This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
Download it now to read this article plus other related content.
CHAP can also be used to authenticate the array to the clients. John Spiers, founder and CTO of LeftHand Networks Inc., suggests all iSCSI users implement two-way CHAP, also known as Diffie-Hellman CHAP or DH-CHAP. "A single-way CHAP session could be spoofed to break in or set up a man-in-the-middle [attack]," says Spiers. "DH-CHAP is much more secure."
But CHAP isn't totally secure. "CHAP is subject to offline dictionary attacks--the secret can be guessed with a powerful computer," admits Alan Warwick, lead software design engineer for iSCSI at Microsoft Corp. This would be time-consuming and difficult, however, because a CHAP login would have to be captured by a network sniffer situated on the storage network. Warwick suggests those concerned about the possibility of a CHAP attack use 16-byte secrets and change them frequently.
The most secure option for authentication is IPsec Authentication Header (AH), which has a digital signature on every packet. Unlike a full implementation of IPsec that encrypts the entire packet, IPsec AH merely authenticates the sender, recipient and checksum for the message content. This effectively authenticates the entire message, but does nothing to protect its content from snooping. Although there's still some performance impact, it's much easier to encrypt a 60-byte header than a 64KB packet.
This was first published in May 2007