FICON Drives Fibre Channel Security

Research Brief

Abstract: FICON products for mainframes impact the Fibre Channel switch market as FICON requirements drive improvements in security, benefiting all Fibre Channel switch products.

By James Opfer

Recommendations

Vendors must anticipate the coexistence of mainframes and open systems on SANs.
Vendors must upgrade security of all Fibre Channel SANs to the level required for mainframe systems.
Vendors must respond to the incremental market opportunity presented by FICON products.

Publication Date: September 25, 2002

ESCON Heritage Benefits FICON

Deployment of Fibre Connectivity (FICON) cascading in data centers requires enhancing provisions for data security to meet the expectations driven by the Enterprise Systems Connection (ESCON) heritage. The opportunity for FICON revenue will drive improvements that will, in turn, benefit conventional Fibre Channel (FC) deployments.

FICON and FC Storage Networks

FICON and the FC Protocol (FCP), when combined with FC transport technology, provide two distinct architectures for implementing storage networking. The more commonly deployed FCP maps the serial Small Computer Systems Interface (SCSI) upper layer protocol (ULP) at the FC-4 protocol level to lower FC protocol levels (FC-0 through FC-3) that define the FC transport technology. FICON, standardized as FC Single Byte Command set, maps ESCON channel command words at the same level to the same common FC transport.

FC architecture supports a serial switched network that provides transport of FC frames between source and destination ports in addition to direct point-to-point connectivity. A fabric consisting of one or more FC switches provides the interconnection between servers and storage for what is typically designated today as FC storage area networks (SANs), understood to be FCP SANs or, alternatively, Open System SANs to distinguish them from emerging FICON SANs.

Although in principle FICON supports similar network architecture, until this year, FICON deployment was limited to networks incorporating a single director as the switch product. This limitation clearly distinguished FICON deployment from FCP SANs that make extensive use of interoperable cascaded switches and directors. With this limitation, FICON and FCP architectures essentially remained physically separate and independent. Two IBM initiatives in 2002 materially altered the conceptual separation of the two architectures.
First, FICON Intermix specified that FC directors support the FCP and FICON protocols on the same director concurrently. Second, IBM announced FICON support for cascading of directors, initially limited to one hop.

The two initiatives set the stage for FICON to influence FC security. Cascading of FICON directors required additional security measures to meet expectations driven by the ESCON heritage in data centers. FICON Intermix implementation assures that these security improvements will impact FCP deployment. Indeed, in mid-August McData announced the first offering of software providing increased security for cascaded FICON directors, a clear example of FICON driving FC in a way likely to benefit FCP deployments as well.

Business Trend

The emergence of FICON switching products became increasingly evident in the first half of 2002. The market for FC switching products deployed in SANs grew rapidly from 1997 to reach $830 million revenue to manufacturers of these products in 2001. However, these SANs were almost exclusively FCP SANs supporting the SCSI ULP in open systems (networking systems incorporating Unix- and Microsoft-based servers).

While FICON also traces its beginning to 1997, a major impetus for revenue growth came in 2001 with IBM's incorporation of FICON into its Enterprise Storage System product. With a native FICON storage system to complement native FICON IBM servers introduced in 2000, the stage was set for significant deployment of FICON SANs with director products from McData and Inrange providing the switched point-to-point connections. Indeed, for the second quarter of 2002, McData announced a material contribution to revenue from its FICON director products, estimated at $8 million.

The potential market for FICON switching products is sufficient to motivate development of product attributes demanded by expectations derived from the ESCON heritage in data centers. Gartner Dataquest forecasts that, by 2006, FICON storage will grow to 85 percent of mainframe storage connected by a channel-based architecture (ESCON or FICON) and that switched fabrics will connect 60 percent of the FICON storage to mainframe servers. Based on these high-level forecasts, Table 1 shows the forecast for FICON switching products. Note that while Gartner Dataquest places FC directors in a market segment designated as high availability FC core switching products, Table 1 refers exclusively to FICON switching products as directors. This is in deference to the current reality that no non-director products are deployed (or qualified) for FICON switching.

The prospect of future annual revenue of more than a quarter of a billion dollars is indeed an effective motivation to develop features of FC switching products that satisfy special demands for FICON products. The first tangible fruit of this motivation was McData's announcement on 20 August 2002 of SANtegrity, a security suite for multiprotocol storage networks. This was closely coordinated with an IBM hardware announcement that fabric and switch binding features of the suite would be mandatory for implementation of FICON cascading. Other FICON vendors, such as Inrange, must provide similar high integrity features for implementation of FICON cascading. McData and IBM assert that these binding features also provide the option of improved security of open system FCP SANs.

Table 1
Manufacturer Revenue for FICON Switching Products, 2002-2006

                                                      2002     2003     2004     2005     2006   CAGR (%) 2002-2006
FICON Director Ports                                26,700   86,400  190,900  260,800  301,900   83
FICON Director Revenue (Millions of U.S. Dollars)       34      109      218      271      285   70

Source: Gartner Dataquest (September 2002)

Gartner Dataquest Perspective

Enterprises increasingly rely on the integrity of FC SANs and FICON environments that are characterized by increasing size and complexity. It is now common to deploy one or more director-class switching products with an aggregation of hundreds of ports at the core. Vendors are supplying directors with ever greater port counts while maintaining relatively stable pricing per port. In turn, these directors greatly simplify the cabling of large SANs by dramatically reducing interswitch connections. But, reduction of granularity that accompanies the simplification of connection makes it less favorable to dedicate separate switching networks to FCP SANs and FICON when open systems and mainframes are present in a data center. Support of FICON and FCP protocols in large director-class switching products emerges as a very favorable architectural solution that all vendors, established and emerging, should embrace.

FICON environments must have security provisions expected of a successor to ESCON technology. While security provisions embrace a diverse set of requirements, the fabric and switch binding provided by McData's SANtegrity and expected from future Inrange releases addresses fabric integrity, an important aspect of security. Fabric and switch binding ensures that the right devices are connected in the correct manner to help prevent unauthorized entry and modification of the fabric. Fabric binding restricts the switches that can join a fabric to only those specified in a fabric membership list while removing any arbitrariness of assignment of the switch domain ID. Switch binding further restricts connection by allowing only specified devices and switches to log on to a switch present in the secure fabric. Effectively, the binding features will dramatically reduce the possibility of corrupting fabric configuration by predictable human error, such as inaccurate connection of cables.
Although FICON may have the more urgent requirements for fabric integrity, owing to details of the FICON addressing scheme, open FCP SANs clearly benefit from the same integrity features. The message to all FC switch vendors should not need repetition: Work together cooperatively to implement an evolving standards-based solution to FC security problems. As new vendors, such as Cisco, enter into competition in the director-class space, evolving alliances of vendors that actively work to develop and support standards can have an enormous impact on the competitive landscape.

Gartner Dataquest forecasts FICON director revenue in 2006 of $285 million, greater than the FC switch product revenue of any manufacturer in 2001 except Brocade Communications. While this is expected to be less than 10 percent of overall FC switching product revenue in 2006, its relative importance in data centers that deploy mainframes will be much greater. This would be true if the only measure of importance was the relative number of ports dedicated respectively to FCP SANs and FICON. But, improvements in FC security driven by FICON requirements will be the agent to overcome ideological resistance to the integration of FICON and FCP SANs. FICON Intermix will add associated FCP ports to the weight of the FICON ports in affecting the revenue that is influenced by FICON. If the standards of FICON security extend to all parts of a SAN that are connected to directors carrying FICON and FCP SAN traffic, then the influence of FICON on data center FC switching revenue cannot be ignored by any switch vendor. All switch vendors must respond to the challenges and opportunities presented by the evolving deployment of FICON.

Key Issue

What changes in technologies and vendor dynamics will shape the storage industry?

This document has been published to the following Marketplace codes: HARD-WW-DP-0340

Entire contents © 2002 Gartner, Inc. All rights reserved.