Secure iSCSI storage
Issue: May 2007

What to do first
iSCSI experts agree that there are certain things everyone using this technology should do:

  • Deploy iSCSI on a secure, isolated virtual LAN (VLAN) or subnet that doesn't route outside the data center.


  • Keep management interfaces on a secure network.


  • Use role-based access control and keep a log of all management activities.


  • Use encryption anytime iSCSI traffic leaves a secure network (e.g., WAN connections).


  • Employ Diffie-Hellman Challenge-Handshake Authentication Protocol (DH-CHAP) to authenticate servers and storage arrays to each other.


  • Employ security technologies that are appropriate to your business without going overboard on complexity--sometimes simpler is better.


Isolate the iSCSI network
The most important step in building a stable and secure iSCSI SAN is to keep it separate from other networks (see "What to do first," this page). "We were not as worried about security as about denial of service," says Braden. "It was too risky from a performance standpoint to allow storage traffic to share the network with other applications." Braden's iSCSI SAN is isolated by what's called an "air gap," which consists of dedicated Ethernet switches and isolated fiber-optic cables for storage. This approach reduces the risk that a problem on the main data network would spill over into the SAN. Each of Vail's SAN-attached servers has two Ethernet interfaces: one for the SAN and one for the LAN.

A larger iSCSI implementation at an international bank was configured similarly. Router and switch configurations throughout the network prevented iSCSI data from leaking from one network segment to another. The bank also used iSCSI host bus adapters (HBAs) instead of standard Ethernet cards. The HBAs it chose couldn't be configured to carry general network traffic, which reduced the risk of an intruder using the iSCSI SAN as a "bridge" to other secure networks.
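
One way to check this isolation on a dual-homed host, as an added example that is not part of the original article: the script flags iSCSI listeners reachable outside the SAN subnet and IP forwarding that would let the host bridge the SAN and the LAN. It assumes a Linux host exporting an iSCSI portal on the standard TCP port 3260, input in the format of `ss -Hltn`, and the value of `net.ipv4.ip_forward`; the addresses and the 10.50.0.0/24 SAN subnet are constructed.

```python
import ipaddress

ISCSI_PORT = 3260  # IANA-registered iSCSI target port

# Constructed sample of `ss -Hltn` output from a dual-homed host
# (SAN interface 10.50.0.11, LAN interface 192.168.1.20).
SAMPLE_SS = """\
LISTEN 0 256 10.50.0.11:3260 0.0.0.0:*
LISTEN 0 256 0.0.0.0:3260 0.0.0.0:*
LISTEN 0 128 192.168.1.20:22 0.0.0.0:*
LISTEN 0 256 [::]:3260 [::]:*
"""

def audit_isolation(ss_output, san_subnet, ip_forward):
    """Return a list of findings; an empty list means no isolation issue found."""
    san = ipaddress.ip_network(san_subnet)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so IPv6 works.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) != ISCSI_PORT:
            continue
        addr = addr.strip("[]").split("%")[0]  # drop brackets and scope id
        if addr == "*":
            addr = "::"  # ss prints '*' for a dual-stack wildcard bind
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            findings.append(f"{fields[3]}: iSCSI bound to all interfaces, "
                            "reachable from the LAN side")
        elif ip not in san:
            findings.append(f"{fields[3]}: iSCSI bound outside SAN subnet {san}")
    # A dual-homed host that forwards packets can act as a bridge
    # between the storage network and the data network.
    if ip_forward.strip() != "0":
        findings.append("net.ipv4.ip_forward enabled: host can route "
                        "between SAN and LAN")
    return findings

if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_SS, "10.50.0.0/24", "1"):
        print("FINDING:", finding)
```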
