Iscsi Security Considerations - IBM System Storage DS3500 Introduction And Implementation Manual

Service Location Protocol (SLP)
The Service Location Protocol can be used to locate iSCSI target devices. SLP operates with three agents:
 - User agent (UA): Works on the client (iSCSI initiator) to help establish contact with a service (iSCSI target). It does this by retrieving information from service agents (SA) or directory agents (DA).
 - Service agent (SA): Runs on the iSCSI target device to advertise the service and its capabilities.
 - Directory agent (DA): Collects service advertisements from the iSCSI targets.

1.3.3 iSCSI security considerations

FC disk attachment uses a separate FC SAN, not accessible to Ethernet network users. iSCSI, on the other hand, is a SAN technology that uses the Ethernet network, which is a lot more vulnerable to intrusion. Therefore, iSCSI security is very important.
iSCSI connection authentication
iSCSI initiators and targets prove their identity to each other using the Challenge Handshake Authentication Protocol (CHAP), which includes a mechanism to prevent cleartext passwords from appearing on the wire. When enabled, the iSCSI target will authenticate the initiator. Optionally, the initiator can authenticate the target as well. Each connection within a session has to be authenticated. In addition to CHAP, several authentication methods can be used:
 - Secure Remote Password (SRP)
 - Kerberos V5 (KRB5)
 - Simple Public-Key generic security service API Mechanism (SPKM1)
 - Simple Public-Key generic security service API Mechanism (SPKM2)
In our sample configurations, we used CHAP.
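The CHAP exchange described above, as an added example written for this page in Python (it is not code from the DS3500 or its Storage Manager software). The peer names, secrets and challenge values are constructed; the response is the RFC 1994 MD5 computation that iSCSI uses for CHAP_A=5, MD5(identifier || secret || challenge). The example runs both the one-way case (target authenticates initiator) and mutual CHAP, and then checks that the captured exchange never carries either secret, only challenges and digests:

```python
"""Worked example of iSCSI CHAP login authentication (constructed; not DS3500 code)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994; CHAP_A=5 in iSCSI): MD5(identifier || secret || challenge).

    Only this digest is sent as CHAP_R; the secret itself never goes on the wire.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One endpoint of an iSCSI login (initiator or target).

    known_peers maps a peer's CHAP name (CHAP_N) to the secret configured for it,
    the way a storage subsystem keeps one initiator secret per host definition.
    """

    def __init__(self, name: str, own_secret: bytes, known_peers: dict):
        self.name = name
        self.own_secret = own_secret
        self.known_peers = known_peers
        self._outstanding = {}  # CHAP_I -> CHAP_C issued and not yet verified

    def issue_challenge(self, identifier=None, challenge=None):
        """Produce CHAP_I/CHAP_C. Random in practice; fixed values only for repeatable tests."""
        ident = os.urandom(1)[0] if identifier is None else identifier
        chal = os.urandom(16) if challenge is None else challenge
        self._outstanding[ident] = chal
        return ident, chal

    def answer(self, identifier: int, challenge: bytes):
        """Return CHAP_N and CHAP_R for a challenge received from the peer."""
        return self.name, chap_response(identifier, self.own_secret, challenge)

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        """Check CHAP_R against the secret held for CHAP_N. A challenge is usable once."""
        challenge = self._outstanding.pop(identifier, None)
        secret = self.known_peers.get(peer_name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def iscsi_login(initiator: ChapPeer, target: ChapPeer, mutual: bool = True):
    """Run the CHAP part of an iSCSI login.

    Returns (target accepted initiator, initiator accepted target, wire transcript),
    where the transcript is what an observer on the Ethernet segment would see.
    """
    wire = []
    # Target -> initiator: CHAP_A=5 CHAP_I=<id> CHAP_C=<challenge>
    t_id, t_chal = target.issue_challenge()
    wire.append(("T->I", {"CHAP_A": "5", "CHAP_I": str(t_id), "CHAP_C": "0x" + t_chal.hex()}))
    # Initiator -> target: CHAP_N=<name> CHAP_R=<digest> [CHAP_I/CHAP_C for mutual CHAP]
    i_name, i_resp = initiator.answer(t_id, t_chal)
    msg = {"CHAP_N": i_name, "CHAP_R": "0x" + i_resp.hex()}
    if mutual:
        i_id, i_chal = initiator.issue_challenge()
        msg.update({"CHAP_I": str(i_id), "CHAP_C": "0x" + i_chal.hex()})
    wire.append(("I->T", msg))
    init_ok = target.verify(t_id, i_name, i_resp)
    if not init_ok or not mutual:
        return init_ok, False, wire  # login rejected, or no target authentication requested
    # Target -> initiator: CHAP_N=<target name> CHAP_R=<digest>
    t_name, t_resp = target.answer(i_id, i_chal)
    wire.append(("T->I", {"CHAP_N": t_name, "CHAP_R": "0x" + t_resp.hex()}))
    return init_ok, initiator.verify(i_id, t_name, t_resp), wire


def wire_contains(wire, secret: bytes) -> bool:
    """True if the secret (raw or hex-encoded) appears anywhere in the captured exchange."""
    blob = " ".join(f"{k}={v}" for _, kv in wire for k, v in kv.items())
    return secret.decode() in blob or secret.hex() in blob


def make_peers(init_secret: bytes, targ_secret: bytes):
    """Constructed sample: one host and one storage target, each holding the other's secret."""
    host_name = "iqn.2011-03.example:host01"          # constructed initiator name
    target_name = "iqn.2011-03.example:storage-target"  # constructed target name
    host = ChapPeer(host_name, init_secret, {target_name: targ_secret})
    storage = ChapPeer(target_name, targ_secret, {host_name: init_secret})
    return host, storage


if __name__ == "__main__":
    host, storage = make_peers(b"initsecret000001", b"targsecret000001")
    init_ok, targ_ok, wire = iscsi_login(host, storage, mutual=True)
    for direction, kv in wire:
        print(direction, " ".join(f"{k}={v}" for k, v in kv.items()))
    print("initiator authenticated:", init_ok, " target authenticated:", targ_ok)
    print("secret visible on wire:", wire_contains(wire, b"initsecret000001"))
```

The transcript shows why CHAP is preferable to a cleartext password on a shared Ethernet segment: the listener sees CHAP_C and CHAP_R but not the secret, and a captured CHAP_R is useless against the next login because each challenge is fresh and is consumed on first use. CHAP still does nothing for the data phase; that is what IPsec (next section) addresses.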
IP Security (IPSec)
As iSCSI relies on TCP/IP communication, IP Security (IPsec) can be used to achieve increased security. IPsec authenticates and encrypts each packet in the IP data stream. There are two IPsec modes:
 - Transport mode: With transport mode, only the payload in each packet is encrypted. The IP header is left unencrypted, so the routing works just the same as without IPsec.
 - Tunnel mode: With tunnel mode, the entire packet is encrypted, including the IP header. This means that the whole encrypted packet must be encapsulated in a new IP packet, so that routing will function properly.
IPsec is commonly used to set up Virtual Private Networks (VPN).
IBM System Storage DS3500: Introduction and Implementation Guide
Draft Document for Review March 28, 2011 12:24 pm
