|Layer 4. Protocol mapping|
|Layer 3. Common services|
|Layer 2. Network|
|Fibre Channel fabric|
Fibre Channel zoning
Registered State Change Notification
|Layer 1. Data link|
|Fibre Channel 8B/10B encoding|
|Layer 0. Physical|
LUN Masking is a level of security that makes a LUN available to only selected hosts and unavailable to all others. This kind of security is done on the SAN level and is based on the host HBA, i.e. you can give access of specific LUN on the SAN to specific host with specific HBA.
LUN masking is mainly implemented at the host bus adapter (HBA) level. The security benefits of LUN masking implemented at HBAs are limited, since with many HBAs it is possible to forge source addresses (WWNs/MACs/IPs) and compromise the access. Many storage controllers also support LUN masking. When LUN masking is implemented at the storage controller level, the controller itself enforces the access policies to the device and as a result it is more secure. However, it is mainly implemented not as a security measure per se, but rather as a protection against misbehaving servers which may corrupt disks belonging to other servers. For example, Windows servers attached to a SAN will, under some conditions, corrupt non-Windows (Unix, Linux, NetWare) volumes on the SAN by attempting to write Windows volume labels to them. By hiding the other LUNs from the Windows server, this can be prevented, since the Windows server does not even realize the other LUNs exist.