Secure iSCSI storage

CHAP can also be used to authenticate the array to the clients. John Spiers, founder and CTO of LeftHand Networks Inc., suggests all iSCSI users implement two-way CHAP, also known as Diffie-Hellman CHAP or DH-CHAP. "A single-way CHAP session could be spoofed to break in or set up a man-in-the-middle [attack]," says Spiers. "DH-CHAP is much more secure."

But CHAP isn't totally secure. "CHAP is subject to offline dictionary attacks; the secret can be guessed with a powerful computer," admits Alan Warwick, lead software design engineer for iSCSI at Microsoft Corp. This would be time-consuming and difficult, however, because a CHAP login would have to be captured by a network sniffer situated on the storage network. Warwick suggests those concerned about the possibility of a CHAP attack use 16-byte secrets and change them frequently.
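As an added example (not from the article, and not any vendor's code), the Python below simulates the two-way CHAP login the preceding paragraphs describe: the array challenges the host, then the host challenges the array, so a rogue array that has obtained only the host's secret passes the one-way step but is caught in the second. The response format MD5(identifier || secret || challenge) is RFC 1994's; the 12-to-16-byte range in the secret policy is an assumption matching common initiator limits, and the distinct-byte check is this example's own heuristic.

```python
import hashlib
import hmac
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def secret_meets_policy(secret: bytes) -> bool:
    """Length follows the article's 16-byte advice (12..16 assumed as the range
    common initiators accept); the distinct-byte check rejects word-like secrets."""
    return 12 <= len(secret) <= 16 and len(set(secret)) >= 8

class ChapPeer:
    """One side of the login. In two-way CHAP each side holds its own secret
    (to answer challenges) and the peer's secret (to verify the peer's answers)."""

    def __init__(self, name: str, own_secret: bytes, peer_secret: bytes):
        self.name, self.own_secret, self.peer_secret = name, own_secret, peer_secret

    def make_challenge(self) -> tuple[int, bytes]:
        # Fresh random identifier and challenge for every login, never reused.
        self._id, self._chal = secrets.randbelow(256), secrets.token_bytes(16)
        return self._id, self._chal

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.own_secret, challenge)

    def check(self, response: bytes) -> bool:
        expected = chap_response(self._id, self.peer_secret, self._chal)
        return hmac.compare_digest(expected, response)  # constant-time compare

def mutual_chap_login(host: ChapPeer, array: ChapPeer) -> tuple[bool, bool]:
    """Returns (host_authenticated, array_authenticated).
    Step 1 is ordinary one-way CHAP; step 2 is what makes it two-way."""
    host_ok = array.check(host.answer(*array.make_challenge()))
    array_ok = host.check(array.answer(*host.make_challenge()))
    return host_ok, array_ok

def demo() -> tuple[tuple[bool, bool], tuple[bool, bool]]:
    """Honest pair, then a rogue array (constructed) that knows the host's secret
    but not the real array's: one-way CHAP lets it in, the second step exposes it."""
    host_secret, array_secret = secrets.token_bytes(16), secrets.token_bytes(16)
    honest = mutual_chap_login(ChapPeer("host", host_secret, array_secret),
                               ChapPeer("array", array_secret, host_secret))
    rogue = mutual_chap_login(ChapPeer("host", host_secret, array_secret),
                              ChapPeer("rogue", b"not-the-real-one", host_secret))
    return honest, rogue  # ((True, True), (True, False))
```

The `(True, False)` result for the rogue array is the detection that a single-way CHAP session would never produce, since that session ends after step 1.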

The most secure option for authentication is IPsec Authentication Header (AH), which has a digital signature on every packet. Unlike a full implementation of IPsec that encrypts the entire packet, IPsec AH merely authenticates the sender, recipient and checksum for the message content. This effectively authenticates the entire message, but does nothing to protect its content from snooping. Although there's still some performance impact, it's much easier to encrypt a 60-byte header than a 64KB packet.

This was first published in May 2007
