Secure iSCSI storage

This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."

What to do first

iSCSI experts agree that there are certain things everyone using this technology should do:
  • Deploy iSCSI on a secure, isolated virtual LAN (VLAN) or subnet that doesn't route outside the data center.
  • Keep management interfaces on a secure network.
  • Use role-based access control and keep a log of all management activities.
  • Use encryption anytime iSCSI traffic leaves a secure network (e.g., WAN connections); IPsec is the mechanism the iSCSI standard (RFC 3720) specifies for this.
  • Employ Challenge-Handshake Authentication Protocol (CHAP) in both directions (mutual CHAP) so that initiators and targets authenticate each other. DH-CHAP, often confused with it, belongs to Fibre Channel's FC-SP, not to iSCSI.
  • Employ security technologies that are appropriate to your business without going overboard on complexity--sometimes simpler is better.
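As an added example (not code from the article, and not any vendor's tool), the following Python script audits an open-iscsi initiator configuration against the checklist above: it parses the "key = value" format of iscsid.conf and node records and flags the weak settings the list warns about. The configuration keys are open-iscsi's own; the storage subnet 10.99.0.0/24, the IQNs, the secrets and the three sample configurations are assumptions constructed for this example.

```python
"""Audit open-iscsi initiator settings against the iSCSI checklist.

Added example, not from the article. Flags: no CHAP, one-way CHAP only
(the target never proves its identity to the initiator), CHAP secrets
shorter than 12 characters, unauthenticated SendTargets discovery, and
target portals outside the dedicated storage subnet.
"""
import ipaddress

STORAGE_SUBNET = ipaddress.ip_network("10.99.0.0/24")  # assumed storage VLAN
MIN_SECRET_LEN = 12  # RFC 3720 8.2.1: secrets under 96 bits only over IPsec


def parse_iscsi_conf(text):
    """Parse open-iscsi style 'key = value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _secret_ok(secret):
    return secret is not None and len(secret) >= MIN_SECRET_LEN


def audit(conf, storage_subnet=STORAGE_SUBNET):
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    method = conf.get("node.session.auth.authmethod", "None")
    if method.upper() != "CHAP":
        findings.append("session: no CHAP (authmethod=%s)" % method)
    else:
        if (not conf.get("node.session.auth.username")
                or not _secret_ok(conf.get("node.session.auth.password"))):
            findings.append("session: initiator CHAP credentials missing or "
                            "secret shorter than %d chars" % MIN_SECRET_LEN)
        if not conf.get("node.session.auth.username_in"):
            findings.append("session: one-way CHAP only; target is never "
                            "authenticated to the initiator")
        elif not _secret_ok(conf.get("node.session.auth.password_in")):
            findings.append("session: mutual CHAP secret shorter than "
                            "%d chars" % MIN_SECRET_LEN)

    if conf.get("discovery.sendtargets.auth.authmethod", "None").upper() != "CHAP":
        findings.append("discovery: SendTargets discovery is unauthenticated")

    addr = conf.get("node.conn[0].address")
    if addr:
        try:
            if ipaddress.ip_address(addr) not in storage_subnet:
                findings.append("portal %s is outside the storage subnet %s"
                                % (addr, storage_subnet))
        except ValueError:
            findings.append("portal address %r is not an IP literal" % addr)
    return findings


# Constructed sample 1: stock defaults, portal on the general LAN.
WEAK_CONF = """
node.session.auth.authmethod = None
discovery.sendtargets.auth.authmethod = None
node.conn[0].address = 192.168.1.20
node.conn[0].port = 3260
"""

# Constructed sample 2: CHAP turned on, but only one way and with a short secret.
ONE_WAY_CONF = """
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.2007-05.example:host01
node.session.auth.password = chap1
discovery.sendtargets.auth.authmethod = CHAP
node.conn[0].address = 10.99.0.10
"""

# Constructed sample 3: mutual CHAP, authenticated discovery, storage-VLAN portal.
HARDENED_CONF = """
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.2007-05.example:host01
node.session.auth.password = host01-Qx7pLm2vR9tW
node.session.auth.username_in = iqn.2007-05.example:array01
node.session.auth.password_in = array01-Ke4zNb8sYc1H
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.2007-05.example:host01
discovery.sendtargets.auth.password = disc-Vt5mJq3wHn7L
node.conn[0].address = 10.99.0.10
node.conn[0].port = 3260
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("one-way", ONE_WAY_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, "->", audit(parse_iscsi_conf(text)) or "OK")
```

To use it on a real host, pass the contents of /etc/iscsi/iscsid.conf or of a node record under /etc/iscsi/nodes/ to parse_iscsi_conf; those files hold CHAP secrets, so run the audit as root and keep its input out of logs. The findings themselves never echo a secret.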

Isolate the iSCSI network
The most important step in building a stable and secure iSCSI SAN is to keep it separate from other networks (see "What to do first," this page). "We were not as worried about security as about denial of service," says Braden. "It was too risky from a performance standpoint to allow storage traffic to share the network with other applications." Braden's iSCSI SAN is physically separated from the data network by what's called an "air gap": dedicated Ethernet switches and separate fiber-optic cabling carry only storage traffic. This approach reduces the risk that a problem on the main data network (a broadcast storm, a misconfiguration or a compromised host) would spill over into the SAN. Each of Vail's SAN-attached servers has two Ethernet interfaces: one for the SAN and one for the LAN. Note that such a dual-homed server is itself a potential path between the two networks, so host hardening and host-level filtering matter as much as the switch layout.

A larger iSCSI implementation at an international bank was configured similarly. Router and switch configuration throughout the network prevented iSCSI data from leaking from one network segment to another. The bank also used iSCSI host bus adapters (HBAs) instead of standard Ethernet cards; the HBAs it chose couldn't be configured to carry general network traffic, which reduced the risk of an intruder using the iSCSI SAN as a "bridge" into other secure networks.

This was first published in May 2007
