Encryption solution question with VMware
Hi Experts, I'm working on a data-at-rest encryption solution. The environment is ESX hosts, VNX and a Cisco switch. Cisco SME has been selected to encrypt data. It is said that SME doesn't support thin provisioning; if that's the case, VP and FAST VP in VNX seem not to be able to work. There is also a question of whether SME supports VMware SRM and MirrorView. Do any of you have experience with or knowledge of SME compatibility? Your input is appreciated. Thanks.
zhaos2
643 Posts
0
February 16th, 2012 00:00
For VNX environment, VNX Host Encryption could be an alternative solution for protecting sensitive data at the host to disk on storage where it resides.
Benefits and differentiators include:
Jingyi1
199 Posts
0
February 16th, 2012 17:00
Thanks for your input, Simon. However, VNX host encryption only supports Windows, AIX, Linux and Solaris. It won't be a good fit for the current VMware environment.
reseach
225 Posts
1
February 17th, 2012 00:00
JY, I don't think this configuration is supported.
http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/5_2/configuration/guides/sme/smediskcnfg.html
It confirms:
SME disk does not support thin provisioning of disks.
SME disk does not allow dynamic resizing of LUN.
Therefore, I think VP and F_VP are not supported.
For your consideration.
Eddy
zhaos2
643 Posts
0
February 17th, 2012 01:00
For a VMware environment, it is recommended to create encrypted virtual disks within the data center. If the virtual disk is encrypted, then it is possible to bypass all the other layers of encryption possibilities and still maintain data integrity and encryption throughout the process, no matter where the virtual disk image lands. Cisco Storage Media Encryption (SME), meanwhile, is recommended as an option that encrypts and decrypts your data coming on and off tape, etc.
http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5990/wp_data-protection.pdf
Jingyi1
199 Posts
0
February 19th, 2012 18:00
I've done some research and found:
The Cisco MDS 9000 SME solution includes complete key management that works with new and existing SANs to provide key archival and shredding features. It supports storage features such as replication, clones and mirrors, and snapshots. The key manager database can be replicated with Oracle Data Guard when an Oracle database is used for archiving.
It looks like SME may support MirrorView/SRM; however, we cannot find any information on the elab website.
zhaos2
643 Posts
0
February 20th, 2012 20:00
EMC offers the following solution to address information protection in the network, through partnership with Cisco: Cisco Storage Media Encryption (SME) or Connectrix® MDS provides encryption of data-at-rest as a service with its switches with proper key management facilities.
Device level
Encryption at the device level (array, disk, or tape) is a sufficient method of protecting sensitive data residing on storage media, which is a primary security risk many organizations are seeking to address.
Array-level encryption
There are a number of design points for encryption in the array, that is, at the disk drive or controller level, each discussed briefly, next. Design considerations for encryption include the interfaces to the array, software support, performance, FIPS validation, key management, and encryption object granularity, to name a few. The intent is to have the encryption implementation transparent to the hosts attached, while protecting the removable media. The connected hosts may not be knowledgeable of the encryption implementation but may be with respect to management and performance. All aspects of the design must be considered.
http://www.emc.com/collateral/hardware/technical-documentation/h8082-building-secure-sans-tb.pdf
reseach
225 Posts
0
February 20th, 2012 21:00
Simon and JY,
As the configuration is not listed on the current ESM, if it is to be part of an EMC solution delivered to a customer, I highly recommend you go to RPQ first. If this is approved, that would ensure this configuration's compatibility and serviceability.
Thanks,
Eddy
zhaos2
643 Posts
0
February 20th, 2012 22:00
I agree to submit an RPQ for this configuration with Cisco SME. In the white paper h8082, there are specific use cases for Brocade Encryption Switches with EMC TimeFinder/SRDF/RecoverPoint, but none are mentioned for Cisco SME.
zhaos2
643 Posts
0
February 21st, 2012 20:00
Hello Experts,
As confirmed by the Cisco document, SME disk does not allow dynamic resizing of a LUN. Is there any alternative solution for dynamic LUN resize to be supported with SME?
Thanks in advance!