
My current (imaginary) setup has a DMZ with two servers and an internal network with two more servers

Servers in the DMZ - Webserver (Company Website), Proxy

Servers in the internal Network - Messaging (Exchange) and Authentication and Domain Services (AD)

Now I have only one SAN setup which I should share between those two networks.

Is connecting the SAN to both the servers in the DMZ and the internal network a sin in a network security context?

What's the best practice?

2 Answers


Since the SAN is a separate infrastructure, as long as you zone separate LUNs to separate locations, it should not be a horrible problem.

However, usually a SAN is the placeholder for all the sensitive data in the organization, and it is best to keep it as secure as possible, preferably accessible only internally, by firewall-protected servers.

dyasny

You don't mention what type of SAN you're thinking of; certainly I'd be a lot happier using an FC-attached SAN between systems in two different security zones, as an intruder would have to hack the IP aspect of your web server, then hack an FC array - two totally different skills/protocols etc. - to get at the internal data. Also, FC networks tend to be based around effectively point-to-point connections, unlike 'regular' IP networks where things are open to all unless tied down. Conversely, if you can crack a web server then you probably have the skills to go poking around over iSCSI, even if it's on a dedicated subnet.

Chopper3
  • OK, so is it possible to have the SAN storage and the servers (which will use the SAN storage) in a different subnet, i.e. route the iSCSI traffic through a router? – Vivek Bernard Mar 07 '11 at 14:35
  • It's all *possible*, none of this is hard, you just need to look at your security requirements and figure out how important that security is. If security is **paramount** then it'd be worth splitting out the storage completely; if it's of less concern then perhaps simply putting in two/four interfaces from your SAN box might make sense (i.e. 1 or 2 physical links going to DMZ/web and 1/2 links going to internal/app layer). – Chopper3 Mar 07 '11 at 14:47
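A way to audit the "zone separate LUNs to separate locations" advice from the first answer and the split-links idea from the comments above, as an added example that is not part of either answer: a small checker that reads a LUN masking table and flags any LUN presented to hosts in more than one security zone, or any sensitive LUN visible from the DMZ. The host inventory, LUN names and the two-column export format are all constructed for this example, not taken from a real array.

```python
from collections import defaultdict

# Constructed: which security zone each initiator (server) belongs to.
HOST_ZONE = {
    "web01": "dmz", "proxy01": "dmz",
    "exch01": "internal", "dc01": "internal",
}

# Constructed: LUNs whose exposure to the DMZ is never acceptable.
SENSITIVE_LUNS = {"lun-exchange-db", "lun-ad-sysvol"}

# Constructed masking table: one "<lun> <initiator>" entry per line.
MASKING_EXPORT = """\
lun-web-content   web01
lun-proxy-cache   proxy01
lun-exchange-db   exch01
lun-ad-sysvol     dc01
lun-shared-logs   web01
lun-shared-logs   exch01
"""


def parse_masking(text):
    """Return {lun: set(initiators)} from the constructed '<lun> <initiator>' lines."""
    masking = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lun, initiator = line.split()
        masking[lun].add(initiator)
    return dict(masking)


def check_zoning(masking, host_zone=HOST_ZONE, sensitive=SENSITIVE_LUNS):
    """Return a sorted list of policy violations for a masking table.

    Rule 1: a LUN must not be presented to hosts in more than one zone.
    Rule 2: a sensitive LUN must not be presented to any DMZ host.
    Hosts missing from the inventory are reported as zone 'unknown'.
    """
    violations = []
    for lun, initiators in sorted(masking.items()):
        zones = {host_zone.get(h, "unknown") for h in initiators}
        if len(zones) > 1:
            violations.append(f"{lun}: spans zones {sorted(zones)}")
        if lun in sensitive and "dmz" in zones:
            violations.append(f"{lun}: sensitive LUN visible from DMZ")
    return violations


if __name__ == "__main__":
    for v in check_zoning(parse_masking(MASKING_EXPORT)):
        print("VIOLATION", v)
```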