This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
Snooping iSCSI packets
Snooping the contents of iSCSI packets is one of the first threats people mention when asked about iSCSI security, but it is less likely to occur than other types of attack. An IP SAN with no security controls will probably run on a switched Ethernet network. A switch forwards each frame only to the port that owns the destination MAC address, so an attached host normally sees just the traffic addressed to it. To capture another host's iSCSI session, an attacker needs the switch to copy or redirect that traffic to his own port. The clean way to do that is a port-mirroring (SPAN) feature, which requires administrative access to the switch; the dirty way is ARP spoofing or MAC-table flooding from any host on the same VLAN, which does not. The practical defense is therefore to keep the storage network on a dedicated switch or VLAN that ordinary hosts and workstations cannot reach, and to treat every system with a port on that segment as part of the SAN's trust boundary.
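What an eavesdropper actually gets from an unprotected iSCSI segment is easy to see by decoding the protocol. The following is an added example, not code from the original article: a minimal decoder for the iSCSI Basic Header Segment (RFC 3720) run over two constructed PDUs, a Login Request carrying CHAP keys and a SCSI Data-In PDU carrying a block of file data. The PDU bytes, the user name and the payload text are all made up for the example; digests and AHS segments are assumed absent.

```python
import struct

# iSCSI opcodes (low 6 bits of byte 0), RFC 3720; only the ones this example names.
OPCODES = {
    0x01: "SCSI Command",
    0x03: "Login Request",
    0x04: "Text Request",
    0x05: "SCSI Data-Out",
    0x21: "SCSI Response",
    0x23: "Login Response",
    0x24: "Text Response",
    0x25: "SCSI Data-In",
}
TEXT_OPCODES = {0x03, 0x04, 0x23, 0x24}   # data segment is "key=value\0" pairs

BHS_LEN = 48  # the Basic Header Segment is always 48 bytes


def parse_pdu(raw: bytes) -> dict:
    """Decode one iSCSI PDU (no header/data digests) from a TCP payload.

    Returns the opcode, DataSegmentLength and the raw data segment: exactly
    what a sniffer positioned on the storage segment gets to read.
    """
    if len(raw) < BHS_LEN:
        raise ValueError("short PDU: need a 48-byte BHS")
    opcode = raw[0] & 0x3F
    immediate = bool(raw[0] & 0x40)
    total_ahs_len = raw[4]                      # additional header segments, in 4-byte words
    dsl = int.from_bytes(raw[5:8], "big")       # 24-bit DataSegmentLength
    itt = struct.unpack(">I", raw[16:20])[0]    # Initiator Task Tag
    data_start = BHS_LEN + 4 * total_ahs_len
    data = raw[data_start:data_start + dsl]
    if len(data) != dsl:
        raise ValueError("truncated data segment")
    return {
        "opcode": opcode,
        "name": OPCODES.get(opcode, f"opcode 0x{opcode:02x}"),
        "immediate": immediate,
        "itt": itt,
        "dsl": dsl,
        "data": data,
    }


def text_keys(data: bytes) -> dict:
    """Split a Login/Text data segment into its key=value pairs."""
    keys = {}
    for item in data.split(b"\x00"):
        if not item:
            continue
        k, _, v = item.partition(b"=")
        keys[k.decode("ascii")] = v.decode("ascii")
    return keys


def build_pdu(opcode: int, data: bytes, itt: int = 0, flags: int = 0) -> bytes:
    """Assemble a minimal PDU: constructed test input, not captured traffic."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = opcode
    bhs[1] = flags
    bhs[5:8] = len(data).to_bytes(3, "big")
    bhs[16:20] = struct.pack(">I", itt)
    pad = (-len(data)) % 4                      # data segment is padded to a 4-byte boundary
    return bytes(bhs) + data + b"\x00" * pad


# Constructed sample "capture": the initiator's CHAP answer, then a read completion.
LOGIN_PDU = build_pdu(
    0x03,
    b"CHAP_N=storageadmin\x00CHAP_R=0x3a7f1c9e52b04d6688e1f0a9c4d27b15\x00",
    itt=0x10,
    flags=0x87,   # T=1, CSG=1 (security negotiation), NSG=3 (full feature phase)
)
DATA_IN_PDU = build_pdu(
    0x25,
    b"PATIENT: Jane Doe, MRN 0012345, DIAGNOSIS: ...",
    itt=0x11,
    flags=0x80,   # F=1: final Data-In PDU for this task
)


def what_a_sniffer_sees(pdus):
    """Summarise each PDU the way an eavesdropper would read it."""
    findings = []
    for raw in pdus:
        pdu = parse_pdu(raw)
        if pdu["opcode"] in TEXT_OPCODES:
            findings.append((pdu["name"], text_keys(pdu["data"])))
        else:
            findings.append((pdu["name"], pdu["data"]))
    return findings


if __name__ == "__main__":
    for name, payload in what_a_sniffer_sees([LOGIN_PDU, DATA_IN_PDU]):
        print(f"{name}: {payload}")
```

The Login Request gives away the CHAP user name outright; CHAP_R is a hash of the secret and the target's challenge, so it is not the password itself, but together with the CHAP_C value from the preceding Login Response it is enough for an offline dictionary attack on a weak secret. The Data-In PDU needs no attack at all: the block contents are sitting in the clear after the 48-byte header.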
There are many options for protecting data in motion over the network. IPsec Encapsulating Security Payload (ESP), for example, encrypts the payload of each packet and can also authenticate it, so that anyone capturing traffic on the wire sees only ciphertext and any packet altered in transit is rejected. (The companion Authentication Header, AH, only authenticates and does not encrypt, so it does nothing against snooping.) IPsec does not fix a single cipher; the algorithms are negotiated between the two endpoints, so if stronger encryption is required you select a stronger suite, for example AES in place of the baseline 3DES that RFC 3723, the IETF profile for securing iSCSI with IPsec, requires every implementation to support. Note that IPsec protects the data only between the two endpoints; it is stored on the target in the clear.
Another option is to use an encrypting file system on the server to encrypt data before it reaches the IP SAN. This protects data in motion as well as data at rest, because no data leaves the server unencrypted and the target only ever stores ciphertext. It also blunts man-in-the-middle attacks on the network: an attacker who alters blocks in transit cannot produce meaningful plaintext, and if the file system uses authenticated encryption or integrity checks the tampering is detected rather than returned as silently corrupted data (a bare block-cipher mode with no integrity tag does not detect modification by itself). The keys live on the server, however, so this does not help against an attacker who has already compromised the server itself. The downside of using an encrypting file system is the impact it can have on server performance. Even a powerful
A VPN creates an encrypted tunnel between two trusted networks across an untrusted one; an IPsec VPN applies the same ESP protection described above at the gateway instead of on each host. The use of VPN technology should be a requirement whenever sensitive data travels across an uncontrolled network. The Town of Vail relies on an encrypted VPN tunnel for replication to a disaster recovery site, leveraging an existing WAN connection for its daily synchronization.
This was first published in May 2007