Logical Unit Number Masking
Logical Unit Number Masking or LUN masking is an authorization process that makes a Logical Unit Number available to some hosts and unavailable to other hosts.
The security benefits are limited in that with many HBAs it is possible to forge source addresses (WWNs/MACs/IPs). However, it is mainly implemented not as a security measure per se, but rather as protection against misbehaving servers corrupting disks belonging to other servers. For example, Windows servers attached to a SAN will under some conditions corrupt non-Windows (Unix, Linux, NetWare) volumes on the SAN by attempting to write Windows volume labels to them. By hiding the other LUNs from the Windows server, this can be prevented, since the Windows server does not even realize the other LUNs exist.
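An added sketch, not from the original article, of LUN masking as a per-initiator lookup, together with an audit that flags any LUN presented to both Windows and non-Windows hosts. The masking table layout, the WWNs, the OS tags and the LUN numbers are all constructed for illustration and do not reflect any particular array's configuration format.

```python
# Added illustration: all WWNs, OS tags and LUN numbers below are constructed.
from collections import defaultdict

# Hypothetical masking table: initiator WWN -> (host OS, LUNs presented to it).
MASKING = {
    "10:00:00:00:c9:00:00:01": ("windows", {0, 1}),
    "10:00:00:00:c9:00:00:02": ("linux",   {2, 3}),
    "10:00:00:00:c9:00:00:03": ("netware", {4}),
    "10:00:00:00:c9:00:00:04": ("windows", {3, 5}),  # misconfigured: LUN 3 is also Linux's
}

def visible_luns(wwn, masking=MASKING):
    """LUNs reported to an initiator; a WWN with no entry sees nothing.

    The decision is keyed on the WWN the initiator presents, so this is
    authorization by claimed identity, not authentication of the host.
    """
    _os_name, luns = masking.get(wwn, (None, set()))
    return sorted(luns)

def mixed_os_exposures(masking=MASKING):
    """Return {lun: {os: [wwns]}} for LUNs presented to Windows and to
    at least one non-Windows host, the case masking is meant to prevent."""
    by_lun = defaultdict(lambda: defaultdict(list))
    for wwn, (os_name, luns) in masking.items():
        for lun in luns:
            by_lun[lun][os_name].append(wwn)
    findings = {}
    for lun, owners in by_lun.items():
        if "windows" in owners and len(owners) > 1:
            findings[lun] = {name: sorted(wwns) for name, wwns in owners.items()}
    return findings

if __name__ == "__main__":
    for wwn in MASKING:
        print(wwn, "->", visible_luns(wwn))
    for lun, owners in sorted(mixed_os_exposures().items()):
        print(f"LUN {lun} is presented across OS types: {owners}")
```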