Tip

How to make sure your IP storage is secure

Dr. Vijay Ahuja
Founder and President, Cipher Solutions Inc.
Dr. Vijay Ahuja is the president and founder of Cipher Solutions Inc., a professional services company that assists its clients in implementing storage security and offers customized seminars on storage and network security issues. Dr. Ahuja has been an industry leader in network security and more recently in storage security.

Constant growth in stored data is leading to the expansion and interconnection of storage networks. This growth has led to gradual acceptance of different IP storage technologies. These IP storage technologies were developed over the last two years by the IETF. Storage networks can be extended by transferring SCSI commands over IP (iSCSI) or by sending Fibre Channel traffic over IP (FCIP or iFCP). While each technology presents a different solution, in effect they all allow storage devices or networks to be linked over IP networks.

The IETF standard for iSCSI outlines how SCSI traffic can be transported over connection-oriented TCP. It specifies the protocols for an "initiator" (often a server) to send SCSI commands to a "target" (often a disk or a tape). The IETF has specified that the target must authenticate the initiator, while the initiator may authenticate the target. The standard specifies that compliant iSCSI initiator and target implementations must implement CHAP (Challenge Handshake Authentication Protocol). For the IP layer, the initiator and the target must also provide IPSec support for authentication, integrity and confidentiality. The IPSec support may be integrated in the initiator and the target, or be provided by a standalone device such as a VPN appliance.
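The CHAP exchange referred to above, as an added example that is not part of the original article: the target challenges, the initiator answers with the RFC 1994 MD5 response, and the target verifies it once. The class and function names, the sample initiator name and the secret are assumptions made for illustration, and values are kept as raw bytes rather than the text encoding used on the wire.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Verifier side: an iSCSI target authenticating an initiator."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # CHAP name -> shared secret
        self.pending = None      # (identifier, challenge) awaiting a response

    def challenge(self) -> dict:
        ident = os.urandom(1)[0]
        chal = os.urandom(16)    # fresh, unpredictable challenge per login
        self.pending = (ident, chal)
        # iSCSI login keys: CHAP_A=5 selects MD5, CHAP_I identifier, CHAP_C challenge
        return {"CHAP_A": 5, "CHAP_I": ident, "CHAP_C": chal}

    def verify(self, name: str, response: bytes) -> bool:
        # Consume the challenge first so it is good for one attempt only.
        pending, self.pending = self.pending, None
        secret = self.secrets.get(name)
        if pending is None or secret is None:
            return False
        ident, chal = pending
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def initiator_reply(name: str, secret: bytes, msg: dict) -> dict:
    """Prover side: the initiator answers with its name and response."""
    return {"CHAP_N": name,
            "CHAP_R": chap_response(msg["CHAP_I"], secret, msg["CHAP_C"])}


def login(target: Target, name: str, secret: bytes) -> bool:
    reply = initiator_reply(name, secret, target.challenge())
    return target.verify(reply["CHAP_N"], reply["CHAP_R"])


# Constructed sample credentials (assumption, not from the article).
SAMPLE = {"iqn.2003-07.example:host1": b"constructed-secret-16B"}
```

For the optional authentication of the target by the initiator, the same exchange runs in the opposite direction with the roles swapped.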

FCIP simply encapsulates the FC frames within IP packets. In the case of iFCP, FC frames are mapped to IP packets. For FCIP and iFCP connections, you may also use IPSec/VPN solutions between the two FCIP or iFCP endpoints.

There are two important considerations when evaluating IP storage security. First, IP storage data is exposed to the same security vulnerabilities as traditional Internet traffic on IP networks. As such, the same technologies and solutions may be used. Examples include IPSec/VPNs, SSL and SSH.

The second consideration is the exception to the above. While the performance degradation due to security measures may be acceptable for traditional data traffic over IP networks, the same level of degradation may be unacceptable for storage networks because of their high data rates and short time-out conditions. For example, data encryption of storage traffic, performed by IPSec protocols, may induce significant delays for Fibre Channel traffic between two high-speed SANs. Exceptions may include disaster recovery or backup environments, where such delays may be acceptable. The good news is that several storage security vendors, such as Kasten Chase, Neoscale, Decru and Vormetric, offer high-speed encryption solutions for storage traffic.

Some tips for securing your IP storage:

1. Evaluate the risks to IP storage traffic and compare them with your existing IP network risks.

2. Develop a solution that is consistent with your existing security policies.

3. Select technologies that address the above risks and policies while keeping performance within the latency limitations. This becomes especially important if you are considering encryption of storage data.

4. Finally, remember the rule of thumb for your investment in securing any asset: The cost to successfully penetrate a secured asset should be considerably higher than the value of the asset.


This was first published in July 2003
