How come no one is talking about the security issues created by using VMware in a SAN environment? - B.P., St. Louis. Because no one knows what you are talking about – including me. So after I got your e-mail, I started sniffing around, and lo and behold, there sure is a big time bomb out there.

It turns out that the “hypervisors” (VMware, Zen) that let us turn one physical machine into numerous logical machines have a big flaw when it comes to “sharing” a Fibre Channel host bus adapter. The HBA presents a WWN (World Wide Name) to the I/O driver of the server, and that server uses it as it will. In a virtual server mode, all of the server instances can see and access the same HBA - and all the same logical unit numbers (LUN) attached to it. Oops. IBM doesn’t have the issue on it’s own hypervisors for the mainframe, AIX and AS/400s, it appears.

Since I’m guessing the majority of VMware installations are for consolidation purposes, which means they're most likely using SANs, I can smell burning metal.

It turns out that the likes of Emulex and Q-Logic are working to provide the hypervisor people with a way out. VMware will incorporate Emulex’s N-Port Virtualization capabilities shortly - which will enable a slew of virtual WWN to be presented from a single HBA - each assignable to a virtual machine. This will kill the conflicts and enable zoning and LUN masking just like it was a single HBA to a single server relationship. They have even figured out how to fail virtual WWNs in a VMotion environment so the LUNs can move right along with the virtual server instance.

Q-Logic is even working on making its virtual N-Port stuff compatible with Cisco’s VSANs, which is also way cool.

So in the interim, be careful how you set this stuff up. Windows still likes to grab everything it sees as its own.

Expect to pay a little to upgrade the firmware of you existing adapters. I’d imagine both HBA giants will support a ton of virtual instances on their higher-end cards but probably be restrictive on the lower end. A few hundred bucks shouldn’t matter in the overall scheme of things, considering all the benefits you get from the consolidation to begin with - especially now that you’ll be able to do it much more securely.