
Securing SANs with iSCSI

Built on the foundation of IP technology, iSCSI brings a wealth of standardized security features to storage area networks (SANs). iSCSI security offers a critical level of interoperability with existing authentication management systems along with proven IP security protocols. By leveraging existing IP networking expertise, businesses today can create affordable, secure IP-SANs that are easy to build and manage.

Some people hear IP-SAN, and think every hacker on the internet will have free access to their storage networks. Nothing could be further from the truth. Correctly configured, iSCSI-based arrays offer the highest level of security available in SAN technologies.

iSCSI networks provide a number of integrated security features. Passwords are required for array management, and the group membership protocols between arrays are always authenticated. Most importantly from the point of view of securing the data, access controls are provided for each volume. Per-volume access controls can be any combination of initiator name, initiator IP address, and strong CHAP authentication. Secure authentication of any kind is a security feature not available with Fibre Channel technology.
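As an added example, not code from the article or from EqualLogic's products, the following Python models how an iSCSI target could evaluate one per-volume access control entry that combines the three factors named above: initiator name (IQN), initiator IP range and CHAP. The CHAP arithmetic is the RFC 1994 MD5 scheme that iSCSI login uses (RFC 3720): the response is MD5(ID || shared secret || challenge). The volume name, IQN, subnet, CHAP user and secret are constructed values.

```python
# Added example (not EqualLogic code): target-side evaluation of a
# per-volume ACL entry combining initiator IQN, initiator IP range and CHAP.
# CHAP response as used by iSCSI login (RFC 1994 / RFC 3720):
#     response = MD5( ID || shared-secret || challenge )
# All names, addresses and secrets are constructed for the example.
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class VolumeAcl:
    """One access control entry for one volume; None means 'not checked'."""
    volume: str
    initiator_name: Optional[str] = None    # exact IQN required, if set
    initiator_net: Optional[str] = None     # CIDR the initiator must come from
    chap_user: Optional[str] = None         # CHAP required only if set
    chap_secret: Optional[bytes] = None


def new_challenge(length: int = 16) -> bytes:
    """Fresh random CHAP challenge; a target issues a new one per login."""
    return os.urandom(length)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response: MD5(ID || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def check_access(acl: VolumeAcl, initiator_name: str, initiator_ip: str,
                 chap_id: Optional[int] = None,
                 challenge: Optional[bytes] = None,
                 chap_user: Optional[str] = None,
                 chap_resp: Optional[bytes] = None) -> Tuple[bool, str]:
    """Target-side decision: every factor configured on the entry must pass."""
    if acl.initiator_name is not None and initiator_name != acl.initiator_name:
        return False, "initiator name not permitted"
    if acl.initiator_net is not None:
        if ipaddress.ip_address(initiator_ip) not in ipaddress.ip_network(acl.initiator_net):
            return False, "initiator address outside permitted range"
    if acl.chap_user is not None:
        if (chap_user != acl.chap_user or chap_id is None
                or challenge is None or chap_resp is None):
            return False, "CHAP authentication required"
        expected = chap_response(chap_id, acl.chap_secret, challenge)
        # constant-time comparison so a wrong response cannot be timed
        if not hmac.compare_digest(expected, chap_resp):
            return False, "CHAP response invalid"
    return True, f"access granted to {acl.volume}"


def run_scenarios() -> dict:
    """Exercise one entry with a valid login and several failing ones."""
    acl = VolumeAcl(volume="vol-finance",
                    initiator_name="iqn.2003-07.com.example:db01",
                    initiator_net="10.10.20.0/24",
                    chap_user="db01",
                    chap_secret=b"constructed-chap-secret-0123")
    name, ip, cid = acl.initiator_name, "10.10.20.15", 7
    challenge = bytes(range(16))    # fixed here only so the run is repeatable
    good = chap_response(cid, acl.chap_secret, challenge)
    bad = chap_response(cid, b"wrong-secret", challenge)
    return {
        "valid":        check_access(acl, name, ip, cid, challenge, "db01", good)[0],
        "wrong_secret": check_access(acl, name, ip, cid, challenge, "db01", bad)[0],
        "wrong_subnet": check_access(acl, name, "192.168.1.15", cid, challenge, "db01", good)[0],
        "wrong_name":   check_access(acl, "iqn.2003-07.com.example:laptop", ip, cid, challenge, "db01", good)[0],
        "no_chap":      check_access(acl, name, ip)[0],
    }


if __name__ == "__main__":
    for scenario, allowed in run_scenarios().items():
        print(f"{scenario:13s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two points the model makes visible: the target must issue a fresh random challenge for every login (new_challenge; the fixed challenge in run_scenarios is only for repeatability), and CHAP authenticates the login but does not protect the data stream afterwards, which is why the article turns to IPsec for links that cross untrusted networks. RFC 3720 also allows the target to authenticate itself to the initiator (mutual CHAP); the example shows the target-side check only.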

Since Gigabit Ethernet is a switched fabric with point-to-point connectivity, it is nearly impossible to snoop packet traffic without physical access to the network and an analyzer on hand. Within the physical storage site, walking off with a backup tape or a hot-swap disk drive is far simpler than connecting up a real-time analyzer.

The storage network itself can be easily partitioned from the rest of the LAN. By blocking TCP port 3260, the iSCSI port, a feature available in every off-the-shelf router and firewall on the market, the administrator can quickly secure the SAN while optionally allowing access to the system's management ports.

Multiple storage sites and volume replication

The security features described thus far are more than suitable for securing a single storage site. However, for linking up multiple storage sites over larger networks, more precautions must be taken.

Replicating volumes for disaster tolerance across large corporate local area networks, metropolitan area networks or even wide area networks requires stronger security measures. IP offers a built-in solution: IPsec. Virtual Private Networks (VPNs) using IPsec provide well-established solutions for creating secure, virtual point-to-point IP bridges across untrusted media such as the Internet. Numerous vendors provide a plethora of VPN gateway appliances serving a wide market, from home IPsec VPN routers to enterprise VPN gateway switches.

By securing multiple storage sites with IPsec VPN gateways, businesses can simply set up and manage secure site replication.

About the author


Peter Hayden is CEO at Nashua, N.H.-based EqualLogic.

For more information on IP security:

Audit your SAN's security risks

SAN/NAS encryption complexity


This was first published in July 2003
