How to improve iSCSI SAN security
Popular belief holds that FibreChannel-based storage enjoys the best protection from hacker attacks and the risk of data leakage. On closer review, however, this security is largely due to the use of specialised equipment and data links that reduce the likelihood of unauthorized access. The data within FC networks themselves remain relatively unprotected.
iSCSI SANs, in contrast, work on Ethernet equipment, which is quite simple to connect to. Nonetheless, the arsenal of means and methods for securing iSCSI is rather greater than that for FibreChannel. The main security problem for iSCSI storage lies in the incorrect use or disregard of those tools. Below is our advice on how to better protect the data on an iSCSI SAN and avoid critical vulnerabilities:
- The foremost rule for iSCSI security is that the iSCSI SAN infrastructure should be separated from the existing Ethernet LAN. If this requirement is not met, unauthorized access to iSCSI resources from the main network may be possible. Ideally, iSCSI storage should be physically isolated from the user LAN, using its own network segment. If physical segregation is impossible, create a VLAN or PVLAN virtual network on the existing segment.
This approach is applicable if the iSCSI devices are supposed to interact exclusively with each other. If a group of users on the main network is supposed to have access to the iSCSI storage, then administrators will need to take separate measures for data protection.
- There are several ways to ensure the security of connection authentication when connecting to iSCSI SAN resources. The iSCSI protocol supports Access Control Lists (ACLs), for instance. These lists allow setting access policies for storage resources for specific initiators (network nodes) with regard to specific targets over specified target interfaces. This method does not guarantee complete security, however, as there are methods for getting around ACLs, notably IP spoofing. ACLs are much more reliable in tandem with CHAP authentication.
- CHAP (Challenge-Handshake Authentication Protocol) is a widespread authentication algorithm in which each side proves knowledge of a shared secret by returning a hash computed over that secret and a challenge. This protocol is the most commonly used authentication method on mixed networks. CHAP authentication can be one-way (the target verifies that the initiator is genuine using the hash value it receives) or mutual (the target also answers an authentication challenge sent by the initiator, so the initiator can verify the target in turn).
CHAP is not the only possible algorithm, but it is available by default and provides good protection, which is why it is most often used to secure iSCSI storage. You can also use any other authentication protocol that is supported by your equipment and OS.
- If it is impossible to physically separate the LAN and iSCSI SAN segments for whatever reason, it will be necessary to protect the data transmitted over the network from interception. Two options here are to configure VPN tunnels between the storage nodes or to use the IPsec protocol. The latter allows encrypting IP packet contents and/or masking their routing. It should be mentioned that although IPsec affords a high level of data security, it is relatively difficult to configure. If the iSCSI SAN segment is separate from the user network, it is inadvisable in most cases to use encryption.
- Note that the encryption key storage policy is another very important aspect of storage security. If these keys are not handled correctly, you may lose access to your data irreversibly.
- Keep access to network equipment management secure. Most devices (routers, servers, switches, network interfaces and so forth) can be configured and managed remotely, most often through a web interface. If external access to these is allowed, then attackers can take advantage of this by changing equipment settings to gain control. We urge consolidating management of all network components, as well as severely limiting external console access. This will quite possibly create some inconveniences for network administrators, but at the same time it removes a potential data threat.
- Unused network component functions should also be turned off.