Constant growth in stored data is leading to the expansion and interconnection of storage networks. This growth has led to gradual acceptance of different IP storage technologies, which were developed over the last two years by the IETF. Storage networks can be extended by transferring SCSI commands over IP (iSCSI) or by sending Fibre Channel traffic over IP (FCIP or iFCP). While each technology presents a different solution, in effect they all allow storage devices or networks to be linked over IP networks.
The IETF standard for iSCSI outlines how SCSI traffic can be transported over connection-oriented TCP. It specifies the protocol by which an "initiator" (often a server) sends SCSI commands to a "target" (often a disk or a tape). The IETF has specified that the target must authenticate the initiator, while the initiator may authenticate the target. The standard requires that compliant iSCSI initiator and target implementations implement CHAP (Challenge Handshake Authentication Protocol). At the IP layer, the initiator and the target must also provide IPSec support for authentication, integrity and confidentiality. The IPSec support may be integrated in the initiator and the target, or be provided by a standalone device such as a VPN appliance.
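To make those authentication rules concrete, here is an added example (not code from the standard or from any iSCSI implementation) that simulates the CHAP portion of an iSCSI login, including the optional mutual step in which the initiator authenticates the target; the initiator names and secrets used in it are constructed.

```python
import hashlib
import hmac
import os

# Added illustration of the CHAP exchange inside an iSCSI login (RFC 1994
# as used by iSCSI with CHAP_A=5, i.e. MD5). CHAP_A, CHAP_I, CHAP_C, CHAP_N
# and CHAP_R are the iSCSI login key names; everything else is constructed.


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C); CHAP_I is a single byte."""
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP_I must be a one-byte identifier")
    return hashlib.md5(bytes([chap_i]) + secret + chap_c).digest()


def verify_response(chap_i: int, secret: bytes, chap_c: bytes, chap_r: bytes) -> bool:
    """Constant-time comparison so timing does not leak the expected digest."""
    return hmac.compare_digest(chap_response(chap_i, secret, chap_c), chap_r)


def iscsi_login(initiator_cfg: dict, target_db: dict, mutual: bool) -> tuple:
    """Run the CHAP steps of a login and return (initiator_ok, target_ok).

    initiator_cfg: {"name", "secret", "target_secret"} as configured on the host.
    target_db:     {name: {"secret", "own_secret"}} as stored on the target.
    The target must authenticate the initiator; with mutual=True the
    initiator additionally authenticates the target with a separate secret.
    """
    entry = target_db.get(initiator_cfg["name"])
    if entry is None:
        return False, False            # unknown CHAP_N: reject
    # Target -> initiator: fresh one-byte CHAP_I and a random CHAP_C.
    chap_i, chap_c = os.urandom(1)[0], os.urandom(16)
    # Initiator -> target: CHAP_N plus CHAP_R computed with its configured secret.
    chap_r = chap_response(chap_i, initiator_cfg["secret"], chap_c)
    if not verify_response(chap_i, entry["secret"], chap_c, chap_r):
        return False, False            # target rejects the login
    if not mutual:
        return True, None
    # Initiator -> target: its own CHAP_I/CHAP_C; the target answers with CHAP_R
    # over the target-side secret, which is distinct from the initiator's.
    i_chap_i, i_chap_c = os.urandom(1)[0], os.urandom(16)
    target_r = chap_response(i_chap_i, entry["own_secret"], i_chap_c)
    target_ok = verify_response(i_chap_i, initiator_cfg["target_secret"], i_chap_c, target_r)
    return True, target_ok
```

Note that CHAP protects only the login; the SCSI payload that follows is still sent in clear unless IPSec is in place, which is why the standard requires IPSec support alongside CHAP.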
FCIP simply encapsulates the FC frames within IP packets. In the case of iFCP, FC frames are mapped to IP packets. For FCIP and iFCP connections, you may also use IPSec/VPN solutions between the two FCIP or iFCP endpoints.
There are two important considerations when evaluating IP storage security. First, IP storage data is exposed to the same security vulnerabilities as traditional Internet traffic over IP networks. As such, the same technologies and solutions may be used. Examples include IPSec/VPNs, SSL and SSH.
The second consideration is the exception to the above. While the performance degradation due to security measures may be acceptable for traditional data traffic over IP networks, the level of degradation may be unacceptable for storage networks because of their high data rates and short time-out conditions. For example, encryption of storage traffic by IPSec may induce significant delays for Fibre Channel traffic between two high-speed SANs. Exceptions may include disaster recovery or backup environments, where such delays may be acceptable. The good news is that several storage security vendors, such as Kasten Chase, Neoscale, Decru and Vormetric, offer high-speed encryption solutions for storage traffic.
Some tips for securing your IP storage:
1. Evaluate the risks to IP storage traffic and compare them with your existing IP network risks.
2. Develop a solution that is consistent with your existing security policies.
3. Select technologies that address the above risks and policies while keeping performance within the latency limits. This becomes especially important if you are considering encryption of storage data.
4. Finally, remember the rule of thumb for your investment in securing any asset: the cost to successfully penetrate a secured asset should be considerably higher than the value of the asset.
This was first published in July 2003