This article can also be found in the Premium Editorial Download "Storage magazine: Top 15 Storage hardware and software Products of the Year 2006."
The different approaches iSCSI and FC take to securing storage access are probably the biggest hurdle multiprotocol storage architects have to deal with. FC relies on zoning in the FC switches, LUN masking on the arrays and host identification by World Wide Name (WWN). iSCSI relies on the physical and virtual isolation of the iSCSI network described above, on access restriction by IP address and by initiator and target name, and on CHAP authentication, with CHAP credentials held either on the target itself or on an external RADIUS server.
Although it may seem confusing to have multiple iSCSI access-control options, there's a simple rule of thumb. On an isolated iSCSI network, restricting access by initiator and target name will typically suffice; keep in mind that this is authorization on a name the peer simply claims, not authentication, because an initiator name (IQN) is a plain string that any host on the segment can copy. Where the iSCSI network is physically connected to the LAN, CHAP authentication should be deployed: the initiator must prove possession of a secret, so a host spoofing an IP address or an initiator name no longer gets at the iSCSI LUNs. Use long, random CHAP secrets and, if the initiator should also be able to detect a rogue target, configure mutual (bidirectional) CHAP with a different secret for each direction. CHAP protects only the login; once the session is up the data PDUs are neither authenticated nor encrypted, which is what IPsec is for. In environments with a large number of iSCSI devices, central authentication via a RADIUS server eliminates the need to manage CHAP credentials in each iSCSI target.
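To make the difference between the three options concrete, here is an added example (not code from the article or from any product it names) that simulates an iSCSI target's login decision under a name-only ACL, one-way CHAP and mutual CHAP, and runs a spoofed initiator and a rogue target against each. Only the access decision and the CHAP arithmetic (RFC 1994 MD5 CHAP, which is what iSCSI negotiates) are modelled; iSCSI login PDUs are not reproduced, and all IQNs, user names and secrets are made up for the example.

```python
"""Simulated iSCSI login under three target access policies (added example).

Models only the access decision and the CHAP computation, not the iSCSI
login PDUs. CHAP is RFC 1994 MD5 CHAP as negotiated by iSCSI (CHAP_A=5).
All IQNs, user names and secrets below are constructed for the example.
"""
import hashlib
import hmac
import os

GRANTED = "granted"
DENIED_ACL = "denied: initiator name not in target ACL"
DENIED_CHAP = "denied: initiator failed CHAP"
DENIED_TARGET = "dropped by initiator: target could not prove its identity"

# Constructed identifiers and secrets; nothing here refers to a real system.
TARGET_IQN = "iqn.2007-02.com.example:storage.lun0"
TRUSTED_IQN = "iqn.2007-02.com.example:host.db01"
INIT_SECRET = b"db01-initiator-secret-3f9c1a"   # what the initiator proves it holds
TGT_SECRET = b"lun0-target-secret-7b2e4d"       # different secret for the reverse direction


def chap_response(ident, secret, challenge):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), RFC 1994 section 2.2."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Initiator:
    def __init__(self, iqn, chap=None, expect_target=None):
        self.iqn = iqn                      # the name the initiator claims (a plain string)
        self.chap = chap                    # (user, secret) sent to the target, or None
        self.expect_target = expect_target  # (user, secret) the target must prove, or None

    def answer_chap(self, ident, challenge):
        if self.chap is None:
            return None
        user, secret = self.chap
        return user, chap_response(ident, secret, challenge)

    def verify_target(self, user, ident, challenge, response):
        exp_user, exp_secret = self.expect_target
        return user == exp_user and hmac.compare_digest(
            response, chap_response(ident, exp_secret, challenge))


class Target:
    def __init__(self, acl, chap_secrets=None, credential=None):
        self.acl = set(acl)                     # initiator names allowed (authorization only)
        self.chap_secrets = chap_secrets or {}  # user -> secret; empty means CHAP not required
        self.credential = credential            # (user, secret) the target offers for mutual CHAP

    def login(self, initiator):
        # 1. Initiator-name ACL: the name is whatever the peer says it is.
        if initiator.iqn not in self.acl:
            return DENIED_ACL
        # 2. One-way CHAP: the initiator must prove it holds the secret.
        if self.chap_secrets:
            ident, challenge = os.urandom(1)[0], os.urandom(16)
            answer = initiator.answer_chap(ident, challenge)
            if answer is None:
                return DENIED_CHAP
            user, response = answer
            secret = self.chap_secrets.get(user)
            if secret is None or not hmac.compare_digest(
                    response, chap_response(ident, secret, challenge)):
                return DENIED_CHAP
        # 3. Mutual CHAP: the initiator challenges the target in turn and
        #    drops the session if the target cannot answer with the expected secret.
        if initiator.expect_target is not None:
            ident, challenge = os.urandom(1)[0], os.urandom(16)
            if self.credential is None:
                return DENIED_TARGET
            user, secret = self.credential
            if not initiator.verify_target(
                    user, ident, challenge, chap_response(ident, secret, challenge)):
                return DENIED_TARGET
        return GRANTED


def run_scenarios():
    """Each policy against a legitimate peer and an impostor; returns outcomes by name."""
    name_only = Target(acl={TRUSTED_IQN})
    one_way = Target(acl={TRUSTED_IQN}, chap_secrets={"db01": INIT_SECRET})
    legit = Target(acl={TRUSTED_IQN}, chap_secrets={"db01": INIT_SECRET},
                   credential=("lun0", TGT_SECRET))
    rogue = Target(acl={TRUSTED_IQN})  # impersonates the target, demands nothing, holds no secret

    trusted = Initiator(TRUSTED_IQN, chap=("db01", INIT_SECRET))
    spoofed = Initiator(TRUSTED_IQN)  # attacker on the segment who copied db01's IQN
    guessing = Initiator(TRUSTED_IQN, chap=("db01", b"password"))
    careful = Initiator(TRUSTED_IQN, chap=("db01", INIT_SECRET),
                        expect_target=("lun0", TGT_SECRET))

    return {
        "name_only/trusted": name_only.login(trusted),
        "name_only/spoofed_iqn": name_only.login(spoofed),     # the weakness of name-only ACLs
        "chap/trusted": one_way.login(trusted),
        "chap/spoofed_iqn_no_secret": one_way.login(spoofed),
        "chap/spoofed_iqn_wrong_secret": one_way.login(guessing),
        "mutual/legit_target": legit.login(careful),
        "mutual/rogue_target": rogue.login(careful),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:32} {outcome}")
```

The `name_only/spoofed_iqn` case is the one that matters: the target grants the session because the only thing it checks is a string the attacker copied from the real host's configuration. Two caveats follow from the CHAP arithmetic itself: the response is an unkeyed MD5 over the secret and a challenge, so a captured login exchange can be attacked offline by dictionary if the secret is short, and the same secret must never be used in both directions of mutual CHAP, or a peer can reflect a challenge back and answer it with the other side's own response.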
Mike Layton, director of enterprise services and information systems at Baylor College of Medicine in Houston, applied a similar strategy when he opted for initiator-target name-based iSCSI authorization for a small number of servers accessing his Hitachi Data Systems (HDS) Corp.-based FC SAN via a Network Appliance (NetApp) Inc. FAS980c gateway over an isolated iSCSI
One of the big benefits of iSCSI over FC is that it runs over IP and can therefore use IPsec, which the IP protocol suite supports natively; IPsec should be enabled whenever iSCSI traffic may cross a network where it could be captured, since it protects the confidentiality and integrity of the traffic in flight, the CHAP login exchange included. But the overhead of IPsec on a busy server can be significant. In environments with IPsec turned on, servers and bandwidth-hungry desktops should be equipped with iSCSI HBAs or NICs that offload the encryption to hardware, available from companies like Cavium Networks Inc. IPsec protects only data in transit. At the network level, encryption appliances from companies such as Decru Inc. (now a NetApp company) and NeoScale Systems Inc. sit in the data path and encrypt FC and iSCSI block data before it reaches the storage arrays, so the data is also protected at rest.
Storage management interfaces are a common weak point, yet are often neglected during storage design. Default passwords, a single password shared by all storage devices or passwords that are never changed put an otherwise well-designed SAN at risk. Restricting the management interfaces to a dedicated management VLAN and a small set of administrative systems, enforcing a strong password policy, and, in environments with a large number of IP devices, authenticating administrators against a centralized RADIUS server so that accounts are managed in one place, reduces the risk of unauthorized management changes.
This was first published in February 2007