|
Who are you?
There are many ways to authenticate a person before granting them access to the iSCSI SAN. You can authenticate based on who someone claims they are by requiring positive identification before talking to them or by continually checking their identity as long as they're connected.
Borrowing a concept from FC, most iSCSI arrays allow you to control access based on a unique identifier for each attached client. While FC uses a world-wide name for LUN masking, iSCSI can use an IP address, a MAC address or a unique name assigned to the iSCSI initiator software running on the client to hide targets. While none of these methods is very secure, they do protect against accidents on the part of storage administrators. P...
To continue reading for free, register below or login
To read more you must become a member of SearchStorage.com
lus, some iSCSI initiators have been known to "grab" all the storage they can see, making masking a requirement. All of these values can be
easily changed in software, so spoofing them is trivial.
If masking iSCSI targets isn't enough, CHAP adds another layer of security. The common authentication protocol in IP circles, CHAP uses public key encryption concepts to verify the identity of connected devices. It validates that both devices know a "shared secret" like a password, making it harder to gain access to the storage array. "The iSCSI standard requires that all iSCSI initiators and targets include CHAP support, but not all customers choose to turn it on," reports Eric Schott, director of product management at EqualLogic Inc.
|
 |
|
