Simplified Storage, Storage Simplified Storage, Storage Directions And TrendsDirections And TrendsSimple SANsSimple SANsSAN SecuritySAN Security

Rahul AuradkarRahul AuradkarPartner Program ManagerPartner Program Manager

Keith HagemanKeith HagemanTechnical EvangelistTechnical Evangelist

AgendaAgenda SAN Complexities & Adoption BlockersSAN Complexities & Adoption Blockers

SAN Deployment/ConfigurationSAN Deployment/Configuration SAN SecuritySAN Security ……

Windows Server 2003 Storage Windows Server 2003 Storage TechnologiesTechnologies

Industry Initiatives with Microsoft PlatformsIndustry Initiatives with Microsoft Platforms SAN Simplification with WindowsSAN Simplification with Windows SAN SecuritySAN Security

Storage Solution Adoption TrendsStorage Solution Adoption Trends

Low CostSAN

iSCSI

NAS

DAS

SANHalf the cost of SANHalf the cost of SAN

GatewaysGateways

SME LE

SAN Complexities & Adoption Blockers

Obstacles to Faster SAN AdoptionObstacles to Faster SAN AdoptionAbsence of O.S. SAN Facilities

Security

Path Fail-over

Snap-Shot

LUN Management

Multiple Storage Management Interfaces

Expensive Storage Networking Hardware

Build-a-SAN StudiesBuild-a-SAN Studies 5 attempts of 6-9 people5 attempts of 6-9 people

Technical – server and storage awareTechnical – server and storage aware Not specifically SAN trainedNot specifically SAN trained

SAN ConfigurationSAN Configuration Server, HBA, Switch & Storage Array – 1 eachServer, HBA, Switch & Storage Array – 1 each

Goal – Build-a-SAN in under 4 hoursGoal – Build-a-SAN in under 4 hours Cable server to switch to storage arrayCable server to switch to storage array Zone switchZone switch Create LUN, format, assign drive letterCreate LUN, format, assign drive letter Write data to volumeWrite data to volume

Results – 100% failureResults – 100% failure

Windows Server 2003Storage Technologies

Windows Server 2003Windows Server 2003Storage GoalsStorage Goals Data Protection and Recovery Data Protection and Recovery

Volume Shadow Copy Services (VSS)Volume Shadow Copy Services (VSS) Automated System Recovery (ASR)Automated System Recovery (ASR)

Availability, Scalability, and PerformanceAvailability, Scalability, and Performance Multipath IO (MPIO)Multipath IO (MPIO) Distributed File System (DFS) Distributed File System (DFS) File and System Performance (SMB, NFS, Chkdsk, Vrfydsk) File and System Performance (SMB, NFS, Chkdsk, Vrfydsk)

InteroperabilityInteroperability Virtual Disk Service (VDS)Virtual Disk Service (VDS) SAN friendliness (SAN Boot, Flexible Volume Mounting, Storport, SNIA-SAN friendliness (SAN Boot, Flexible Volume Mounting, Storport, SNIA-

based HBA Management API) based HBA Management API)

Best Platform for Storage SolutionsBest Platform for Storage Solutions

Microsoft AnswerMicrosoft AnswerWindows Server 2003 Storage StackWindows Server 2003 Storage Stack

PartnersPartners

MicrosoftMicrosoft

Ker

nel M

ode

Ker

nel M

ode

File SystemsFile Systems

Volume SnapshotVolume Snapshot

Volume ManagementVolume Management

Miniport(s)Miniport(s) MiniportMiniport

PortPort

DiskDisk TapeTape ChangerChanger ClassClass

SCSIPortSCSIPort StorportStorport IDEPortIDEPort

Use

r M

ode

Use

r M

ode

WMIWMI

Removable Removable Storage Storage ManagerManager

(tape and (tape and optical media optical media management)management)

Virtual Disk Virtual Disk ServiceService

(RAID, disk (RAID, disk access, access,

Enclosures)Enclosures)

HW ProvidersHW Providers

Volume Volume Shadow Shadow

Copy Copy ServiceService

(Point-in-time (Point-in-time copies)copies)

SW ProviderSW Provider

Writ

ers

Writ

ers

RequestorsRequestors

Writ

ers

Writ

ers

HW ProvidersHW Providers

SW ProviderSW Provider

iSCSI InitiatoriSCSI Initiator

iSCSIprtiSCSIprt

Multipath I/OMultipath I/O DSMDSM DSMDSM DSMDSM MS MPIOMS MPIO

ApplicationsApplications

Volume Shadow Copy Service (VSS)

VSS ComponentsVSS Components Volume Shadow Copy ServiceVolume Shadow Copy Service

Coordinators all componentsCoordinators all components RequestorsRequestors

Invokes VSS to a create shadow copyInvokes VSS to a create shadow copy Backup applicationsBackup applications Shadow copy management applicationsShadow copy management applications

Writers – Represents Apps and Windows ServicesWriters – Represents Apps and Windows Services(i.e., SQL, Exchange, AD, etc.)(i.e., SQL, Exchange, AD, etc.) Differentiates VSS from competitorsDifferentiates VSS from competitors Participate in shadow copy creation processParticipate in shadow copy creation process

Providers Providers Create shadow copiesCreate shadow copies

System provider System provider Hardware snapshotsHardware snapshots

VSS RequestorsVSS RequestorsBackup RequestorsBackup Requestors Shadow Copy Management Shadow Copy Management

ApplicationsApplicationsAelitaAelita CommVault Shadow Explorer 1.3*CommVault Shadow Explorer 1.3*

BakBone NetVault 7.1BakBone NetVault 7.1 Datacore SANmelodyDatacore SANmelody

CA BrightStor ARCserve Backup v11CA BrightStor ARCserve Backup v11 Datacore SANsymphonyDatacore SANsymphony

CA BrightStor Enterprise Backup v10.5*CA BrightStor Enterprise Backup v10.5* EMC Snapview Integration MS Exchange*EMC Snapview Integration MS Exchange*

CommVault Galaxy*CommVault Galaxy* FalconStor Snapshot Agent for VSSFalconStor Snapshot Agent for VSS

CommVault Qinetix*CommVault Qinetix* HP Fast Recovery SolutionsHP Fast Recovery Solutions

DantzDantz Microsoft Vrfydsk (Resource Kit)Microsoft Vrfydsk (Resource Kit)

EMC ERM 2.1.1*EMC ERM 2.1.1* NetAppNetApp

EMC Legato Networker 7.1EMC Legato Networker 7.1 Xiotech/CA*Xiotech/CA*

IBM Tivoli Storage Manager 5.2IBM Tivoli Storage Manager 5.2

HP Data Protector 5.1*HP Data Protector 5.1*

Microsoft NTBackupMicrosoft NTBackup

StBernard Open File Manager 9.1StBernard Open File Manager 9.1

UltrabacUltrabac

Veritas Backup Exec 9.1Veritas Backup Exec 9.1

VSS WritersVSS Writers

Windows Server 2003 service writers (in-box)Windows Server 2003 service writers (in-box) COM+COM+ Active DirectoryActive Directory

Certificate ServerCertificate Server WINSWINS

Cluster ServerCluster Server WMIWMI

DHCP ServerDHCP Server IISIIS

Event LogEvent Log SFPSFP

Removable StorageRemovable Storage RegistryRegistry

Terminal ServerTerminal Server SQL 2000/MSDESQL 2000/MSDE

File Replication ServiceFile Replication Service

Application writers with increased functionalityApplication writers with increased functionality Exchange 2003 Exchange 2003 (SP1 Incr/Diff)(SP1 Incr/Diff) SQL Server 2000 SQL Server 2000 (in-box)(in-box)

Hardware ProvidersHardware Providers Software ProvidersSoftware ProvidersEMC CLARiiONEMC CLARiiON DatacoreDatacore

EMC SymmetrixEMC Symmetrix MicrosoftMicrosoft

FalconStor (iSCSI)FalconStor (iSCSI) StorageCraftStorageCraft

EqualLogic (iSCSI)EqualLogic (iSCSI) Veritas Storage Foundation for WindowsVeritas Storage Foundation for Windows

HP EVAHP EVA

HP VAHP VA

HP XP (32 & 64-bit)HP XP (32 & 64-bit)

IBM ESSIBM ESS

IBM FastTIBM FastT

Intransa (iSCSI)Intransa (iSCSI)

LSI LogicLSI Logic

NetAppNetApp

NECNEC

StorageTek SVAStorageTek SVA

XIOtech 3DXIOtech 3D

XIOtech MagnitudeXIOtech Magnitude

VSS ProvidersVSS Providers

Virtual Disk Service (VDS)

VDS – What Is It?VDS – What Is It?

Single interface for managing block Single interface for managing block storage whether done by storage whether done by OS software, orOS software, or RAID storage hardware, orRAID storage hardware, or other storage virtualization enginesother storage virtualization engines

Vendor and technology Vendor and technology neutralneutral Interconnect neutralInterconnect neutral Focus is virtualization and innovation in Focus is virtualization and innovation in

hardware for auto-managementhardware for auto-management

VDS ComponentsVDS ComponentsCommand Line

InterfacesDiskpart / Diskraid

ManagementApplication(s)

DiskManagement

- Hardware- MS functionality- 3rd party functionality

Virtual Disk Service

Software Providers - Basic Disk

- Dynamic Disk

Disks LUNs

Drives

SpindleSpindle

Hardware Provider(s)

VDS ProvidersVDS Providers

Windows Server 2003 providers Windows Server 2003 providers (in-box)(in-box)

Basic disk (partitions, volumes)Basic disk (partitions, volumes) Dynamic disk (partitions, volumes, Dynamic disk (partitions, volumes, spanning, mirror, RAID-5, Stripes)spanning, mirror, RAID-5, Stripes)

Third-Party ProvidersThird-Party ProvidersDatacore SANmelodyDatacore SANmelody Hitachi ThunderHitachi Thunder

Datacore SANsymphonyDatacore SANsymphony IBM FastTIBM FastT

EMC CLARiiONEMC CLARiiON LSI LogicLSI Logic

EMC SymmetrixEMC Symmetrix NetAppNetApp

HP EVAHP EVA StorageTek SVAStorageTek SVA

HP MSAHP MSA Veritas Storage Foundation for Windows 4.0Veritas Storage Foundation for Windows 4.0

HP VAHP VA XIOtech 3DXIOtech 3D

HP XPHP XP XIOtech MagnitudeXIOtech Magnitude

Hitachi LightningHitachi Lightning

VDS ApplicationsVDS Applications

Windows Server 2003 Applications Windows Server 2003 Applications (in-box)(in-box)Disk Management MMCDisk Management MMC Diskpart CLIDiskpart CLI

Diskraid CLI (Resource Kit)Diskraid CLI (Resource Kit)

Third-Party ApplicationsThird-Party ApplicationsCommVault Shadow Explorer 1.3CommVault Shadow Explorer 1.3 Qlogic VDS SANSurferQlogic VDS SANSurfer

Datacore SANmelodyDatacore SANmelody Microsoft Automated Deployment Microsoft Automated Deployment ServicesServices

Datacore SANsymphonyDatacore SANsymphony StratusStratus

ElipSAN iSCSIElipSAN iSCSI Veritas Storage Foundation for Veritas Storage Foundation for Windows 4.0Windows 4.0

HP Fast Recovery SolutionsHP Fast Recovery Solutions

IOMegaIOMega

VDS 1.1 – MS MPIO & iSCSIVDS 1.1 – MS MPIO & iSCSI

Feature additionsFeature additions Integrated MPIO managementIntegrated MPIO management Support for iSCSI hardwareSupport for iSCSI hardware Better SDK docs, sample code, and tests for IHVsBetter SDK docs, sample code, and tests for IHVs Managed code wrappers for ISVsManaged code wrappers for ISVs

ScheduleSchedule Beta SDK – June, 2004Beta SDK – June, 2004 RTM Q4, 2004RTM Q4, 2004

““Designed for Windows” logo programDesigned for Windows” logo program VDS 1.0 or 1.1 (TBD) in HCT 12.1 (W2K3 SP1)VDS 1.0 or 1.1 (TBD) in HCT 12.1 (W2K3 SP1)

Integration of MS MPIO & iSCSIIntegration of MS MPIO & iSCSI Part of Osaka release available in beta this monthPart of Osaka release available in beta this month Microsoft MPIO binaries are included with this release of Microsoft MPIO binaries are included with this release of

iSCSI as well as a generic iSCSI DSM written and iSCSI as well as a generic iSCSI DSM written and supported by Microsoft supported by Microsoft

iSCSI DSM designed to work with all SPC-2 or later iSCSI DSM designed to work with all SPC-2 or later compliant iSCSI targets compliant iSCSI targets

Additionally, Microsoft MPIO partners will have access to Additionally, Microsoft MPIO partners will have access to iSCSI DSM source and can add functionality and release iSCSI DSM source and can add functionality and release their own Microsoft MPIO iSCSI solution to customerstheir own Microsoft MPIO iSCSI solution to customers

Logo program will be available only for iSCSI multipath Logo program will be available only for iSCSI multipath solutions based on Microsoft MPIOsolutions based on Microsoft MPIO

Simple SANs

The Solution: The Solution: Virtual Disk ServiceVirtual Disk Service

VirtualDisk

Services

Simplify & Cost Reduce SAN Array Management

Partner Driven Simple SAN initiativePartner Driven Simple SAN initiative

SAN’s SAN’s Very successful in the high-end enterpriseVery successful in the high-end enterprise VERY COMPLEXVERY COMPLEX to deploy, expensive ($/byte), lack of end-to-end prescriptive to deploy, expensive ($/byte), lack of end-to-end prescriptive

configurationsconfigurations

Mid-Market Customers open to networked storage Mid-Market Customers open to networked storage solutionssolutions data explosion, server consolidation, cost support this BUT …data explosion, server consolidation, cost support this BUT … Need SANs with modular arrays Need SANs with modular arrays Ease of initial deployment, provisioning; reasonable cost for ongoing managementEase of initial deployment, provisioning; reasonable cost for ongoing management More favorable cost to capacity – the trend-lines here are positive More favorable cost to capacity – the trend-lines here are positive

Solutions from Key Industry partners Solutions from Key Industry partners Windows Server 2003 hostsWindows Server 2003 hosts Low-cost, simple fabrics that includes pre-configured switches and HBAsLow-cost, simple fabrics that includes pre-configured switches and HBAs Integrated applications & management consoles on Windows Server 2003Integrated applications & management consoles on Windows Server 2003

SAN Config - AcceleratorSAN Config - AcceleratorPowerful O.S. Storage Networking Facilities

RADIUS SecurityMPIO Path Fail-over

VSS Snap-Shot

VDS LUN Management

One Simple Storage Management Interface

Affordable Storage Networking Hardware

Protocol A

gnostic - iSC

SI or F

C

SANsurferSANsurfer®® VDS Manager VDS Manager Windows 2003 Server Windows 2003 Server

applicationapplication Complements VDS CLI with Complements VDS CLI with

an easy to use GUIan easy to use GUI FunctionsFunctions

Device discoveryDevice discovery LUN configurationLUN configuration RAID managementRAID management Disk formattingDisk formatting

Distributed with QLogic Distributed with QLogic HBAs, switches and SAN HBAs, switches and SAN Connectivity Kit for Windows Connectivity Kit for Windows 20032003

Downloadable from Downloadable from QLogic.comQLogic.com

Complementary to VDS CLIComplementary to VDS CLI CLI for Windows storage expertsCLI for Windows storage experts

Must know command strings, syntax and flagsMust know command strings, syntax and flags Typo’sTypo’s Must know the environmentMust know the environment

QLogic VDS GUI those that don’t want to be Windows QLogic VDS GUI those that don’t want to be Windows storage expertsstorage experts One intuitive easy to use interfaceOne intuitive easy to use interface Uses HBA API for auto discovery of devicesUses HBA API for auto discovery of devices Maps and displays storage network topologyMaps and displays storage network topology Configure cross platform devices from one interfaceConfigure cross platform devices from one interface Point and ClickPoint and Click Accelerates mass adoptionAccelerates mass adoption

SANsurfer VDS ManagerSANsurfer VDS Manager

SAN Security

Enterprise SAN SecurityEnterprise SAN SecurityPhases of implementationPhases of implementation

Physical Lock-down & Physical Lock-down & Protection of Data at Protection of Data at

Rest Rest

PHASE IIPHASE IIIn-Band Audits for In-band events In-Band Audits for In-band events

RADIUS with Policy EngineRADIUS with Policy Engine

1. Out of Band Management Access1. Out of Band Management AccessSimple AuthenticationSimple Authentication

2. Switch-based proprietary device security2. Switch-based proprietary device security

PHASE IPHASE IOut of Band Authentication, Out of Band Authentication,

Authorization and Audit (AAA) Authorization and Audit (AAA) RADIUS with AD/LDAPRADIUS with AD/LDAP

PHASE IIIPHASE IIIIn-band Fabric (FC) region of trust In-band Fabric (FC) region of trust

DH-CHAP w/RADIUS, Kerberos, AD, DH-CHAP w/RADIUS, Kerberos, AD, LDAP LDAP

PHASE IVPHASE IVPKI Security w/MS Cert AuthorityPKI Security w/MS Cert Authority

Enterprise Frameworks with policy controlEnterprise Frameworks with policy controlAdvanced Authentication – EAPAdvanced Authentication – EAP

Host (HBA) to Fabric to Storage bindingHost (HBA) to Fabric to Storage bindingCorresponds to phases in Corresponds to phases in

the future roadmapthe future roadmap

Present todayPresent today

SAN Security – Phase ISAN Security – Phase IOut-of-band User AAAOut-of-band User AAA

Fabric/Fibre Channel NetworkFabric/Fibre Channel Network

IP NetworkIP Network

SAN Mgmt SAN Mgmt ConsoleConsole

RADIUSRADIUS SERVER SERVER

Users Users (AD/LDAP)(AD/LDAP)

11User AAAUser AAA

22Switch Pass Switch Pass

ThroughThrough

33Directory LookupDirectory Lookup

HBAsHBAs

Server Server HostHost

ClientsClients

SwitchSwitch

Storage Storage Sub Sub

systemsystem

Complete Out-of-band Complete Out-of-band user AAAuser AAA

SAN Security – Phase II, III, IVSAN Security – Phase II, III, IVIn-Band Device AAAIn-Band Device AAA

Fabric/Fibre Channel NetworkFabric/Fibre Channel Network

IP NetworkIP Network

SAN Mgmt SAN Mgmt ConsoleConsole

RADIUSRADIUS SERVER SERVER

Users Users (AD/LDAP)(AD/LDAP)

HBAsHBAs

Server Server HostHost

ClientsClients

SwitchSwitch

Storage Storage Sub Sub

systemsystem

44Devices zone of trustDevices zone of trust

55Fabric devices AAA & PolicyFabric devices AAA & Policy

66Fabric Devices Fabric Devices

Dir LookupDir Lookup

4,5,6 4,5,6 In-band Zone In-band Zone of trust with Advanced of trust with Advanced PolicyPolicy

SAN Fabric SecuritySAN Fabric SecurityPartner Support For MS RADIUS initiativePartner Support For MS RADIUS initiative

PartnerPartner SupportSupport

BrocadeBrocade

Qlogic Qlogic (Switch and HBAs)(Switch and HBAs)

McDataMcData

CiscoCisco

InrangeInrange In discussionsIn discussions

Emulex Emulex (HBAs)(HBAs)

In discussionsIn discussions

>90

% o

f M

arke

t

Enterprise SAN SecurityEnterprise SAN SecurityRadius ImplementationRadius Implementation

Customer BenefitsCustomer Benefits Enterprise Security IntegrationEnterprise Security Integration

Enterprise security does not address SAN Security today – but SANs a are Enterprise security does not address SAN Security today – but SANs a are critical piece of the Enterprise Infrastructurecritical piece of the Enterprise Infrastructure

Seamless integration into existing networks for advanced featuresSeamless integration into existing networks for advanced features Ease of security administration (user and device security management)Ease of security administration (user and device security management)

Eliminate SAN security complexityEliminate SAN security complexity Single point (RADIUS) to create and administer user and device Authentication Single point (RADIUS) to create and administer user and device Authentication

Authorization and Administration (AAA)Authorization and Administration (AAA) Common mgmt of user and device profiles across LAN and SANCommon mgmt of user and device profiles across LAN and SAN

Advanced Policy creation and enforcementAdvanced Policy creation and enforcement Dynamic policies with Microsoft's Internet Authentication Service (RADIUS)Dynamic policies with Microsoft's Internet Authentication Service (RADIUS) User policy, group policy (Active Directory)User policy, group policy (Active Directory) Device and SAN policies (server and application policies)Device and SAN policies (server and application policies)

Enterprise SAN SecurityEnterprise SAN SecurityRadius ImplementationRadius Implementation

What’s newWhat’s new Current SAN Security solutions are non-existent, Current SAN Security solutions are non-existent,

insecure or isolated from the Enterprise : this integrates insecure or isolated from the Enterprise : this integrates SAN Security into the overall Enterprise Security SAN Security into the overall Enterprise Security frameworkframework

Industry leaders working together to address SAN Industry leaders working together to address SAN Security – Standards based implementationSecurity – Standards based implementation

Use of existing RADIUS Authentication to integrate a Use of existing RADIUS Authentication to integrate a new class of users (SAN administrators)new class of users (SAN administrators)

Use of existing policy engines (dynamic policies in Use of existing policy engines (dynamic policies in RADIUS, user/group/device policies from AD)RADIUS, user/group/device policies from AD)

Enterprise SAN SecurityEnterprise SAN SecurityRadius ImplementationRadius Implementation

Competitive advantage for Microsoft and PartnersCompetitive advantage for Microsoft and Partners Microsoft:Microsoft:

Microsoft will be first to market in addressing SAN Security that integrates with Microsoft will be first to market in addressing SAN Security that integrates with existing enterprise security (partnering with the leading players in the industry)existing enterprise security (partnering with the leading players in the industry)

Holistically address SAN security (as compared to islands of security and policy in Holistically address SAN security (as compared to islands of security and policy in the competitive platform offerings – Linux and Unix)the competitive platform offerings – Linux and Unix)

Partners:Partners: Ability to integrate widely deployed SAN markets with market leading frameworks Ability to integrate widely deployed SAN markets with market leading frameworks

for Enterprise securityfor Enterprise security Proliferation of SANs to smaller enterprisesProliferation of SANs to smaller enterprises SAN security fits within the context of overall Enterprise Security and is not an SAN security fits within the context of overall Enterprise Security and is not an

isolated solutionisolated solution Partnership with widely deployed Enterprise infrastructure provider (MS) Partnership with widely deployed Enterprise infrastructure provider (MS)

Call To ActionCall To Action

Storage products are TOO hard to deploy Storage products are TOO hard to deploy for end users; especially MORG/SORGfor end users; especially MORG/SORG

Make your product(s) compatible with Make your product(s) compatible with Microsoft’s partner-driven Storage Microsoft’s partner-driven Storage Security Initiative & Storage Simplification Security Initiative & Storage Simplification InitiativeInitiative

Request the Windows Storage Services Request the Windows Storage Services SDKs and DDKs to develop VDS, VSS, SDKs and DDKs to develop VDS, VSS, iSCSI, Storport and MPIO solutionsiSCSI, Storport and MPIO solutions

Community ResourcesCommunity Resources

Community SitesCommunity Sites http://www.microsoft.com/communities/default.mspxhttp://www.microsoft.com/communities/default.mspx

List of NewsgroupsList of Newsgroups http://communities2.microsoft.com/communities/newsgroups/en-uhttp://communities2.microsoft.com/communities/newsgroups/en-u

s/default.aspxs/default.aspx

Attend a free chat or webcastAttend a free chat or webcast http://www.microsoft.com/communities/chats/default.mspxhttp://www.microsoft.com/communities/chats/default.mspx http://www.microsoft.com/seminar/events/webcasts/default.mspxhttp://www.microsoft.com/seminar/events/webcasts/default.mspx

Locate a local user group(s)Locate a local user group(s) http://www.microsoft.com/communities/usergroups/default.mspxhttp://www.microsoft.com/communities/usergroups/default.mspx

Non-Microsoft Community SitesNon-Microsoft Community Sites http://www.microsoft.com/communities/related/default.mspxhttp://www.microsoft.com/communities/related/default.mspx

EmailEmail

Web Resources:Web Resources: Specs: Specs: http://www.microsoft.com/storagehttp://www.microsoft.com/storage Whitepapers: Whitepapers:

http://www.microsoft.com/storagehttp://www.microsoft.com/storage

Related SessionsRelated Sessions TW04084 – Windows Storage Services TW04084 – Windows Storage Services

Interfaces & Adoption TrendsInterfaces & Adoption Trends

Additional ResourcesAdditional Resources

VDSAPI @ microsoft.com VSSAPI @ microsoft.com