This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
A more secure iSCSI on the way
Hardware-accelerated IPsec. Changes are coming that will make iSCSI even more secure. Vendors say hardware-accelerated IPsec will be a common feature in iSCSI initiators and storage arrays within two years. "Today's CPUs can keep up encryption processing at gigabit speeds, but 10Gb Ethernet will change all of that," says John Matze, president and CEO of Siafu Software LLC, and one of the original authors of the iSCSI protocol. He expects encryption processing will move to routers or storage arrays to provide wire-speed throughput at 10Gb/sec.
Microsoft Corp.'s iSCSI Software Target. As Microsoft's market share of the entry-level iSCSI market grows, it will become easier to implement security technologies through its iSCSI target software, which can be configured using the same group policy editor that controls the configuration of Windows servers and desktops. Many iSCSI arrays also integrate smoothly with Windows domains for management authentication.
Trusted Platform Module. Changes in server architectures also have implications for iSCSI. A Trusted Platform Module (TPM) is a specialized chip that can be installed on the motherboard of a PC or server to authenticate the computer rather than the user. To do so, TPM stores information specific to the host system, such as encryption keys, digital certificates and passwords. TPM minimizes the risk that data on the computer will be compromised by physical theft or an external attack. TPM chips are expected to spread to disk drives and storage systems. While the TPM wouldn't remove the need for any of the current encryption or authentication techniques, it would make data stored on storage arrays even more secure.
Probably the most vulnerable point in an iSCSI network has nothing to do with iSCSI at all. Nearly every network device can be managed remotely over a network. This management traffic can travel in-band (sharing the same network as the data) or out-of-band (using a dedicated network). Almost all storage devices, including FC, SAN and iSCSI arrays, have management ports that operate using Ethernet and IP. In nearly all cases, these management ports are the easiest way to hack into the storage array (see "A more secure iSCSI on the way").
Many management interfaces support outdated or insecure protocols like SNMP, Telnet and HTTP, as well as more secure protocols like Java and HTTPS or SSL. These older protocols can often be exploited for destructive purposes, allowing an attacker to access confidential configuration information or even bring down the array. This is especially true if default user names and passwords aren't changed when systems are configured. Some systems also have default accounts for vendor service, which can be the same across an entire region or even a company's whole product line. These accounts can be especially destructive because they often yield access to diagnostics areas and configuration information.
For this reason, management interfaces must be treated just like data interfaces and placed on isolated nonrouting subnets with firewalls and VPNs to prevent unauthorized access. Unfortunately, this isn't standard practice. In most sites, management interfaces are connected to the main corporate network and left open. The Town of Vail's Braden runs the management app on a server with one network interface card on the SAN and one on the LAN, and uses a remote desktop to access it securely.
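The checks described above can be run against a management-port inventory. The following Python audit is an added example, not part of the original article; the inventory fields, host names and subnets are constructed assumptions. It flags the insecure protocols the article names, unchanged default credentials, and ports that sit on the corporate LAN or a routable subnet.

```python
import ipaddress

# Protocols the article calls outdated or insecure for management access.
INSECURE_SERVICES = {"snmp", "telnet", "http"}

def audit_mgmt_port(port, mgmt_nets, corp_nets):
    """Return the list of findings for one management-port record."""
    findings = []
    addr = ipaddress.ip_address(port["ip"])
    enabled = {s.lower() for s in port["services"]}
    for svc in sorted(INSECURE_SERVICES & enabled):
        findings.append(f"insecure service enabled: {svc}")
    if port.get("default_credentials"):
        findings.append("default or vendor service credentials unchanged")
    if any(addr in net for net in corp_nets):
        findings.append("management port sits on the corporate LAN")
    elif not any(addr in net for net in mgmt_nets):
        findings.append("management port is outside the management subnets")
    if port.get("gateway"):
        # An isolated, nonrouting subnet has no default gateway.
        findings.append("default gateway set: subnet is routable")
    return findings

def audit_inventory(inventory, mgmt_subnets, corporate_subnets):
    """Audit every record; returns {device name: [findings]}."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_subnets]
    corp = [ipaddress.ip_network(n) for n in corporate_subnets]
    return {p["name"]: audit_mgmt_port(p, mgmt, corp) for p in inventory}

# Constructed sample data (hypothetical devices and addressing).
SAMPLE_INVENTORY = [
    {"name": "array-a", "ip": "10.20.0.11", "services": ["https"],
     "default_credentials": False, "gateway": None},
    {"name": "array-b", "ip": "192.168.10.45",
     "services": ["HTTP", "Telnet", "SNMP", "https"],
     "default_credentials": True, "gateway": "192.168.10.1"},
    {"name": "array-c", "ip": "10.20.0.12", "services": ["https", "snmp"],
     "default_credentials": False, "gateway": "10.20.0.1"},
]
MGMT_SUBNETS = ["10.20.0.0/24"]
CORPORATE_SUBNETS = ["192.168.0.0/16"]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, MGMT_SUBNETS, CORPORATE_SUBNETS)
    for name, findings in report.items():
        print(name, "OK" if not findings else findings)
```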
This was first published in May 2007