Whitepaper: Providing LUN Security with VMware ESX Server

VMware has released a very interesting paper about Storage Area Network (SAN) security:

VMware ESX Server provides strong security and performance isolation for virtual machine storage. Each virtual machine sees only the virtual disks that have been presented to its virtual SCSI adapters. Virtual machines cannot see the physical Fibre Channel HBAs on the ESX Server host on which they run. Nor, in typical use cases, do they see the LUNs on which their virtual disks reside. Emerging mechanisms for LUN security in a virtual environment from Fibre Channel HBA vendors provide an alternative for accomplishing the same goals.

In a physical Fibre Channel SAN environment, LUN security is typically accomplished through a combination of LUN masking and zoning. Using these approaches in a vendor-recommended way ensures that a given LUN can be accessed only by a single host, as identified by the world wide names (WWN) of its HBAs.

In a virtual environment, this situation changes slightly. It is now possible to have multiple virtual machines on a single physical host. Furthermore, to facilitate the use of advanced technologies such as VMotion, multiple ESX Server hosts may have their LUN masking and zoning set up to allow for broad access, with control being maintained by VMFS, the distributed file system that is included as part of ESX Server.

As this document explains in greater detail:

  • Virtual machines can see and access only specific units of storage that the ESX Server administrator explicitly allows. This is true whether the virtual machine is using virtual disks on a VMFS file system or raw device mappings.
  • The operating system within the virtual machine cannot change its own storage access nor interrogate a unit of storage in a way that allows it to discover any other storage units not defined by the ESX Server administrator.
  • Special mechanisms are built in so concurrent access by multiple ESX Server systems to storage can take place safely. This protection enables advanced functionality such as VMotion.
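The quoted paper describes LUN security as the combination of fabric zoning (which WWNs may talk to which array ports) and array-side LUN masking (which initiator WWNs each LUN answers). The script below is an added example, not code from the paper or from VMware: it models both layers for a small constructed SAN, computes the effective access each host has to each LUN, and reports any LUN reachable by hosts other than those intended, such as a datastore meant for one ESX host that is masked to a whole cluster. All host names, WWNs and LUN numbers are constructed sample values, and the `Host`, `Fabric` and `ArrayPort` classes are this example's own abstractions, not an ESX Server or array-vendor API.

```python
# Added example (not from the VMware paper): a model of Fibre Channel LUN
# security combining fabric zoning with array-side LUN masking, plus an
# audit that reports LUNs reachable by hosts other than those intended.
# All WWNs, host names and LUN ids below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Host:
    name: str
    hba_wwns: FrozenSet[str]  # WWNs of the host's physical HBAs


@dataclass(frozen=True)
class Fabric:
    # Zoning: an initiator can reach a target port only if both are members
    # of at least one common zone.
    zones: Dict[str, FrozenSet[str]]

    def can_reach(self, initiator_wwn: str, target_wwn: str) -> bool:
        return any(initiator_wwn in members and target_wwn in members
                   for members in self.zones.values())


@dataclass(frozen=True)
class ArrayPort:
    wwn: str
    # LUN masking: LUN id -> initiator WWNs the array will answer for it.
    masks: Dict[int, FrozenSet[str]]


def effective_access(hosts: List[Host], fabric: Fabric,
                     ports: List[ArrayPort]) -> Dict[int, Set[str]]:
    """Return LUN id -> names of hosts that pass BOTH zoning and masking."""
    access: Dict[int, Set[str]] = {}
    for port in ports:
        for lun, allowed in port.masks.items():
            access.setdefault(lun, set())
            for host in hosts:
                if any(w in allowed and fabric.can_reach(w, port.wwn)
                       for w in host.hba_wwns):
                    access[lun].add(host.name)
    return access


def audit(access: Dict[int, Set[str]],
          expected: Dict[int, Set[str]]) -> List[str]:
    """Compare effective access with the intended host set for every LUN."""
    findings: List[str] = []
    for lun in sorted(set(access) | set(expected)):
        actual = access.get(lun, set())
        intended = expected.get(lun, set())
        if actual - intended:
            findings.append(f"LUN {lun}: unintended access from "
                            f"{sorted(actual - intended)}")
        if intended - actual:
            findings.append(f"LUN {lun}: intended hosts cannot reach it "
                            f"{sorted(intended - actual)}")
    return findings


# Constructed sample SAN: a two-node ESX cluster plus a backup server.
ESX1_WWN = "10:00:00:00:c9:aa:00:01"
ESX2_WWN = "10:00:00:00:c9:aa:00:02"
BACKUP_WWN = "10:00:00:00:c9:bb:00:01"
ARRAY_PORT_WWN = "50:06:01:60:00:00:00:01"

HOSTS = [Host("esx1", frozenset({ESX1_WWN})),
         Host("esx2", frozenset({ESX2_WWN})),
         Host("backup", frozenset({BACKUP_WWN}))]

FABRIC = Fabric(zones={
    # Only the ESX cluster is zoned to the array port; 'backup' is not.
    "z_esx_cluster": frozenset({ESX1_WWN, ESX2_WWN, ARRAY_PORT_WWN}),
})

PORT = ArrayPort(ARRAY_PORT_WWN, masks={
    10: frozenset({ESX1_WWN, ESX2_WWN}),  # shared VMFS datastore (VMotion)
    20: frozenset({ESX1_WWN, ESX2_WWN}),  # mask too broad: meant for esx1 only
    30: frozenset({BACKUP_WWN}),          # masked to backup, but backup is not zoned
})

# What the administrator intends each LUN to be reachable from.
INTENDED = {10: {"esx1", "esx2"}, 20: {"esx1"}, 30: {"backup"}}


def run_audit() -> List[str]:
    return audit(effective_access(HOSTS, FABRIC, [PORT]), INTENDED)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Running it reports two findings: LUN 20 is reachable from esx2 because the mask is broader than intended, and LUN 30 is unreachable from backup because zoning blocks the path even though masking allows it. Both layers have to agree before a host sees a LUN, which is the defence-in-depth point the paper's masking-plus-zoning recommendation relies on; in the virtual case the shared LUN 10 is deliberately reachable from both cluster nodes, with VMFS rather than the SAN arbitrating access.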

Download it here.