe enterprise storage security server tosecure sensitive corporate business data in a storage area network (SAN). Specifically, we cover the following topics: ● Preparing Bloombase Spitfire StoreSafe Security appliance(s) with FC-HBA(s) ● Preparing SAN storage sub-system ● Interoperability testing on host systems including Red Hat Linux, Novell Linux, Microsoft Windows, IBM AIX, Solaris, VMware ESX and Citrix XenServer
  6. 6. Bloombase Interoperability Program P6 © 2011 Bloombase TechnologiesAssumptionsThis document describes interoperability testing of Bloombase Spitfire StoreSafe Security Server appliance on SAN storage sub-system with Brocade SANswitches as interconnects. Therefore, it is assumed that you are familiar with operation of storage systems and major operating systems including Linux,Windows, AIX, HPUX and Solaris. It is also assumed that you possess basic UNIX administration skills. The examples provided may require modificationsbefore they are run under your version of UNIX.As Brocade SAN switches are hardware option to Bloombase Spitfire StoreSafe storage encryption system, you are recommended to refer to installationand configuration guides of specific model of Brocade SAN switch for the deployment you are going to test on. We assume you have basic knowledge ofstorage networking and information cryptography. For specific technical product information of Bloombase Spitfire StoreSafe, please refer to our websiteat http://www.bloombase.com or Bloombase SupPortal http://supportal.bloombase.com
  7. 7. Bloombase Interoperability Program P7 © 2011 Bloombase TechnologiesInfrastructureSetupThe validation testing environment is setup as in below figure
  8. 8. Bloombase Interoperability Program P8 © 2011 Bloombase Technologies Microsoft Novell SLES 11 Red Hat EL5 on Windows Server on VMware ESX/ Citrix Xen Server 2008 on Fujitsu ESXi 4 on Dell on HP Proliant Solaris 10 on IBM AIX 7.1 on PRIMERGY PowerEdge R510 DL380 Oracle Sun Fire IBM p710 RX200 x4170 1 2 3 4 5 6 7 8 ONLINE HP SPARE ProLiant MIRROR POWER POWER PCI DL380G5 SUPPLY SUPPLY RISER CAGE DIMMS PPM PPM PROC PROC INTER LOCK FANS OVER TEMP UID 1 2 Power 710 FC Qlogic FC-HBA Plain text FC FC FC FC FC FC FC FC 0 2 4 FC HP StorageWorks SAN Switch 4/16 HP StorageWorks SAN Switch 4/16 0 2 4 1 3 5 LNK SPD ! 0 4 1 5 2 6 3 7 8 12 9 13 10 14 11 15 LNK SPD ! 0 4 1 5 2 6 3 7 8 12 9 13 10 14 11 15 1 3 FC 5 Brocade 300 SAN Switch Brocade 300 SAN Switch xSeries 365 xSeries 365 FC FC FC FC Bloombase FC Bloombase Spitfire StoreSafe Spitfire StoreSafe on IBM x3650 on IBM x3650 with QLogic FC with QLogic FC HBA HBA 7^&aK Storage data in `@Y4 ciphered form DELL / EMC CX4-240 SAN StorageBloombase Spitfire StoreSafe Storage EncryptionServer Appliance Server IBM eServer xSeries x3650 M3 Processors 2 x Intel Xeon 5600-series quad-core 3.6 GHz Memory 8 GB Operating System Bloombase SpitfireOS 5.5 – Hardened and customized OS based on Linux kernel version 2.6.26 64-bit Storage Encryption Software Bloombase Spitfire StoreSafe Security ServerSAN Switch Model 2 x Brocade 300 SAN Switch Link Speed 8/4/2 Gbps auto-sensing
  9. 9. Bloombase Interoperability Program P9 © 2011 Bloombase TechnologiesFiber Channel Host Bus Adapters Model QLogic QLE2562 QLogic QLE2462 QLogic QLA2342 Speed 8 Gbps 4 Gbps 2 Gbps Interface PCI-E PCI-E PCI-XStorage Area Network (SAN) SAN Storage Dell / EMC CX4-240 SAN Storage Link Speed 8/4/2 Gbps auto-sensingStorage Hosts Model Dell PowerEdge R510 HP Proliant DL380 Oracle Sun Fire x4170 Fujitsu PRIMERGY IBM p710 RX200 Operating System Novell SLES 11 on Red Hat EL5 on Citrix Solaris 10 Microsoft Windows IBM AIX 7.1 VMware ESX/ESXi 4 XenServer Server 2008 Host Bus Adapter QLogic QLE2562 QLogic QLE2562 QLogic QLE2562 QLogic QLE2562 QLogic QLE2562
  10. 10. Bloombase Interoperability Program P10 © 2011 Bloombase TechnologiesConfiguration OverviewSAN FabricThe virtual disks on Dell / EMC SAN are exposed to Bloombase Spitfire StoreSafe appliance for access.
  11. 11. Bloombase Interoperability Program P11 © 2011 Bloombase TechnologiesSAN StorageA LUN is created at Dell / EMC CX4 SAN with below parameters
  12. 12. Bloombase Interoperability Program P12 © 2011 Bloombase Technologies Name lun01 Capacity 3 TB Redundancy RAID5QLogic FC-HBAQLogic FC-HBAs ● QLogic QLE2562 ● QLogic QLE2462 ● QLogic QLA2362are installed onto the x86-based appliance running Bloombase SpitfireOS 5.5.Bloombase Spitfire StoreSafe Security ServerSpitfire StoreSafe supports both file-based and block-based on-the-fly storage encryption. In this interoperability test exercise, fiber channel SAN block-based encryption is validated against Brocade SAN switches.
  13. 13. Bloombase Interoperability Program P13 © 2011 Bloombase TechnologiesEncryption Key ConfigurationGenerate encryption key with name ‘key’ in bundled Spitfire KeyCastle key life-cycle management tool
  14. 14. Bloombase Interoperability Program P14 © 2011 Bloombase TechnologiesVirtual SAN ConfigurationBloombase Spitfire StoreSafe block-based virtual storage and physical storage settings are configured as followings.
  15. 15. Bloombase Interoperability Program P15 © 2011 Bloombase TechnologiesPhysical Storage Target ConfigurationAfter zoning and LUN mask are properly configured at SAN switches, Spitfire StoreSafe should be able to mount to LUNs of SAN storages and shows on‘List Storage Device’ toolPhysical storage namely ‘lun01’ is configured to map to the storage device to be encrypted by Spitfire StoreSafeBloombase Spitfire StoreSafe secures SAN contents block by block. Volumes can be secured one by one by specific cryptographic cipher, bit length,encryption key, etc.Encrypted Virtual Storage ProvisioningVirtual storage namely ‘san01’ of type ‘FC’ is created to virtualize physical storage ‘lun01’ for transparent encryption protection over FCP
  16. 16. Bloombase Interoperability Program P16 © 2011 Bloombase TechnologiesProtection type is specified as ‘Privacy’ and secure the FC SAN LUN using AES-XTS 256-bit encryption with encryption key ‘key’Fiber channel protocol access control relies mainly on LUN mask for host based access control, the WWN of host HBA on ‘Host’ of ‘Host Access Control’section is configured as follows
  17. 17. Bloombase Interoperability Program P17 © 2011 Bloombase Technologies
  18. 18. Bloombase Interoperability Program P18 © 2011 Bloombase TechnologiesValidation TestsTest ScenariosValidation MatrixValidation tests span across models of Brocade SAN switches, FC-HBAs, Bloombase Spitfire StoreSafe Security Server, appliance hardware platform, andhost platform. Test Condition Candidate SAN Switch ● Brocade 300 SAN Switch Storage System ● Dell / EMC CX4-240 SAN storage HBA ● QLogic QLE2562 ● QLogic QLE2462 ● QLogic QLA2362 Storage Encryption Appliance ● Bloombase Spitfire StoreSafe Security Server on x86-based IBM x3650 Host Server Hardware ● Dell PowerEdge R510 ● HP Proliant DL-380
  19. 19. Bloombase Interoperability Program P19 © 2011 Bloombase Technologies ● Oracle Sun Fire x4170 ● Fujitsu PRIMERGY RX200 ● IBM p710 Host Operating Systems ● Microsoft Windows Server 2008 ● Red Hat EL 5 ● Novel SELS ● Solaris 10 ● IBM AIX ● VMware ESX/ESXi (hypervisor) ● Citrix XenServer (hypervisor)Raw Storage Device TestsThe following tests are carried out at storage host operating systems to access encrypted SAN storage by Bloombase Spitfire StoreSafe appliances viaBrocade SAN switches Test Description Write disk with zeros Write zeros into encrypted storage target via Bloombase Spitfire StoreSafe, platform equivalence of UNIX’s dd if=/dev/zero of=/dev/sda Read disk to null device Read from encrypted storage target via Bloombase Spitfire StoreSafe, platform equivalence of UNIX’s dd if=/dev/sda of=/dev/null Wipe disk with random data Write random zeros and ones into encrypted storage target, platform equivalence of UNIX’s dd if=/dev/urandom of=/dev/sdaFile System TestsThe following tests are carried out at storage hosts to access encrypted SAN storage by Bloombase Spitfire StoreSafe appliances via operating system file-systems with Brocade SAN switches as interconnects ● ext3 for Linux ● NTFS for Microsoft Windows ● JFS for IBM AIX ● UFS for Solaris
  20. 20. Bloombase Interoperability Program P20 © 2011 Bloombase Technologies Test Description Directory creation Platform equivalence of UNIXs mkdir Directory rename Platform equivalence of UNIXs mv Directory removal Platform equivalence of UNIXs rm Directory move Platform equivalence of UNIXs mv File creation Platform equivalence of UNIXs echo XXX > File rename Platform equivalence of UNIXs mv File removal Platform equivalence of UNIXs rm File move Platform equivalence of UNIXs mv File append – by character Platform equivalence of UNIXs echo XXX >> File append – by block Platform equivalence of UNIXs echo XXX >> File parameters inquiry Platform equivalence of UNIXs ls *X File permission configurations ● Platform equivalence of UNIXs chmod ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris) Softlink/Symbolic link removal ● Platform equivalence of UNIXs rm ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris) Softlink/Symbolic link move ● Platform equivalence of UNIXs mv ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris)Application Tests – Oracle Database Server Test Remarks Database creation Version equivalence of CREATE DATABASE Schema creation Version equivalence of CREATE TABLE Database record insert Version equivalence of INSERT INTO Database record query Version equivalence of SELECT * FROM Database record update Version equivalence of UPDATE Database record delete Version equivalence of DELETE FROM Index creation Version equivalence of CREATE INDEX Tablespace alteration Version equivalence of ALTER TABLESPACE
  21. 21. Bloombase Interoperability Program P21 © 2011 Bloombase Technologies Redo log creation Automated by Oracle data server, verify by examining Oracle system log Redo log rotation Automated by Oracle data server, verify by examining Oracle system log Archive log creation Automated by Oracle data server, verify by examining Oracle system logResultRaw Storage Device Tests Test Validation Pass Remarks Write disk with zeros  Read disk to null device  Wipe disk with random data File System Tests Test Validation Pass Remarks Directory creation  Directory rename  Directory removal  Directory move  File creation  File rename  File removal  File move  File append – by character  File append – by block  File parameters inquiry  File permission configurations  Softlink/Symbolic link removal  Softlink/Symbolic link move 
  22. 22. Bloombase Interoperability Program P22 © 2011 Bloombase TechnologiesApplication Tests – Oracle Database Test Validation Pass Remarks Database creation  Schema creation  Database record insert  Database record query  Database record update  Database record delete  Index creation  Tablespace alteration  Redo log creation  Redo log rotation  Archive log creation 
  23. 23. Bloombase Interoperability Program P23 © 2011 Bloombase TechnologiesConclusionBrocade SAN switches ● Brocade 300 SAN switchpass all Bloombase interopLabs interoperability tests with Bloombase Spitfire StoreSafe enterprise storage encryption server Bloombase Product Operating System Brocade SAN Switches Bloombase Spitfire StoreSafe Security Server Microsoft Windows Server 2008 Brocade 300 SAN switch Red Hat Enterprise Linux 5 Brocade 300 SAN switch Novel SELS 11 Brocade 300 SAN switch Solaris 10 Brocade 300 SAN switch IBM AIX 7 Brocade 300 SAN switch VMware ESX/ESXi 4 (hypervisor) Brocade 300 SAN switch Citrix Xen Server (hypervisor) Brocade 300 SAN switch 
  24. 24. Bloombase Interoperability Program P24 © 2011 Bloombase TechnologiesDisclaimerThe tests described in this paper were conducted in the Bloombase InteropLab. Bloombase has not tested this configuration with all the combinations ofhardware and software options available. There may be significant differences in your configuration that will change the procedures necessary toaccomplish the objectives outlined in this paper. If you find that any of these procedures do not work in your environment, please contact us immediately.
  25. 25. Bloombase Interoperability Program P25 © 2011 Bloombase TechnologiesTechnical Reference 1. Bloombase Spitfire StoreSafe Security Server Technical Specifications, http://www.bloombase.com/content/8936QA88Dh3lD3kYMVKxe1VGb8UG4900eNL8Dj 2. Bloombase Spitfire StoreSafe Security Server Compatibility Matrix, http://www.bloombase.com/content/e8Gzz281s480J2192FF4Btv5HOpb77vLpt1U8V 3. dd for Microsoft Windows, http://software.intel.com/en-us/articles/dd-for-windows/ 4. Oracle database server, www.oracle.com/us/products/database 5. Transaction Processing Performance Council, http://www.tpc.org/tpcc/ 6. Brocade 300 SAN Switch, http://www.brocade.com/products/all/switches/product-details/300-switch/index.page

×