CHAP can also be used to authenticate the array to the clients. John Spiers, founder and CTO of LeftHand Networks Inc., suggests all iSCSI users implement two-way CHAP, also known as Diffie-Hellman CHAP or DH-CHAP. "A single-way CHAP session could be spoofed to break in or set up a man-in-the-middle [attack]," says Spiers. "DH-CHAP is much more secure."
But CHAP isn't totally secure. "CHAP is subject to offline dictionary attacks--the secret can be guessed with a powerful computer," admits Alan Warwick, lead software design engineer for iSCSI at Microsoft Corp. This would be time-consuming and difficult, however, because a CHAP login would have to be captured by a network sniffer situated on the storage network. Warwick suggests those concerned about the possibility of a CHAP attack use 16-byte secrets and change them frequently.
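The two-way CHAP exchange described above, as an added illustration (not code from the article or from any vendor named in it): the target first challenges the initiator, then the initiator challenges the target, and each leg only succeeds when both sides hold the same secret. The response computation follows RFC 1994 (MD5 over identifier, secret and challenge), which is what iSCSI CHAP uses; the 16-byte secret floor is taken from Warwick's advice and the function and parameter names are assumptions.

```python
import hashlib
import hmac
import os

# Policy floor taken from the 16-byte recommendation in the text (assumed as a hard minimum here).
MIN_SECRET_BYTES = 16


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the wire; only this digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def secret_meets_policy(secret: bytes) -> bool:
    """Reject secrets shorter than the policy floor (short secrets are what an
    offline dictionary attack against a captured login would recover)."""
    return len(secret) >= MIN_SECRET_BYTES


def new_secret() -> bytes:
    """Generate a fresh random secret of the minimum length; rotate it regularly."""
    return os.urandom(MIN_SECRET_BYTES)


def one_leg(verifier_secret: bytes, prover_secret: bytes, identifier: int) -> bool:
    """One CHAP leg: the verifier sends a random challenge, the prover answers,
    and the verifier recomputes the expected digest from its own copy of the secret."""
    challenge = os.urandom(16)                                          # verifier -> prover
    response = chap_response(identifier, prover_secret, challenge)      # prover -> verifier
    expected = chap_response(identifier, verifier_secret, challenge)    # verifier, locally
    return hmac.compare_digest(response, expected)


def mutual_chap(init_secret: bytes, target_copy_of_init_secret: bytes,
                target_secret: bytes, init_copy_of_target_secret: bytes) -> tuple:
    """Two-way CHAP. Leg 1 authenticates the initiator to the target; leg 2
    authenticates the target to the initiator. A one-way deployment stops after
    leg 1, so a spoofed target would never be challenged."""
    leg1 = one_leg(target_copy_of_init_secret, init_secret, identifier=1)
    leg2 = one_leg(init_copy_of_target_secret, target_secret, identifier=2)
    return leg1, leg2


if __name__ == "__main__":
    # Constructed sample secrets; a real deployment would use new_secret() on each side.
    init_secret, target_secret = new_secret(), new_secret()
    print("initiator ok, target ok:", mutual_chap(init_secret, init_secret, target_secret, target_secret))
    # A target that does not know the target-side secret fails the second leg.
    print("impostor target:", mutual_chap(init_secret, init_secret, b"?" * 16, target_secret))
```

The second call in the `__main__` block is the case mutual CHAP is meant to catch: the initiator leg still passes, but the target cannot answer the initiator's challenge without the target-side secret, so the session is refused.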
The most secure option for authentication is IPsec Authentication Header (AH), which has a digital signature on every packet. Unlike a full implementation of IPsec that encrypts the entire packet, IPsec AH merely authenticates the sender, recipient and checksum for the message content. This effectively authenticates the entire message, but does nothing to protect its content from snooping. Although there's still some performance impact, it's much easier to encrypt a 60-byte header than a 64KB packet.
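A simplified model of the IPsec AH property described above, added here as an illustration (not the article's code and not a real AH implementation): every packet carries an integrity check value computed with a keyed hash over its header and payload, so a receiver detects any modification or forged sender, yet the payload travels in the clear. Real AH covers the immutable IP header fields and uses an SPI and sequence number for anti-replay; the 8-byte header, the 16-byte truncated HMAC-SHA256 ICV, and the function names are assumptions of this model.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes); assumption for this model
ICV_LEN = 16     # truncated integrity check value; assumption for this model


def ah_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build [spi | seq | ICV | payload]. The ICV authenticates header and payload;
    the payload itself is not encrypted, so it stays readable on the wire."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + icv + payload


def ah_verify(key: bytes, packet: bytes):
    """Return the payload if the ICV matches, else None (drop the packet)."""
    if len(packet) < HEADER_LEN + ICV_LEN:
        return None
    header = packet[:HEADER_LEN]
    icv = packet[HEADER_LEN:HEADER_LEN + ICV_LEN]
    payload = packet[HEADER_LEN + ICV_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return payload


class Receiver:
    """Receiver with the simplest possible anti-replay rule: sequence numbers must increase."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, packet: bytes):
        payload = ah_verify(self.key, packet)
        if payload is None:
            return None                                  # bad ICV: forged or modified
        seq = struct.unpack("!I", packet[4:HEADER_LEN])[0]
        if seq <= self.last_seq:
            return None                                  # replayed or out-of-order packet
        self.last_seq = seq
        return payload


if __name__ == "__main__":
    key = b"k" * 32                                      # constructed sample key
    rx = Receiver(key)
    pkt = ah_protect(key, 0x1000, 1, b"SCSI READ LUN0")  # constructed sample payload
    print("accepted:", rx.accept(pkt))
    print("replay:", rx.accept(pkt))
    print("tampered:", rx.accept(ah_protect(key, 0x1000, 2, b"SCSI READ LUN0")[:-4] + b"LUN7"))
    print("payload visible to a sniffer:", b"SCSI READ LUN0" in pkt)
```

The last line of the demo is the caveat from the paragraph: integrity and origin are checked, but anyone on the storage network still reads the SCSI command in the clear. Only ESP (or another encrypting layer) addresses that.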