Secure iSCSI storage

This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."

Who are you?
There are many ways to authenticate a person before granting them access to the iSCSI SAN. You can authenticate based on who someone claims to be, by requiring positive identification before talking to them, or by continually checking their identity for as long as they're connected.

Borrowing a concept from FC, most iSCSI arrays allow you to control access based on a unique identifier for each attached client. While FC uses a world-wide name for LUN masking, iSCSI can use an IP address, a MAC address or a unique name assigned to the iSCSI initiator software running on the client to hide targets. While none of these methods is very secure, they do protect against accidents on the part of storage administrators. Plus, some iSCSI initiators have been known to "grab" all the storage they can see, making masking a requirement. All of these values can be easily changed in software, so spoofing them is trivial.

If masking iSCSI targets isn't enough, CHAP adds another layer of security. The common authentication protocol in IP circles, CHAP uses public key encryption concepts to verify the identity of connected devices. It validates that both devices know a "shared secret" like a password, making it harder to gain access to the storage array. "The iSCSI standard requires that all iSCSI initiators and targets include CHAP support, but not all customers choose to turn it on," reports Eric Schott, director of product management at EqualLogic Inc.
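The shared-secret check described above, sketched as an added example (not code from the article or from any vendor): it follows the MD5 challenge-response form of RFC 1994 and runs it in both directions, as two-way iSCSI CHAP does. The configuration names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over the one-octet identifier, the shared secret, the challenge.
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # The verifier recomputes the hash; the secret itself never crosses the wire.
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def mutual_chap(target_cfg: dict, initiator_cfg: dict, reflect: bool = False):
    """Run a two-way exchange; returns (target_accepts, initiator_accepts)."""
    # Target -> initiator: a fresh random challenge for every login.
    t_id, t_chal = 1, os.urandom(16)
    # Initiator -> target: proof for that challenge, plus a challenge of its own.
    i_resp = chap_response(t_id, initiator_cfg["initiator_secret"], t_chal)
    i_id, i_chal = 2, (t_chal if reflect else os.urandom(16))
    # The target refuses a reused (reflected) challenge before checking the proof.
    if i_chal == t_chal:
        return (False, False)
    target_accepts = chap_verify(t_id, target_cfg["initiator_secret"], t_chal, i_resp)
    if not target_accepts:
        return (False, False)
    # Target -> initiator: proof that the array knows the reverse secret.
    t_resp = chap_response(i_id, target_cfg["target_secret"], i_chal)
    initiator_accepts = chap_verify(i_id, initiator_cfg["target_secret"], i_chal, t_resp)
    return (target_accepts, initiator_accepts)

# Constructed sample configuration (hypothetical names and secrets).
ARRAY = {"initiator_secret": b"host01-to-array-secret", "target_secret": b"array-to-host01-secret"}
HOST_OK = dict(ARRAY)
HOST_WRONG = {"initiator_secret": b"guessed-secret", "target_secret": b"array-to-host01-secret"}
ARRAY_BAD_REVERSE = {"initiator_secret": b"host01-to-array-secret", "target_secret": b"not-the-real-one"}

if __name__ == "__main__":
    print("matching secrets:      ", mutual_chap(ARRAY, HOST_OK))
    print("wrong initiator secret:", mutual_chap(ARRAY, HOST_WRONG))
    print("wrong reverse secret:  ", mutual_chap(ARRAY_BAD_REVERSE, HOST_OK))
    print("reflected challenge:   ", mutual_chap(ARRAY, HOST_OK, reflect=True))
```

Unlike an initiator name or IP address used for masking, the proof changes with every challenge, so a value observed in one login cannot be replayed in the next.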

This was first published in May 2007
